Hi Guy,

Thank you for your recommendations. I turned off optimization, and windump is working for this port range condition.

Regards,
Alex Narinsky

-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 22, 2004 3:38 PM
To: Alex Narinsky
Cc: 'Leonid Rodniansky'; 'Ron Ben-natan'; 'Ury Segal'
Subject: [SPAM] Re: [SPAM] Re: [WinPcap-users] Can I specify a range of ports for windump

On Thu, Apr 22, 2004 at 02:47:34PM -0400, Alex Narinsky wrote:
> C:\Documents and Settings\Nir Carmel>c:\download\windump -h
> c:\download\windump version current-cvs.tcpdump.org, based on tcpdump
> version current-cvs.tcpdump.org
> WinPcap version 3.0 alpha, based on libpcap version
> current-cvs.tcpdump.org

OK, that's probably a very recent version of libpcap, which might have the BPF optimizer bug in question.

> Output from using option -h on LINUX:
>
> [EMAIL PROTECTED] tcpdumpExp]# tcpdump -h
> tcpdump version 3.7.2
> libpcap version 0.7.2

That's older, and might not have the bug.

> Output from using option -d on WINDOWS
> C:\Documents and Settings\Nir Carmel>c:\download\windump -d
> "tcp[0:2]>=79 and tcp[0:2]<=81"
> c:\download\windump: listening on
> \Device\NPF_{DC24F406-DA63-4976-A5EA-7F39DDC0AC43}
> (000) ldh [12]
> (001) jeq #0x800 jt 2 jf 12
> (002) ldb [23]
> (003) jeq #0x6 jt 4 jf 12
> (004) ldh [20]
> (005) jset #0x1fff jt 12 jf 6
> (006) ldxb 4*([14]&0xf)
> (007) ldh [x + 14]
> (008) ldx #0x4f
> (009) jge x jt 10 jf 12
> (010) jgt x jt 12 jf 11
> (011) ret #96
> (012) ret #0

That looks like the buggy code...

> Output from using option -d on LINUX
>
> tcpdump -d "tcp[0:2]>=79 and tcp[0:2]<=81"
> (000) ldh [12]
> (001) jeq #0x800 jt 2 jf 11
> (002) ldb [23]
> (003) jeq #0x6 jt 4 jf 11
> (004) ldh [20]
> (005) jset #0x1fff jt 11 jf 6
> (006) ldxb 4*([14]&0xf)
> (007) ldh [x + 14]
> (008) jge #0x4f jt 9 jf 11
> (009) jgt #0x51 jt 11 jf 10
> (010) ret #96
> (011) ret #0

...and that looks like the valid older code.

> Also, since I compiled the source code for pcap maybe I can make changes
> in the source code, what do you think?

You could - but you'd have to know what to fix, if you want to fix that. I haven't had time to look at it (or at the other optimizer bugs on the SourceForge site).

> A range of ports is the only condition we need

There's also a patch on the SourceForge site for a port range operator; I don't know whether it generates code that would cause the same problem for the optimizer, however. If so, the optimizer would need to be fixed.

Note that this is an optimizer bug - if you run tcpdump/WinDump with the "-O" (capital-O) flag, which turns off the optimizer, that expression should work.
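
An added example, not part of the original thread or of libpcap: a small interpreter that runs the two `-d` dumps quoted above against constructed TCP frames, showing which source ports each filter actually accepts. The names `run`, `tcp_frame` and `accepted_ports` are hypothetical, the frames are constructed test input, and the interpreter handles only the opcodes that appear in these two dumps.

```python
import re
import struct

# Both programs are transcribed from the -d dumps quoted in the thread; they share
# the first eight instructions and differ only in the "reject" jump target {r}.
PREFIX = ("ldh [12]; jeq #0x800 jt 2 jf {r}; ldb [23]; jeq #0x6 jt 4 jf {r}; "
          "ldh [20]; jset #0x1fff jt {r} jf 6; ldxb 4*([14]&0xf); ldh [x + 14]; ")
BUGGY = PREFIX.format(r=12) + "ldx #0x4f; jge x jt 10 jf 12; jgt x jt 12 jf 11; ret #96; ret #0"
VALID = PREFIX.format(r=11) + "jge #0x4f jt 9 jf 11; jgt #0x51 jt 11 jf 10; ret #96; ret #0"

def run(program, pkt):
    """Interpret the classic-BPF subset used in these dumps; return the ret value."""
    insns = [i.split() for i in program.split(";")]
    a = x = pc = 0
    while True:
        op, *args = insns[pc]
        nums = [int(n, 0) for n in re.findall(r"0x[0-9a-f]+|\d+", " ".join(args))]
        pc += 1
        if op == "ret":
            return nums[0]                  # snapshot length; 0 means "drop"
        elif op == "ldx":
            x = nums[0]
        elif op == "ldxb":                  # X = IPv4 header length in bytes
            x = 4 * (pkt[nums[1]] & 0xF)
        elif op == "ldb":
            a = pkt[nums[0]]
        elif op == "ldh":                   # [k] or [x + k], big-endian halfword
            off = nums[0] + (x if args[0] == "[x" else 0)
            a = int.from_bytes(pkt[off:off + 2], "big")
        else:                               # jeq / jset / jge / jgt, absolute targets
            k = x if args[0] == "x" else nums[0]
            taken = {"jeq": a == k, "jset": bool(a & k), "jge": a >= k, "jgt": a > k}[op]
            pc = nums[-2] if taken else nums[-1]

def tcp_frame(src_port):
    """Constructed Ethernet/IPv4/TCP frame; only the fields the filter reads are set."""
    eth = bytes(12) + b"\x08\x00"                       # ethertype IPv4 at offset 12
    ip = b"\x45" + bytes(8) + b"\x06" + bytes(10)       # IHL=5, no fragment, proto TCP
    return eth + ip + struct.pack("!HH", src_port, 12345) + bytes(16)

def accepted_ports(program, ports=range(77, 84)):
    """Source ports in `ports` for which the filter returns a non-zero length."""
    return [p for p in ports if run(program, tcp_frame(p))]

if __name__ == "__main__":
    print("valid:", accepted_ports(VALID))
    print("buggy:", accepted_ports(BUGGY))
```

In the buggy program the constant `0x51` is gone and both comparisons use X = `0x4f`, so a capture taken with the optimizer enabled silently misses source ports 80 and 81.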
