Wireshark mailing list archives

Re: Capture filter question


From: Marco Simone Zuppone <msz () msz it>
Date: Mon, 7 Nov 2011 13:42:38 +0000

Hello,

good idea!! Thanks a lot :-)
Kind regards,
Marco - StockTrader

On Mon, Nov 7, 2011 at 6:03 AM, Sake Blok <sake () euronet nl> wrote:

On 6 nov 2011, at 10:18, Marco Zuppone wrote:

the point of my question was:
What is the difference between 'not arp and port not 53' and 'not arp
and not port 53'?
Maybe it is possible to reduce the problem to: what is the difference
between 'not port xxx' and 'port not xxx'?
Both syntaxes are accepted, but I was wondering if there is a
difference in the end result if the 'not' clause is before or after the
'port' one.

You can check the resulting BPF code of a capture filter in the Wireshark
capture options. The BPF code is the machine code instructions for the BPF
engine. You can also use tcpdump to generate them:

sake@MacSake:~$ tcpdump -d "ip and not port 53"
tcpdump: WARNING: en0: no IPv4 address assigned
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 14
(002) ldb      [23]
(003) jeq      #0x84            jt 6    jf 4
(004) jeq      #0x6             jt 6    jf 5
(005) jeq      #0x11            jt 6    jf 13
(006) ldh      [20]
(007) jset     #0x1fff          jt 13   jf 8
(008) ldxb     4*([14]&0xf)
(009) ldh      [x + 14]
(010) jeq      #0x35            jt 14   jf 11
(011) ldh      [x + 16]
(012) jeq      #0x35            jt 14   jf 13
(013) ret      #65535
(014) ret      #0
sake@MacSake:~$ tcpdump -d "ip and port not 53"
tcpdump: WARNING: en0: no IPv4 address assigned
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 14
(002) ldb      [23]
(003) jeq      #0x84            jt 6    jf 4
(004) jeq      #0x6             jt 6    jf 5
(005) jeq      #0x11            jt 6    jf 13
(006) ldh      [20]
(007) jset     #0x1fff          jt 13   jf 8
(008) ldxb     4*([14]&0xf)
(009) ldh      [x + 14]
(010) jeq      #0x35            jt 14   jf 11
(011) ldh      [x + 16]
(012) jeq      #0x35            jt 14   jf 13
(013) ret      #65535
(014) ret      #0
sake@MacSake:~$

As you can see, both filters generate the same BPF code, so the filters
are the same.

Hope this helps,
Cheers,


Sake


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
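The listing that tcpdump -d printed above can be read as a small program and executed by hand. The following is an added example, not code from the thread: a minimal interpreter for the opcodes that appear in the listing (ldh, ldb, ldxb 4*([k]&0xf), ldh [x+k], jeq, jset, ret), with the "ip and not port 53" program transcribed instruction by instruction and run against a handful of constructed Ethernet frames. The frames, MAC and IP addresses, and port numbers are made up for the demonstration; the jump targets are the absolute instruction numbers tcpdump printed. Running it shows two things the listing implies but the thread does not spell out: a packet with no ports (ICMP) is kept, and a non-first IP fragment of a DNS datagram is kept as well, because instruction 007 (jset #0x1fff) accepts any fragment whose offset is non-zero before the port fields are ever examined.

```python
"""Interpreter for the classic-BPF subset printed by tcpdump -d in the thread.

Added example, not code from the mailing-list post. The program below is a
transcription of the "ip and not port 53" listing; every frame is constructed
test data (addresses and ports are arbitrary).
"""
import struct

# (opcode, k, jt, jf); jt/jf are the absolute targets from the tcpdump -d output.
BPF_IP_AND_NOT_PORT_53 = [
    ("ldh", 12, None, None),       # (000) A = Ethernet type
    ("jeq", 0x800, 2, 14),         # (001) IPv4? else drop
    ("ldb", 23, None, None),       # (002) A = IP protocol
    ("jeq", 0x84, 6, 4),           # (003) SCTP
    ("jeq", 0x6, 6, 5),            # (004) TCP
    ("jeq", 0x11, 6, 13),          # (005) UDP, else keep (no ports => "not port 53" holds)
    ("ldh", 20, None, None),       # (006) A = IP flags + fragment offset
    ("jset", 0x1fff, 13, 8),       # (007) non-first fragment => keep without checking ports
    ("ldxb_ihl", 14, None, None),  # (008) X = 4 * IHL = IP header length
    ("ldh_x", 14, None, None),     # (009) A = source port
    ("jeq", 0x35, 14, 11),         # (010) sport == 53 => drop
    ("ldh_x", 16, None, None),     # (011) A = destination port
    ("jeq", 0x35, 14, 13),         # (012) dport == 53 => drop
    ("ret", 65535, None, None),    # (013) keep (snaplen bytes)
    ("ret", 0, None, None),        # (014) drop
]


def run_bpf(program, pkt):
    """Return the filter verdict: bytes to keep, 0 means drop.
    A load past the end of the packet drops it, as the BPF engine does."""
    a = x = pc = 0
    while True:
        op, k, jt, jf = program[pc]
        if op in ("ldh", "ldb", "ldxb_ihl", "ldh_x"):
            off = k + (x if op == "ldh_x" else 0)
            size = 1 if op in ("ldb", "ldxb_ihl") else 2
            if off + size > len(pkt):
                return 0
            val = struct.unpack_from("!B" if size == 1 else "!H", pkt, off)[0]
            if op == "ldxb_ihl":
                x = 4 * (val & 0xF)
            else:
                a = val
            pc += 1
        elif op == "jeq":
            pc = jt if a == k else jf
        elif op == "jset":
            pc = jt if a & k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError("unsupported opcode %r" % op)


# --- constructed frames (not captured traffic) ---
def ethernet(ethertype, payload):
    return bytes(6) + bytes(6) + struct.pack("!H", ethertype) + payload


def ipv4(proto, payload, frag_offset=0, more_fragments=False):
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ethernet(0x0800, header + payload)


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


FRAMES = {
    "arp": ethernet(0x0806, bytes(28)),
    "dns_query_udp": ipv4(17, udp(40000, 53, bytes(12))),
    "dns_reply_udp": ipv4(17, udp(53, 40000, bytes(12))),
    "https_tcp": ipv4(6, tcp(50000, 443)),
    "icmp": ipv4(1, bytes(8)),
    "dns_first_fragment": ipv4(17, udp(40000, 53, bytes(12)), more_fragments=True),
    "dns_later_fragment": ipv4(17, bytes(20), frag_offset=185),  # no UDP header present
    "truncated_ip": ipv4(17, b"")[:30],                          # cut before the ports
}


def accepts(frame, program=BPF_IP_AND_NOT_PORT_53):
    return run_bpf(program, frame) != 0


def verdicts(frames=FRAMES):
    """Map each constructed frame name to True (kept) or False (dropped)."""
    return {name: accepts(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, kept in verdicts().items():
        print("%-20s %s" % (name, "keep" if kept else "drop"))
```

The practical consequence for a capture: 'not port 53' excludes DNS on the first fragment only, so large DNS responses that arrive fragmented still leave their trailing fragments in the trace, and a truncated or malformed IP header makes the filter drop the frame rather than keep it.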
