libpcap icon indicating copy to clipboard operation
libpcap copied to clipboard

Published 20 hours ago verified publisher icon the-tcpdump-group

Under what conditions are shifts defined in the filter language?

Open kbara opened this issue 9 years ago • 2 comments

Optimization breaks matching on these filters: 2147483648 >> 11 = 1048576 and 1 << 31 = 2147483648 and 4294967295 << 31 = 2147483648

1 == 1 and 1 << 31 = 0x80000000 and 3 << 31 = 0x80000000

The second is a minimized version of the first. Further minimization, by removing any clause or by making the 3 << 31 smaller, appear to make the problem disappear.

3 << 31 is valid C, assuming unsigned 32-bit types. Is it valid libpcap filter language?

kbara avatar May 17 '15 11:05 kbara

libpcap version 1.5.3

% tcpdump  -ntr ../tests/data/tcp-ack-66-bytes.pcap '1 == 1 and 1 << 31 = 0x80000000 and 3 << 31 = 0x80000000'
reading from file ../tests/data/tcp-ack-66-bytes.pcap, link-type EN10MB (Ethernet)
% 

% tcpdump -O -ntr ../tests/data/tcp-ack-66-bytes.pcap '1 == 1 and 1 << 31 = 0x80000000 and 3 << 31 = 0x80000000' 
reading from file ../tests/data/tcp-ack-66-bytes.pcap, link-type EN10MB (Ethernet)
IP 149.174.156.93.54192 > 178.79.150.233.80: Flags [.], ack 3209860838, win 31, options [nop,nop,TS val 2756387939 ecr 4173199779], length 0
``

kbara avatar May 17 '15 11:05 kbara

This reproduces as described on the current master branch.

infrastation avatar Jun 02 '22 20:06 infrastation

The optimizer bug is fixed by #972.

tenarchits avatar Mar 14 '23 00:03 tenarchits

#972 merged.

guyharris avatar Jan 21 '24 23:01 guyharris