Thanks Loris and Guy for your answers.

Loris Degioanni wrote:
host localhost and port 2404
but this will filter the packets with the loopback IP address.


Guy Harris wrote:
...which won't capture packets sent over "real" interfaces, as they won't have the loopback interface as source or destination.
he means he only wants to see traffic to or from the machine running the WinPcap-based application, then he should not run in promiscuous mode; a filter that includes "not broadcast and not multicast"


I did not explain my goal too well.

I am sniffing the communication of an embedded appliance.
The appliance acts as a server on TCP port 2404.
It also receives UDP multicast packets (from many hosts) on UDP port 2405.

For troubleshooting, I want to sniff the traffic
1- with the appliance vendor MAC as source or dest
2- UDP multicast
3- ICMP from/to the sniffing computer (it uses PING to test the appliance and the hosts connected to the appliance TCP server).


The sniffing computer can have many IPs on one NIC, and also many NICs installed.
So I think the simplest solution to filter its PING is something like "ICMP && localhost"
(with localhost NOT resolved as 127.0.0.1).


I need to run in promiscuous mode, and my current BPFilter is:
(ether[0:4] >> 8 == 0x0090C2) || (ether[6:4] >> 8 == 0x0090C2) || (ip multicast) || icmp


My application further accepts/discards packets using other rules.


ciao, Massimo



==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/winpcap-users@winpcap.polito.it/

==================================================================
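
What the filter in the message above matches, term by term, written as a C predicate over untagged Ethernet II / IPv4 frames (an added example, not part of the original post and not WinPcap code). The names `match` and `frame` and all sample MAC/IP addresses are constructed for illustration; `ip multicast` is modeled as "first destination octet >= 224", and passing the sniffer's own addresses narrows the `icmp` term to the `icmp and (host A or host B)` form.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define VENDOR_OUI 0x0090C2u  /* OUI used by the filter in the post */

/* Constructed sample addresses (assumptions, not from the post). */
const uint8_t APPL[6] = {0x00, 0x90, 0xC2, 0x01, 0x02, 0x03};
const uint8_t PC_A[6] = {0x02, 0, 0, 0, 0, 0x0A};
const uint8_t PC_B[6] = {0x02, 0, 0, 0, 0, 0x0B};
const uint8_t LOCAL[2][4] = {{192, 168, 1, 10}, {10, 0, 0, 10}};  /* sniffer */
const uint8_t IP_HOST1[4] = {192, 168, 1, 50};
const uint8_t IP_HOST2[4] = {192, 168, 1, 51};
const uint8_t IP_MCAST[4] = {239, 1, 1, 1};

/* Big-endian 32-bit load, the same value BPF yields for ether[off:4]. */
static uint32_t load32(const uint8_t *p, size_t off) {
    return ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
           ((uint32_t)p[off + 2] << 8) | p[off + 3];
}

/* Posted filter when local == NULL. With local addresses given, the icmp term
   is narrowed to "icmp and (host A or host B ...)". */
int match(const uint8_t *f, size_t len, const uint8_t (*local)[4], size_t n) {
    if (len < 14) return 0;
    if (load32(f, 0) >> 8 == VENDOR_OUI) return 1;  /* ether[0:4] >> 8: dst MAC OUI */
    if (load32(f, 6) >> 8 == VENDOR_OUI) return 1;  /* ether[6:4] >> 8: src MAC OUI */
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00) return 0;  /* not IPv4 */
    if (f[30] >= 224) return 1;                     /* ip multicast: ip[16] >= 224 */
    if (f[23] != 1) return 0;                       /* icmp: ip[9] == 1 */
    if (local == NULL) return 1;                    /* bare icmp: any host's ping */
    for (size_t i = 0; i < n; i++)
        if (!memcmp(f + 26, local[i], 4) || !memcmp(f + 30, local[i], 4)) return 1;
    return 0;
}

/* Constructed 34-byte Ethernet II + IPv4 header in a static buffer. */
const uint8_t *frame(const uint8_t *dmac, const uint8_t *smac, uint8_t proto,
                     const uint8_t *sip, const uint8_t *dip) {
    static uint8_t f[34];
    memset(f, 0, sizeof f);
    memcpy(f, dmac, 6);
    memcpy(f + 6, smac, 6);
    f[12] = 0x08; f[13] = 0x00; f[14] = 0x45; f[23] = proto;
    memcpy(f + 26, sip, 4);
    memcpy(f + 30, dip, 4);
    return f;
}
```

With the bare `icmp` term, a ping between two other hosts seen in promiscuous mode also matches; supplying the local address list is what restricts it to the sniffing computer's own pings.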
