Hi All
I found out that my previous posting below had an error in byte ordering. I have corrected that, but I still do not get the expected result.
I guess I have confirmed that there IS an error in parsing the Filter String.
Here are my findings.
I am interested in capturing packets that have destination IP between 192.168.0.3 and 192.168.0.7
A = 3232235523 (192.168.0.3)
B = 3232235527 (192.168.0.7)
(1)
ip and ip[16:4] >= A and ip[16:4] <= B
This string captures packets destined to A only.
(2)
ip and ip[16:4] <= B and ip[16:4] >= A
This string captures packets destined to B only.
(3)
ip and ip[16:4] >= A
This string captures packets whose destination IP is A or any address above it (as expected).
(4)
ip and ip[16:4] <= B
This string captures packets destined to B or any address below it (as expected).
I guess my analysis does prove that there is some problem in parsing the filter string. Please let me know what you all think about this. If I am wrong somewhere, please let me know. If my findings do prove a parsing error, can this problem be solved?
Thanks
Nitesh
Nitesh Gupta [EMAIL PROTECTED] wrote:
Hi
I have a similar problem, but it is quite possible that I am making some silly mistake.
I am instead trying to capture all those IP packets whose destination IP address is between 192.168.0.1 and 192.168.0.5. The following expression does not allow any IP packets to be captured.
(ip proto \tcp or arp) and (not ether src 00:c1:26:0e:5e:24) and (ip[16:4] >= 16820416) and (ip[16:4] <= 83929280)
(ip proto \tcp or arp) is used so that only IP and ARP packets are captured.
(not ether src 00:c1:26:0e:5e:24) is used so that packets sent by the NIC itself are not captured back. The ether address is the address of the NIC itself.
Please help me find the problem.
Thanks
Nitesh
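The address arithmetic behind these filters, as an added example in Python that is not part of the original thread. It computes the integer a `>=`/`<=` range comparison on `ip[16:4]` needs (the address read as a big-endian 32-bit number, which is what the BPF load of four bytes at offset 16 produces), shows how the numbers quoted in this thread (16820416 and 83929280 above, and the inet_addr values quoted further down) arise when inet_addr()'s network-order result is read back as a little-endian host integer, and evaluates the range over constructed IPv4 headers as a reference for what such a filter should match. The header builder and the sample packets are constructed for the example; nothing here calls libpcap.

```python
import socket
import struct


def ip_to_filter_int(dotted: str) -> int:
    """Integer to compare against ip[16:4] (or ip[12:4]) in a BPF filter.

    The BPF four-byte load at offset 16 reads the destination address as a
    big-endian (network-order) 32-bit number, so the constant in the filter
    must be the address interpreted the same way: 192.168.0.3 -> 3232235523.
    """
    return int.from_bytes(socket.inet_aton(dotted), "big")


def inet_addr_as_le_host_int(dotted: str) -> int:
    """The number you get when inet_addr()'s result (network byte order) is
    read back as a little-endian host integer on x86: 192.168.0.1 -> 16820416.
    This is NOT the value ip[16:4] will hold for that destination."""
    return int.from_bytes(socket.inet_aton(dotted), "little")


def dst_range_filter(lo: str, hi: str) -> str:
    """Filter string for destination addresses lo..hi inclusive.
    ip[16:4] is the IPv4 destination field (header offset 16)."""
    return (f"ip and ip[16:4] >= {ip_to_filter_int(lo)} "
            f"and ip[16:4] <= {ip_to_filter_int(hi)}")


def ipv4_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def bpf_load_4(pkt: bytes, offset: int) -> int:
    """Mimic the BPF four-byte load at 'offset': big-endian 32-bit value."""
    return int.from_bytes(pkt[offset:offset + 4], "big")


def in_range(pkt: bytes, lo_int: int, hi_int: int, offset: int = 16) -> bool:
    """Reference evaluation of 'ip[offset:4] >= lo and ip[offset:4] <= hi'."""
    return lo_int <= bpf_load_4(pkt, offset) <= hi_int


def matching_destinations(pkts, lo_int: int, hi_int: int):
    """Dotted destinations of the packets the range comparison admits."""
    return [socket.inet_ntoa(p[16:20]) for p in pkts if in_range(p, lo_int, hi_int)]


# Constructed sample: one packet to each of 192.168.0.1 .. 192.168.0.9
SAMPLE = [ipv4_header("10.0.0.1", f"192.168.0.{i}") for i in range(1, 10)]

if __name__ == "__main__":
    print(dst_range_filter("192.168.0.3", "192.168.0.7"))
    lo, hi = ip_to_filter_int("192.168.0.3"), ip_to_filter_int("192.168.0.7")
    print(matching_destinations(SAMPLE, lo, hi))
    # Same range built from little-endian inet_addr numbers: nothing in
    # 192.168.0.0/24 matches, because every destination loads as 0xC0A800xx,
    # far above 83929280.
    print(matching_destinations(SAMPLE,
                                inet_addr_as_le_host_int("192.168.0.1"),
                                inet_addr_as_le_host_int("192.168.0.5")))
```

Running the block prints the filter string and the five addresses a correct range comparison admits; the last call shows why bounds taken from inet_addr() on a little-endian host match nothing in that subnet, which is the symptom the post above describes for its first attempt.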
Hi Daniel.
The byte order is verified to be OK. I also wrote that when I stated that:
A : 10.0.0.10 = 167772170
B : 10.0.0.12 = 167772172
This should capture only traffic originating from A or B. This works as it is supposed to.
( ip [12:4] = A or ip [12:4] = B )
To verify it again, I tried your suggestion:
Normal byte order : ( ip [12:4] = 167772172 )
This works and captures only packets from B.
Opposite byte order : ( ip [12:4] = 201326602 )
This doesn't work and captures nothing.
This is why I think there is an error in my logic (filter string)
or in the bpf system. And since the filter string looks OK to
anybody who has seen it, I think it's a bpf/parser bug.
Filter string:
( ( ip [12:4] >= A ) and ( ip [12:4] <= B ) )
Btw, my system is Windows XP, running WinPcap 3.0,
and using Ethereal to test the filter strings.
J. Thomsen
- Original Message -
From: Daniel
To: [EMAIL PROTECTED]
Sent: Monday, September 01, 2003 1:52 AM
Subject: Re: [WinPcap-users] filtering ip ranges / bpf error ?
I wrote my answer without testing it myself.
Maybe byte order is messed up. Since on A it won't really matter (swapping 10.0.0.10 to the
other byte order will still give 10.0.0.10), it could capture A and not the others. Try that.
Daniel
- Original Message -
From: winpcap
To: [EMAIL PROTECTED]
Sent: Sunday, August 31, 2003 1:43 PM
Subject: Re: [WinPcap-users] filtering ip ranges / bpf error ?
Hi Daniel.
Thanks for the answer. I have been playing with it some, and now I think I have found an error in the bpf logic or parser.
Here are my findings. Of course I might be doing the following wrong, but please correct me if so.
Since I have taken it home to play with here, I will use other IPs than in my first email.
A : 10.0.0.10 = 167772170
B : 10.0.0.12 = 167772172
This should capture only traffic originating from A or B. This works as it is supposed to.
( ip [12:4] = A or ip [12:4] = B )
This should capture any traffic originating from any address starting at A and ending at B, including both A and B and any addresses in between, like 10.0.0.11 here.
( ip [12:4] >= A and ip [12:4] <= B )
But it doesn't work. It captures only traffic from A. Rewriting it like this doesn't help; it still doesn't work.
( ( ip [12:4] >= A ) and ( ip [12:4] <= B ) )
As a test, I negated it to see what happens. And it negates the error, and captures anything but A.
To try to find out if it is the "equal to" signs that I have wrong, I tried again like this:
( ( ip [12:4] > A-1 ) and ( ip [12:4] < B+1 ) )
The error is still there, and this is where my logic stops :/ I also found a mail from the archives describing the same problem:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg01175.html
Hopefully someone can confirm if I am doing this wrong, or if this is really a bug in the bpf system.
Regards,
J. Thomsen
From: Daniel
To: [EMAIL PROTECTED]
Sent: Saturday, August 30, 2003 8:10 PM
Subject: Re: [WinPcap-users] filtering ip ranges
Filtering from 192.168.1.1 - 192.168.1.15 could be done (I think) like this:
You convert your starting range and finishing range to long ips (use inet_addr):
192.168.1.1 becomes: 16885952
192.168.1.15 becomes: 251766976
When compiling the filter you pass this string