


Wireshark and dumpcap both call `pcap_compile()`. I don't have an answer as to why the output is different.

Have you tried reversing the filter logic? (The `-d` option below prints the compiled BPF program for the filter instead of capturing.)

$ dumpcap -c 5 -i 1 -f "not (icmp or (vlan and icmp)) and (ether[len - 4:4] == 0x1d10c0da)" -d
Capturing on 'ens160'
(000) ld       #0x0
(001) st       M[0]
(002) st       M[1]
(003) ldh      [12]
(004) jeq      #0x800           jt 5    jf 7
(005) ldb      [23]
(006) jeq      #0x1             jt 28   jf 7
(007) ldb      [vlanp]
(008) jeq      #0x1             jt 16   jf 9
(009) ld       #0x4
(010) st       M[0]
(011) st       M[1]
(012) ldh      [12]
(013) jeq      #0x8100          jt 16   jf 14
(014) jeq      #0x88a8          jt 16   jf 15
(015) jeq      #0x9100          jt 16   jf 22
(016) ldx      M[1]
(017) ldh      [x + 12]
(018) jeq      #0x800           jt 19   jf 22
(019) ldx      M[0]
(020) ldb      [x + 23]
(021) jeq      #0x1             jt 28   jf 22
(022) ld       #pktlen
(023) sub      #4
(024) tax      
(025) ld       [x + 0]
(026) jeq      #0x1d10c0da      jt 27   jf 28
(027) ret      #262144
(028) ret      #0

Wireshark and dumpcap both call `pcap_compile()`. I don't have an answer as to why the output is different.
Update: see the 2nd answer for the path through the two compiles.


Have you tried reversing the filter logic? (The `-d` option below prints the compiled BPF program for the filter instead of capturing.)

$ dumpcap -c 5 -i 1 -f "not (icmp or (vlan and icmp)) and (ether[len - 4:4] == 0x1d10c0da)" -d
Capturing on 'ens160'
(000) ld       #0x0
(001) st       M[0]
(002) st       M[1]
(003) ldh      [12]
(004) jeq      #0x800           jt 5    jf 7
(005) ldb      [23]
(006) jeq      #0x1             jt 28   jf 7
(007) ldb      [vlanp]
(008) jeq      #0x1             jt 16   jf 9
(009) ld       #0x4
(010) st       M[0]
(011) st       M[1]
(012) ldh      [12]
(013) jeq      #0x8100          jt 16   jf 14
(014) jeq      #0x88a8          jt 16   jf 15
(015) jeq      #0x9100          jt 16   jf 22
(016) ldx      M[1]
(017) ldh      [x + 12]
(018) jeq      #0x800           jt 19   jf 22
(019) ldx      M[0]
(020) ldb      [x + 23]
(021) jeq      #0x1             jt 28   jf 22
(022) ld       #pktlen
(023) sub      #4
(024) tax      
(025) ld       [x + 0]
(026) jeq      #0x1d10c0da      jt 27   jf 28
(027) ret      #262144
(028) ret      #0