BPF boolean logic
Are the 2 filters below identical?
- tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))
- (tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5))
If you look at the compiled BPF (using the Compile BPFs button in the Capture Options dialog) for each filter you can compare the result. The examples shown are for my WiFi interface:
tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
and the second, with the errant trailing paren removed:
(tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5)
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
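Added example, not part of the original answer: a minimal Python interpreter for the classic-BPF instructions in the listing above, run against constructed Ethernet/IPv4 frames to show which packets the program shared by both filters accepts. The names `run_bpf` and `frame` and the sample addresses and ports are assumptions made for illustration; the program text is the listing above, wrapped three instructions to a line.

```python
import re, socket, struct

# Program from the listing above (identical for both filters), three instructions per line.
PROG = """
(000) ldh [12] (001) jeq #0x86dd jt 25 jf 2 (002) jeq #0x800 jt 3 jf 25
(003) ldb [23] (004) jeq #0x6 jt 5 jf 25 (005) ldh [20]
(006) jset #0x1fff jt 25 jf 7 (007) ldxb 4*([14]&0xf) (008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10 (010) ldh [x + 16] (011) jeq #0x38 jt 12 jf 16
(012) ld [26] (013) jeq #0x1020304 jt 24 jf 14 (014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16 (016) ldh [x + 14] (017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16] (019) jeq #0x39 jt 20 jf 25 (020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22 (022) ld [30] (023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144 (025) ret #0
"""
WIDTH = {"ld": 4, "ldh": 2, "ldb": 1}   # bytes read by each absolute/indexed load

def run_bpf(pkt, prog=PROG):
    """Interpret the instruction subset used above; return the ret value (0 = drop)."""
    insns = [s.strip().split(None, 1) for s in re.split(r"\(\d{3}\)", prog)[1:]]
    a = x = pc = 0
    while True:
        op, arg = insns[pc]
        pc += 1
        if op == "ret":
            return int(arg[1:])                      # "#262144" accept, "#0" drop
        if op in WIDTH:                              # load [k] or [x + k] into A
            k = int(re.search(r"\d+", arg).group()) + (x if "x" in arg else 0)
            if k + WIDTH[op] > len(pkt):
                return 0                             # out-of-bounds load rejects the packet
            a = int.from_bytes(pkt[k:k + WIDTH[op]], "big")
        elif op == "ldxb":                           # X = 4 * (pkt[k] & 0xf): IPv4 header length
            x = 4 * (pkt[int(re.search(r"\[(\d+)\]", arg).group(1))] & 0xF)
        else:                                        # jeq / jset #k jt T jf F (absolute targets)
            k, _, jt, _, jf = arg.split()
            hit = a == int(k[1:], 16) if op == "jeq" else bool(a & int(k[1:], 16))
            pc = int(jt) if hit else int(jf)

def frame(src, dst, sport, dport, proto=6):
    """Constructed test frame: Ethernet + 20-byte IPv4 header + L4 port pair."""
    ip = (bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(2)
          + socket.inet_aton(src) + socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)
```

`run_bpf(frame("1.2.3.4", "10.0.0.1", 40000, 56))` returns 262144: the program tests `port` and `host` independently, so the matching port need not be on the named host's side of the connection.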
Asked: 2020-05-22 19:18:21 +0000
Seen: 427 times
Last updated: May 22 '20