--- Begin Message ---
Hello All,
I seem to be having an odd issue with tcpdump, or my understanding of
it, and I would like to request clarification. I hope this is an
appropriate place to do so, and that I'm not doing something foolish.
Thanks in advance; the issue description follows:
Consider the following pcap, synthetically generated for this test. It
is a simple SYN and RST:
# tcpdump -nr test2.pcap
reading from file test2.pcap, link-type EN10MB (Ethernet)
22:50:08.053719 IP 10.0.2.15.44128 > 10.0.2.2.80: Flags [S], seq 3067912571, win 29200, options [mss 1460,sackOK,TS val 44286743 ecr 0,nop,wscale 7], length 0
22:50:08.054140 IP 10.0.2.2.80 > 10.0.2.15.44128: Flags [R.], seq 0, ack 3067912572, win 0, length 0
Now, consider the following filters:
# grep . fgood fextra
fgood:not ((host 10.0.2.2) and (host 10.0.2.1 or (host 10.0.2.15 or net 192.168.1.0/24)))
fextra:not ((host 10.0.2.2) and (host 10.0.2.1 or (net 192.168.1.0/24 or host 10.0.2.15)))
It would seem to me that the logical "or" is commuted, which should make
these two expressions equivalent. However, the resulting output of
supplying these two filters with the pcap to tcpdump is not equivalent.
The "good" filter passes no packets, because the negated expression
evaluates to true, as both sides of the "and" are fulfilled:
# tcpdump -nr test2.pcap -F fgood
reading from file test2.pcap, link-type EN10MB (Ethernet)
#
The "extra" filter passes a packet for some reason (the SYN):
# tcpdump -nr test2.pcap -F fextra
reading from file test2.pcap, link-type EN10MB (Ethernet)
22:50:08.053719 IP 10.0.2.15.44128 > 10.0.2.2.80: Flags [S], seq 3067912571, win 29200, options [mss 1460,sackOK,TS val 44286743 ecr 0,nop,wscale 7], length 0
#
Can someone explain to me why these two filters would not be equivalent?
The files used in this test can be obtained by running the following
command:
echo
"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"
|base64 -d |tar -xvz
Thanks, I hope this venue is appropriate! I looked on the pcap-filter
man page, but probably missed something!
Eldon
--- End Message ---
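As an added reference check (not part of Eldon's message and not libpcap code): a small Python evaluator for the host/net/and/or/not subset of pcap-filter syntax, run against constructed (src, dst) pairs that mirror the posted SYN and RST. Semantically both filters reject both packets, so any difference tcpdump shows must come from how libpcap compiles and optimises the expression, not from the expression's meaning.

```python
import ipaddress
import re

# Constructed (src, dst) pairs mirroring the SYN and RST in the posted pcap.
PACKETS = [("10.0.2.15", "10.0.2.2"), ("10.0.2.2", "10.0.2.15")]
FGOOD = "not ((host 10.0.2.2) and (host 10.0.2.1 or (host 10.0.2.15 or net 192.168.1.0/24)))"
FEXTRA = "not ((host 10.0.2.2) and (host 10.0.2.1 or (net 192.168.1.0/24 or host 10.0.2.15)))"

def compile_filter(expr):
    """Parse the host/net/and/or/not subset of pcap-filter(7) into a predicate
    (src, dst) -> bool. Precedence per the man page: 'not' binds tightest;
    'and' and 'or' have EQUAL precedence and associate left to right."""
    toks = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = [0]  # token cursor shared by the nested parsing functions
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]
    def binary():
        node = primary()
        while peek() in ("and", "or"):
            op, rhs = take(), primary()
            if op == "and":
                node = (lambda l, r: lambda p: l(p) and r(p))(node, rhs)
            else:
                node = (lambda l, r: lambda p: l(p) or r(p))(node, rhs)
        return node
    def primary():
        tok = take()
        if tok == "not":
            inner = primary()
            return lambda p: not inner(p)
        if tok == "(":
            inner = binary()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if tok in ("host", "net"):  # unqualified: src or dst; a host is a /32 net
            target = ipaddress.ip_network(take(), strict=False)
            return lambda p: any(ipaddress.ip_address(a) in target for a in p)
        raise ValueError(f"unsupported token {tok!r}")
    node = binary()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return node

def equivalent_on(f1, f2, packets):
    """True when both filters accept and reject exactly the same packets."""
    return all(compile_filter(f1)(p) == compile_filter(f2)(p) for p in packets)
```

To see whether the two expressions compile to different BPF programs, compare `tcpdump -d -nr test2.pcap -F fgood` with `tcpdump -d -nr test2.pcap -F fextra`, and repeat with `-O` to disable the optimizer.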
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers