Wireshark mailing list archives

Re: Capture filter question


From: Sake Blok <sake () euronet nl>
Date: Mon, 7 Nov 2011 07:03:01 +0100

On 6 nov 2011, at 10:18, Marco Zuppone wrote:

> the point of my question was:
> What is the difference between 'not arp and port not 53' and 'not arp and not port 53'??
> Maybe it is possible to reduce the problem to: what is the difference between 'not port xxx' and 'port not xxx'?
> Both syntaxes are accepted, but I was wondering if there is a difference in the end result if the 'not' clause is before or after the 'port' one.

You can check the resulting BPF code of a capture filter in the Wireshark capture options. The BPF code is the machine code instructions for the BPF engine. You can also use tcpdump to generate it:

sake@MacSake:~$ tcpdump -d "ip and not port 53"
tcpdump: WARNING: en0: no IPv4 address assigned
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 14
(002) ldb      [23]
(003) jeq      #0x84            jt 6    jf 4
(004) jeq      #0x6             jt 6    jf 5
(005) jeq      #0x11            jt 6    jf 13
(006) ldh      [20]
(007) jset     #0x1fff          jt 13   jf 8
(008) ldxb     4*([14]&0xf)
(009) ldh      [x + 14]
(010) jeq      #0x35            jt 14   jf 11
(011) ldh      [x + 16]
(012) jeq      #0x35            jt 14   jf 13
(013) ret      #65535
(014) ret      #0
sake@MacSake:~$ tcpdump -d "ip and port not 53"
tcpdump: WARNING: en0: no IPv4 address assigned
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 14
(002) ldb      [23]
(003) jeq      #0x84            jt 6    jf 4
(004) jeq      #0x6             jt 6    jf 5
(005) jeq      #0x11            jt 6    jf 13
(006) ldh      [20]
(007) jset     #0x1fff          jt 13   jf 8
(008) ldxb     4*([14]&0xf)
(009) ldh      [x + 14]
(010) jeq      #0x35            jt 14   jf 11
(011) ldh      [x + 16]
(012) jeq      #0x35            jt 14   jf 13
(013) ret      #65535
(014) ret      #0
sake@MacSake:~$ 

As you can see, both filters generate the same BPF code, so the filters are the same.

Hope this helps,
Cheers,


Sake
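To see what the listing above actually does to a packet, here is an added example that is not part of the original message: a small Python interpreter for exactly the instructions in the `tcpdump -d` output, run over constructed Ethernet/IPv4 frames. The opcode labels `ldxb_msh` and `ldh_ind` and the helper names `run_bpf` and `make_packet` are my own; the instruction order, operands and jump targets are copied from the listing.

```python
import struct

# "ip and not port 53" as listed by tcpdump -d, transcribed as (op, k, jt, jf);
# jt/jf are the absolute instruction numbers printed in the listing.
PROG = [
    ("ldh", 12, 0, 0), ("jeq", 0x800, 2, 14),      # EtherType == IPv4?
    ("ldb", 23, 0, 0), ("jeq", 0x84, 6, 4),        # proto SCTP, TCP or UDP?
    ("jeq", 0x6, 6, 5), ("jeq", 0x11, 6, 13),      # anything else: accept
    ("ldh", 20, 0, 0), ("jset", 0x1fff, 13, 8),    # non-first fragment: accept
    ("ldxb_msh", 14, 0, 0),                        # x = 4*([14]&0xf), IP header length
    ("ldh_ind", 14, 0, 0), ("jeq", 0x35, 14, 11),  # source port == 53 -> drop
    ("ldh_ind", 16, 0, 0), ("jeq", 0x35, 14, 13),  # dest port == 53 -> drop
    ("ret", 65535, 0, 0), ("ret", 0, 0, 0),
]

def run_bpf(prog, pkt):
    """Execute prog over pkt; return the accept length (0 means drop)."""
    a = x = pc = 0
    while True:
        op, k, jt, jf = prog[pc]
        if op in ("jeq", "jset"):
            hit = (a == k) if op == "jeq" else bool(a & k)
            pc = jt if hit else jf
            continue
        if op == "ret":
            return k
        if op == "ldh":                       # A = halfword at [k]
            a = struct.unpack_from("!H", pkt, k)[0]
        elif op == "ldb":                     # A = byte at [k]
            a = pkt[k]
        elif op == "ldxb_msh":                # X = 4*([k]&0xf)
            x = 4 * (pkt[k] & 0x0F)
        elif op == "ldh_ind":                 # A = halfword at [X + k]
            a = struct.unpack_from("!H", pkt, x + k)[0]
        pc += 1

def make_packet(proto, sport, dport, frag_off=0):
    """Constructed Ethernet/IPv4 frame with a minimal 8-byte L4 header (sample data)."""
    eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, frag_off, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

if __name__ == "__main__":
    for proto, sport, dport in ((17, 1234, 53), (6, 1234, 80)):
        print(proto, sport, dport, run_bpf(PROG, make_packet(proto, sport, dport)))
```

Because the page shows both filters compile to this same program, running either one through the interpreter gives identical verdicts, including the less obvious cases: ICMP and non-first IP fragments are accepted, since "port 53" cannot be true for them.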


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

