Hi All
I found out that my previous posting below had an error in byte ordering. I have corrected that, but I still do not get the expected result.
I guess I have confirmed that there IS an error in parsing the Filter String.
Here are my findings.
I am interested in capturing packets that have destination IP between 192.168.0.3 and 192.168.0.7
A=3232235523 (192.168.0.3)
B=3232235527 (192.168.0.7)
(1)
ip and ip[16:4]>= A and ip[16:4]<= B
This string captures packets destined to A only.
(2)
ip and ip[16:4]<= B and ip[16:4]>= A
This string captures packets destined to B only.
(3)
ip and ip[16:4]>= A
This string captures packets whose IP address is A or above (as expected).
(4)
ip and ip[16:4]<=B
This string captures packets destined to B or below (as expected).
I guess my analysis does prove that there is some problem in parsing the filter string. Please let me know what you all think about this. If I am wrong somewhere please let me know. If my findings do prove a parsing error then can this problem be solved?
Thanks
Nitesh
Nitesh Gupta <[EMAIL PROTECTED]> wrote:
Hi

I have a similar problem, but it is quite possible that I am making some silly mistake. I am instead trying to capture all those IP packets whose destination IP address is between 192.168.0.1 and 192.168.0.5. The following expression does not allow any IP packets to be captured.

(ip proto \tcp or arp) and (not ether src 00:c1:26:0e:5e:24) and (ip[16:4] >= 16820416) and (ip[16:4] <= 83929280)

(ip proto \tcp or arp) is used so that only IP and ARP packets are captured. (not ether src 00:c1:26:0e:5e:24) is used so that packets sent by the NIC itself are not captured back. The ether address is the address of the NIC itself.

Please help me find the problem.

Thanks
Nitesh

Hi Daniel.

The byte order is verified to be OK. I also wrote that when I stated that:

A : 10.0.0.10 = 167772170
B : 10.0.0.12 = 167772172

This should capture only traffic originating from A or B. This works as supposed to.

( ip [12:4] = A or ip [12:4] = B )

To verify it again, I tried your suggestion:

Normal byte order : ( ip [12:4] = 167772172 )
This works and captures only packets from B.

Opposite byte order : ( ip [12:4] = 201326602 )
This doesn't work and captures nothing.

This is why I think there is an error in my logic (filter string) or in the bpf system. And since the filter string looks OK to anybody who has seen it, I think it's a bpf/parser bug.

Filter string:
( ( ip [12:4] >= A ) and ( ip [12:4] <= B ) )

Btw, my system is Windows XP, running 3.0 WinPcap, and using Ethereal to test the filter strings.

J. Thomsen

----- Original Message -----
From: Daniel
Sent: Monday, September 01, 2003 1:52 AM
Subject: Re: [WinPcap-users] filtering ip ranges / bpf error ?

I wrote my answer without testing it myself. Maybe byte order is messed up, since on A it won't really matter: swapping 10.0.0.10 to the other byte order will still give 10.0.0.10, so it could capture A, and not the others. Try that.

Daniel

----- Original Message -----
From: winpcap
Sent: Sunday, August 31, 2003 1:43 PM
Subject: Re: [WinPcap-users] filtering ip ranges / bpf error ?

Hi Daniel.

Thanks for the answer. I have been playing with it some, and now I think I have found an error in the bpf logic or parser. Here are my findings. Of course I might be doing the following wrong, but please correct me if so. Since I have taken it home to play with here, I will use other IPs than in my first email.

A : 10.0.0.10 = 167772170
B : 10.0.0.12 = 167772172

This should capture only traffic originating from A or B. This works as supposed to.

( ip [12:4] = A or ip [12:4] = B )

This should capture any traffic originating from any address starting at A and ending at B, including both A and B and any addresses in between, like 10.0.0.11 here.

( ip [12:4] >= A and ip [12:4] <= B )

But it doesn't work. It captures only traffic from A. Rewriting it like this doesn't help; it still doesn't work.

( ( ip [12:4] >= A ) and ( ip [12:4] <= B ) )

As a test, I negated it to see what happens. And it negates the error, and captures anything but A.

To try and find out if it is the "equal to" signs that I have wrong, I tried again like this:

( ( ip [12:4] > A-1 ) and ( ip [12:4] < B+1 ) )

The error is still there, and this is where my logic stops :/

I also found a mail from the archives describing the same problem:

Hopefully someone can confirm if I am doing this wrong, or if this is really a bug in the bpf system.

Regards,
J. Thomsen

From: Daniel
Sent: Saturday, August 30, 2003 8:10 PM
Subject: Re: [WinPcap-users] filetring ip ranges

Filtering from 192.168.1.1 - 192.168.1.15 could be done (I think) like this:

You convert your starting range and finishing range to long IPs (use inet_addr):
192.168.1.1 becomes: 16885952
192.168.1.15 becomes: 251766976

When compiling the filter you pass this string "(ip[12:4] >= 16885952) and (ip[12:4] <= 16885952)".

I could have made a mistake somewhere, but you can figure it out, I hope.

ip[12:4] accesses the source IP address in the IP header. If you want to filter destination IP addresses, you access the 16th byte, so ip[16:4]. The 4 in the [12:4] means IP version 4 (or 4 bytes per addr). For IPv6, it would be a different story...

Hope it helps,
Daniel

----- Original Message -----
From: Nitesh Gupta
Sent: Saturday, August 30, 2003 3:14 AM
Subject: Re: [WinPcap-users] filetring ip ranges

Hi

I posted the same question some time ago but couldn't get a reply. An answer to this question could be very helpful to me too.

Thanks,

Hi all.

I have tried to make the bpf filter accept port ranges, like 192.168.1.1 - 192.168.1.15, but I can't get it to work, nor can I find examples on this, or how it could be done. I checked the manuals for tcpdump, but I didn't find anything useful. (But maybe I read that like the devil reads the bible?)

I hope someone can give me an example on how to do this.

Have a nice weekend all.

/Regards J. Thomsen
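Added example (not code from this thread, from WinPcap or from libpcap): a small Python model of what a BPF range filter such as `ip[16:4] >= A and ip[16:4] <= B` actually compares. BPF loads the four bytes at the given offset of the IP header as one big-endian (network-order) unsigned 32-bit integer, so the constants must be written in that order. The block builds constructed IPv4 headers, evaluates the range check over a constructed list of destination addresses, and computes both the network-order value and the value obtained by reading `inet_addr()`'s bytes as a native little-endian integer, which reproduces the two kinds of numbers quoted in the thread (3232235523 versus 16820416 for addresses in 192.168.0.0/24). The source address, header field values and candidate destinations are assumptions for the demo.

```python
import socket
import struct

# Constructed example, not code from the WinPcap-users thread.
# BPF's ip[16:4] loads the four destination-address bytes of the IPv4 header
# and compares them as one big-endian (network-order) unsigned 32-bit integer.


def ip_to_bpf_int(dotted):
    """Integer that BPF compares ip[12:4] / ip[16:4] against: the address
    bytes read in network (big-endian) order."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def ip_to_swapped_int(dotted):
    """The same four bytes reinterpreted as a little-endian native int, which is
    what an x86 host prints if inet_addr()'s return value is used as a plain
    unsigned long instead of being converted with ntohl()."""
    return struct.unpack("<I", socket.inet_aton(dotted))[0]


def build_ipv4_header(src, dst):
    """Constructed minimal 20-byte IPv4 header (no options; checksum left 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,   # version 4, IHL 5
        0,      # TOS
        20,     # total length (header only for this demo)
        0,      # identification
        0,      # flags / fragment offset
        64,     # TTL
        6,      # protocol: TCP
        0,      # header checksum (not computed for the demo)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )


def bpf_load_word(ip_header, offset):
    """ip[offset:4]: four bytes at the given header offset, big-endian."""
    return struct.unpack_from("!I", ip_header, offset)[0]


def dst_in_range(ip_header, lo, hi):
    """Evaluates 'ip[16:4] >= lo and ip[16:4] <= hi' on one header."""
    word = bpf_load_word(ip_header, 16)
    return lo <= word <= hi


def matching_destinations(dsts, lo_dotted, hi_dotted, swapped=False):
    """Returns the destinations the range filter accepts when the bounds are
    written in network order (swapped=False) or in byte-swapped order."""
    conv = ip_to_swapped_int if swapped else ip_to_bpf_int
    lo, hi = conv(lo_dotted), conv(hi_dotted)
    matched = []
    for dst in dsts:
        hdr = build_ipv4_header("192.168.0.100", dst)  # constructed source
        if dst_in_range(hdr, lo, hi):
            matched.append(dst)
    return matched


if __name__ == "__main__":
    # Constructed candidate destinations around the 192.168.0.3 - 192.168.0.7 range.
    candidates = ["192.168.0.2", "192.168.0.3", "192.168.0.5",
                  "192.168.0.7", "192.168.0.8"]
    print("A =", ip_to_bpf_int("192.168.0.3"), "B =", ip_to_bpf_int("192.168.0.7"))
    print("network-order bounds:",
          matching_destinations(candidates, "192.168.0.3", "192.168.0.7"))
    print("byte-swapped bounds :",
          matching_destinations(candidates, "192.168.0.1", "192.168.0.5", swapped=True))
```

With network-order bounds the filter accepts .3, .5 and .7; with the byte-swapped bounds 16820416 and 83929280 no address in 192.168.0.0/24 can satisfy it, because every such address reads as roughly 3.2 billion in network order. The 10.0.0.10 case is the exception Daniel mentions: its bytes are a palindrome, so both conversions give 167772170, while 10.0.0.12 swaps to 201326602.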