You said in your previous mail that you were using WinPCap 3.0. Did you try 3.1b4 too? Do you have the same results?

Loris


James Garrison wrote:
I tried doing the capture using only the example files
included in the PCap developer's kit, compiled under cygwin,
and got exactly the same results.

./pf -i "\Device\NPF_{31D5255E-54E4-482B-B31C-58CA451DBFFE}" \
    -o test.dat -p "port 25"

The resulting capture file contains only one side of the
conversation.  However,

./pf -i "\Device\NPF_{31D5255E-54E4-482B-B31C-58CA451DBFFE}" \
    -o test2.dat

contains both sides.  I converted the output into text by
copying the raw capture files to a Linux (RH Fedora Core 3)
system and using "tcpdump -r".  In the listings below
10.56.8.41 is my client system, and 67.97.236.234 is the
smtp server.  The server is one network hop away and physically
in the room next door.

test.dat - captured using "port 25" as a filter

10.56.8.41.3607 > 67.97.236.234.smtp: S 4157222901:4157222901(0) win 65535 <mss 1360,nop,nop,sackOK>
10.56.8.41.3607 > 67.97.236.234.smtp: . ack 459380354 win 65535
10.56.8.41.3607 > 67.97.236.234.smtp: P 0:19(19) ack 119 win 65417
10.56.8.41.3607 > 67.97.236.234.smtp: P 19:29(10) ack 404 win 65132
10.56.8.41.3607 > 67.97.236.234.smtp: P 29:149(120) ack 433 win 65103
10.56.8.41.3607 > 67.97.236.234.smtp: P 149:232(83) ack 555 win 64981
10.56.8.41.3607 > 67.97.236.234.smtp: P 232:309(77) ack 884 win 64652
10.56.8.41.3607 > 67.97.236.234.smtp: P 309:548(239) ack 1183 win 64353
10.56.8.41.3607 > 67.97.236.234.smtp: P 548:581(33) ack 1244 win 64292
10.56.8.41.3607 > 67.97.236.234.smtp: P 581:628(47) ack 1283 win 64253
10.56.8.41.3607 > 67.97.236.234.smtp: P 628:663(35) ack 1322 win 64214
10.56.8.41.3607 > 67.97.236.234.smtp: P 663:726(63) ack 1381 win 65535
10.56.8.41.3607 > 67.97.236.234.smtp: P 726:778(52) ack 1446 win 65470
10.56.8.41.3607 > 67.97.236.234.smtp: P 778:805(27) ack 1499 win 65417
10.56.8.41.3607 > 67.97.236.234.smtp: P 805:1510(705) ack 1566 win 65350
10.56.8.41.3607 > 67.97.236.234.smtp: P 1510:1534(24) ack 1566 win 65350
10.56.8.41.3607 > 67.97.236.234.smtp: P 1534:1561(27) ack 1659 win 65257
10.56.8.41.3607 > 67.97.236.234.smtp: . ack 1748 win 65169
10.56.8.41.3607 > 67.97.236.234.smtp: P 1561:1584(23) ack 1748 win 65169
10.56.8.41.3607 > 67.97.236.234.smtp: F 1584:1584(0) ack 1748 win 65169


test2.dat - captured with no filter specified

10.56.8.41.3810 > 67.97.236.234.smtp: S 1079252123:1079252123(0) win 65535 <mss 1360,nop,nop,sackOK>
67.97.236.234.smtp > 10.56.8.41.3810: S 581786450:581786450(0) ack 1079252124 win 17680 <mss 1460,nop,nop,sackOK>
10.56.8.41.3810 > 67.97.236.234.smtp: . ack 1 win 65535
67.97.236.234.smtp > 10.56.8.41.3810: P 1:119(118) ack 1 win 17680
10.56.8.41.3810 > 67.97.236.234.smtp: P 1:20(19) ack 119 win 65417
67.97.236.234.smtp > 10.56.8.41.3810: P 119:404(285) ack 20 win 17661
10.56.8.41.3810 > 67.97.236.234.smtp: P 20:30(10) ack 404 win 65132
67.97.236.234.smtp > 10.56.8.41.3810: P 404:433(29) ack 30 win 17651
10.56.8.41.3810 > 67.97.236.234.smtp: P 30:150(120) ack 433 win 65103
67.97.236.234.smtp > 10.56.8.41.3810: P 433:555(122) ack 150 win 17531
10.56.8.41.3810 > 67.97.236.234.smtp: P 150:233(83) ack 555 win 64981
67.97.236.234.smtp > 10.56.8.41.3810: P 555:884(329) ack 233 win 17448
10.56.8.41.3810 > 67.97.236.234.smtp: P 233:310(77) ack 884 win 64652
67.97.236.234.smtp > 10.56.8.41.3810: P 884:1183(299) ack 310 win 17371
10.56.8.41.3810 > 67.97.236.234.smtp: P 310:549(239) ack 1183 win 64353
67.97.236.234.smtp > 10.56.8.41.3810: P 1183:1244(61) ack 549 win 17132
10.56.8.41.3810 > 67.97.236.234.smtp: P 549:582(33) ack 1244 win 64292
67.97.236.234.smtp > 10.56.8.41.3810: P 1244:1283(39) ack 582 win 17099
10.56.8.41.3810 > 67.97.236.234.smtp: P 582:629(47) ack 1283 win 64253
67.97.236.234.smtp > 10.56.8.41.3810: P 1283:1322(39) ack 629 win 17052
10.56.8.41.3810 > 67.97.236.234.smtp: P 629:664(35) ack 1322 win 64214
67.97.236.234.smtp > 10.56.8.41.3810: P 1322:1381(59) ack 664 win 17017
10.56.8.41.3810 > 67.97.236.234.smtp: P 664:727(63) ack 1381 win 65535
67.97.236.234.smtp > 10.56.8.41.3810: P 1381:1446(65) ack 727 win 16954
10.56.8.41.3810 > 67.97.236.234.smtp: P 727:779(52) ack 1446 win 65470
67.97.236.234.smtp > 10.56.8.41.3810: P 1446:1499(53) ack 779 win 16902
10.56.8.41.3810 > 67.97.236.234.smtp: P 779:806(27) ack 1499 win 65417
67.97.236.234.smtp > 10.56.8.41.3810: P 1499:1566(67) ack 806 win 16875
10.56.8.41.3810 > 67.97.236.234.smtp: P 806:1508(702) ack 1566 win 65350
67.97.236.234.smtp > 10.56.8.41.3810: P 1566:1657(91) ack 1508 win 17680
10.56.8.41.3810 > 67.97.236.234.smtp: P 1508:1535(27) ack 1657 win 65259
67.97.236.234.smtp > 10.56.8.41.3810: P 1657:1745(88) ack 1535 win 17653
67.97.236.234.smtp > 10.56.8.41.3810: F 1745:1745(0) ack 1535 win 17653
10.56.8.41.3810 > 67.97.236.234.smtp: . ack 1746 win 65171
10.56.8.41.3810 > 67.97.236.234.smtp: P 1535:1558(23) ack 1746 win 65171
10.56.8.41.3810 > 67.97.236.234.smtp: F 1558:1558(0) ack 1746 win 65171
67.97.236.234.smtp > 10.56.8.41.3810: R 1746:1746(0) ack 1558 win 0
67.97.236.234.smtp > 10.56.8.41.3810: R 581788196:581788196(0) win 0


My system is a Dell Latitude C840 with an integrated 3COM 3C920
(3C905C-TX) network adapter.  The OS is Windows XP SP2 with all
current patches.
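
Added example, not part of the original thread: a check over "tcpdump -r" text output that flags a connection captured in one direction only, and notes when the captured side's ack numbers advance, which shows the peer did send data that the capture lacks. The function name and report keys are assumptions; the sample lines are copied from the two listings above.

```python
import re
from collections import defaultdict

# Old-style tcpdump text line, e.g.
# "10.56.8.41.3607 > 67.97.236.234.smtp: P 0:19(19) ack 119 win 65417"
LINE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)

# First lines of test.dat (captured with the "port 25" filter).
FILTERED = """\
10.56.8.41.3607 > 67.97.236.234.smtp: S 4157222901:4157222901(0) win 65535 <mss 1360,nop,nop,sackOK>
10.56.8.41.3607 > 67.97.236.234.smtp: . ack 459380354 win 65535
10.56.8.41.3607 > 67.97.236.234.smtp: P 0:19(19) ack 119 win 65417
10.56.8.41.3607 > 67.97.236.234.smtp: P 19:29(10) ack 404 win 65132
"""

# First lines of test2.dat (captured with no filter).
UNFILTERED = """\
10.56.8.41.3810 > 67.97.236.234.smtp: S 1079252123:1079252123(0) win 65535 <mss 1360,nop,nop,sackOK>
67.97.236.234.smtp > 10.56.8.41.3810: S 581786450:581786450(0) ack 1079252124 win 17680 <mss 1460,nop,nop,sackOK>
10.56.8.41.3810 > 67.97.236.234.smtp: . ack 1 win 65535
67.97.236.234.smtp > 10.56.8.41.3810: P 1:119(118) ack 1 win 17680
10.56.8.41.3810 > 67.97.236.234.smtp: P 1:20(19) ack 119 win 65417
"""

def direction_report(text):
    """Per connection: was only one direction captured, and did acks advance?"""
    counts = defaultdict(lambda: defaultdict(int))  # flow -> sender -> packets
    acks = defaultdict(lambda: defaultdict(set))    # flow -> sender -> ack values
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a TCP summary line in this format
        flow = tuple(sorted((m["src"], m["dst"])))  # direction-independent key
        counts[flow][m["src"]] += 1
        if m["ack"]:
            acks[flow][m["src"]].add(int(m["ack"]))
    report = {}
    for flow in counts:
        silent = [ep for ep in flow if counts[flow][ep] == 0]
        seen = [ep for ep in flow if counts[flow][ep] > 0]
        report[flow] = {
            "one_sided": bool(silent),
            # Advancing acks from the captured side mean the peer sent data.
            "peer_data_acked": bool(silent) and len(acks[flow][seen[0]]) > 1,
        }
    return report
```
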




==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/winpcap-users@winpcap.polito.it/

To unsubscribe use mailto: [EMAIL PROTECTED]
==================================================================
