Ethereal-dev: Re: [ethereal-dev] 0.7.7: Problems filtering ip.addr with < or > operators

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Fri, 29 Oct 1999 16:54:45 -0500
On Fri, Oct 29, 1999 at 03:56:59PM -0500, a.pfaller@xxxxxxxxxx wrote:
> 
> 
> Linux 2.2.12, gtk 1.2.3

On an Intel platform, right? I'm guessing that you are using
a little-endian platform.

> I am unable to get the relational filter operators (<,>,<=,>=) to
> produce any resonable results.
> 
> E.g. trying to color code any IP packet leaving my local subnet
> (192.168.1.0/24) with the filter
> "ip.addr < 192.168.1.0 || ip.addr > 192.168.1.255"
> produces wrong results.
> 
> I have tried to locate the reason and currently I suspect this to be
> a byte ordering problem in the data delivered to
> check_relation_numeric() since the "==" and "!=" operator work as
> expected.

Right. The ipv4 address mechanism in the display filter routines store
the address as 32-bit unsigned ints in network order, not host order.
On a little-endian machine, you'll be out of luck when using < and >
(and <= and >=), since network order is big-endian.

I have recently been thinking about how to represent subnets within
the display filter routines, so that something like:

	ip.addr ne 192.168.1.0/24

would match a packet with either IP address not on your Class-C subnet.

Would that be a viable solution?
 
> Thanks for your work on ethereal.
> 
> Andreas (a.pfaller@xxxxxxxxxx)

--gilbert