[Winpcap-users] More about filtering expression syntax
Guy Harris
guy at alum.mit.edu
Thu Nov 6 01:30:56 GMT 2008
On Nov 5, 2008, at 1:59 AM, Ziara . wrote:
> but I've tried with = "src host zzz.zzz.zzz.zzz and src host
> yyy.yyy.yyy.yyy" and is an invalid expression.
To be precise, the error is "expression rejects all packets", i.e.
that expression cannot ever match any packet, as it checks whether the
IPv4 source address of the packet is zzz.zzz.zzz.zzz *and* is, at the
same time, yyy.yyy.yyy.yyy, which is impossible if zzz.zzz.zzz.zzz and
yyy.yyy.yyy.yyy aren't the same.
A libpcap/WinPcap filter expression "A and B" matches the packet only
if A and B are simultaneously true.
> Is there some way to filter multiple source ip or destination ip or
> both?
The magic word here is "or", i.e.

    src host zzz.zzz.zzz.zzz or src host yyy.yyy.yyy.yyy

matches any packet where the IPv4 source address is zzz.zzz.zzz.zzz
*or* is yyy.yyy.yyy.yyy.
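
Added example, not part of the original post: a small Python helper that builds the "or" form of the filter for several source and/or destination addresses. The names host_filter, require_both and extra are hypothetical; the addresses in the usage are constructed documentation addresses. It goes slightly beyond the post by parenthesizing groups, because "and" and "or" have equal precedence in pcap filter syntax and associate left to right.

```python
import ipaddress


def _any_of(direction, addrs):
    """Return '<direction> host A or <direction> host B ...' for the given IPv4 addresses."""
    unique = []
    for addr in addrs:
        # IPv4Address raises ValueError on malformed input such as 'zzz.zzz.zzz.zzz'.
        ip = str(ipaddress.IPv4Address(addr))
        if ip not in unique:
            unique.append(ip)
    return " or ".join(f"{direction} host {ip}" for ip in unique)


def host_filter(sources=(), destinations=(), require_both=False, extra=None):
    """Build a libpcap/WinPcap filter string (hypothetical helper).

    sources / destinations: IPv4 addresses; any one of them may match.
    require_both: if True, the packet must match a listed source AND a listed
                  destination; if False, matching either group is enough.
    extra: optional further filter text that is and-ed with the host test.
    """
    groups = [g for g in (_any_of("src", sources), _any_of("dst", destinations)) if g]
    if not groups:
        raise ValueError("at least one address is required")
    if require_both and len(groups) != 2:
        raise ValueError("require_both needs both sources and destinations")

    if len(groups) == 1:
        expr = groups[0]
    else:
        # Joining two *different* fields with "and" is satisfiable; joining two
        # different values of the *same* field with "and" never is.
        joiner = " and " if require_both else " or "
        expr = joiner.join(f"({g})" for g in groups)

    if extra:
        # Group explicitly: without parentheses the expression is read left to right.
        expr = f"({expr}) and ({extra})"
    return expr


if __name__ == "__main__":
    print(host_filter(sources=["192.0.2.1", "192.0.2.2"]))
    print(host_filter(sources=["192.0.2.1"], destinations=["198.51.100.7"],
                      require_both=True, extra="tcp port 80"))
```
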