tcpdump mailing list archives

Question regarding unexpected tcpdump expression evaluation


From: Eldon Stegall via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Mon, 1 Feb 2021 22:55:17 +0000

--- Begin Message ---
From: Eldon Stegall <estcpdw () eldondev com>
Date: Mon, 1 Feb 2021 22:55:17 +0000
Hello All,
I seem to be having an odd issue with tcpdump, or my understanding of
it, and I would like to request clarification. I hope this is an
appropriate place to do so, and that I'm not doing something foolish.
Thanks in advance, issue description follows:

Consider the following pcap, synthetically generated for this test. It
is a simple SYN and RST:

# tcpdump -nr test2.pcap
reading from file test2.pcap, link-type EN10MB (Ethernet)
22:50:08.053719 IP 10.0.2.15.44128 > 10.0.2.2.80: Flags [S], seq 3067912571, win 29200, options [mss 1460,sackOK,TS val 44286743 ecr 0,nop,wscale 7], length 0
22:50:08.054140 IP 10.0.2.2.80 > 10.0.2.15.44128: Flags [R.], seq 0, ack 3067912572, win 0, length 0

Now, consider the following filters:

# grep . fgood fextra
fgood:not ((host 10.0.2.2) and (host 10.0.2.1  or (host 10.0.2.15 or net 192.168.1.0/24)))
fextra:not ((host 10.0.2.2) and (host 10.0.2.1  or (net 192.168.1.0/24 or host 10.0.2.15)))

It would seem to me that the logical "or" is commuted, which should make
these two expressions equivalent.  However, the resulting output of
supplying these two filters with the pcap to tcpdump is not equivalent.
The "good" filter passes no packets, because the negated expression
evaluates to true, as both sides of the "and" are fulfilled:

# tcpdump -nr test2.pcap -F fgood
reading from file test2.pcap, link-type EN10MB (Ethernet)
#

The "extra" filter passes a packet for some reason (the SYN):
# tcpdump -nr test2.pcap -F fextra
reading from file test2.pcap, link-type EN10MB (Ethernet)
22:50:08.053719 IP 10.0.2.15.44128 > 10.0.2.2.80: Flags [S], seq 3067912571, win 29200, options [mss 1460,sackOK,TS val 44286743 ecr 0,nop,wscale 7], length 0
# 

Can someone explain to me why these two filters would not be equivalent?
The files used in this test can be obtained by running the following
command:
    echo "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" | base64 -d | tar -xvz


Thanks, I hope this venue is appropriate! I looked on the pcap-filter
man page, but probably missed something!

Eldon

--- End Message ---
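As an added reference check (not code from the post, and not tcpdump's own compiler), the following Python re-implements only the host/net/and/or/not semantics of pcap-filter(7) and evaluates both expressions from the post against the two packets shown; the packet addresses come from the post, the extra address pairs are constructed.

```python
import ipaddress

# Constructed from the two packets in the post: (source, destination).
PACKETS = [
    ("10.0.2.15", "10.0.2.2"),   # the SYN
    ("10.0.2.2", "10.0.2.15"),   # the RST
]


def host(addr):
    """'host A' matches when A is the source or the destination."""
    a = ipaddress.ip_address(addr)
    return lambda src, dst: src == a or dst == a


def net(cidr):
    """'net N' matches when the source or the destination lies in N."""
    n = ipaddress.ip_network(cidr)
    return lambda src, dst: src in n or dst in n


# Same operand order as the files fgood and fextra in the post.
def fgood(src, dst):
    return not (host("10.0.2.2")(src, dst) and
                (host("10.0.2.1")(src, dst) or
                 (host("10.0.2.15")(src, dst) or net("192.168.1.0/24")(src, dst))))


def fextra(src, dst):
    return not (host("10.0.2.2")(src, dst) and
                (host("10.0.2.1")(src, dst) or
                 (net("192.168.1.0/24")(src, dst) or host("10.0.2.15")(src, dst))))


def passed(filt, packets=PACKETS):
    """Return the (src, dst) pairs the filter would let tcpdump print."""
    return [(s, d) for s, d in packets
            if filt(ipaddress.ip_address(s), ipaddress.ip_address(d))]


def filters_agree(pairs):
    """True when both filters give the same verdict on every pair."""
    return all(fgood(ipaddress.ip_address(s), ipaddress.ip_address(d)) ==
               fextra(ipaddress.ip_address(s), ipaddress.ip_address(d))
               for s, d in pairs)


if __name__ == "__main__":
    print("fgood passes :", passed(fgood))    # []
    print("fextra passes:", passed(fextra))   # []
```

Under plain boolean semantics both filters reject both packets, so a difference in tcpdump's output points at the compiled BPF program (compare `tcpdump -d -F fgood` with `tcpdump -d -F fextra`, with and without `-O`) rather than at the expression itself.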
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
