Ethereal-users: [Ethereal-users] Capture filter bug.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Thu, 22 Feb 2001 15:59:37 -0600
Okay, here's an interesting one.

I'm capturing on a *very* highly-utilized link (~100Mb all the time).
Suppose I have traffic from two class B networks, 128.128.0.0/16 and
161.161.0.0/16, running through this link.

If I use the following capture filter:
    net 161.161.0.0/16

or:
    net 161.161.0.0 mask 255.255.0.0

(equivalent filters), and start a capture, the capture begins before the
filter is applied, and I get ~100 frames of just anything.  After about 0.01
or 0.02 seconds, the filter is applied and only matching traffic passes the
filter.

This problem seems new to me.  Does this have to do with libpcap-0.6.2 (as
opposed to 0.5), or the linux kernel (2.4.1 instead of 2.2.16)?  This didn't
happen before, using the same version of ethereal (0.8.15) on the same
machine.

...at least, not that I noticed.

Display filters, of course, work fine, and by duplicating the capture filter
in the display filter, saving to a file, and reopening, I can get the
original intended result, but that's a pain.  (whining)

Ideas?  Comments?  Flames?

--J