Revision history [back]
If you look at the compiled BPF (using the Compile BPFs button in the Capture Options dialog) for each filter you can compare the result. The examples shown are for my WiFi interface:
tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
and the second, with the errant trailing paren removed:
(tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5)
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
If you look at the compiled BPF (using the Compile BPFs button in the Capture Options dialog) dftest) for each filter you can compare the result. The examples shown are for my WiFi interface:result:
tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
and the second, with the errant trailing paren removed:
(tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5)
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
If you look at the compiled BPF (using dftest) for each filter you can compare the result:
tcp && ((port 56 && host 1.2.3.4) or (port 57 && host 1.2.3.5))
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0
and the second, with the errant trailing paren removed:
(tcp && port 56 && host 1.2.3.4) or (tcp && port 57 && host 1.2.3.5)
(000) ldh [12]
(001) jeq #0x86dd jt 25 jf 2
(002) jeq #0x800 jt 3 jf 25
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 25
(005) ldh [20]
(006) jset #0x1fff jt 25 jf 7
(007) ldxb 4*([14]&0xf)
(008) ldh [x + 14]
(009) jeq #0x38 jt 12 jf 10
(010) ldh [x + 16]
(011) jeq #0x38 jt 12 jf 16
(012) ld [26]
(013) jeq #0x1020304 jt 24 jf 14
(014) ld [30]
(015) jeq #0x1020304 jt 24 jf 16
(016) ldh [x + 14]
(017) jeq #0x39 jt 20 jf 18
(018) ldh [x + 16]
(019) jeq #0x39 jt 20 jf 25
(020) ld [26]
(021) jeq #0x1020305 jt 24 jf 22
(022) ld [30]
(023) jeq #0x1020305 jt 24 jf 25
(024) ret #262144
(025) ret #0