[Winpcap-users] Filtering Expression fails
Guy Harris
guy at alum.mit.edu
Fri Jan 25 23:51:53 GMT 2008
john mcnicholas wrote:

> - after examining the bpf program code, they probably won't work if you
> are running on a vlan.

Right - to make a filter work on VLAN-encapsulated packets, you have to
precede it with "vlan and", e.g.

    vlan and tcp[tcpflags] & tcp-syn != 0

In at least some OSes, a VLAN attachment shows up as a separate network
device, so you have a "raw" Ethernet device (which supplies packets as
they appear on the wire, complete with VLAN headers if present) and a
"VLAN" Ethernet device (which supplies only packets for the VLAN they're
attached to, without VLAN headers) - a regular filter would work on VLAN
packets when captured from the VLAN interface.

See

    http://wiki.wireshark.org/CaptureSetup/VLAN

> (or perhaps a number of other network types)

Possibly, but different network types would cause different code to be
generated.
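
Added example, not part of the original message and not libpcap/WinPcap code: a hand-written C sketch of the fixed-offset tests that a filter like the one above relies on, showing why the untagged form misses an 802.1Q-tagged SYN on the raw device while the "vlan and" form, with offsets shifted by 4 bytes, matches it. The function names and the sample frame are constructed for illustration, and only IPv4 is handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sketch of the fixed-offset tests behind "tcp[tcpflags] & tcp-syn != 0"
 * (IPv4 only). l2 is the link-layer header length the offsets assume:
 * 14 for untagged Ethernet, 18 once "vlan and" has skipped the 802.1Q tag. */
static int tcp_syn_at(const uint8_t *p, size_t len, size_t l2)
{
    if (len < l2 + 20) return 0;
    if (p[l2 - 2] != 0x08 || p[l2 - 1] != 0x00) return 0;    /* ethertype IPv4 */
    if (p[l2 + 9] != 6) return 0;                            /* protocol TCP */
    if ((p[l2 + 6] & 0x1f) || p[l2 + 7]) return 0;           /* first fragment only */
    size_t tcp = l2 + (size_t)(p[l2] & 0x0f) * 4;            /* skip IP header */
    if (len < tcp + 14) return 0;
    return (p[tcp + 13] & 0x02) != 0;                        /* SYN flag */
}

/* The filter as written, applied to the raw Ethernet device. */
int match_plain(const uint8_t *p, size_t len) { return tcp_syn_at(p, len, 14); }

/* With "vlan and" in front: require TPID 0x8100, then use shifted offsets. */
int match_vlan(const uint8_t *p, size_t len)
{
    if (len < 18 || p[12] != 0x81 || p[13] != 0x00) return 0;
    return tcp_syn_at(p, len, 18);
}

/* Constructed sample: Ethernet + IPv4 + TCP SYN, tagged if vlan_id >= 0; buf >= 64 bytes. */
size_t build_syn(uint8_t *buf, int vlan_id)
{
    size_t n = 12;                                   /* zeroed MAC addresses */
    memset(buf, 0, 64);
    if (vlan_id >= 0) {
        buf[n++] = 0x81; buf[n++] = 0x00;            /* 802.1Q TPID */
        buf[n++] = (uint8_t)((vlan_id >> 8) & 0x0f); buf[n++] = (uint8_t)vlan_id;
    }
    buf[n++] = 0x08; buf[n++] = 0x00;                /* ethertype IPv4 */
    buf[n] = 0x45; buf[n + 9] = 6;                   /* IHL 5, protocol TCP */
    buf[n + 32] = 0x50; buf[n + 33] = 0x02;          /* data offset 5, SYN */
    return n + 40;
}

int main(void)
{
    uint8_t f[64];
    size_t n = build_syn(f, 100);                    /* constructed frame, VLAN 100 */
    printf("tagged: plain=%d vlan=%d\n", match_plain(f, n), match_vlan(f, n));
    return 0;
}
```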