The underlying problem here is not a difference between libpcap 1.0.0 (which 
is, in effect, what you're using here, unless you're using an old version of 
WinPcap) and libpcap 1.1.1 (which is what comes with the OS on my machine, OS X 
Mountain Lion).

It's that, as there's no BPF mechanism for dealing cleanly with VLAN headers 
(BPF having been developed back in 1993 or so, and 802.1Q having come out in 
1998), VLANs require the explicit "vlan" keyword, so that, for example:

        1) to test for a given IP address being *present* in packets with VLAN 
headers, you have to do "vlan and host XXX.XXX.XXX.XXX", and to test for it 
being present both with and without VLAN headers, you have to do "host 
XXX.XXX.XXX.XXX or (vlan and host XXX.XXX.XXX.XXX)";

        2) to *exclude* IP packets in which a given IP address is present, you 
need to do

                !(host XXX.XXX.XXX.XXX or (vlan and host XXX.XXX.XXX.XXX))

so the correct filter for your simple case is

        !(host 192.168.10.2 or (vlan and host 192.168.10.2))

and the correct filter for your more-complex case is

        !(host 192.168.10.2 or host 192.168.0.3 or port 161 or (vlan and (host 192.168.10.2 or host 192.168.0.3 or port 161)))

(some parentheses may be redundant).
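
Added example, not part of the original message and not libpcap's generated code: a simplified Python model of why a fixed-offset "host" test never matches an 802.1Q-tagged frame, so a bare "!host" exclusion lets tagged traffic for that address through. The function names, frame builder and the 10.0.0.x addresses are constructed for illustration; the model covers IPv4 only and treats "vlan" as a 4-byte offset shift.

```python
import socket
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100

def ipv4_frame(src, dst, vlan_id=None):
    """Build a constructed Ethernet+IPv4 frame, optionally 802.1Q-tagged."""
    eth = bytes(6) + bytes(6)  # dst/src MAC, zeroed sample values
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id)  # TPID + TCI
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

def host(frame, addr, shift=0):
    """Fixed-offset test: EtherType at 12+shift, IPv4 src/dst at 26/30+shift."""
    if len(frame) < 34 + shift:
        return False
    if struct.unpack_from("!H", frame, 12 + shift)[0] != ETH_IPV4:
        return False
    a = socket.inet_aton(addr)
    return a in (frame[26 + shift:30 + shift], frame[30 + shift:34 + shift])

def vlan_and_host(frame, addr):
    """'vlan and host X': require TPID 0x8100 at offset 12, then shift by 4."""
    if len(frame) < 14:
        return False
    tagged = struct.unpack_from("!H", frame, 12)[0] == ETH_VLAN
    return tagged and host(frame, addr, shift=4)

def naive_exclude(frame, addr):      # models: !host X
    return not host(frame, addr)

def correct_exclude(frame, addr):    # models: !(host X or (vlan and host X))
    return not (host(frame, addr) or vlan_and_host(frame, addr))

def captured(frames, keep, addr):
    """Names of the frames the given exclusion filter would still capture."""
    return [name for name, f in frames if keep(f, addr)]

FRAMES = [  # constructed sample traffic
    ("untagged-target", ipv4_frame("192.168.10.2", "10.0.0.1")),
    ("tagged-target", ipv4_frame("10.0.0.1", "192.168.10.2", vlan_id=100)),
    ("tagged-other", ipv4_frame("10.0.0.5", "10.0.0.1", vlan_id=100)),
]

if __name__ == "__main__":
    print("naive  :", captured(FRAMES, naive_exclude, "192.168.10.2"))
    print("correct:", captured(FRAMES, correct_exclude, "192.168.10.2"))
```

With the naive exclusion the tagged frame to 192.168.10.2 is still captured; only the combined form drops it.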