tcpdump mailing list archives
Re: Filter not working?
From: Guy Harris <guy () netapp com>
Date: Fri, 7 Feb 2003 16:02:22 -0800
On Fri, Feb 07, 2003 at 03:25:11PM +0100, Gisle Vanem wrote:
> I have the following filter to log "suspicious traffic" to my PC:
>
>   icmp || (udp && (host not 217.13.7.136 and host not 217.13.4.21)) ||
>     ( (tcp[13] & 3 != 0) && (port not (25 || 80 || 110 || 119 || 6346 || 6347)) )
>
> "windump -dF suspicious.filter" says:
>
> (000) ldh   [12]
> (001) jeq   #0x800          jt 2    jf 11
> (002) ldb   [23]
> (003) jeq   #0x1            jt 14   jf 4
> (004) jeq   #0x11           jt 5    jf 15
> (005) ld    [26]
> (006) jeq   #0xd90d0788     jt 15   jf 7
> (007) jeq   #0xd90d0415     jt 15   jf 8
> (008) ld    [30]
> (009) jeq   #0xd90d0788     jt 15   jf 10
> (010) jeq   #0xd90d0415     jt 15   jf 14
> (011) jeq   #0x86dd         jt 12   jf 15      ; IPv6 enabled windump
> (012) ldb   [20]
> (013) jeq   #0x11           jt 14   jf 15
> (014) ret   #96
> (015) ret   #0
That's odd, because if I do

  .\windump -r {Ethernet capture file} -d "icmp || (udp && (host not 217.13.7.136 and host not 217.13.4.21)) || ((tcp[13] & 3 != 0) && (port not (25 || 80 || 110 || 119 || 6346 || 6347)) )"

with WinDump 3.6.1 and WinPcap 2.3, the resulting program is

(000) ldh   [12]
(001) jeq   #0x800          jt 2    jf 31
(002) ldb   [23]
(003) jeq   #0x1            jt 34   jf 4
(004) jeq   #0x11           jt 5    jf 11
(005) ld    [26]
(006) jeq   #0xd90d0788     jt 35   jf 7
(007) jeq   #0xd90d0415     jt 35   jf 8
(008) ld    [30]
(009) jeq   #0xd90d0788     jt 35   jf 10
(010) jeq   #0xd90d0415     jt 35   jf 34
(011) jeq   #0x6            jt 12   jf 35
(012) ldh   [20]
(013) jset  #0x1fff         jt 35   jf 14
(014) ldxb  4*([14]&0xf)
(015) ldb   [x + 27]
(016) jset  #0x3            jt 17   jf 35
(017) ldh   [x + 14]
(018) jeq   #0x19           jt 35   jf 19
(019) jeq   #0x50           jt 35   jf 20
(020) jeq   #0x6e           jt 35   jf 21
(021) jeq   #0x77           jt 35   jf 22
(022) jeq   #0x18ca         jt 35   jf 23
(023) jeq   #0x18cb         jt 35   jf 24
(024) ldh   [x + 16]
(025) jeq   #0x19           jt 35   jf 26
(026) jeq   #0x50           jt 35   jf 27
(027) jeq   #0x6e           jt 35   jf 28
(028) jeq   #0x77           jt 35   jf 29
(029) jeq   #0x18ca         jt 35   jf 30
(030) jeq   #0x18cb         jt 35   jf 34
(031) jeq   #0x86dd         jt 32   jf 35
(032) ldb   [20]
(033) jeq   #0x11           jt 34   jf 35
(034) ret   #65535
(035) ret   #0

If I put your filter into a file, and do

  .\windump -r {Ethernet capture file} -dF {filter file}

I get the same program.

If you're not using the standard WinPcap and WinDump, this might be a bug - ask the WinPcap developers about it. (I tried it with the current CVS tcpdump and libpcap, and it worked.)
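To make the difference between the two listings concrete, here is an added example that is not part of the thread and not code from tcpdump, libpcap or WinPcap: a small Python interpreter for the handful of BPF opcodes that `windump -d` printed above, run against constructed Ethernet/IPv4 frames. Both programs are transcribed from the messages above (several instructions per line, with the `(NNN)` labels dropped; jump targets stay absolute). The frame builders, addresses and ports are constructed for the demonstration. Executing the two programs shows that the first one never reaches a `jeq #0x6` test, so a TCP SYN to an unlisted port is dropped (`ret #0`), while the second program accepts it.

```python
import re
import struct

# The two "windump -d" listings from the thread, transcribed several
# instructions per line. Jump targets are absolute instruction indices, as
# in the original output; the leading "(NNN)" labels are omitted here.
BROKEN = """
ldh [12]; jeq #0x800 jt 2 jf 11; ldb [23]; jeq #0x1 jt 14 jf 4
jeq #0x11 jt 5 jf 15; ld [26]; jeq #0xd90d0788 jt 15 jf 7; jeq #0xd90d0415 jt 15 jf 8
ld [30]; jeq #0xd90d0788 jt 15 jf 10; jeq #0xd90d0415 jt 15 jf 14; jeq #0x86dd jt 12 jf 15
ldb [20]; jeq #0x11 jt 14 jf 15; ret #96; ret #0
"""

WORKING = """
ldh [12]; jeq #0x800 jt 2 jf 31; ldb [23]; jeq #0x1 jt 34 jf 4
jeq #0x11 jt 5 jf 11; ld [26]; jeq #0xd90d0788 jt 35 jf 7; jeq #0xd90d0415 jt 35 jf 8
ld [30]; jeq #0xd90d0788 jt 35 jf 10; jeq #0xd90d0415 jt 35 jf 34; jeq #0x6 jt 12 jf 35
ldh [20]; jset #0x1fff jt 35 jf 14; ldxb 4*([14]&0xf); ldb [x + 27]
jset #0x3 jt 17 jf 35; ldh [x + 14]; jeq #0x19 jt 35 jf 19; jeq #0x50 jt 35 jf 20
jeq #0x6e jt 35 jf 21; jeq #0x77 jt 35 jf 22; jeq #0x18ca jt 35 jf 23; jeq #0x18cb jt 35 jf 24
ldh [x + 16]; jeq #0x19 jt 35 jf 26; jeq #0x50 jt 35 jf 27; jeq #0x6e jt 35 jf 28
jeq #0x77 jt 35 jf 29; jeq #0x18ca jt 35 jf 30; jeq #0x18cb jt 35 jf 34; jeq #0x86dd jt 32 jf 35
ldb [20]; jeq #0x11 jt 34 jf 35; ret #65535; ret #0
"""


def parse(listing):
    """Parse the text form printed by 'windump -d' / 'tcpdump -d' into (op, k, jt, jf) tuples.
    Only the opcodes that appear in the two listings above are supported."""
    prog = []
    for raw in re.split(r"[;\n]", listing):
        s = re.sub(r"^\s*\(\d+\)\s*", "", raw).strip()   # drop an optional "(NNN)" label
        if not s:
            continue
        op, arg = s.split(None, 1)
        if op == "ret":
            prog.append((op, int(arg.lstrip("#"), 0), None, None))
        elif op in ("jeq", "jset"):
            m = re.fullmatch(r"#(\S+)\s+jt\s+(\d+)\s+jf\s+(\d+)", arg)
            prog.append((op, int(m[1], 0), int(m[2]), int(m[3])))
        elif op == "ldxb":                                  # X = 4 * (pkt[k] & 0xf): IPv4 header length
            m = re.fullmatch(r"4\*\(\[(\d+)\]&0xf\)", arg)
            prog.append((op, int(m[1]), None, None))
        elif op in ("ld", "ldh", "ldb"):                    # absolute [k] or index-relative [x + k]
            m = re.fullmatch(r"\[(x\s*\+\s*)?(\d+)\]", arg)
            prog.append((op + ("x" if m[1] else ""), int(m[2]), None, None))
        else:
            raise ValueError("unsupported instruction: " + s)
    return prog


def run(prog, pkt):
    """Execute a parsed program over raw frame bytes; return the accept length (0 = drop)."""
    a = x = pc = 0
    size = {"ld": 4, "ldh": 2, "ldb": 1}

    def load(off, n):
        # A load outside the packet makes the BPF machine reject the packet.
        return int.from_bytes(pkt[off:off + n], "big") if 0 <= off and off + n <= len(pkt) else None

    while True:
        op, k, jt, jf = prog[pc]
        if op == "ret":
            return k
        if op == "ldxb":
            v = load(k, 1)
            if v is None:
                return 0
            x = 4 * (v & 0xF)
        elif op.startswith("ld"):
            v = load(k + (x if op.endswith("x") else 0), size[op.rstrip("x")])
            if v is None:
                return 0
            a = v
        elif op == "jeq":
            pc = jt if a == k else jf
            continue
        elif op == "jset":
            pc = jt if a & k else jf
            continue
        pc += 1


def ip_frame(proto, src, dst, l4):
    """Constructed Ethernet/IPv4 frame around an L4 payload (checksums left zero; the filter never reads them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip4(src), ip4(dst))
    return eth + ip + l4


def tcp_seg(sport, dport, flags):
    """Constructed 20-byte TCP header; 'flags' is the byte at TCP offset 13 (SYN=0x02, FIN=0x01)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


if __name__ == "__main__":
    syn = ip_frame(6, "10.0.0.1", "10.0.0.2", tcp_seg(40000, 12345, 0x02))
    for name, text in (("broken", BROKEN), ("working", WORKING)):
        print(name, "program returns", run(parse(text), syn), "for a TCP SYN to port 12345")
```

Walking the first program with a TCP frame, `ldb [23]` loads the IP protocol (6), the two `jeq` tests for ICMP (`#0x1`) and UDP (`#0x11`) both fail, and the `jf 15` target is `ret #0`, so the whole `tcp[13] & 3 != 0` clause has silently vanished from the compiled filter. The second program routes the TCP case to instruction 11, checks the fragment offset, computes the header length into X, and reads the TCP flags at `[x + 27]` before comparing both ports against the excluded list. Diffing `-d` output against a few constructed frames like this is a cheap way to confirm that a capture filter really matches what its text says before trusting it for monitoring.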