This is worthy of an issue on the libpcap Github issues.
After the first pppoes, the packet is no longer considered to be Ethernet (type 0x0800), so the second ether is not valid. What's needed is support for pppoes src and pppoes dst or some other work around.
To look inside a capture filter, use dumpcap -d to dump the byte code for the filter:
~$ dumpcap.exe -i 5 -d -f "( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 )"
Capturing on 'Ethernet'
(000) ld [2]
(001) jeq #0x1 jt 2 jf 12
(002) ldh [0]
(003) jeq #0x0 jt 4 jf 12
(004) ldh [12]
(005) jeq #0x8864 jt 6 jf 12
(006) ldh [20]
(007) jeq #0x21 jt 8 jf 12
(008) ldb [41]
(009) and #0xf
(010) jeq #0x1 jt 11 jf 12
(011) ret #262144
(012) ret #0
The check of [12] for #0x8864 is looking for pppoes in the Ethernet Type bytes. After the pppoes it is no longer considered Ethernet 0x0800, so the second ether src fails.
~$ dumpcap.exe -i 5 -d -f "(( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 ) or (ether src 00:00:00:00:00:01))"
Capturing on 'Ethernet'
dumpcap: Invalid capture filter "(( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 ) or (ether src 00:00:00:00:00:01))" for interface '\Device\NPF_xxx'.
That string isn't a valid capture filter (ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel).
See the User's Guide for a description of the capture filter syntax.
If libpcap supported a frame protocol to look at the byte level, then a lower-level filter for the src and dst addresses could be created, but it doesn't, so you can't.
(pcap-filter.7 - syntax for capture filters)
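To trace what the dumped byte code above actually tests, here is an added example (not the poster's code and not part of libpcap): a tiny interpreter for the handful of classic BPF instructions in that listing, run against a constructed Ethernet / PPPoE session / PPP / IPv4 frame. The MAC and IP addresses are made up; the offsets 12 (EtherType), 20 (PPP protocol) and 41 (last byte of the IPv4 destination, i.e. ip[19] once the 6-byte PPPoE and 2-byte PPP headers are skipped) are the ones from the listing.

```python
import ipaddress
import struct

# The `dumpcap -d` listing from the post, as constructed sample input for the interpreter.
BPF_DUMP = """\
(000) ld [2]
(001) jeq #0x1 jt 2 jf 12
(002) ldh [0]
(003) jeq #0x0 jt 4 jf 12
(004) ldh [12]
(005) jeq #0x8864 jt 6 jf 12
(006) ldh [20]
(007) jeq #0x21 jt 8 jf 12
(008) ldb [41]
(009) and #0xf
(010) jeq #0x1 jt 11 jf 12
(011) ret #262144
(012) ret #0
"""

def parse_bpf(dump):
    """Turn '(nnn) op args...' lines into (op, args) tuples; list index == instruction number."""
    return [(line.split()[1], line.split()[2:]) for line in dump.strip().splitlines()]

def run_bpf(prog, pkt):
    """Execute the subset of classic BPF this filter uses (ld/ldh/ldb, jeq, and, ret)."""
    acc, pc = 0, 0
    while pc < len(prog):
        op, args = prog[pc]
        if op in ("ld", "ldh", "ldb"):
            off, size = int(args[0].strip("[]")), {"ld": 4, "ldh": 2, "ldb": 1}[op]
            if off + size > len(pkt):
                return 0  # a load past the end of the packet rejects it, as the kernel does
            acc = int.from_bytes(pkt[off:off + size], "big")
            pc += 1
        elif op == "jeq":  # args: ['#k', 'jt', n, 'jf', m]
            pc = int(args[2]) if acc == int(args[0].lstrip("#"), 0) else int(args[4])
        elif op == "and":
            acc &= int(args[0].lstrip("#"), 0)
            pc += 1
        elif op == "ret":
            return int(args[0].lstrip("#"), 0)  # 0 = drop, non-zero = snaplen to accept
        else:
            raise ValueError("unsupported opcode: " + op)
    return 0

def build_pppoe_ipv4_frame(dst_mac, src_mac, dst_ip):
    """Constructed Ethernet + PPPoE session + PPP + minimal IPv4 header (no payload, zero checksum)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address("192.0.2.10").packed, ipaddress.ip_address(dst_ip).packed)
    pppoe = b"\x11\x00" + struct.pack("!HH", 1, 2 + len(ip_hdr))  # ver/type, code, session id, length
    return mac(dst_mac) + mac(src_mac) + b"\x88\x64" + pppoe + b"\x00\x21" + ip_hdr

def filter_accepts(dump, pkt):
    return run_bpf(parse_bpf(dump), pkt) > 0
```

Feeding a frame with dst MAC 00:00:00:00:00:01 and a destination IP ending in an odd low nibble returns 262144 (accept); changing the dst MAC or the last IP octet returns 0, which is the same answer the compiled filter gives in the capture engine.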