tcpdump mailing list archives
Question regarding unexpected tcpdump expression evaluation
From: Eldon Stegall via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Mon, 1 Feb 2021 22:55:17 +0000
--- Begin Message ---
From: Eldon Stegall <estcpdw () eldondev com>
Date: Mon, 1 Feb 2021 22:55:17 +0000
Hello All,

I seem to be having an odd issue with tcpdump, or my understanding of it, and I would like to request clarification. I hope this is an appropriate place to do so, and that I'm not doing something foolish. Thanks in advance, issue description follows:

Consider the following pcap, synthetically generated for this test. It is a simple SYN and RST:

    # tcpdump -nr test2.pcap
    reading from file test2.pcap, link-type EN10MB (Ethernet)
    22:50:08.053719 IP 10.0.2.15.44128 > 10.0.2.2.80: Flags [S], seq 3067912571, win 29200, options [mss 1460,sackOK,TS val 44286743 ecr 0,nop,wscale 7], length 0
    22:50:08.054140 IP 10.0.2.2.80 > 10.0.2.15.44128: Flags [R.], seq 0, ack 3067912572, win 0, length 0

Now, consider the following filters:

    # grep . fgood fextra
    fgood:not ((host 10.0.2.2) and (host 10.0.2.1 or (host 10.0.2.15 or net 192.168.1.0/24)))
    fextra:not ((host 10.0.2.2) and (host 10.0.2.1 or (net 192.168.1.0/24 or host 10.0.2.15)))

It would seem to me that the logical "or" is commuted, which should make these two expressions equivalent. However, the resulting output of supplying these two filters with the pcap to tcpdump is not equivalent.

The "good" filter passes no packets, because the negated expression evaluates to true, as both sides of the "and" are fulfilled:

    # tcpdump -nr test2.pcap -F fgood
    reading from file test2.pcap, link-type EN10MB (Ethernet)
    #

The "extra" filter passes a packet for some reason (the SYN):

    # tcpdump -nr test2.pcap -F fextra
    reading from file test2.pcap, link-type EN10MB (Ethernet)
    22:50:08.053719 IP 10.0.2.15.44128 > 10.0.2.2.80: Flags [S], seq 3067912571, win 29200, options [mss 1460,sackOK,TS val 44286743 ecr 0,nop,wscale 7], length 0
    #

Can someone explain to me why these two filters would not be equivalent?

The files used in this test can be obtained by running the following command:

    echo "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" |base64 -d |tar -xvz

Thanks, I hope this venue is appropriate! I looked on the pcap-filter man page, but probably missed something!

Eldon
--- End Message ---
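As an added example (not part of the original post and not tcpdump or libpcap code), the script below is a small reference evaluator for the subset of pcap-filter syntax the two filters use (host, net, and, or, not, parentheses). It parses both filter strings and evaluates them by plain boolean logic against the source/destination pairs of the two packets in the message, which gives a ground truth to compare against what tcpdump prints. The packet list and the helper names are constructed for this example.

```python
"""Reference evaluator for a small subset of pcap-filter syntax.

Added example, not from the original post or the tcpdump project. It parses
the two filters quoted in the message and evaluates them by plain boolean
logic against the IPv4 source/destination pairs of the two packets, so the
logically expected result can be compared with what tcpdump actually prints.
Supported: host A.B.C.D, net A.B.C.D/N, and, or, not, parentheses.
"""
import ipaddress
import re

# Constructed from the two packets shown in the post, as (src, dst).
PACKETS = [
    ("10.0.2.15", "10.0.2.2"),  # SYN
    ("10.0.2.2", "10.0.2.15"),  # RST
]

# The two filters exactly as quoted in the post.
FGOOD = "not ((host 10.0.2.2) and (host 10.0.2.1 or (host 10.0.2.15 or net 192.168.1.0/24)))"
FEXTRA = "not ((host 10.0.2.2) and (host 10.0.2.1 or (net 192.168.1.0/24 or host 10.0.2.15)))"

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def tokenize(expr):
    """Split into parentheses and whitespace-separated words."""
    return TOKEN_RE.findall(expr)


class Parser:
    """Recursive-descent parser. Precedence, tightest first: not, and, or,
    as documented in the pcap-filter man page."""

    def __init__(self, tokens):
        self.toks = tokens
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % self.toks[self.pos:])
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok == "host":
            return ("host", ipaddress.ip_address(self.take()))
        if tok == "net":
            return ("net", ipaddress.ip_network(self.take(), strict=False))
        raise ValueError("unexpected token %r" % tok)


def evaluate(node, src, dst):
    """Evaluate a parsed tree for one packet. An undirected 'host' or 'net'
    qualifier matches either endpoint, as in pcap-filter."""
    kind = node[0]
    if kind == "host":
        return node[1] in (src, dst)
    if kind == "net":
        return src in node[1] or dst in node[1]
    if kind == "not":
        return not evaluate(node[1], src, dst)
    if kind == "and":
        return evaluate(node[1], src, dst) and evaluate(node[2], src, dst)
    if kind == "or":
        return evaluate(node[1], src, dst) or evaluate(node[2], src, dst)
    raise ValueError("unknown node %r" % kind)


def matching_packets(expr, packets=PACKETS):
    """Return the (src, dst) pairs the filter passes under plain boolean logic."""
    tree = Parser(tokenize(expr)).parse()
    return [(s, d) for s, d in packets
            if evaluate(tree, ipaddress.ip_address(s), ipaddress.ip_address(d))]


if __name__ == "__main__":
    for name, expr in (("fgood", FGOOD), ("fextra", FEXTRA)):
        print(name, "->", matching_packets(expr))
```

Under boolean logic both filters pass neither packet, so the SYN that the second filter lets through in the post is not explained by the expression itself. When a real tcpdump disagrees with such a reference result, the next thing to compare is the compiled program: `tcpdump -d '<filter>'` dumps the BPF code libpcap generated, and `-O` disables the BPF optimizer, so dumping each filter with and without `-O` shows whether the difference appears only in the optimized program.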
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers