Question

I am attempting to generate a WinPcap filter from a configuration UI. Right now I have a filter string that looks like this ip && (((ip.src == 10.10.10.10 && (tcp.port == 10 || udp.port == 10)) && (ip.dst == 20.20.20.20 && (tcp.port == 20 || udp.port == 20)))). This filter is valid when I enter it into Wireshark, but when I attempt to compile it via WinPcap I get a syntax error. I have compiled a simple filter (ip and tcp) without an issue, so I know it has something to do with this filter string. Any ideas?


Solution

You might need to specify the protocol instead of just putting ip. For example:

(ip.proto == TCP) && ...

So the filter option you are using is conforming to the Wireshark syntax. You'll need to use the BPF format for capturing data to be able to switch back and forth between Wireshark and WinPcap. You can test out your filters using the 'Capture Options' on the specific interface you wish to collect on.

Your Wireshark filter would be translated to the following BPF code:

ip && (((ip src 10.10.10.10 && (port 10)) && (ip dst 20.20.20.20 && (port 20))))

See the FilterCaptures section in Wireshark and Filter expression syntax on WinPcap's page for more details.
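As an added example (not code from the question or the answer above), the following Python script does the translation the answer describes mechanically: it parses the small Wireshark display-filter subset used in the question (`ip`, `ip.src`, `ip.dst`, `tcp.port`, `udp.port`, `==`, `&&`, `||`, parentheses) and emits the equivalent BPF capture filter, rejecting anything it does not understand rather than guessing. It translates `tcp.port == N || udp.port == N` literally to `tcp port N or udp port N`; the answer's shorter `port N` is also valid BPF but additionally matches SCTP. The `compiles_with_libpcap` helper is an assumed optional check that hands the result to `pcap_compile` through `ctypes` (using `pcap_open_dead`, which needs no interface) when a libpcap or wpcap library is installed, and returns `None` otherwise.

```python
import ipaddress
import re

# Display-filter fields this example understands, mapped to BPF (constructed mapping)
_FIELD_TO_BPF = {
    "ip.src": "src host {}",
    "ip.dst": "dst host {}",
    "tcp.port": "tcp port {}",
    "udp.port": "udp port {}",
}
_PROTO_TO_BPF = {"ip": "ip", "tcp": "tcp", "udp": "udp"}

# One token per match: parens, operators, field names, dotted quads, integers
_TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||==|[A-Za-z_.]+|\d+(?:\.\d+){3}|\d+)")


def tokenize(text):
    """Split a display filter into tokens; raise on any character we do not handle."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser: '&&' binds tighter than '||', as in both grammars."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "||":
            self.take()
            left = f"{left} or {self.parse_and()}"
        return left

    def parse_and(self):
        left = self.parse_atom()
        while self.peek() == "&&":
            self.take()
            left = f"{left} and {self.parse_atom()}"
        return left

    def parse_atom(self):
        tok = self.take()
        if tok == "(":  # parenthesised group, kept verbatim in the output
            inner = self.parse_or()
            self.take(")")
            return f"({inner})"
        if tok in _FIELD_TO_BPF:  # field == value comparison
            self.take("==")
            value = self.take()
            if tok.startswith("ip."):
                ipaddress.IPv4Address(value)  # raises ValueError on a bad address
            elif not (0 <= int(value) <= 65535):
                raise ValueError(f"port out of range: {value}")
            return _FIELD_TO_BPF[tok].format(value)
        if tok in _PROTO_TO_BPF:  # bare protocol test such as 'ip' or 'tcp'
            return _PROTO_TO_BPF[tok]
        raise ValueError(f"unsupported display-filter token {tok!r}")


def translate(display_filter):
    """Translate a Wireshark display filter (supported subset) to a BPF capture filter."""
    parser = _Parser(tokenize(display_filter))
    bpf = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing input starting at {parser.peek()!r}")
    return bpf


def compiles_with_libpcap(bpf_text):
    """True/False if a pcap library is present to compile bpf_text, None if not (assumed helper)."""
    import ctypes
    import ctypes.util

    name = ctypes.util.find_library("pcap") or ctypes.util.find_library("wpcap")
    if not name:
        return None
    lib = ctypes.CDLL(name)

    class BpfProgram(ctypes.Structure):  # struct bpf_program
        _fields_ = [("bf_len", ctypes.c_uint), ("bf_insns", ctypes.c_void_p)]

    lib.pcap_open_dead.restype, lib.pcap_open_dead.argtypes = ctypes.c_void_p, [ctypes.c_int, ctypes.c_int]
    lib.pcap_compile.restype = ctypes.c_int
    lib.pcap_compile.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram), ctypes.c_char_p, ctypes.c_int, ctypes.c_uint]
    lib.pcap_freecode.argtypes = [ctypes.POINTER(BpfProgram)]
    lib.pcap_close.argtypes = [ctypes.c_void_p]
    handle = lib.pcap_open_dead(1, 65535)  # DLT_EN10MB, snaplen; no live interface needed
    if not handle:
        return None
    prog = BpfProgram()
    rc = lib.pcap_compile(handle, ctypes.byref(prog), bpf_text.encode(), 1, 0xFFFFFFFF)
    if rc == 0:
        lib.pcap_freecode(ctypes.byref(prog))
    lib.pcap_close(handle)
    return rc == 0


if __name__ == "__main__":
    # The filter from the question, run through the translator
    question_filter = ("ip && (((ip.src == 10.10.10.10 && (tcp.port == 10 || udp.port == 10)) "
                       "&& (ip.dst == 20.20.20.20 && (tcp.port == 20 || udp.port == 20))))")
    bpf = translate(question_filter)
    print(bpf)
    print("libpcap compile:", compiles_with_libpcap(bpf))
```

Because the parser keeps the user's parentheses and only rewrites leaves and operators, the generated BPF has the same precedence structure as the display filter; unsupported fields such as `ip.addr` or `frame.len` raise a `ValueError` at the UI layer instead of surfacing later as a WinPcap syntax error.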

License: CC-BY-SA with attribution
Not affiliated with StackOverflow