Ethereal-dev: Re: [Ethereal-dev] Error in display filter grammar?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxxxxxxx>
Date: Sat, 8 May 2004 14:32:31 -0500

On Saturday 08 May 2004 09:05, Olivier Biot wrote:
> Hi list,
>
> I often have captures where HTTP traffic runs on non-standard ports.
> In order to find the missing packets, I would intuitively use the
> following display filter:
>
>     !(http or tcp.reassembled_in) and tcp contains "HTTP/1."
>
> However this seems to be understood as:
>
>     ((!http) or tcp.reassembled_in) and tcp contains "HTTP/1."
>
> The only workaround I have today is writing:
>
>     !http and !tcp.reassembled_in and tcp contains "HTTP/1."
>
> I think it has to do with the following rule in grammar.lemon:
>
>     expr(X) ::= LPAREN expr(Y) RPAREN.
>     {
>         X = Y;
>     }
>
> Anyone a clue?
>

I ran your expression through dftest:
$ ./dftest '!(http or tcp.reassembled_in) and tcp contains "HTTP/1."'

and it comes up with this:

00000 CHECK_EXISTS      http
00001 IF-TRUE-GOTO      3
00002 CHECK_EXISTS      tcp.reassembled_in
00003 NOT
00004 IF-FALSE-GOTO     9
00005 READ_TREE         tcp -> reg#0
00006 IF-FALSE-GOTO     9
00007 PUT_FVALUE        <FT_PROTOCOL> -> reg#1
00008 ANY_CONTAINS      reg#0 contains reg#1
00009 RETURN

The dfvm opcodes appear to be correct. The "NOT" in line #3 will negate either 
the "CHECK_EXISTS http" or the "CHECK_EXISTS tcp.reassembled_in".

--gilbert
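
An added example, not part of the original thread or of Ethereal's code: a small Python model of the opcode listing above, run over every combination of http and tcp.reassembled_in being present and compared with the intended reading and the suspected one. The accumulator-and-register semantics in `run` are an assumption inferred from the listing and from the description of NOT in the reply; the packet dictionaries are constructed.

```python
from itertools import product
# Opcode listing transcribed from the dftest output in the message above.
PROGRAM = [
    ("CHECK_EXISTS", "http"),                # 0
    ("IF-TRUE-GOTO", 3),                     # 1
    ("CHECK_EXISTS", "tcp.reassembled_in"),  # 2
    ("NOT", None),                           # 3
    ("IF-FALSE-GOTO", 9),                    # 4
    ("READ_TREE", "tcp"),                    # 5
    ("IF-FALSE-GOTO", 9),                    # 6
    ("PUT_FVALUE", b"HTTP/1."),              # 7
    ("ANY_CONTAINS", None),                  # 8
    ("RETURN", None),                        # 9
]

def run(packet, program=PROGRAM):
    """Assumed VM model: one boolean accumulator, two registers, packet = {field: bytes}."""
    acc, pc, reg0, reg1 = False, 0, None, None
    while True:
        op, arg = program[pc]
        pc += 1
        if op == "CHECK_EXISTS":            # accumulator = field present in packet
            acc = arg in packet
        elif op == "READ_TREE":             # load field bytes, accumulator = found
            reg0 = packet.get(arg)
            acc = reg0 is not None
        elif op == "PUT_FVALUE":            # load the constant, accumulator unchanged
            reg1 = arg
        elif op == "ANY_CONTAINS":
            acc = reg1 in reg0
        elif op == "NOT":
            acc = not acc
        elif op == "IF-TRUE-GOTO" and acc:
            pc = arg
        elif op == "IF-FALSE-GOTO" and not acc:
            pc = arg
        elif op == "RETURN":
            return acc

def truth_table():
    """Rows of (http, reassembled, bytecode, intended reading, suspected reading)."""
    rows = []
    for http, reasm, data in product([False, True], [False, True], [b"GET / HTTP/1.1", b"\x16\x03\x01"]):
        pkt = {"tcp": data, **({"http": b""} if http else {}), **({"tcp.reassembled_in": b""} if reasm else {})}
        has = b"HTTP/1." in data
        rows.append((http, reasm, run(pkt), not (http or reasm) and has, ((not http) or reasm) and has))
    return rows

if __name__ == "__main__":
    print(*truth_table(), sep="\n")
```

In this model the bytecode column matches the intended reading on every row; it departs from the suspected reading on the rows where tcp.reassembled_in is present and the payload contains "HTTP/1.".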