Hi, All
I have a question regarding the use of filter strings to capture
ranges of IPs. Let's say I want to capture traffic whose source or
destination is an IP in the range 10.0.1.50 to 10.0.1.60. The syntax I've
figured out is:
( ip [ 15 : 1 ] >= 50 and ip [ 15 : 1 ] <= 60 ) or ( ip [ 19 : 1 ] >= 50 and ip [ 19 : 1 ] <= 60 )
This is not having the desired effect. If I attempt a telnet from my box
(10.0.1.56) to a test box (10.0.1.117), capturing the packets with Ethereal
using the above filter string, I capture only the reply packets from the test
box (src = 10.0.1.117) to my box (dest = 10.0.1.56). But, and this is the
part I just don't understand, I also capture packets whose source is
10.0.1.55 and 10.0.1.53. Why would it capture those packets but not the ones
I had sent? Do I have the offsets for src and dest IPs relative to the IP
layer all wrong?
There's more, though! The above string is merely a substring of the
following, which is what is actually used in our application:
ip and src 10.0.1.117 and not ( tcp port 5004 ) and not ( ( ( ip [ 15 : 1 ] >= 50 ) and not ( ip [ 15 : 1 ] <= 60 ) ) or ( ( ip [ 19 : 1 ] >= 50 ) and ( ip [ 19 : 1 ] <= 60 ) ) )
This filter string captures the replies from 10.0.1.117 to 10.0.1.56 when
attempting to telnet. Shouldn't there be no capture of that connection at
all, given the above string?
I have read the tcpdump manpage and quite frankly I'd rather not try to
delve into programming of the BPF pseudo-machine. Any help would be greatly
appreciated!
BTW: kudos on WinPcap - it's a solid piece!
Cheers,
Richard
-----------------------------------------------------------------------
Richard Jagodzinski
Research & Development
Non-Elephant Encryption Systems Inc.
(403) 232 6001
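Added example (not part of the original post, and not WinPcap or tcpdump code): a small Python evaluator that reads the two filter expressions from the post literally, byte offset by byte offset, over constructed IPv4 headers. It is the kind of check worth running before trusting a capture filter in a monitoring setup, because a misplaced `not` silently changes what gets recorded. It assumes plain IPv4 headers with no options and no VLAN tag, so offsets are counted from the start of the IP header exactly as tcpdump's `ip[offset:size]` does; the `tcp_port_5004` flag stands in for the port test, since the sample packets carry no TCP header, and `intended_filter` is my assumption about what the longer expression was meant to say.

```python
import socket
import struct


def ipv4_header(src, dst, proto=6):
    """Build a minimal 20-byte IPv4 header for constructed sample packets
    (no options, no VLAN tag). All offsets below are relative to this
    header, which is how tcpdump's ip[offset:size] primitive counts them."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,   # version 4, IHL 5 (20-byte header)
        0,      # TOS
        40,     # total length (header plus a 20-byte TCP header, arbitrary)
        0, 0,   # identification, flags/fragment offset
        64,     # TTL
        proto,  # 6 = TCP
        0,      # checksum left at zero; irrelevant to address filters
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )


def ip_byte(pkt, offset):
    """ip[offset:1]: a single byte read at an offset from the IP header start."""
    return pkt[offset]


def address_octets(pkt):
    """Bytes 12..15 hold the source and 16..19 the destination address,
    so ip[15:1] and ip[19:1] are the last octets of src and dst."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


def range_filter(pkt, lo=50, hi=60):
    """The post's first filter:
    ( ip[15:1] >= lo and ip[15:1] <= hi ) or ( ip[19:1] >= lo and ip[19:1] <= hi )"""
    return (lo <= ip_byte(pkt, 15) <= hi) or (lo <= ip_byte(pkt, 19) <= hi)


def application_filter(pkt, tcp_port_5004=False):
    """Literal boolean reading of the post's longer filter:
      ip and src 10.0.1.117 and not (tcp port 5004) and not (A or B)
    with A = (ip[15:1] >= 50) and not (ip[15:1] <= 60)   <- note the extra 'not'
         B = (ip[19:1] >= 50) and (ip[19:1] <= 60)"""
    is_ip = (pkt[0] >> 4) == 4
    src_ok = address_octets(pkt)[0] == "10.0.1.117"
    s, d = ip_byte(pkt, 15), ip_byte(pkt, 19)
    a = (s >= 50) and not (s <= 60)   # equivalent to s > 60
    b = (d >= 50) and (d <= 60)
    return is_ip and src_ok and not tcp_port_5004 and not (a or b)


def intended_filter(pkt, tcp_port_5004=False):
    """Assumed intent (my reading, not stated in the post): the same filter
    with the source test written as a plain range, i.e. keep packets from
    10.0.1.117 unless src or dst falls in 10.0.1.50..60."""
    is_ip = (pkt[0] >> 4) == 4
    src_ok = address_octets(pkt)[0] == "10.0.1.117"
    return is_ip and src_ok and not tcp_port_5004 and not range_filter(pkt)


if __name__ == "__main__":
    # Constructed sample flows from the post: telnet request and reply.
    for src, dst in [("10.0.1.56", "10.0.1.117"), ("10.0.1.117", "10.0.1.56"),
                     ("10.0.1.55", "10.0.1.117"), ("10.0.1.117", "10.0.1.200")]:
        pkt = ipv4_header(src, dst)
        print(src, "->", dst,
              "range:", range_filter(pkt),
              "as written:", application_filter(pkt),
              "intended:", intended_filter(pkt))
```

Run stand-alone, the script confirms that the offsets are right: `ip[15:1]` and `ip[19:1]` do address the last octets of the source and destination, and the first filter matches both directions of the 10.0.1.56 to 10.0.1.117 exchange as well as traffic from 10.0.1.55 and 10.0.1.53. For the longer expression, the extra `not` turns the source clause into `ip[15:1] > 60`, which is always true once `src 10.0.1.117` holds, so under a literal reading that expression excludes every packet; checking the boolean structure this way is cheaper than debugging it from what a live capture happens to show.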
==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/[EMAIL PROTECTED]/
To unsubscribe use
mailto: [EMAIL PROTECTED]
==================================================================