[Winpcap-users] Filtering Expression fails

[john mcnicholas]

>
> I'm new to this winpcap library.
> Currently i'm using winpcap 4.0.1 in my VC++ compiler.
> I have to filter the TCP packets holding the SYN flag.
>
>
> Whenever i tried using the filter string "tcp[13] & 0x02 != 0", it just
> hanging in pcap_next_ex() function.Still its waiting for the packets to
> come.
> But i'm getting the SYN packets in my ethereal running at the same time.
> Also i tried, "tcp[tcpflags] & tcp-syn != 0" and "tcp port 8080 and
> tcp-syn". None of them works.
> I didn't get any error message while compiling and setting the filter.
>
> But Its works fine with the filter strings "tcp" and "tcp port 8080".
>
> Is this the correct expression what i'm looking for?
> That will be great for me if anybody help me regarding this.
>

Briefly:

- the first two filter expressions worked for me, although I only tried on a
trace file but that shouldn't matter.
  (pcap version = 4.0.0.1040)

- after examining the bpf program code, they probably won't work if you are
running on a vlan.
  (or perhaps a number of other network types)

- sug: try testing your filter with a trace file first.  grab one from
wireshark.org if necessary.
  (Note: the protocol stack that worked for me was the simple ETH:IP:TCP )

good luck.

john
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20080125/8fc131fb/attachment.htm