"(vlan and ...) or (...)" filter is not working

[frkn4129]

tcpdump -r EYt4nIkBtM5AQXuy1s24.pcap '( vlan and host 10.10.100.101 and host 10.1.40.100 and port 56486 and port 53 ) or (host 10.10.100.101 and host 10.1.40.100 and port 53 and port 56486)'

I want to create filters with and without VLANs. Despite using 'or' in between, the filter results are empty. However, when I use it like this: 'tcpdump -r /home/suricap/2023-07-31/log.pcap.1690809649 'host 10.1.40.206 and host 10.59.1.32 and port 58877 and port 443', I receive packets. Even though I use 'or' in between, why can't I find packets with the general filter? What am I doing wrong?

tcpdump version 4.99.1 libpcap version 1.10.1 (with TPACKET_V3) OpenSSL 1.1.1k FIPS 25 Mar 2021

[infrastation]

Please see this answer in the FAQ. In short, if you rewrite the filter to test without a VLAN and then to test the same after a VLAN header, it should work as expected.

[guyharris]

Yeah, "or" is a problem with any of the tests that shift the offset; see also #158, for example.

The filter compiler was written in an era without variable-length link-layer headers, without VLANs, and without IPv6, and it needs restructuring to handle that.

[rscheff]

Indeed, the hardcoded offset shift whenever a "vlan" tag is parsed, but not undone when moving out of that clause seems to be an interesting source for BPF problems, where the filter expression would seem correct, but compiles with the wrong offsets...

Thus adding a special case for a lone "host " is not really possible. sigh. maybe the offset adjustment should be carried when generating the BPF expression, and adjusted accordingly when emitting the BPF atomics?