[Winpcap-users] strange filtering issue

Eric Kollmann xnih13 at gmail.com
Mon May 5 21:51:59 UTC 2014


These are all in my program Satori and I honestly haven't looked at them in
years since they were working, but I found that once you introduce "vlan"
into it, trying to filter more broadly from a bpf filter didn't always work,
though it looks like I still tried:

ARP - (arp) or (vlan and arp)
DHCP - (udp dst port 67 or 68) or (vlan and (udp dst port 67 or 68))
IP - (ip) or (ipv6) or (vlan and (ip or ip6))
SNMP - (udp dst port 161) or (udp dst port 162) or (udp src port 161) or
(vlan)

plus many others on my different dlls for passive fingerprinting.

All of this to say, I used bpf as the broad sword to filter out some, then
internally I checked to see if it was vlan traffic and parsed it down from
there.  Playing with vlan traffic and bpf filters didn't seem to work well
7 years ago when I started playing with it in the 3.x days; I never looked
much since then.


On Mon, May 5, 2014 at 3:16 PM, Jerry Riedel <riedel at codylabs.com> wrote:

>
>
> On May 5, 2014, at 12:38 PM, Jerry Riedel <riedel at codylabs.com> wrote:
>
> > !host 192.168.10.2 and !host 192.168.0.3 and !port 161 or vlan and !host
> 192.168.10.2 and !host 192.168.0.3 and !port 161 - this string excludes
> both hosts and port 161 from packets with and without the vlan tag.
>
> >
> > Beyond confirming that using parentheses had an undesirable effect on
> the filter logic I did not do further testing to sort that one out.
>
> Yes, that's the issue.
>
> > Based on my testing, it does seem that this is a case where the Windows
> port differs from the *nix implementation of tcpdump.
>
> What testing have you done on *nix?  (Note that compiling a filter
> expression into BPF code is done in libpcap/WinPcap, not tcpdump, and the
> interpretation of the BPF code to do filtering is done either in built-in
> kernel code in *nix and WinPcap driver code on Windows or in
> libpcap/WinPcap if the kernel-mode code can't do it for some reason, so
> it's not a tcpdump issue.)
>
> Other than using tcpdump (and snoop) back in the Solaris 5 days, I haven't
> really tested on *nix. What I meant was that the parentheses do not work in
> my winpcap/windump environment in the way they are said to work in the
> tcpdump documentation, based on my Windows based testing. If the
> parentheses do work as advertised in Linux that is great as I plan to move
> all of this off Windows and into Linux when I get some free time.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
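The approach described in the reply above, filtering broadly with BPF and then checking for the VLAN tag inside the program, is shown here as an added example (not Satori's code or anything from the WinPcap project): it peels 802.1Q tags from a raw Ethernet frame and labels the inner traffic with the same ARP/DHCP/IP/SNMP categories used by the filters in the post. The frames are constructed inline for the demonstration, and the function names (classify_frame, build_frame, udp_ipv4) are hypothetical.

```python
import struct

ETH_P_8021Q, ETH_P_ARP, ETH_P_IP, ETH_P_IPV6 = 0x8100, 0x0806, 0x0800, 0x86DD
UDP_LABELS = {67: "DHCP", 68: "DHCP", 161: "SNMP", 162: "SNMP"}

def classify_frame(frame):
    """Peel any 802.1Q tags, then label the inner protocol the way a passive
    fingerprinter would after a deliberately broad BPF capture."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off, vids = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    while ethertype == ETH_P_8021Q:           # QinQ frames go round more than once
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vids.append(tci & 0x0FFF)             # low 12 bits of the TCI are the VID
        off += 4
    label = {ETH_P_ARP: "ARP", ETH_P_IP: "IP", ETH_P_IPV6: "IP"}.get(ethertype, "other")
    if ethertype == ETH_P_IP and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4         # IPv4 header length in bytes
        proto = frame[off + 9]                # protocol field: 17 is UDP
        if proto == 17 and len(frame) >= off + ihl + 8:
            sport, dport = struct.unpack_from("!HH", frame, off + ihl)
            label = UDP_LABELS.get(dport) or UDP_LABELS.get(sport) or "IP"
    return {"vlan": vids[0] if vids else None, "ethertype": ethertype, "label": label}

def build_frame(ethertype, payload, vid=None):
    """Constructed test frame: zeroed MAC addresses, optional single 802.1Q tag."""
    hdr = b"\x00" * 12
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def udp_ipv4(sport, dport):
    """Constructed minimal IPv4 + UDP header (checksums zero, no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 168, 10, 2]), bytes([192, 168, 0, 3]))
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)

if __name__ == "__main__":
    for f in (build_frame(ETH_P_ARP, b"\x00" * 28),
              build_frame(ETH_P_IP, udp_ipv4(68, 67), vid=10),
              build_frame(ETH_P_IP, udp_ipv4(161, 50000), vid=4094)):
        print(classify_frame(f))
```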