Red Hat Bugzilla – Bug 154118
Colorfilter expressions matching incorrectly in ethereal-gnome
Last modified: 2007-11-30 17:11:03 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1
Description of problem:
Color filter expressions falsely match packets where no match should occur.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Start a clean (no existing .ethereal directory) instance of ethereal.
2. Open the attached (short) capture file.
3. Open the Color Filter dialog and create a new filter named "mysrc" with an
expression "ip.src==22.214.171.124 && tcp" and a background color "green".
4. Click on "Apply".
Actual Results: In addition to the correct packets (2 and 5), packets 3 and 6, which have neither
the correct source IP address nor the correct protocol, will be displayed with a
Expected Results: Only packets 2 and 4 should be colored.
With multiple, complex color filter expressions there are some strange
interactions. This is the simplest example I have found.
Created attachment 112819
Capture file, 6 packets, from tcpdump.
Expected results section should read: "Only packets 2 and 5 should be colored."
I've discussed it with ethereal developers and here's a conclusion. It's
generally not a bug.
ip.src==126.96.36.199 means, for ethereal, "in this packet there is a
source field inside an IP header that equals 188.8.131.52"; it does not
mean "the first IP header in this packet has a source field that equals
184.108.40.206". In your capture packets 3 and 6 are ICMP, and the ICMP
payload includes IP headers with those values.
As a practical tip, "ip.src==220.127.116.11 && tcp && !icmp" should give
the results you are looking for.
Thanks _very_ much for investigating that. I never would have guessed that
ethereal would dig down into the returned IP header within the ICMP message
and match on the fields within that header. That level of unexpected
sophistication is actually pretty scary, but it explains all of the strange
behavior I've been seeing.
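The matching behaviour explained in the thread above, as an added example that is not part of the original bug report and is not ethereal's code: a small parser that collects every IPv4 header in a packet, including the one quoted inside an ICMP error, and compares "any occurrence" matching with "outermost header only" matching and with the `!icmp` workaround. The addresses, packets and function names are constructed for illustration, and treating the `tcp` term as also matching a quoted TCP header is an assumption consistent with the results reported above.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ip_layers(packet):
    """Return [(src, proto), ...] for every IPv4 header, outermost first.
    Descends into ICMP errors, whose payload quotes the offending IP header."""
    layers, offset = [], 0
    while len(packet) - offset >= 20 and packet[offset] >> 4 == 4:
        ihl = (packet[offset] & 0x0F) * 4
        proto = packet[offset + 9]
        layers.append((socket.inet_ntoa(packet[offset + 12:offset + 16]), proto))
        offset += ihl
        # ICMP (proto 1) error types: 8-byte ICMP header, then the quoted header
        if (proto == 1 and len(packet) - offset >= 8
                and packet[offset] in (3, 4, 5, 11, 12)):
            offset += 8
        else:
            break
    return layers

def match_any_occurrence(packet, src):
    """Semantics described in the thread: any ip.src field, any TCP layer."""
    layers = ip_layers(packet)
    return any(s == src for s, _ in layers) and any(p == 6 for _, p in layers)

def match_outer_header(packet, src):
    """What the reporter expected: only the first IP header counts."""
    layers = ip_layers(packet)
    return bool(layers) and layers[0] == (src, 6)

def match_with_not_icmp(packet, src):
    """The suggested workaround: same filter with '&& !icmp' appended."""
    no_icmp = all(p != 1 for _, p in ip_layers(packet))
    return match_any_occurrence(packet, src) and no_icmp

# Constructed sample packets (documentation address ranges, not the capture)
HOST, PEER, ROUTER = "192.0.2.10", "198.51.100.7", "203.0.113.1"
tcp_stub = b"\x04\xd2\x00\x50" + b"\x00" * 4   # first 8 bytes of a TCP header
tcp_packet = ipv4_header(HOST, PEER, 6, 20) + tcp_stub + b"\x00" * 12
quoted = ipv4_header(HOST, PEER, 6, 20) + tcp_stub   # echoed by the ICMP error
icmp_error = (ipv4_header(ROUTER, HOST, 1, 8 + len(quoted))
              + struct.pack("!BBHI", 3, 1, 0, 0) + quoted)  # dest. unreachable
```

Here `icmp_error` is sent by `ROUTER`, yet it matches a source filter on `HOST` under any-occurrence semantics because it quotes the header of the packet that triggered it.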