expression rejects all packets

Bill Fenner fenner at research.att.com
Wed Sep 12 18:33:50 PDT 2001


I'm still not 100% clear what the problem is.  pcap_compile()
resets the off_linktype and off_nl fields before compiling the
expression, so a "vlan" qualifier in an earlier expression can't
affect future calls to pcap_compile().  Multiple "vlan" qualifiers
in the same expression set the offsets to the same constant
offset.

The only bug I'm aware of is that the "vlan" qualifier is positional
and so affects all expressions after it, so if you use the expression
"( vlan and ip ) or ip" (trying to match non-trunked IP packets as well as
VLAN-trunked) you end up getting just trunked packets; you need to use
"ip or ( vlan and ip )".

Actually, I take it back -- after composing this email, I decided to
double-check the compiler, and there's an optimizer bug that affects
the first construct I described:

mango% ./xprtest vlan and ip or ip
(000) ldh      [12]
(001) ldh      [16]
(002) jeq      #0x800           jt 3    jf 4
(003) ret      #96
(004) ret      #0

Disabling the optimizer results in a correct (but redundant) expression.
Perhaps you're running into something like this?

  Bill
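
The five-instruction listing in the message can be traced by hand. The following is an added example, not part of the original e-mail and not libpcap code: a small interpreter for the three opcodes that appear in that listing, run over three constructed frames to show which ones the program accepts. The names `run_filter`, `verdict` and `listing` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Interpreter for the three classic-BPF opcodes that appear in the listing. */
enum op { LDH, JEQ, RET };
struct insn { enum op op; uint32_t k; size_t jt, jf; };

/* The five instructions exactly as printed in the message. */
static const struct insn listing[] = {
    { LDH, 12,    0, 0 },  /* (000) loaded, then overwritten without a test */
    { LDH, 16,    0, 0 },  /* (001) ethertype position behind a VLAN tag */
    { JEQ, 0x800, 3, 4 },  /* (002) jt 3 jf 4 */
    { RET, 96,    0, 0 },  /* (003) accept, snap length 96 */
    { RET, 0,     0, 0 },  /* (004) reject */
};

/* Returns the snap length granted by the filter; 0 means rejected. */
static uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; ) {
        switch (p[pc].op) {
        case LDH:
            if (p[pc].k + 2 > len) return 0;  /* short packet: reject */
            a = (uint32_t)pkt[p[pc].k] << 8 | pkt[p[pc].k + 1];
            pc++;
            break;
        case JEQ: pc = (a == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case RET: return p[pc].k;
        }
    }
    return 0;
}

/* Constructed frame: 18 zero bytes with only offsets 12 and 16 filled in. */
static uint32_t verdict(uint16_t at12, uint16_t at16)
{
    uint8_t f[18] = {0};
    f[12] = at12 >> 8; f[13] = at12 & 0xff;
    f[16] = at16 >> 8; f[17] = at16 & 0xff;
    return run_filter(listing, sizeof listing / sizeof listing[0], f, sizeof f);
}

int main(void)
{
    printf("VLAN-tagged IPv4: %u\n", (unsigned)verdict(0x8100, 0x0800));
    printf("untagged IPv4:    %u\n", (unsigned)verdict(0x0800, 0x0054));
    printf("untagged ARP:     %u\n", (unsigned)verdict(0x0806, 0x0800));
    return 0;
}
```

As printed, the listing never tests the halfword at offset 12, so it accepts any frame with 0x0800 at offset 16 (an untagged ARP frame carries its protocol type there) and rejects ordinary untagged IPv4.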


