This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture filter coding for MDSHDR

0

Hi All,

I am trying to code capture filters for packets based on the mds header. The BPF opcode generated to filter the Dst Index is as follows.

{ 0x20, 0, 0, 0x00000013 },
{ 0x54, 0, 0, 0x0ffc0000 },
{ 0x15, 0, 1, 0x01000000 },
{ 0x6, 0, 0, 0x0000ffff },
{ 0x6, 0, 0, 0x00000000 },

the filter not only filters packets with Dst Index 0x40 but also 0x3c0

the packets look like

0       0       0       0       0       bc      6b      6b      6b      6b      6b      6b      fc      fc      80      8
0       46      fe      71      0       1       0       0       c9      ef      0       0       1e      e7      2       ff
ff      fd      0       ff      ff      fd      22      38      0       0       6c      0       0       0       51      13
ff      ff      0       0       0       0       14      0       0       0       2       0       0       0       0       0
0       c8      0       0       0       0       0       0       0       0       0       0       0       0       0       0
0       14      0       0       0       50      0       0       0       d0      0       1       4       2f      3       0
0       0       57      d5

and

0       0       0       0       ee      0       0       0       0       0       0       a       fc      fc      91      6
0       e2      ff      7f      0       40      0       1       0       0       0       10      1       0       20      ff
fa      4       0       ff      fa      4       1       0       0       2       0       0       0       0       ff      ff
ff      ff      0       0       0       0       0       0       0       0       0       0       0       13      0       0
0       5       9       5c      84      18      0       0       0       0       0       0       0       0       0       0
0       0       0       0       0       0       0       ff      fa      4       0       ff      fa      4       0       0
c       37      0       0       0       0       0       0       0       0       0       0       0       1       0       0
0       0       6       8       20      0       6       8       20      0       0       7a      49      0       8       b9
52      7c      74      d3      2b      7f      2b      d6      6e      8f      bd      17      a4      9a      1c      76
dd      84      3b      39      d4      9f      2b      ba      6c      88      db      67      aa      e3      21      fd
60      95      d0      8b      14      fb      61      83      8b      1f      9a      2f      b9      b6      a5      96
3a      e0      cf      e       7f      fa      c8      ec      83      a3      53      2d      86      74      2a      e6
a       fa      71      1e      f6      d3      a1      81      f2      3b      b0      ab      f1      56      41      2b
36      10      39      b6      a       1       a2      8d      a4      f5      bb      2b      6a      e5      11      74

It is kind of strange that the BPF code matched 1000000 and f000000 at the same time.

Could you kindly help me out? May be I am missing something basic.

Thanks and Regards, Aparna N

asked 05 Nov '14, 20:25

Aparna's gravatar image

Aparna
6558
accept rate: 0%

edited 06 Nov '14, 01:58

grahamb's gravatar image

grahamb ♦
19.8k330206