Capture filter - tcpdump man page - syntax error?

Question

I have found a capture filter in the tcpdump man page (and replicated in several other places) that does not make sense. The filter is:

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst 192.168

Unless I misunderstand - the last part (and not src and dst net) is incorrect. The "not" would only negate src - dst would not be negated.

Isn't this how that filter would actually have to be entered?

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not (src or dst net 192.168)

I've searched the net for over an hour and can't find the explanation - any help at all would be very much appreciated.

Answer 1

Isn't this how that filter would actually have to be entered?
tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not (src or dst net 192.168)

If you print the BPF code for both of these statements, you'll see, that they are the same, meaning the filter is identical.

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net 192.168' -d
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not (src and dst net 192.168)' -d

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 16
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 16
(004) ldh      [20]
(005) jset     #0x1fff          jt 16   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 27]
(008) jset     #0x3             jt 9    jf 16
(009) ld       [26]
(010) and      #0xffff0000
(011) jeq      #0xc0a80000      jt 12   jf 15
(012) ld       [30]
(013) and      #0xffff0000
(014) jeq      #0xc0a80000      jt 16   jf 15
(015) ret      #65535
(016) ret      #0

Without further checking, I would say, that's due to the precedence of the not operator. See man page of pcap-filter(7).

Regards
Kurt