
Ethereal-users: Re: [Ethereal-users] capture filter and greater than operand

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Thu, 14 Jul 2005 09:49:34 -0400
On Thu, Jul 14, 2005 at 07:13:32AM -0400, John Que wrote:
> Hello,
> Thanks;
> 
> I had made the following tests, and
> these are my results:
> since I am using udp and not tcp I had tried with udp[2:2] and not tcp[2:2]
> 
> when the filter is udp[2:2] > 8000 it works - gives all packets sent to a port
> larger than 8000.
> also udp[2:2] < 8000 gives the expected results.
> 
> When in conjunction with another 'than' qualifier it does ***NOT*** work,
> like 
> udp[2:2] > 8000 and udp[2:2] <8010
> or 
> (udp[2:2] > 8000 and udp[2:2] <8010)
> or 
> ( (udp[2:2] > 8000) and (udp[2:2] <8010) )
> 
> I don't have a clue why joining both conditions does not work.
> 
> Does anybody know ? 
> 
> Regards,
> John
>

Hi John,

The syntax for the filter string is correct.  What is strange is that
(I suspect) depending on your version of libpcap your results will be
entirely different.  On one of my Linux boxes, this filter was basically
broken.  There was no data captured. This was very perplexing as the syntax
is correct.  I then tested this on one of my OpenBSD boxes and it worked
perfectly.  I tested it on an older Linux box that had an older version of pcap.
The filter worked.  The difference between the Linux systems was the version of libpcap.
So, I then tested this again on the first Linux system but I back-revved libpcap
to an older version (0.7.2) and compiled tcpdump against this version.
The filter worked as expected. It seems this issue is caused by libpcap.
The filter worked on an *older* version of libpcap (0.7.2-) but 0.8+ didn't
like it.

Can you reproduce this behavior?

Hope this helps,
Mike
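To repeat Mike's check on any libpcap build, here is an added Python script (not part of this thread). It writes a small pcap of constructed UDP frames with assumed destination ports 7999 through 8011 and computes which of them the filter udp[2:2] > 8000 and udp[2:2] < 8010 should match, so the result of tcpdump -r udp_ports.pcap with that filter can be compared against the expected list.

```python
"""Build a pcap of UDP test frames and evaluate, by hand, the capture filter
udp[2:2] > 8000 and udp[2:2] < 8010 (udp[2:2] is the UDP destination port).
Compare with: tcpdump -nr udp_ports.pcap 'udp[2:2] > 8000 and udp[2:2] < 8010'
"""
import struct

# Constructed sample ports straddling both boundaries of the filter range.
SAMPLE_PORTS = [7999, 8000, 8001, 8005, 8009, 8010, 8011]


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(dport: int, sport: int = 40000, payload: bytes = b"x") -> bytes:
    """Ethernet/IPv4/UDP frame with constructed addresses 10.0.0.1 -> 10.0.0.2."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill checksum
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + udp


def udp_field(frame: bytes, offset: int, size: int) -> int:
    """Value BPF's udp[offset:size] reads: big-endian bytes relative to the UDP header."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 17:
        raise ValueError("not an IPv4/UDP frame")
    udp_start = 14 + (frame[14] & 0x0F) * 4        # Ethernet + IP header (IHL words)
    return int.from_bytes(frame[udp_start + offset:udp_start + offset + size], "big")


def matches_port_range(frame: bytes) -> bool:
    """Reference result for: udp[2:2] > 8000 and udp[2:2] < 8010."""
    dport = udp_field(frame, 2, 2)
    return dport > 8000 and dport < 8010


def expected_matches(frames: list) -> list:
    """Destination ports of the frames a correct libpcap must return for the filter."""
    return [udp_field(fr, 2, 2) for fr in frames if matches_port_range(fr)]


def write_pcap(path: str, frames: list) -> None:
    """Classic pcap file, link type 1 (Ethernet), one record per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1121349000 + i, 0, len(frame), len(frame)) + frame)


if __name__ == "__main__":
    frames = [build_udp_frame(p) for p in SAMPLE_PORTS]
    write_pcap("udp_ports.pcap", frames)
    print("expected matches:", expected_matches(frames))   # [8001, 8005, 8009]
```

If tcpdump prints the three frames for ports 8001, 8005 and 8009 the installed libpcap compiles the conjunction correctly; an empty result reproduces the behaviour Mike describes.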