----- Original Message -----
Sent: Sunday, August 31, 2003 1:43 PM
Subject: Re: [WinPcap-users] filtering ip ranges / bpf error ?

Hi Daniel.

Thanks for the answer.

I have been playing with it some, and now I think I have found an error in the bpf logic or parser.

Here are my findings. Of course I might be doing the following wrong, but please correct me if so.

Since I have taken it home to play with here, I will use other IPs as in my first email.

A : 10.0.0.10 = 167772170
B : 10.0.0.12 = 167772172

This should capture only traffic originating from A or B. This works as supposed to.

( ip [12:4] = A or ip [12:4] = B )

This should capture any traffic originating from any address starting at A and ending at B, including both A and B and any addresses in between, like 10.0.0.11 here.

( ip [12:4] >= A and ip [12:4] <= B )

But it doesn't work. It captures only traffic from A.

Rewriting it like this doesn't help, it still doesn't work.

( ( ip [12:4] >= A ) and ( ip [12:4] <= B ) )

As a test, I negated it to see what happens. And it negates the error, and captures anything but A.

To try and find out if it is the "equal" to signs that I have wrong, I tried again like this:

( ( ip [12:4] > A-1 ) and ( ip [12:4] < B+1 ) )

The error is still there, and this is where my logic stops :/

I also found a mail from the archives describing the same problem:

Hopefully someone can confirm if I am doing this wrong, or if this is really a bug in the bpf system.

Regards,
J. Thomsen

Sent: Saturday, August 30, 2003 8:10 PM
Subject: Re: [WinPcap-users] filetring ip ranges

Filtering from 192.168.1.1 - 192.168.1.15 could be done (I think) like this:

You convert your starting range and finishing range to long ips (use inet_addr):

192.168.1.1 becomes: 16885952
192.168.1.15 becomes: 251766976

When compiling the filter you pass this string "(ip[12:4] >= 16885952) and (ip[12:4] <= 16885952)".

I could have made a mistake somewhere but you can figure it out, I hope.

ip[12:4] accesses the source IP address in the IP header. If you want to filter destination IP addresses, you access the 16th byte, so ip[16:4]. The 4 in the [12:4] means IP version 4 (or 4 bytes per addr). For IPv6, it would be a different story...

Hope it helps,
Daniel

----- Original Message -----
Sent: Saturday, August 30, 2003 3:14 AM
Subject: Re: [WinPcap-users] filetring ip ranges

Hi

I posted the same question some time ago but couldn't get a reply. An answer to this question could be very helpful to me too.

Thanks,

Hi all.

I have tried to make the bpf filter accept port ranges, like 192.168.1.1 - 192.168.1.15, but I can't get it to work, nor can I find examples on this, or how it could be done.

I checked the manuals for tcpdump, but I didn't find anything useful. (But maybe I read that like the devil reads the bible?)

I hope someone can give me an example on how to do this.

/Regards J. Thomsen
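
Added example, not part of the thread and not WinPcap code: a C helper that builds the address-range filter discussed above from dotted-quad strings, taking each integer in the byte order in which ip[12:4] loads it, plus a software check of the same predicate on a raw IPv4 header. The function names are made up for this example, and the include line assumes a POSIX system.

```c
#include <arpa/inet.h>   /* inet_pton, ntohl; on Windows: winsock2.h, ws2tcpip.h */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Dotted quad -> the unsigned value that ip[12:4] / ip[16:4] yields.
 * BPF loads the four bytes most-significant first, so the network-order
 * bytes from inet_pton() go through ntohl(). Reading s_addr directly on a
 * little-endian host gives a byte-swapped number. */
static int addr_to_bpf(const char *dotted, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return -1;                       /* not a valid IPv4 literal */
    *out = ntohl(a.s_addr);
    return 0;
}

/* Write "(ip[off:4] >= lo) and (ip[off:4] <= hi)" into buf.
 * off is 12 for the source address, 16 for the destination.
 * Returns 0, or -1 on a bad address, reversed range or short buffer. */
int build_range_filter(int off, const char *first, const char *last,
                       char *buf, size_t len)
{
    uint32_t lo, hi;
    if ((off != 12 && off != 16) || addr_to_bpf(first, &lo) ||
        addr_to_bpf(last, &hi) || lo > hi)
        return -1;
    int n = snprintf(buf, len, "(ip[%d:4] >= %lu) and (ip[%d:4] <= %lu)",
                     off, (unsigned long)lo, off, (unsigned long)hi);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Same predicate in software on a raw IPv4 header, for checking captured
 * packets independently of the compiled filter. 1 = inside [lo, hi]. */
int addr_in_range(const uint8_t *ip_hdr, int off, uint32_t lo, uint32_t hi)
{
    uint32_t v = ((uint32_t)ip_hdr[off] << 24) | ((uint32_t)ip_hdr[off + 1] << 16) |
                 ((uint32_t)ip_hdr[off + 2] << 8) | (uint32_t)ip_hdr[off + 3];
    return v >= lo && v <= hi;
}

int main(void)
{
    char f[96];
    if (build_range_filter(12, "192.168.1.1", "192.168.1.15", f, sizeof f) == 0)
        puts(f);
    return 0;
}
```

The resulting string is what would be handed to pcap_compile(); running addr_in_range() over the packets a capture returns shows whether the compiled filter and the intended range agree.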