"(vlan and ...) or (...)" filter is not working #1211
Comments
Please see this answer in the FAQ. In short, if you rewrite the filter to test without a VLAN and then to test the same after a VLAN header, it should work as expected.
Yeah, "or" is a problem with any of the tests that shift the offset; see also #158, for example. The filter compiler was written in an era without variable-length link-layer headers, without VLANs, and without IPv6, and it needs restructuring to handle that.
Indeed, the hardcoded offset shift whenever a "vlan" tag is parsed, but not undone when moving out of that clause, seems to be an interesting source of BPF problems, where the filter expression would seem correct but compiles with the wrong offsets... Thus adding a special case for a lone "host " is not really possible. Sigh. Maybe the offset adjustment should be carried when generating the BPF expression, and adjusted accordingly when emitting the BPF atomics?
I.e., if pcap_findalldevs() fails, there is no partially-constructed list that its caller needs to free. Ping #1211; this fixes the documentation to match the way the code has worked since pcap_findalldevs() was added as an API.
tcpdump -r EYt4nIkBtM5AQXuy1s24.pcap '( vlan and host 10.10.100.101 and host 10.1.40.100 and port 56486 and port 53 ) or (host 10.10.100.101 and host 10.1.40.100 and port 53 and port 56486)'
I want to create filters with and without VLANs. Despite using 'or' in between, the filter results are empty. However, when I use it like this: tcpdump -r /home/suricap/2023-07-31/log.pcap.1690809649 'host 10.1.40.206 and host 10.59.1.32 and port 58877 and port 443', I receive packets. Even though I use 'or' in between, why can't I find packets with the general filter? What am I doing wrong?
tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 1.1.1k FIPS 25 Mar 2021
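The following is an added example, not libpcap or tcpdump code. It models, in plain Python, the compile-time offset behaviour the comments above describe: the "vlan" primitive moves the link-layer offset from 14 to 18, nothing moves it back when the next "or" clause starts, so the untagged clause that follows is compiled against the wrong offset and can never match. Two frames are constructed inline (one plain Ethernet, one 802.1Q-tagged) carrying the hosts and ports from the filter in the issue; the function names, the `vlan_id` value and the constructed frames are assumptions of this example. It also shows why the FAQ ordering (untagged test first, "vlan and ..." second) works with the same compiler state.

```python
import struct
import ipaddress

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_UDP = 17

HOSTS = ("10.10.100.101", "10.1.40.100")  # hosts from the filter in the issue
PORTS = (56486, 53)                        # ports from the filter in the issue


def build_ipv4_udp_frame(src, dst, sport, dport, vlan_id=None):
    """Constructed sample frame: Ethernet [802.1Q] IPv4 UDP, checksums left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)  # TPID + TCI
    eth += struct.pack("!H", ETH_P_IP)
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + udp


UNTAGGED = build_ipv4_udp_frame(*HOSTS, *PORTS)               # 42 bytes, IP header at 14
TAGGED = build_ipv4_udp_frame(*HOSTS, *PORTS, vlan_id=100)    # 46 bytes, IP header at 18


def match_hosts_ports(frame, ip_off, hosts, ports):
    """'host A and host B and port X and port Y' with the IPv4 header assumed at ip_off.
    As in compiled BPF, the offset is baked in: a wrong ip_off simply fails to match."""
    if ip_off + 28 > len(frame):
        return False
    if struct.unpack_from("!H", frame, ip_off - 2)[0] != ETH_P_IP:  # ethertype before IP
        return False
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != IPPROTO_UDP:
        return False
    src = str(ipaddress.IPv4Address(frame[ip_off + 12:ip_off + 16]))
    dst = str(ipaddress.IPv4Address(frame[ip_off + 16:ip_off + 20]))
    sport, dport = struct.unpack_from("!HH", frame, ip_off + ihl)
    return {src, dst} == set(hosts) and {sport, dport} == set(ports)


def compile_clauses(clauses):
    """Model of the compiler state the comments describe: each clause is
    (needs_vlan, hosts, ports); 'vlan' shifts the link-layer offset and nothing
    restores it when the following 'or' clause begins."""
    ip_off = 14
    compiled = []
    for needs_vlan, hosts, ports in clauses:
        if needs_vlan:
            ip_off = 18  # shifted here and never undone (the defect in the issue)
        compiled.append((needs_vlan, ip_off, hosts, ports))
    return compiled


def run_filter(frame, compiled):
    """Evaluate compiled clauses; the 'vlan' test itself only passes on tagged frames."""
    tagged = struct.unpack_from("!H", frame, 12)[0] == ETH_P_8021Q
    for needs_vlan, ip_off, hosts, ports in compiled:
        if needs_vlan and not tagged:
            continue
        if match_hosts_ports(frame, ip_off, hosts, ports):
            return True
    return False


VLAN_FIRST = [(True, HOSTS, PORTS), (False, HOSTS, PORTS)]   # the ordering in the issue
PLAIN_FIRST = [(False, HOSTS, PORTS), (True, HOSTS, PORTS)]  # the ordering the FAQ recommends


def faq_workaround_filter(hosts, ports):
    """Filter text in the FAQ order: the untagged test first, then the same after 'vlan'."""
    terms = " and ".join([f"host {h}" for h in hosts] + [f"port {p}" for p in ports])
    return f"({terms}) or (vlan and {terms})"


if __name__ == "__main__":
    for name, clauses in (("vlan first", VLAN_FIRST), ("plain first", PLAIN_FIRST)):
        c = compile_clauses(clauses)
        print(f"{name}: untagged={run_filter(UNTAGGED, c)} tagged={run_filter(TAGGED, c)}")
    print(faq_workaround_filter(HOSTS, PORTS))
```

Run as-is, the "vlan first" ordering matches only the tagged frame, because its second clause reads the ethertype at offset 16 and the IP header at 18 on a frame whose IP header starts at 14; the "plain first" ordering matches both frames. The practical check on a real build is `tcpdump -d '<filter>'`, which prints the compiled BPF so the load offsets of each clause can be compared.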