Why do dumpcap -d and Wireshark -> Capture Options -> Compile BPFs produce different output for the same capture filter?

I was testing compiled BPF for a capture filter from the "tshark filter options broken with NapaTech NIC" question, and in the process discovered that the compiled BPF that dumpcap produces differs from the compiled BPF that Wireshark produces, so I was wondering why that is.

To use an example capture filter, I'll stick with the one from the question that led us here, namely "vlan and ip and host 10.239.81.123".

Here's the contents of the "Compiled Filter Output" from Wireshark:

(000) ldh      [12]
(001) jeq      #0x8100          jt 4    jf 2
(002) jeq      #0x88a8          jt 4    jf 3
(003) jeq      #0x9100          jt 4    jf 11
(004) ldh      [16]
(005) jeq      #0x800           jt 6    jf 11
(006) ld       [30]
(007) jeq      #0xaef517b       jt 10   jf 8
(008) ld       [34]
(009) jeq      #0xaef517b       jt 10   jf 11
(010) ret      #262144
(011) ret      #0

And here's the dumpcap -d output:

(000) ld       #0x0
(001) st       M[0]
(002) st       M[1]
(003) ldb      [-4092]
(004) jeq      #0x1             jt 12   jf 5
(005) ld       #0x4
(006) st       M[0]
(007) st       M[1]
(008) ldh      [12]
(009) jeq      #0x8100          jt 12   jf 10
(010) jeq      #0x88a8          jt 12   jf 11
(011) jeq      #0x9100          jt 12   jf 22
(012) ldx      M[1]
(013) ldh      [x + 12]
(014) jeq      #0x800           jt 15   jf 22
(015) ldx      M[0]
(016) ld       [x + 26]
(017) jeq      #0xaef517b       jt 21   jf 18
(018) ldx      M[0]
(019) ld       [x + 30]
(020) jeq      #0xaef517b       jt 21   jf 22
(021) ret      #262144
(022) ret      #0

Here's the dumpcap -v output:

Dumpcap (Wireshark) 4.4.8 (v4.4.8-0-g0d289c003bfb).

Copyright 1998-2025 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.80.0, with libpcap, with binary plugins.

Running on 64-bit Windows 10 (22H2), build 19045, with AMD Ryzen 7 2700
Eight-Core Processor (with SSE4.2), with 16314 MB of physical memory, with GLib
2.80.0, with Npcap version 1.83, based on libpcap version 1.10.5, with
LC_TYPE=C, binary plugins supported.

And for completeness, here's the Wireshark: Help -> About Wireshark information:

Version 4.4.8 (v4.4.8-0-g0d289c003bfb).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.80.0, with Qt 6.5.3, with libpcap, with zlib 1.3.1, with zlib-ng
2.1.5, with PCRE2, with Lua 5.4.6 (with UfW patches), with GnuTLS 3.8.4 and PKCS
#11 support, with Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with
nghttp2 1.62.1, with nghttp3 0.14.0, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.13.5, with libsmi 0.5.0, with Minizip-ng , with
QtMultimedia, with automatic updates using WinSparkle 0.8.0, with AirPcap, with
binary plugins.

Running on 64-bit Windows 10 (22H2), build 19045, with AMD Ryzen 7 2700
Eight-Core Processor (with SSE4.2), with 16314 MB of physical memory, with GLib
2.80.0, with Qt 6.5.3, with Npcap version 1.83, based on libpcap version 1.10.5,
with PCRE2 10.43 2024-02-16, with c-ares 1.27.0, with GnuTLS 3.8.4, with Gcrypt
1.10.2-unknown, with nghttp2 1.62.1, with nghttp3 0.14.0, with brotli 1.0.9,
with LZ4 1.9.4, with Zstandard 1.5.6, without AirPcap, with dark display mode,
without HiDPI, with QPA plugin "windows", with LC_TYPE=English_United
States.utf8, binary plugins supported.
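As an added example (not part of the question, and not code from the Wireshark or libpcap projects), here is a small Python interpreter that executes both listings above on constructed frames. Negative load offsets such as ldb [-4092] are a platform-specific ancillary extension the question does not explain, so the interpreter takes their value from a caller-supplied dict (an assumption); with that value set to 0 the dumpcap program ends up reading exactly the offsets the Wireshark program hard-codes ([16], [30], [34]), and with it set to 1 it reads the untagged offsets ([12], [26], [30]) instead.

```python
import re
# Added example, not from the question or Wireshark: a tiny interpreter for
# pcap-style classic BPF listings. Negative offsets (ldb [-4092]) are a platform
# ancillary extension the question does not explain; `aux` supplies their value.
INSN = re.compile(r"(?:\(\d+\)\s+)?(\w+)\s+(.+?)(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?\s*$")
# The two programs from the question, one instruction per ';' ("(000) ..." lines paste in too).
WIRESHARK_BPF = """ldh [12]; jeq #0x8100 jt 4 jf 2; jeq #0x88a8 jt 4 jf 3; jeq #0x9100 jt 4 jf 11
ldh [16]; jeq #0x800 jt 6 jf 11
ld [30]; jeq #0xaef517b jt 10 jf 8; ld [34]; jeq #0xaef517b jt 10 jf 11
ret #262144; ret #0"""
DUMPCAP_BPF = """ld #0x0; st M[0]; st M[1]; ldb [-4092]; jeq #0x1 jt 12 jf 5
ld #0x4; st M[0]; st M[1]; ldh [12]
jeq #0x8100 jt 12 jf 10; jeq #0x88a8 jt 12 jf 11; jeq #0x9100 jt 12 jf 22
ldx M[1]; ldh [x + 12]; jeq #0x800 jt 15 jf 22
ldx M[0]; ld [x + 26]; jeq #0xaef517b jt 21 jf 18
ldx M[0]; ld [x + 30]; jeq #0xaef517b jt 21 jf 22
ret #262144; ret #0"""

def run_bpf(listing, pkt, aux=None):
    """Run a BPF listing over bytes `pkt`; return the `ret` value (0 = packet dropped)."""
    prog = [INSN.match(s.strip()).groups() for s in re.split(r"[;\n]", listing) if s.strip()]
    a = x = pc = 0; mem = [0] * 16      # accumulator, index register, pc, scratch M[0..15]
    while True:
        op, arg, jt, jf = prog[pc]
        pc += 1
        if op == "ret":
            return int(arg[1:], 0)
        if op == "jeq":                 # conditional branch on the accumulator
            pc = int(jt) if a == int(arg[1:], 0) else int(jf)
        elif op == "st":                # store the accumulator to scratch memory
            mem[int(arg[2:-1])] = a
        elif op == "ldx":               # index register load (only ldx M[n] occurs here)
            x = mem[int(arg[2:-1])]
        elif arg.startswith("#"):       # ld #imm
            a = int(arg[1:], 0)
        else:                           # packet load [k] or [x + k]
            inner = arg[1:-1].replace(" ", "")
            k = x + int(inner[2:]) if inner.startswith("x+") else int(inner)
            width = {"ld": 4, "ldh": 2, "ldb": 1}[op]
            if k < 0:                   # ancillary extension, value supplied by caller
                a = (aux or {}).get(k, 0)
            elif k + width > len(pkt):  # out-of-bounds load rejects the packet
                return 0
            else:
                a = int.from_bytes(pkt[k:k + width], "big")

def eth_ip(src, dst, tagged):  # constructed Ethernet/IPv4 frame, optional 802.1Q tag (VID 10)
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])  # minimal 20-byte IPv4 header
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return bytes(12) + (b"\x81\x00\x00\x0a" if tagged else b"") + b"\x08\x00" + ip
```

Calling run_bpf(DUMPCAP_BPF, eth_ip("10.239.81.123", "10.0.0.1", True), {-4092: 0}) and run_bpf(WIRESHARK_BPF, eth_ip("10.239.81.123", "10.0.0.1", True)) both return 262144, while an untagged frame only passes the dumpcap program when the extension value is 1.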
