[Winpcap-users] V4.0A - filter syntax
Guy Harris
guy at alum.mit.edu
Tue May 30 00:56:02 GMT 2006
On May 29, 2006, at 2:24 PM, Marcel van Lieshout wrote:
> Two filters in V4.0A:
>
> "(ether dst 01:02:03:04:05:06) or (ether broadcast)"
> "ether dst 01:02:03:04:05:06 or ether broadcast"
> Both compile successfully, but only the second one gives the
> expected result.

They compile to the same *filter code* with both top-of-tree libpcap
CVS and libpcap 0.8.3 on Mac OS X, so, at least with those versions
of libpcap, they'd have to give the exact same result.

What do

    windump -d "(ether dst 01:02:03:04:05:06) or (ether broadcast)"
    windump -d "ether dst 01:02:03:04:05:06 or ether broadcast"

print? If they print the same thing, then it's pure accident that
the latter gave the expected result.