[Winpcap-users] Filter Problem

Deston High mqx at low-axs.net
Wed Nov 30 15:01:26 GMT 2005 

Hello Guy,

i had some time to check again the strange filter occurrence
and i'm again able to cupture my packet i send.

i used: sprintf(filter,"not dst host %s", myip);
the packet includes a ether + pppoes header.
however, it don't work with: sprintf(filter,"src host %s", myip);

thats strange, eh? :)

greetz



Deston High wrote:

>
>
> Guy Harris wrote:
>
>> Deston High wrote:
>>
>>> is it possible to use a filter like this: "pppoe or ether or xxx and 
>>> tcp and port 60000". should work, right?
>>
>>
>>
>> Maybe.  It depends on whether having *ALL* filters on Ethernet (or 
>> perhaps other LANs) check for protocols running directly on Ethernet, 
>> protocols running on PPPOE, and protocols running on VLANs on 
>> Ethernet would increase CPU time spent doing packet filtering enough 
>> to make a difference that matters - not everybody runs PPPoE or VLANs 
>> on their LAN, so not everybody *needs* that.
>>
>> If it would, you'd have to do something such as
>>
>>     (tcp and port 60000) or (pppoes and tcp and port 60000)
>>
>> if you need that, so that
>>
>>     tcp and port 60000
>>
>> doesn't do extra checks for PPPoE on LANs where you don't need that 
>> check.
>
>
> thx for that advise!
> its just one packet to process... so i don't care about cpu usage here.
>
>>> I capture on ethernet device (NIC) . so, for me it's definitive 
>>> IP-over-PPP-over-Ethernet.
>>
>>
>>
>> And a filter of "src host XXX.XXX.XXX.XXX" captured IP-over-PPPoE 
>> traffic from that host (not IP-over-Ethernet traffic from that host)?
>
>
> definitiv IP-over-PPPoE, thats why i post here. it's very strange... 
> looks like i only can't touch the tcp header but ip header seems ok. 
> from what i have posted before: "not dst host XXX.XXX.XXX.XXX" where 
> XXX..... is my internet IP, works on IP-over-PPPoE!
> i used this to make sure i only capture data where "dst host is not my 
> ip", or in other words "src host is my ip".
>
> i will try that again and reply here.
>
> thx for your help!
>
>> ("I'm capturing on an Ethernet device" doesn't imply "it's definitely 
>> IP-over-PPPoE" - a LAN can have both local Ethernet traffic and PPPoE 
>> traffic on it, for example.)
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>
>>
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
>

More information about the Winpcap-users mailing list