tcpdump mailing list archives

Filter not working?

From: "Gisle Vanem" <giva () bgnett no>
Date: Fri, 7 Feb 2003 15:25:11 +0100

I have the following filter to log "suspicious traffic" to my PC:

icmp || (udp && (host not 217.13.7.136 and host not 217.13.4.21)) 
|| 
( 
  (tcp[13] & 3 != 0) && 
  (port not (25 || 80 || 110 || 119 || 6346 || 6347))
)

"windump -dF suspicious.filter" says:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 11
(002) ldb      [23]
(003) jeq      #0x1             jt 14   jf 4
(004) jeq      #0x11            jt 5    jf 15
(005) ld       [26]
(006) jeq      #0xd90d0788      jt 15   jf 7
(007) jeq      #0xd90d0415      jt 15   jf 8
(008) ld       [30]
(009) jeq      #0xd90d0788      jt 15   jf 10
(010) jeq      #0xd90d0415      jt 15   jf 14
(011) jeq      #0x86dd          jt 12   jf 15       ; IPv6-enabled windump
(012) ldb      [20]
(013) jeq      #0x11            jt 14   jf 15
(014) ret      #96
(015) ret      #0

------------------------------

Why are the tcp SYN/FIN and ports not evaluated? I guess the filter spec is
wrong, but what?

Gisle V.

# rm /bin/laden 
/bin/laden: Not found 

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
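One way to check what a compiled filter really does, independent of the capture tool, is to execute the dumped program over hand-built frames; the block below is an added example, not code from the post or from tcpdump/windump. It is a small interpreter for just the opcodes in the dump above, plus a constructed Ethernet/IPv4 frame builder in which offsets 23, 26 and 30 are the IP protocol, source and destination fields behind a 14-byte Ethernet header (the 0xd90d0788 / 0xd90d0415 constants are 217.13.7.136 and 217.13.4.21 in network byte order).

```python
import socket, struct
# The BPF program as windump -d printed it in the post (jump targets are absolute instruction numbers).
BPF_DUMP = """(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 11
(002) ldb      [23]
(003) jeq      #0x1             jt 14   jf 4
(004) jeq      #0x11            jt 5    jf 15
(005) ld       [26]
(006) jeq      #0xd90d0788      jt 15   jf 7
(007) jeq      #0xd90d0415      jt 15   jf 8
(008) ld       [30]
(009) jeq      #0xd90d0788      jt 15   jf 10
(010) jeq      #0xd90d0415      jt 15   jf 14
(011) jeq      #0x86dd          jt 12   jf 15
(012) ldb      [20]
(013) jeq      #0x11            jt 14   jf 15
(014) ret      #96
(015) ret      #0"""

def parse_bpf(text):
    """Parse a 'tcpdump -d' listing into (op, k, jt, jf) tuples; only the opcodes in this dump are handled."""
    prog = []
    for line in text.strip().splitlines():
        f = line.split()
        if f[1] in ("ldh", "ldb", "ld"):          # absolute packet loads: op [k]
            prog.append((f[1], int(f[2].strip("[]")), 0, 0))
        elif f[1] == "jeq":                        # jeq #imm jt N jf M
            prog.append((f[1], int(f[2][1:], 16), int(f[4]), int(f[6])))
        else:                                      # ret #k
            prog.append((f[1], int(f[2][1:]), 0, 0))
    return prog

def run_bpf(prog, pkt):
    """Execute the program over one frame; returns the accept length (0 means the frame is dropped)."""
    acc, pc, width = 0, 0, {"ldb": 1, "ldh": 2, "ld": 4}
    while True:
        op, k, jt, jf = prog[pc]
        if op == "ret":
            return k
        if op == "jeq":
            pc = jt if acc == k else jf
        elif k + width[op] > len(pkt):             # a load past the end of the frame rejects it
            return 0
        else:
            acc, pc = int.from_bytes(pkt[k:k + width[op]], "big"), pc + 1

def ipv4_frame(proto, src, dst, l4):
    """Constructed Ethernet + IPv4 frame; checksums stay zero because the filter never reads them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4
```

Feeding a TCP SYN frame through this returns 0 at instruction (004), which makes the question concrete: the compiled program rejects every IPv4 frame that is neither ICMP nor UDP before tcp[13] or any port is ever loaded.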