Why does "dumpcap -d" and "Wireshark -> Capture Options -> Compile BPFs" produce different output for the same capture filter?

asked 2025-08-23 04:12:13 +0000 by cmaynard, updated 2025-08-23 04:18:35 +0000

I was testing compiled BPF for a capture filter from the tshark filter options broken with NapaTech NIC question, and in the process discovered that the compiled BPF that dumpcap produces differs from the compiled BPF that Wireshark produces, so I was wondering why that is.

To use an example capture filter, I'll stick with the one from the question that led us here, namely "vlan and ip and host 10.239.81.123".

Here's the contents of the "Compiled Filter Output" from Wireshark:

(000) ldh      [12]
(001) jeq      #0x8100          jt 4    jf 2
(002) jeq      #0x88a8          jt 4    jf 3
(003) jeq      #0x9100          jt 4    jf 11
(004) ldh      [16]
(005) jeq      #0x800           jt 6    jf 11
(006) ld       [30]
(007) jeq      #0xaef517b       jt 10   jf 8
(008) ld       [34]
(009) jeq      #0xaef517b       jt 10   jf 11
(010) ret      #262144
(011) ret      #0

And here's the dumpcap -d output:

(000) ld       #0x0
(001) st       M[0]
(002) st       M[1]
(003) ldb      [-4092]
(004) jeq      #0x1             jt 12   jf 5
(005) ld       #0x4
(006) st       M[0]
(007) st       M[1]
(008) ldh      [12]
(009) jeq      #0x8100          jt 12   jf 10
(010) jeq      #0x88a8          jt 12   jf 11
(011) jeq      #0x9100          jt 12   jf 22
(012) ldx      M[1]
(013) ldh      [x + 12]
(014) jeq      #0x800           jt 15   jf 22
(015) ldx      M[0]
(016) ld       [x + 26]
(017) jeq      #0xaef517b       jt 21   jf 18
(018) ldx      M[0]
(019) ld       [x + 30]
(020) jeq      #0xaef517b       jt 21   jf 22
(021) ret      #262144
(022) ret      #0

Here's the dumpcap -v output:

Dumpcap (Wireshark) 4.4.8 (v4.4.8-0-g0d289c003bfb).

Copyright 1998-2025 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.80.0, with libpcap, with binary plugins.

Running on 64-bit Windows 10 (22H2), build 19045, with AMD Ryzen 7 2700
Eight-Core Processor (with SSE4.2), with 16314 MB of physical memory, with GLib
2.80.0, with Npcap version 1.83, based on libpcap version 1.10.5, with
LC_TYPE=C, binary plugins supported.

And for completeness, here's the Wireshark: Help -> About Wireshark information:

Version 4.4.8 (v4.4.8-0-g0d289c003bfb).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.80.0, with Qt 6.5.3, with libpcap, with zlib 1.3.1, with zlib-ng
2.1.5, with PCRE2, with Lua 5.4.6 (with UfW patches), with GnuTLS 3.8.4 and PKCS
#11 support, with Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with
nghttp2 1.62.1, with nghttp3 0.14.0, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.13.5, with libsmi 0 ...

Comments

Note: As a point of reference, bpfexam produces the same BPF output as Wireshark does, at least when you look at the optimized code.

cmaynard (2025-08-23 04:17:44 +0000)

Somewhat related is your own issue https://gitlab.com/wireshark/wireshar...

What difference, if any, does giving -O to tcpdump and not giving -O make with that same filter? It might be that dumpcap is using the non-optimized filter.

johnthacker (2025-08-23 11:56:16 +0000)

1 Answer


answered 2025-08-23 12:28:18 +0000 by johnthacker, updated 2025-08-23 12:33:52 +0000

It appears that the difference is that show_filter_code in dumpcap is calling open_capture_device, which eventually calls pcap_create and creates a real pcap_t (it's the same thing called when actually capturing), whereas the other places call pcap_open_dead, which "open[s] a fake pcap_t for compiling filters or opening a capture for output".

edit: Apparently the dumpcap version is correct (superior), see: https://github.com/the-tcpdump-group/...

The extra instructions involve the SKF_AD_VLAN_TAG_PRESENT BPF extension that can test whether or not a VLAN tag is present, instead of assuming that it is and always adding the 4 byte offset.


Comments

The extra instructions involve the SKF_AD_VLAN_TAG_PRESENT BPF extension that can test whether or not a VLAN tag is present, instead of assuming that it is and always adding the 4 byte offset.

...because, when doing a live capture on Linux, VLAN tags are usually (always?) removed from the raw packet data and put into metadata attached to the filter, so packets with VLAN tags have to be handled specially by the cBPF code (and libpcap has to, and does, shuffle the data before the VLAN tag backward and insert the VLAN tag before handing the packet data to the read callback).

I think this is also required on at least some versions of Windows, and libpcap/Npcap do similar things there.

Guy Harris (2025-08-23 18:48:22 +0000)
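To make the difference between the two listings concrete, here is an added example (not code from the question, the answer, or the Wireshark/libpcap projects): a small classic-BPF interpreter in Python that runs both programs from the question over the same constructed IPv4 packet from 10.239.81.123, once with the 802.1Q tag in the packet bytes (the layout pcap_open_dead compiles for) and once with the tag stripped into out-of-band metadata, as on a Linux live capture. The frame bytes, VID 100 and destination 192.0.2.1 are constructed; the SKF_AD_OFF and SKF_AD_VLAN_TAG_PRESENT values are the Linux kernel's, and that flag is the only ancillary load the interpreter models.

```python
import re
import struct

# Linux ancillary-data offsets from the kernel's linux/filter.h: a load from
# SKF_AD_OFF + k reads packet metadata instead of packet bytes, so the
# "ldb [-4092]" in the dumpcap listing is SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT.
SKF_AD_OFF, SKF_AD_VLAN_TAG_PRESENT = -0x1000, 4

# Both listings copied from the question (bpf_dump text, three insns per line).
WIRESHARK_PROGRAM = """
(000) ldh [12]                   (001) jeq #0x8100 jt 4 jf 2      (002) jeq #0x88a8 jt 4 jf 3
(003) jeq #0x9100 jt 4 jf 11     (004) ldh [16]                   (005) jeq #0x800 jt 6 jf 11
(006) ld [30]                    (007) jeq #0xaef517b jt 10 jf 8  (008) ld [34]
(009) jeq #0xaef517b jt 10 jf 11 (010) ret #262144                (011) ret #0
"""
DUMPCAP_PROGRAM = """
(000) ld #0x0                    (001) st M[0]                    (002) st M[1]
(003) ldb [-4092]                (004) jeq #0x1 jt 12 jf 5        (005) ld #0x4
(006) st M[0]                    (007) st M[1]                    (008) ldh [12]
(009) jeq #0x8100 jt 12 jf 10    (010) jeq #0x88a8 jt 12 jf 11    (011) jeq #0x9100 jt 12 jf 22
(012) ldx M[1]                   (013) ldh [x + 12]               (014) jeq #0x800 jt 15 jf 22
(015) ldx M[0]                   (016) ld [x + 26]                (017) jeq #0xaef517b jt 21 jf 18
(018) ldx M[0]                   (019) ld [x + 30]                (020) jeq #0xaef517b jt 21 jf 22
(021) ret #262144                (022) ret #0
"""

INSN_RE = re.compile(r"\(\d+\)\s+(\w+)\s+(\S+(?: \+ \d+\])?)(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?")

def parse_program(text):
    """bpf_dump text -> list of (op, operand, jt, jf); jump targets are absolute."""
    return [(m[1], m[2], int(m[3] or 0), int(m[4] or 0)) for m in INSN_RE.finditer(text)]

def run_bpf(prog, pkt, vlan_tag_present=False):
    """Interpret classic BPF over pkt. vlan_tag_present models the kernel's
    out-of-band VLAN metadata. Returns the accept length, or 0 to reject."""
    A = X = pc = 0
    mem = [0] * 16
    width = {"ld": 4, "ldh": 2, "ldb": 1}

    def load(off, size):
        if off < 0:  # ancillary load; only the VLAN-present flag is modelled
            if off - SKF_AD_OFF == SKF_AD_VLAN_TAG_PRESENT:
                return int(vlan_tag_present)
            raise ValueError(f"unsupported ancillary offset {off}")
        if off + size > len(pkt):  # an out-of-bounds load rejects the packet
            return None
        return int.from_bytes(pkt[off:off + size], "big")

    while True:
        op, arg, jt, jf = prog[pc]
        imm = int(arg[1:], 0) if arg.startswith("#") else None
        if op == "ret":
            return imm
        if op in width:
            if imm is not None:
                A = imm
            elif arg.startswith("M["):
                A = mem[int(arg[2:-1])]
            elif arg.startswith("[x"):  # indexed load: X holds the VLAN offset here
                A = load(X + int(arg.split("+")[1].strip(" ]")), width[op])
            else:
                A = load(int(arg.strip("[]")), width[op])
            if A is None:
                return 0
        elif op == "ldx":
            X = mem[int(arg[2:-1])] if arg.startswith("M[") else imm
        elif op in ("st", "stx"):
            mem[int(arg[2:-1])] = A if op == "st" else X
        elif op == "jeq":
            pc = jt if A == imm else jf
            continue
        else:
            raise ValueError(f"unsupported opcode {op}")
        pc += 1

def frame(src_ip, tagged):
    """Constructed sample Ethernet/IPv4 frame to 192.0.2.1; tagged=False omits
    the 802.1Q header, which is how the kernel delivers it after stripping the tag."""
    hdr = bytes.fromhex("ffffffffffff020000000001")           # dst MAC, src MAC
    hdr += struct.pack("!HH", 0x8100, 100) if tagged else b""  # TPID, VID 100
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([192, 0, 2, 1]))
    return hdr + struct.pack("!H", 0x0800) + ip + bytes(8)

def compare(src_ip="10.239.81.123"):
    """Run both programs over the same packet under both delivery models:
    tag in the bytes (pcap file / pcap_open_dead) versus tag stripped into
    metadata (Linux live capture). Returns {model: (wireshark, dumpcap)}."""
    ws, dc = parse_program(WIRESHARK_PROGRAM), parse_program(DUMPCAP_PROGRAM)
    inband, stripped = frame(src_ip, True), frame(src_ip, False)
    return {"inband": (run_bpf(ws, inband), run_bpf(dc, inband)),
            "stripped": (run_bpf(ws, stripped, True), run_bpf(dc, stripped, True))}
```

Running compare() gives {"inband": (262144, 262144), "stripped": (0, 262144)}: with the tag in the bytes both programs accept, but once the tag has moved to metadata the pcap_open_dead program sees 0x0800 at offset 12 and rejects the packet, while the dumpcap program reads the VLAN-present flag, sets M[0] and M[1] to 0 instead of 4, and still finds the host address at [x + 26]. A packet from another host is rejected by both under both models.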

https://gitlab.com/wireshark/wireshar... will make it so that the actual filter is printed.

johnthacker (2025-08-24 15:23:17 +0000)
