Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 6912] Capture filters for higher level protocols don't wor

Date: Mon, 5 Mar 2012 11:15:13 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6912

Guy Harris <guy@xxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
           Platform|x86                         |All
         Resolution|                            |INVALID
            Summary|Capture filters for higher  |Capture filters for higher
                   |level protocols don't work  |level protocols don't work
                   |when there is PPP or PPPoE  |when there are VLAN tags or
                   |encapsulation               |PPPoE encapsulation
         OS/Version|Linux (other)               |All

--- Comment #1 from Guy Harris <guy@xxxxxxxxxxxx> 2012-03-05 11:15:13 PST ---
This is a libpcap issue, not an issue with code in Wireshark; the packet in
question has VLAN tags and is a PPPoE Session packet, so a filter that would
capture it would be "vlan and pppoes and ip".

A filter such as "ip or (vlan and ip) or (vlan and pppoes and ip)" would also
match non-VLAN-encapsulated packets and VLAN-encapsulated packets that aren't
using PPPoE.

That filter would require extra processing per packet if there *aren't*
VLAN-encapsulated or PPPoE packets, so the libpcap filter compiler doesn't
default to adding those checks.

Fixing it "right" would involve additions to the BPF machine language and thus
changes to the Linux/*BSD/Mac OS X/etc. in-kernel BPF interpreters.

(I'm not sure what a "PPP encapsulation" is.  For traffic on a PPP interface,
the filters do work.)

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.