BPF boolean logic

asked 2020-05-22 19:18:21 +0000 by balderman, updated 2020-05-22 19:18:55 +0000

Are the 2 filters below identical?

  1. tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))
  2. (tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5))

1 Answer


answered 2020-05-22 20:22:51 +0000 by grahamb, updated 2020-05-22 20:24:52 +0000

If you look at the compiled BPF (using the Compile BPFs button in the Capture Options dialog) for each filter, you can compare the result. The examples shown are for my WiFi interface:

tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))

(000) ldh      [12]
(001) jeq      #0x86dd          jt 25   jf 2
(002) jeq      #0x800           jt 3    jf 25
(003) ldb      [23]
(004) jeq      #0x6             jt 5    jf 25
(005) ldh      [20]
(006) jset     #0x1fff          jt 25   jf 7
(007) ldxb     4*([14]&0xf)
(008) ldh      [x + 14]
(009) jeq      #0x38            jt 12   jf 10
(010) ldh      [x + 16]
(011) jeq      #0x38            jt 12   jf 16
(012) ld       [26]
(013) jeq      #0x1020304       jt 24   jf 14
(014) ld       [30]
(015) jeq      #0x1020304       jt 24   jf 16
(016) ldh      [x + 14]
(017) jeq      #0x39            jt 20   jf 18
(018) ldh      [x + 16]
(019) jeq      #0x39            jt 20   jf 25
(020) ld       [26]
(021) jeq      #0x1020305       jt 24   jf 22
(022) ld       [30]
(023) jeq      #0x1020305       jt 24   jf 25
(024) ret      #262144
(025) ret      #0

and the second, with the errant trailing paren removed:

(tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5)

(000) ldh      [12]
(001) jeq      #0x86dd          jt 25   jf 2
(002) jeq      #0x800           jt 3    jf 25
(003) ldb      [23]
(004) jeq      #0x6             jt 5    jf 25
(005) ldh      [20]
(006) jset     #0x1fff          jt 25   jf 7
(007) ldxb     4*([14]&0xf)
(008) ldh      [x + 14]
(009) jeq      #0x38            jt 12   jf 10
(010) ldh      [x + 16]
(011) jeq      #0x38            jt 12   jf 16
(012) ld       [26]
(013) jeq      #0x1020304       jt 24   jf 14
(014) ld       [30]
(015) jeq      #0x1020304       jt 24   jf 16
(016) ldh      [x + 14]
(017) jeq      #0x39            jt 20   jf 18
(018) ldh      [x + 16]
(019) jeq      #0x39            jt 20   jf 25
(020) ld       [26]
(021) jeq      #0x1020305       jt 24   jf 22
(022) ld       [30]
(023) jeq      #0x1020305       jt 24   jf 25
(024) ret      #262144
(025) ret      #0

Comments

So it looks identical... thanks.

balderman (2020-05-22 20:30:00 +0000)

Note: You can also check the compiled BPF using dumpcap or tcpdump.

Examples:

dumpcap.exe -d -f "(tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5)"  
tcpdump -d "tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))"
cmaynard (2020-05-22 22:31:27 +0000)
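The two listings in the answer are the actual check: the compiler emitted the same 26 instructions for both filters, so they are equivalent on every packet, whatever the boolean algebra looks like at the source level. To make the listing concrete, here is an added example (not part of the original thread, and not Wireshark or tcpdump code) that parses the `tcpdump -d` text exactly as posted, interprets the small classic-BPF subset it uses, and runs it over constructed Ethernet/IPv4/TCP frames. The packet builder, `accepts()` and the sample addresses and ports are my assumptions for illustration; the opcode semantics follow the classic BPF machine (accumulator A, index register X, conditional jumps, and a load past the end of the packet rejects it).

```python
import re
import socket
import struct

# Added example, not part of the original post.  LISTING is the compiled
# program from the answer (tcpdump -d / "Compile BPFs" output for
#   tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))
# on an Ethernet-framed interface).  The listing for the second filter on the
# page is identical, so one copy covers both.
LISTING = """
(000) ldh      [12]
(001) jeq      #0x86dd          jt 25   jf 2
(002) jeq      #0x800           jt 3    jf 25
(003) ldb      [23]
(004) jeq      #0x6             jt 5    jf 25
(005) ldh      [20]
(006) jset     #0x1fff          jt 25   jf 7
(007) ldxb     4*([14]&0xf)
(008) ldh      [x + 14]
(009) jeq      #0x38            jt 12   jf 10
(010) ldh      [x + 16]
(011) jeq      #0x38            jt 12   jf 16
(012) ld       [26]
(013) jeq      #0x1020304       jt 24   jf 14
(014) ld       [30]
(015) jeq      #0x1020304       jt 24   jf 16
(016) ldh      [x + 14]
(017) jeq      #0x39            jt 20   jf 18
(018) ldh      [x + 16]
(019) jeq      #0x39            jt 20   jf 25
(020) ld       [26]
(021) jeq      #0x1020305       jt 24   jf 22
(022) ld       [30]
(023) jeq      #0x1020305       jt 24   jf 25
(024) ret      #262144
(025) ret      #0
"""

LOAD_SIZE = {"ld": 4, "ldh": 2, "ldb": 1}


def parse(listing):
    """Turn the tcpdump -d text into a list of (opcode, operand) tuples."""
    prog = []
    for line in listing.strip().splitlines():
        m = re.match(r"\((\d+)\)\s+(\w+)\s*(.*)$", line.strip())
        assert int(m.group(1)) == len(prog), "instruction numbering gap"
        prog.append((m.group(2), m.group(3).strip()))
    return prog


def run(prog, pkt):
    """Execute the classic-BPF subset this program uses; 0 means 'drop'.
    A load past the end of the packet rejects it, as the kernel does."""
    a = x = pc = 0
    while True:
        op, arg = prog[pc]
        if op == "ret":
            return int(arg.lstrip("#"), 0)
        if op in LOAD_SIZE:                        # ld/ldh/ldb [k] or [x + k]
            m = re.fullmatch(r"\[(x\s*\+\s*)?(\d+)\]", arg)
            off = int(m.group(2)) + (x if m.group(1) else 0)
            size = LOAD_SIZE[op]
            if off + size > len(pkt):
                return 0
            a = int.from_bytes(pkt[off:off + size], "big")
            pc += 1
        elif op == "ldxb":                         # ldxb 4*([k]&0xf): IHL -> X
            off = int(re.fullmatch(r"4\*\(\[(\d+)\]&0xf\)", arg).group(1))
            if off >= len(pkt):
                return 0
            x = 4 * (pkt[off] & 0xF)
            pc += 1
        elif op in ("jeq", "jset"):                # jump if A == k / A & k != 0
            m = re.fullmatch(r"#(\S+)\s+jt\s+(\d+)\s+jf\s+(\d+)", arg)
            k, jt, jf = int(m.group(1), 0), int(m.group(2)), int(m.group(3))
            taken = (a == k) if op == "jeq" else (a & k) != 0
            pc = jt if taken else jf
        else:
            raise ValueError("opcode not modelled: " + op)


def tcp_packet(src, dst, sport, dport, proto=6, ethertype=0x0800, frag=0, ihl=5):
    """Constructed Ethernet/IPv4/TCP frame (assumed test input); only the
    fields the filter reads are meaningful, checksums are left zero."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    opts = bytes(4 * (ihl - 5))                   # IPv4 options padding
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 40 + len(opts), 0,
                     frag, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + opts
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp


PROG = parse(LISTING)


def accepts(src, dst, sport, dport, **kw):
    """True when the compiled filter would keep this constructed packet."""
    return run(PROG, tcp_packet(src, dst, sport, dport, **kw)) != 0


if __name__ == "__main__":
    print("1.2.3.4:56 -> 10.0.0.1:443  ", accepts("1.2.3.4", "10.0.0.1", 56, 443))
    print("10.0.0.1:40000 -> 1.2.3.4:57", accepts("10.0.0.1", "1.2.3.4", 40000, 57))
```

Running it shows what the program actually enforces: a packet to 1.2.3.4 on port 57 is dropped (the cross term that a sloppier hand-written filter might admit), a non-first IP fragment is dropped at instruction (006) because the ports cannot be read, a first fragment with only MF set still passes, and IP options are handled through the X register rather than a fixed TCP offset. On a box with tcpdump installed, `diff <(tcpdump -d 'FILTER1') <(tcpdump -d 'FILTER2')` does the same equivalence check mechanically; compile both for the same link-layer type, since the generated offsets differ between, say, Ethernet and raw IP.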
