Why does "dumpcap -d" and "Wireshark -> Capture Options -> Compile BPFs" produce different output for the same capture filter?

asked 2025-08-23 04:12:13 +0000

cmaynard

updated 2025-08-23 04:18:35 +0000

I was testing compiled BPF for a capture filter from the tshark filter options broken with NapaTech NIC question, and in the process discovered that the compiled BPF that dumpcap produces differs from the compiled BPF that Wireshark produces, so I was wondering why that is.

To use an example capture filter, I'll stick with the one from the question that led us here, namely "vlan and ip and host 10.239.81.123".

Here's the contents of the "Compiled Filter Output" from Wireshark:

(000) ldh      [12]
(001) jeq      #0x8100          jt 4    jf 2
(002) jeq      #0x88a8          jt 4    jf 3
(003) jeq      #0x9100          jt 4    jf 11
(004) ldh      [16]
(005) jeq      #0x800           jt 6    jf 11
(006) ld       [30]
(007) jeq      #0xaef517b       jt 10   jf 8
(008) ld       [34]
(009) jeq      #0xaef517b       jt 10   jf 11
(010) ret      #262144
(011) ret      #0

And here's the dumpcap -d output:

(000) ld       #0x0
(001) st       M[0]
(002) st       M[1]
(003) ldb      [-4092]
(004) jeq      #0x1             jt 12   jf 5
(005) ld       #0x4
(006) st       M[0]
(007) st       M[1]
(008) ldh      [12]
(009) jeq      #0x8100          jt 12   jf 10
(010) jeq      #0x88a8          jt 12   jf 11
(011) jeq      #0x9100          jt 12   jf 22
(012) ldx      M[1]
(013) ldh      [x + 12]
(014) jeq      #0x800           jt 15   jf 22
(015) ldx      M[0]
(016) ld       [x + 26]
(017) jeq      #0xaef517b       jt 21   jf 18
(018) ldx      M[0]
(019) ld       [x + 30]
(020) jeq      #0xaef517b       jt 21   jf 22
(021) ret      #262144
(022) ret      #0

Here's the dumpcap -v output:

Dumpcap (Wireshark) 4.4.8 (v4.4.8-0-g0d289c003bfb).

Copyright 1998-2025 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.80.0, with libpcap, with binary plugins.

Running on 64-bit Windows 10 (22H2), build 19045, with AMD Ryzen 7 2700
Eight-Core Processor (with SSE4.2), with 16314 MB of physical memory, with GLib
2.80.0, with Npcap version 1.83, based on libpcap version 1.10.5, with
LC_TYPE=C, binary plugins supported.

And for completeness, here's the Wireshark: Help -> About Wireshark information:

Version 4.4.8 (v4.4.8-0-g0d289c003bfb).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.80.0, with Qt 6.5.3, with libpcap, with zlib 1.3.1, with zlib-ng
2.1.5, with PCRE2, with Lua 5.4.6 (with UfW patches), with GnuTLS 3.8.4 and PKCS
#11 support, with Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with
nghttp2 1.62.1, with nghttp3 0.14.0, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.13.5, with libsmi 0 ...
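To see concretely what the two programs do differently, here is a small classic-BPF emulator that runs both disassemblies from the question over constructed frames. This is an added example, not code from the question or from Wireshark/libpcap. The instruction listings are transcribed from the page (several per line, `;`-separated, for compactness); the Ethernet/IPv4 frames are constructed, and the treatment of the `ldb [-4092]` load is an assumption: the page does not name the extension, but the dumpcap program branches on that byte to decide whether to expect the 802.1Q tag inside the packet data (offsets shifted by 4) or not (offsets unshifted), so the emulator models it as an out-of-band "VLAN tag present but stripped from the data" flag supplied by the caller.

```python
import re
import struct

# Both disassemblies transcribed from the question, several instructions per line, ';' separated.
WIRESHARK_PROG = """
(000) ldh [12]; (001) jeq #0x8100 jt 4 jf 2; (002) jeq #0x88a8 jt 4 jf 3; (003) jeq #0x9100 jt 4 jf 11
(004) ldh [16]; (005) jeq #0x800 jt 6 jf 11; (006) ld [30]; (007) jeq #0xaef517b jt 10 jf 8
(008) ld [34]; (009) jeq #0xaef517b jt 10 jf 11; (010) ret #262144; (011) ret #0
"""
DUMPCAP_PROG = """
(000) ld #0x0; (001) st M[0]; (002) st M[1]; (003) ldb [-4092]
(004) jeq #0x1 jt 12 jf 5; (005) ld #0x4; (006) st M[0]; (007) st M[1]
(008) ldh [12]; (009) jeq #0x8100 jt 12 jf 10; (010) jeq #0x88a8 jt 12 jf 11; (011) jeq #0x9100 jt 12 jf 22
(012) ldx M[1]; (013) ldh [x + 12]; (014) jeq #0x800 jt 15 jf 22; (015) ldx M[0]
(016) ld [x + 26]; (017) jeq #0xaef517b jt 21 jf 18; (018) ldx M[0]; (019) ld [x + 30]
(020) jeq #0xaef517b jt 21 jf 22; (021) ret #262144; (022) ret #0
"""

INSN_RE = re.compile(r"^\((\d+)\)\s+(\w+)\s+(.*?)(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?$")
SIZES = {"ld": 4, "ldh": 2, "ldb": 1, "ldx": 4}  # load widths in bytes


def parse_program(text):
    """Turn bpf_image-style disassembly into a list of (op, operand, jt, jf)."""
    prog = []
    for insn in re.split(r"[;\n]", text):
        if not insn.strip():
            continue
        m = INSN_RE.match(insn.strip())
        if not m:
            raise ValueError("unparsable instruction: " + insn)
        idx, op, operand, jt, jf = m.groups()
        assert int(idx) == len(prog), "instructions must be numbered consecutively"
        prog.append((op, operand.strip(), jt and int(jt), jf and int(jf)))
    return prog


def parse_operand(s):
    """'#imm', 'M[k]' scratch slot, '[x + k]' indexed or '[k]' absolute packet offset."""
    if s.startswith("#"):
        return "imm", int(s[1:], 0)
    if s.startswith("M["):
        return "mem", int(s[2:-1])
    if s.startswith("[x"):
        return "ind", int(s[2:-1].replace("+", "").strip() or "0", 0)
    return "abs", int(s[1:-1], 0)


def run_bpf(prog, pkt, aux=None):
    """Execute one filter over one frame and return its accept length (0 = reject).

    aux maps negative offsets to out-of-band values. Assumption: the ldb [-4092] in
    dumpcap's program reads a 'VLAN tag stripped from the data' flag; the page does not
    name the extension, this is inferred from how the program uses the loaded byte."""
    aux, acc, idx, mem, pc = aux or {}, 0, 0, [0] * 16, 0
    while True:
        op, operand, jt, jf = prog[pc]
        kind, k = parse_operand(operand)
        pc += 1
        if op == "ret":
            return k
        if op == "jeq":
            pc = jt if acc == k else jf
        elif op == "st":
            mem[k] = acc
        elif op in SIZES:
            if kind == "imm":
                val = k
            elif kind == "mem":
                val = mem[k]
            else:
                off = k + (idx if kind == "ind" else 0)
                if off < 0:
                    val = aux.get(off, 0)  # extension load, not packet data
                elif off + SIZES[op] > len(pkt):
                    return 0  # out-of-bounds load rejects the packet, as in real BPF
                else:
                    val = int.from_bytes(pkt[off:off + SIZES[op]], "big")
            if op == "ldx":
                idx = val
            else:
                acc = val
        else:
            raise ValueError("opcode not handled by this emulator: " + op)


def ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, dst, tag_in_band):
    """Constructed Ethernet/IPv4 frame (zero MACs, minimal IP header), not a real capture."""
    eth = bytes(12)
    if tag_in_band:
        eth += struct.pack("!HH", 0x8100, 100)  # 802.1Q TPID + TCI (VLAN 100)
    eth += struct.pack("!H", 0x0800)
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 6, 0) + ipv4(src) + ipv4(dst)
    return eth + ip


def compare(src, dst, tag_in_band, tag_stripped_flag):
    """Return (wireshark_verdict, dumpcap_verdict) for one constructed frame."""
    frame = build_frame(src, dst, tag_in_band)
    return (run_bpf(parse_program(WIRESHARK_PROG), frame),
            run_bpf(parse_program(DUMPCAP_PROG), frame, {-4092: tag_stripped_flag}))


if __name__ == "__main__":
    print(compare("10.239.81.123", "192.0.2.1", True, 0))   # tag in the packet data
    print(compare("192.0.2.1", "10.239.81.123", False, 1))  # tag stripped, flag set out of band
```

Running it shows that on a frame carrying the 802.1Q tag in-band both programs accept the host and reject other addresses identically, which is why they are equivalent for ordinary captures. They diverge only on a frame whose tag was removed from the data and signalled through the extension load: dumpcap's program still matches (it re-bases the IP offsets via M[0]/M[1]), while Wireshark's program, which hard-codes offsets 16, 30 and 34, rejects it.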

Comments

Note: As a point of reference, bpfexam produces the same BPF output as Wireshark does, at least when you look at the optimized code.

cmaynard (2025-08-23 04:17:44 +0000)