On 6 nov 2011, at 10:18, Marco Zuppone wrote:
> the point of my question was:
> What is the difference between 'not arp and port not 53' and 'not arp and not port 53'??
> Maybe it is possible to reduce the problem to: what is the difference between 'not port xxx' and 'port not xxx'?
> Both syntaxes are accepted, but I was wondering if there is a difference in the end result if the 'not' clause is before or after the 'port' one.
You can check the resulting BPF code of a capture filter in the Wireshark capture options. The BPF code is the set of machine code instructions for the BPF engine. You can also use tcpdump to generate them:
sake@MacSake:~$ tcpdump -d "ip and not port 53"
tcpdump: WARNING: en0: no IPv4 address assigned
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 14
(002) ldb [23]
(003) jeq #0x84 jt 6 jf 4
(004) jeq #0x6 jt 6 jf 5
(005) jeq #0x11 jt 6 jf 13
(006) ldh [20]
(007) jset #0x1fff jt 13 jf 8
(008) ldxb 4*([14]&0xf)
(009) ldh [x + 14]
(010) jeq #0x35 jt 14 jf 11
(011) ldh [x + 16]
(012) jeq #0x35 jt 14 jf 13
(013) ret #65535
(014) ret #0
sake@MacSake:~$ tcpdump -d "ip and port not 53"
tcpdump: WARNING: en0: no IPv4 address assigned
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 14
(002) ldb [23]
(003) jeq #0x84 jt 6 jf 4
(004) jeq #0x6 jt 6 jf 5
(005) jeq #0x11 jt 6 jf 13
(006) ldh [20]
(007) jset #0x1fff jt 13 jf 8
(008) ldxb 4*([14]&0xf)
(009) ldh [x + 14]
(010) jeq #0x35 jt 14 jf 11
(011) ldh [x + 16]
(012) jeq #0x35 jt 14 jf 13
(013) ret #65535
(014) ret #0
sake@MacSake:~$
As you can see, both filters generate the same BPF code, so the filters are the same.
Hope this helps,
Cheers,
Sake