Hi Bernd,
On Thu, 9 Jun 2011, Bernd Bornkessel wrote:
The working filter is:
vlan and (dst net 192.76.141.0/24 or dst net 194.55.246.0/23 or dst net
195.246.160/19 or dst net 88.215.224.0/19 or dst net 62.93.212.0/23 or
dst net 62.93.246.0/23 or dst net 88.215.192.0/19)
The non-working are:
vlan and ((vlan 365 or vlan 1337) and (dst net 192.76.141.0/24 or dst
net 194.55.246.0/23 or dst net 195.246.160/19 or dst net 88.215.224.0/19
or dst net 62.93.212.0/23 or dst net 62.93.246.0/23 or dst net
88.215.192.0/19))
((vlan 365 or vlan 1337) and (dst net 192.76.141.0/24 or dst net
194.55.246.0/23 or dst net 195.246.160/19 or dst net 88.215.224.0/19 or
dst net 62.93.212.0/23 or dst net 62.93.246.0/23 or dst net
88.215.192.0/19))
I think you may be falling victim to this (from man pcap-filter(7)):
vlan [vlan_id]
True if the packet is an IEEE 802.1Q VLAN packet. If
[vlan_id] is specified, only true if the packet has the specified vlan_id.
Note that the first vlan keyword encountered in expression changes the
decoding offsets for the remainder of expression on the assumption that
the packet is a VLAN packet. The vlan [vlan_id] expression may be used
more than once, to filter on VLAN hierarchies. Each use of that
expression increments the filter offsets by 4.
Therefore I don't think you can use the "vlan" keyword more than once in
the same expression (unless you have vlan hierarchies). This appears to be
a limitation (and a rather "unusual" one) of libpcap, not pmacct.
If they really want to support nested vlans (and I would seriously
question the sanity of anyone who used them) I would respectfully suggest
that they modify the "vlan" keyword to not change the filter offset, and
create a new keyword like "nested-vlan" which does.
Cheers, Chris.
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
