On Fri, Feb 07, 2003 at 03:25:11PM +0100, Gisle Vanem wrote:
> I have the following filter to log "suspicious traffic" to my PC:
>
> icmp || (udp && (host not 217.13.7.136 and host not 217.13.4.21))
> ||
> (
> (tcp[13] & 3 != 0) &&
> (port not (25 || 80 || 110 || 119 || 6346 || 6347))
> )
>
> "windump -dF suspicious.filter" says:
>
> (000) ldh [12]
> (001) jeq #0x800 jt 2 jf 11
> (002) ldb [23]
> (003) jeq #0x1 jt 14 jf 4
> (004) jeq #0x11 jt 5 jf 15
> (005) ld [26]
> (006) jeq #0xd90d0788 jt 15 jf 7
> (007) jeq #0xd90d0415 jt 15 jf 8
> (008) ld [30]
> (009) jeq #0xd90d0788 jt 15 jf 10
> (010) jeq #0xd90d0415 jt 15 jf 14
> (011) jeq #0x86dd jt 12 jf 15 ; IPv6 enabled windump
> (012) ldb [20]
> (013) jeq #0x11 jt 14 jf 15
> (014) ret #96
> (015) ret #0
That's odd, because if I do
.\windump -r {Ethernet capture file} -d "icmp || (udp && (host not 217.13.7.136 and host not 217.13.4.21)) || ((tcp[13] & 3 != 0) && (port not (25 || 80 || 110 || 119 || 6346 || 6347)) )"
with WinDump 3.6.1 and WinPcap 2.3, the resulting program is
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 31
(002) ldb [23]
(003) jeq #0x1 jt 34 jf 4
(004) jeq #0x11 jt 5 jf 11
(005) ld [26]
(006) jeq #0xd90d0788 jt 35 jf 7
(007) jeq #0xd90d0415 jt 35 jf 8
(008) ld [30]
(009) jeq #0xd90d0788 jt 35 jf 10
(010) jeq #0xd90d0415 jt 35 jf 34
(011) jeq #0x6 jt 12 jf 35
(012) ldh [20]
(013) jset #0x1fff jt 35 jf 14
(014) ldxb 4*([14]&0xf)
(015) ldb [x + 27]
(016) jset #0x3 jt 17 jf 35
(017) ldh [x + 14]
(018) jeq #0x19 jt 35 jf 19
(019) jeq #0x50 jt 35 jf 20
(020) jeq #0x6e jt 35 jf 21
(021) jeq #0x77 jt 35 jf 22
(022) jeq #0x18ca jt 35 jf 23
(023) jeq #0x18cb jt 35 jf 24
(024) ldh [x + 16]
(025) jeq #0x19 jt 35 jf 26
(026) jeq #0x50 jt 35 jf 27
(027) jeq #0x6e jt 35 jf 28
(028) jeq #0x77 jt 35 jf 29
(029) jeq #0x18ca jt 35 jf 30
(030) jeq #0x18cb jt 35 jf 34
(031) jeq #0x86dd jt 32 jf 35
(032) ldb [20]
(033) jeq #0x11 jt 34 jf 35
(034) ret #65535
(035) ret #0
If I put your filter into a file, and do
.\windump -r {Ethernet capture file} -dF {filter file}
I get the same program.
If you're not using the standard WinPcap and WinDump, this might be a
bug - ask the WinPcap developers about it. (I tried it with the current
CVS tcpdump and libpcap, and it worked.)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
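One way to check what such a listing actually matches, rather than reading the jumps by hand, is to feed it to a small interpreter for the text that `windump -d` / `tcpdump -d` prints. The following is an added example, not code from either message or from the tcpdump project: it parses the second (36-instruction) listing above, implements only the opcodes that listing uses, and runs it over constructed Ethernet frames. The MAC addresses, the 10.0.0.x hosts, the port numbers other than those in the filter, and the IPv6 addresses are made-up test input; checksums are left zero because BPF never looks at them.

```python
"""Interpret the BPF listing WinDump printed for the 'suspicious traffic' filter
and run it over constructed Ethernet frames.  Added example, not code from the
thread; frames (MACs, 10.0.0.x hosts, unlisted ports) are made-up test input."""
import re
import socket
import struct

# The second listing from the reply above, several instructions per line.
BPF_PROGRAM = """
(000) ldh [12]  (001) jeq #0x800 jt 2 jf 31  (002) ldb [23]  (003) jeq #0x1 jt 34 jf 4
(004) jeq #0x11 jt 5 jf 11  (005) ld [26]  (006) jeq #0xd90d0788 jt 35 jf 7
(007) jeq #0xd90d0415 jt 35 jf 8  (008) ld [30]  (009) jeq #0xd90d0788 jt 35 jf 10
(010) jeq #0xd90d0415 jt 35 jf 34  (011) jeq #0x6 jt 12 jf 35  (012) ldh [20]
(013) jset #0x1fff jt 35 jf 14  (014) ldxb 4*([14]&0xf)  (015) ldb [x + 27]
(016) jset #0x3 jt 17 jf 35  (017) ldh [x + 14]  (018) jeq #0x19 jt 35 jf 19
(019) jeq #0x50 jt 35 jf 20  (020) jeq #0x6e jt 35 jf 21  (021) jeq #0x77 jt 35 jf 22
(022) jeq #0x18ca jt 35 jf 23  (023) jeq #0x18cb jt 35 jf 24  (024) ldh [x + 16]
(025) jeq #0x19 jt 35 jf 26  (026) jeq #0x50 jt 35 jf 27  (027) jeq #0x6e jt 35 jf 28
(028) jeq #0x77 jt 35 jf 29  (029) jeq #0x18ca jt 35 jf 30  (030) jeq #0x18cb jt 35 jf 34
(031) jeq #0x86dd jt 32 jf 35  (032) ldb [20]  (033) jeq #0x11 jt 34 jf 35
(034) ret #65535  (035) ret #0
"""

_INSN = re.compile(r"^\((\d+)\)\s+(\S+)\s*(.*?)\s*$")
_ABS = re.compile(r"^\[(\d+)\]$")                      # ld* [k]
_IND = re.compile(r"^\[x\s*\+\s*(\d+)\]$")              # ld* [x + k]
_MSH = re.compile(r"^4\*\(\[(\d+)\]&0xf\)$")            # ldxb 4*([k]&0xf)
_JMP = re.compile(r"^#(\w+)\s+jt\s+(\d+)\s+jf\s+(\d+)$")

def parse_program(text):
    """Turn 'tcpdump -d' style text into a list of (opcode, operand) tuples.
    ';' comments are dropped and several instructions may share one line."""
    text = re.sub(r";[^\n]*", "", text)
    insns = []
    for piece in re.split(r"(?=\(\d+\)\s)", text):
        piece = piece.strip()
        if not piece:
            continue
        m = _INSN.match(piece)
        if not m or int(m.group(1)) != len(insns):
            raise ValueError("bad or out-of-order instruction: %r" % piece)
        insns.append((m.group(2), m.group(3)))
    return insns

def _load(pkt, off, size):
    """Big-endian load; None when the access runs past the end of the frame."""
    if off < 0 or off + size > len(pkt):
        return None
    return int.from_bytes(pkt[off:off + size], "big")

def run_bpf(insns, pkt):
    """Execute the program on one frame; returns the accept length (0 = drop).
    An out-of-bounds load drops the frame, as the libpcap/kernel interpreters do."""
    a = x = pc = 0
    for _ in range(4 * len(insns)):  # classic BPF has no backward jumps
        op, arg = insns[pc]
        if op in ("ld", "ldh", "ldb"):
            m = _ABS.match(arg)
            off = int(m.group(1)) if m else x + int(_IND.match(arg).group(1))
            a = _load(pkt, off, {"ld": 4, "ldh": 2, "ldb": 1}[op])
            if a is None:
                return 0
            pc += 1
        elif op == "ldxb":  # x = 4 * (pkt[k] & 0xf): the IPv4 header length
            v = _load(pkt, int(_MSH.match(arg).group(1)), 1)
            if v is None:
                return 0
            x, pc = 4 * (v & 0xf), pc + 1
        elif op in ("jeq", "jset"):
            k, jt, jf = _JMP.match(arg).groups()
            k = int(k, 0)
            pc = int(jt) if ((a == k) if op == "jeq" else (a & k) != 0) else int(jf)
        elif op == "ret":
            return int(arg.lstrip("#"), 0)
        else:
            raise ValueError("opcode not implemented: %r" % op)
    return 0

def eth(ethertype, payload):
    return b"\x02\0\0\0\0\x01" + b"\x02\0\0\0\0\x02" + struct.pack("!H", ethertype) + payload

def ipv4(proto, src, dst, l4, frag=0):
    """Ethernet II + IPv4 header without options; 'frag' is the fragment offset field."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, frag & 0x1fff,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth(0x0800, hdr + l4)

def ipv6(next_header, l4):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(l4), next_header, 64,
                      b"\xfe\x80" + b"\0" * 14, b"\xfe\x80" + b"\0" * 13 + b"\x01")
    return eth(0x86dd, hdr + l4)

def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 9, 0) + b"x"

ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
SYN, ACK = 0x02, 0x10
SUSPICIOUS = parse_program(BPF_PROGRAM)

def verdicts():
    """Run the compiled filter over constructed frames; True = would be logged."""
    frames = {
        "icmp echo": ipv4(1, "10.0.0.9", "10.0.0.5", ICMP_ECHO),
        "udp from excluded 217.13.7.136": ipv4(17, "217.13.7.136", "10.0.0.5", udp(53, 1234)),
        "udp to excluded 217.13.4.21": ipv4(17, "10.0.0.9", "217.13.4.21", udp(1234, 53)),
        "udp between other hosts": ipv4(17, "10.0.0.9", "10.0.0.5", udp(1234, 53)),
        "tcp syn to port 22": ipv4(6, "10.0.0.9", "10.0.0.5", tcp(40000, 22, SYN)),
        "tcp syn to port 80": ipv4(6, "10.0.0.9", "10.0.0.5", tcp(40000, 80, SYN)),
        "tcp syn from port 80 to 22": ipv4(6, "10.0.0.9", "10.0.0.5", tcp(80, 22, SYN)),
        "tcp ack-only to port 22": ipv4(6, "10.0.0.9", "10.0.0.5", tcp(40000, 22, ACK)),
        "tcp syn to 22, non-first fragment": ipv4(6, "10.0.0.9", "10.0.0.5", tcp(40000, 22, SYN), frag=0x10),
        "ipv6 udp": ipv6(17, udp(1234, 53)),
        "ipv6 icmpv6": ipv6(58, ICMP_ECHO),
        "arp": eth(0x0806, b"\0" * 28),
    }
    return {name: run_bpf(SUSPICIOUS, f) != 0 for name, f in frames.items()}

if __name__ == "__main__":
    for name, hit in verdicts().items():
        print("%-38s %s" % (name, "SUSPICIOUS" if hit else "ignored"))
```

Running it confirms what the listing encodes: IPv4 ICMP is always accepted, UDP is accepted unless either address is one of the two excluded hosts, and TCP is accepted only when SYN or FIN is set, the frame is a first fragment (instructions 012-013), and neither port is in the list. It also makes two properties visible that are easy to miss when reading the jumps: non-first fragments of a TCP segment are never logged, and the IPv6 branch (031-033) accepts only next-header 0x11, so ICMPv6 is ignored by this program. The same interpreter can be pointed at the quoted listing from the first message to compare the two compilations on identical frames.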