1 | initial version |
If you look at the compiled BPF for each filter you can compare the result:
tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
and the second, with the errant trailing paren removed:
(tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5)
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
2 | No.2 Revision |
If you look at the compiled BPF (using dftest) for each filter you can compare the result:
tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
and the second, with the errant trailing paren removed:
(tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5)
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
3 | No.3 Revision |
If you look at the compiled BPF (using the Compile BPFs button in the Capture Options dialog) for each filter you can compare the result. The examples shown are for my WiFi interface:
tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
and the second, with the errant trailing paren removed:
(tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5)
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
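To see what the identical listings above actually accept, the following added example (not part of the original answer) interprets that 26-instruction program over constructed packets. The interpreter covers only the opcodes that appear in the listing; `run_bpf`, `tcp_packet` and the 9.9.9.9 peer address are names and values made up for this illustration.

```python
import re, struct

# The listing from the page, one instruction per ';' (list index = instruction number).
LISTING = (
    "ldh [12]; jeq #0x86dd jt 25 jf 2; jeq #0x800 jt 3 jf 25; ldb [23]; "
    "jeq #0x6 jt 5 jf 25; ldh [20]; jset #0x1fff jt 25 jf 7; ldxb 4*([14]&0xf); "
    "ldh [x + 14]; jeq #0x38 jt 12 jf 10; ldh [x + 16]; jeq #0x38 jt 12 jf 16; "
    "ld [26]; jeq #0x1020304 jt 24 jf 14; ld [30]; jeq #0x1020304 jt 24 jf 16; "
    "ldh [x + 14]; jeq #0x39 jt 20 jf 18; ldh [x + 16]; jeq #0x39 jt 20 jf 25; "
    "ld [26]; jeq #0x1020305 jt 24 jf 22; ld [30]; jeq #0x1020305 jt 24 jf 25; "
    "ret #262144; ret #0")
PROGRAM = [ins.strip() for ins in LISTING.split(";")]
SIZES = {"ldb": 1, "ldh": 2, "ld": 4}  # load width in bytes

def run_bpf(pkt, program=PROGRAM):
    """Run the classic-BPF subset used in the listing; return the ret value
    (0 = drop, non-zero = number of bytes to capture)."""
    a = x = pc = 0
    while True:
        op, _, arg = program[pc].partition(" ")
        pc += 1                          # fall through unless a jump overrides it
        if op == "ret":
            return int(arg[1:], 0)
        if op == "ldxb":                 # x = 4 * (pkt[k] & 0xf): the IPv4 header length
            k = int(re.search(r"\[(\d+)\]", arg).group(1))
            x = 4 * (pkt[k] & 0xF)
        elif op in SIZES:                # absolute load [k] or indexed load [x + k]
            m = re.fullmatch(r"\[(x \+ )?(\d+)\]", arg)
            off = int(m.group(2)) + (x if m.group(1) else 0)
            if off + SIZES[op] > len(pkt):
                return 0                 # out-of-bounds load rejects the packet
            a = int.from_bytes(pkt[off:off + SIZES[op]], "big")
        else:                            # jeq / jset; targets are absolute indices
            k, jt, jf = re.fullmatch(r"#(\w+) jt (\d+) jf (\d+)", arg).groups()
            hit = (a == int(k, 0)) if op == "jeq" else bool(a & int(k, 0))
            pc = int(jt) if hit else int(jf)

def tcp_packet(src, dst, sport, dport, proto=6, frag=0):
    """Constructed Ethernet + 20-byte IPv4 header + port fields; checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + bytes(16)
```

Calling `run_bpf(tcp_packet("1.2.3.4", "9.9.9.9", 56, 1000))` returns 262144 (capture), while pairing port 56 with host 1.2.3.5 returns 0, which is the grouping both filter expressions express.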