Re: [tcpdump-workers] Stick with Travis for continuous integration, or switch?

2021-02-01 Thread Denis Ovsienko via tcpdump-workers
--- Begin Message ---
On Mon, 18 Jan 2021 22:29:21 -0800
Guy Harris via tcpdump-workers wrote:

> I guess we meet those requirements, although I'm not too keen on
> having to keep going hat-in-hand to them every time we run out of
> credits; hopefully, we can just get a renewable amount.

I had requested a renewable OSS allowance on 29 January, got the
template response and confirmed the details. Let's see where it goes.
The account is at 3790/1 credits as of today, in other words, three
more builds of libpcap or at most one tcpdump build, if/when the latter
migrates.

-- 
Denis Ovsienko
--- End Message ---
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

[tcpdump-workers] Question regarding unexpected tcpdump expression evaluation

2021-02-01 Thread Eldon Stegall via tcpdump-workers
--- Begin Message ---
Hello All,
I seem to be having an odd issue with tcpdump, or my understanding of
it, and I would like to request clarification. I hope this is an
appropriate place to do so, and that I'm not doing something foolish.
Thanks in advance, issue description follows:

Consider the following pcap, synthetically generated for this test. It
is a simple SYN and RST:

# tcpdump -nr test2.pcap
reading from file test2.pcap, link-type EN10MB (Ethernet)
22:50:08.053719 IP 10.0.2.15.44128 > 10.0.2.2.80: Flags [S], seq 3067912571, win 29200, options [mss 1460,sackOK,TS val 44286743 ecr 0,nop,wscale 7], length 0
22:50:08.054140 IP 10.0.2.2.80 > 10.0.2.15.44128: Flags [R.], seq 0, ack 3067912572, win 0, length 0

Now, consider the following filters:

# grep . fgood fextra
fgood:not ((host 10.0.2.2) and (host 10.0.2.1  or (host 10.0.2.15 or net 192.168.1.0/24)))
fextra:not ((host 10.0.2.2) and (host 10.0.2.1  or (net 192.168.1.0/24 or host 10.0.2.15)))

It would seem to me that the logical "or" is commuted, which should make
these two expressions equivalent.  However, the resulting output of
supplying these two filters with the pcap to tcpdump is not equivalent.
The "good" filter passes no packets, because the negated expression
evaluates to true, as both sides of the "and" are fulfilled:

# tcpdump -nr test2.pcap -F fgood
reading from file test2.pcap, link-type EN10MB (Ethernet)
#

The "extra" filter passes a packet for some reason (the SYN):

# tcpdump -nr test2.pcap -F fextra
reading from file test2.pcap, link-type EN10MB (Ethernet)
22:50:08.053719 IP 10.0.2.15.44128 > 10.0.2.2.80: Flags [S], seq 3067912571, win 29200, options [mss 1460,sackOK,TS val 44286743 ecr 0,nop,wscale 7], length 0
# 

Can someone explain to me why these two filters would not be equivalent?
The files used in this test can be obtained by running the following
command:

echo "..." | base64 -d | tar -xvz


Thanks, I hope this venue is appropriate! I looked on the pcap-filter
man page, but probably missed something!

Eldon
--- End Message ---
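
As an added illustration (not part of the original message, and not tcpdump or libpcap code), this reference evaluator applies plain boolean semantics to the two filters over the addresses of the two packets shown above. The names PACKETS, parse, matches and passed are hypothetical; it handles only the primitives used in the message and says nothing about how libpcap compiles a filter.

```python
import ipaddress
import re

# Constructed from the two packets in the tcpdump output above: (src, dst).
PACKETS = {"SYN": ("10.0.2.15", "10.0.2.2"), "RST": ("10.0.2.2", "10.0.2.15")}
FGOOD = "not ((host 10.0.2.2) and (host 10.0.2.1  or (host 10.0.2.15 or net 192.168.1.0/24)))"
FEXTRA = "not ((host 10.0.2.2) and (host 10.0.2.1  or (net 192.168.1.0/24 or host 10.0.2.15)))"


def parse(text):
    """Parse the subset used above (not/and/or, parentheses, host, net) into a tree."""
    toks = re.findall(r"[()]|[^\s()]+", text)[::-1]  # reversed, so pop() reads left to right

    def expr():  # "and"/"or": equal precedence, left-associative (pcap-filter(7))
        node = term()
        while toks and toks[-1] in ("and", "or"):
            node = (toks.pop(), node, term())
        return node

    def term():
        tok = toks.pop() if toks else None
        if tok == "not":  # negation binds tightest
            return ("not", term())
        if tok == "(":
            node = expr()
            if not toks or toks.pop() != ")":
                raise ValueError("expected ')'")
            return node
        if tok in ("host", "net") and toks:
            return ("net", ipaddress.ip_network(toks.pop()))  # a host is a /32 network
        raise ValueError(f"unexpected token {tok!r}")

    tree = expr()
    if toks:
        raise ValueError(f"trailing token {toks[-1]!r}")
    return tree


def matches(tree, src, dst):  # True when a packet with these addresses should be printed
    if tree[0] == "not":
        return not matches(tree[1], src, dst)
    if tree[0] == "net":  # no src/dst qualifier: either address may match
        return any(ipaddress.ip_address(a) in tree[1] for a in (src, dst))
    left, right = matches(tree[1], src, dst), matches(tree[2], src, dst)
    return (left and right) if tree[0] == "and" else (left or right)


def passed(filter_text):
    tree = parse(filter_text)
    return [name for name, (src, dst) in PACKETS.items() if matches(tree, src, dst)]
```

Under this reading `passed(FGOOD)` and `passed(FEXTRA)` both return an empty list, which is the result the message expects tcpdump to give for both filter files.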