tcpdump mailing list archives

Re: Filter not working?


From: Guy Harris <guy () netapp com>
Date: Fri, 7 Feb 2003 16:02:22 -0800

On Fri, Feb 07, 2003 at 03:25:11PM +0100, Gisle Vanem wrote:
> I have the following filter to log "suspicious traffic" to my PC:
> 
> icmp || (udp && (host not 217.13.7.136 and host not 217.13.4.21)) 
> || 
> ( 
>   (tcp[13] & 3 != 0) && 
>   (port not (25 || 80 || 110 || 119 || 6346 || 6347))
> )
> 
> "windump -dF suspicious.filter" says:
> 
> (000) ldh      [12]
> (001) jeq      #0x800           jt 2    jf 11
> (002) ldb      [23]
> (003) jeq      #0x1             jt 14   jf 4
> (004) jeq      #0x11            jt 5    jf 15
> (005) ld       [26]
> (006) jeq      #0xd90d0788      jt 15   jf 7
> (007) jeq      #0xd90d0415      jt 15   jf 8
> (008) ld       [30]
> (009) jeq      #0xd90d0788      jt 15   jf 10
> (010) jeq      #0xd90d0415      jt 15   jf 14
> (011) jeq      #0x86dd          jt 12   jf 15       ; IPv6 enabled windump
> (012) ldb      [20]
> (013) jeq      #0x11            jt 14   jf 15
> (014) ret      #96
> (015) ret      #0

That's odd, because if I do

        .\windump -r {Ethernet capture file} -d "icmp || (udp && (host not 217.13.7.136 and host not 217.13.4.21)) ||
        ((tcp[13] & 3 != 0) && (port not (25 || 80 || 110 || 119 || 6346 || 6347)))"

with WinDump 3.6.1 and WinPcap 2.3, the resulting program is

        (000) ldh      [12]
        (001) jeq      #0x800           jt 2    jf 31
        (002) ldb      [23]
        (003) jeq      #0x1             jt 34   jf 4
        (004) jeq      #0x11            jt 5    jf 11
        (005) ld       [26]
        (006) jeq      #0xd90d0788      jt 35   jf 7
        (007) jeq      #0xd90d0415      jt 35   jf 8
        (008) ld       [30]
        (009) jeq      #0xd90d0788      jt 35   jf 10
        (010) jeq      #0xd90d0415      jt 35   jf 34
        (011) jeq      #0x6             jt 12   jf 35
        (012) ldh      [20]
        (013) jset     #0x1fff          jt 35   jf 14
        (014) ldxb     4*([14]&0xf)
        (015) ldb      [x + 27]
        (016) jset     #0x3             jt 17   jf 35
        (017) ldh      [x + 14]
        (018) jeq      #0x19            jt 35   jf 19
        (019) jeq      #0x50            jt 35   jf 20
        (020) jeq      #0x6e            jt 35   jf 21
        (021) jeq      #0x77            jt 35   jf 22
        (022) jeq      #0x18ca          jt 35   jf 23
        (023) jeq      #0x18cb          jt 35   jf 24
        (024) ldh      [x + 16]
        (025) jeq      #0x19            jt 35   jf 26
        (026) jeq      #0x50            jt 35   jf 27
        (027) jeq      #0x6e            jt 35   jf 28
        (028) jeq      #0x77            jt 35   jf 29
        (029) jeq      #0x18ca          jt 35   jf 30
        (030) jeq      #0x18cb          jt 35   jf 34
        (031) jeq      #0x86dd          jt 32   jf 35
        (032) ldb      [20]
        (033) jeq      #0x11            jt 34   jf 35
        (034) ret      #65535
        (035) ret      #0

If I put your filter into a file, and do

        .\windump -r {Ethernet capture file} -dF {filter file}

I get the same program.

If you're not using the standard WinPcap and WinDump, this might be a
bug - ask the WinPcap developers about it.  (I tried it with the current
CVS tcpdump and libpcap, and it worked.)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
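To see what the correctly compiled program above actually admits, here is a small classic-BPF interpreter that runs Guy's 36-instruction listing over constructed frames; this is an added example, not code from the list post, and the addresses, ports and frame builders are hypothetical test values.

```python
import struct

# Guy Harris's compiled program above, transcribed as (op, k, jt, jf); ("x", n) means [x + n].
PROG = [
    ("ldh", 12, 0, 0), ("jeq", 0x800, 2, 31), ("ldb", 23, 0, 0), ("jeq", 0x1, 34, 4),
    ("jeq", 0x11, 5, 11), ("ld", 26, 0, 0), ("jeq", 0xd90d0788, 35, 7), ("jeq", 0xd90d0415, 35, 8),
    ("ld", 30, 0, 0), ("jeq", 0xd90d0788, 35, 10), ("jeq", 0xd90d0415, 35, 34), ("jeq", 0x6, 12, 35),
    ("ldh", 20, 0, 0), ("jset", 0x1fff, 35, 14), ("ldxb", 14, 0, 0), ("ldb", ("x", 27), 0, 0),
    ("jset", 0x3, 17, 35), ("ldh", ("x", 14), 0, 0), ("jeq", 0x19, 35, 19), ("jeq", 0x50, 35, 20),
    ("jeq", 0x6e, 35, 21), ("jeq", 0x77, 35, 22), ("jeq", 0x18ca, 35, 23), ("jeq", 0x18cb, 35, 24),
    ("ldh", ("x", 16), 0, 0), ("jeq", 0x19, 35, 26), ("jeq", 0x50, 35, 27), ("jeq", 0x6e, 35, 28),
    ("jeq", 0x77, 35, 29), ("jeq", 0x18ca, 35, 30), ("jeq", 0x18cb, 35, 34), ("jeq", 0x86dd, 32, 35),
    ("ldb", 20, 0, 0), ("jeq", 0x11, 34, 35), ("ret", 65535, 0, 0), ("ret", 0, 0, 0),
]

def run_bpf(prog, pkt):
    """Interpret a classic BPF program; returns the accept length (0 = packet rejected)."""
    a = x = pc = 0
    while True:
        op, k, jt, jf = prog[pc]
        if isinstance(k, tuple): k = x + k[1]   # [x + n] addressing
        try:
            if op == "ret":
                return k
            if op == "ld":                      # 32-bit big-endian word
                a = struct.unpack_from("!I", pkt, k)[0]
            elif op == "ldh":                   # 16-bit half-word
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ldb":
                a = pkt[k]
            elif op == "ldxb":                  # ldxb 4*([k]&0xf): IPv4 header length into X
                x = 4 * (pkt[k] & 0xF)
            else:                               # jeq / jset: conditional jump
                pc = jt if (a == k if op == "jeq" else a & k) else jf
                continue
        except (IndexError, struct.error):      # load past the end of the packet: BPF rejects
            return 0
        pc += 1

def ipv4_frame(proto, src, dst, payload, frag_off=0):
    """Constructed Ethernet/IPv4 frame; addresses and ports are hypothetical test values."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag_off, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def tcp_segment(sport, dport, flags):
    """Minimal 20-byte TCP header; the flags byte sits at offset 13, where tcp[13] reads it."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
```

Two details worth noticing when running it: the `jset #0x1fff` step means `tcp[13]` is only inspected on the first fragment of a datagram, so later fragments never match the SYN/FIN clause, and any load past the end of a truncated capture rejects the packet outright.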