Hello,
I see in "help about" of ethereal the following:
Compiled with GTK+ 2.2.1, with GLib 2.4.6, with libpcap 0.8.3, with libz 1.1.4,
without libpcre, without UCD-SNMP or Net-SNMP, without ADNS.
NOTE: this build doesn't support the "matches" operator for Ethereal filter
syntax.
Running with libpcap version 0.8.3 on Linux 2.4.20-8.
Maybe I will check it with an older version of libpcap.
The problem is reproducible and consistent.
I never succeeded in joining filters in a capture filter when trying as
I had depicted in my previous message.
Regards,
John
On 7/14/05, MH <procana@xxxxxxxxxxxxxx> wrote:
> On Thu, Jul 14, 2005 at 07:13:32AM -0400, John Que wrote:
> > Hello,
> > Thanks;
> >
> > I had made the following tests, and
> > these are my results:
> > since I am using udp and not tcp I had tried with udp[2:2] and not tcp[2:2]
> >
> > when the filter is udp[2:2] > 8000 it works - gives all packets sent to port
> > larger than 8000.
> > also udp[2:2] < 8000 gives the expected results.
> >
> > When in conjunction with another than qualifier - it does ***NOT*** work.
> > like
> > udp[2:2] > 8000 and udp[2:2] <8010
> > or
> > (udp[2:2] > 8000 and udp[2:2] <8010)
> > or
> > ( (udp[2:2] > 8000) and (udp[2:2] <8010) )
> >
> > I don't have a clue why joining both conditions does not work.
> >
> > Does anybody know ?
> >
> > Regards,
> > John
> >
>
> Hi John,
>
> The syntax for the filter string is correct. What is strange is that
> (I suspect) depending on your version of libpcap your results will be
> entirely different. On one of my Linux boxes, this filter was basically
> broken. There was no data captured. This was very perplexing as the syntax
> is correct. I then tested this on one of my OpenBSD boxes and it worked
> perfectly. I tested it on an older Linux box that had an older version of pcap.
> The filter worked. The difference between the Linux systems was the version of libpcap.
> So, I then tested this again on the first Linux system but I back-revved libpcap
> to an older version (0.7.2) and compiled tcpdump against this version.
> The filter worked as expected. It seems this issue is caused by libpcap.
> The filter worked on an *older* version of libpcap (0.7.2-) but 0.8+ didn't
> like it.
>
> Can you reproduce this behavior?
>
> Hope this helps,
> Mike
>
>
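
The filter discussed in this thread, `udp[2:2] > 8000 and udp[2:2] < 8010`, compares bytes 2-3 of the UDP header (the destination port) against both bounds. The following is an added example, not part of the original messages: an independent Python reference for that expression, useful for checking which frames a given libpcap build should have captured. It assumes Ethernet II/IPv4 frames; the function names and the sample frames are constructed for illustration.

```python
import struct

ETH_LEN = 14  # assumption: Ethernet II framing, no VLAN tag


def udp_field(frame: bytes, offset: int, size: int):
    """Value that udp[offset:size] loads, or None when the frame is not
    an IPv4/UDP packet at fragment offset 0 (such frames never match)."""
    if len(frame) < ETH_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:  # EtherType IPv4
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4                     # IP header length
    frag = struct.unpack_from("!H", frame, ETH_LEN + 6)[0] & 0x1FFF
    if frame[ETH_LEN + 9] != 17 or frag != 0:             # protocol 17 = UDP
        return None
    start = ETH_LEN + ihl + offset                        # skip IP options
    if start + size > len(frame):
        return None
    return int.from_bytes(frame[start:start + size], "big")


def in_port_range(frame: bytes, lo: int = 8000, hi: int = 8010) -> bool:
    """Reference verdict for: udp[2:2] > lo and udp[2:2] < hi"""
    port = udp_field(frame, 2, 2)  # bytes 2-3 of the UDP header: dest port
    return port is not None and lo < port < hi


def make_frame(dst_port: int, proto: int = 17, options: bytes = b"") -> bytes:
    """Constructed sample frame (checksums left at zero, not validated)."""
    ihl_words = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                     20 + len(options) + 8, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    udp = struct.pack("!HHHH", 40000, dst_port, 8, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


if __name__ == "__main__":
    for p in (7999, 8000, 8005, 8009, 8010):
        print(p, in_port_range(make_frame(p)))
```

Running the same frames through a capture taken with the combined filter and comparing against these verdicts shows whether a libpcap build is dropping packets that should match.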