When we use a BPF filter, the order in the filter influences the result:
Here we have a file (deux_pack.dmp) with only 2 packets with the FIN flag.
We apply a filter which looks for a specific value in the data (tcp[20] = 0xff) or a FIN flag.
When we do this in this order, we obtain no packets after filtering (file test.dmp).
When we first check the flags and then the value (we change the order in the BPF filter), we obtain our packets (test2.dmp).
See the tcpdump commands below, and the number of packets in the files (with the capinfos command).
Do you have any explanation?
Thanks
********
tcpdump -r deux_pack.dmp -w test.dmp "tcp[20] = 0xff or (tcp[tcpflags] & tcp-fin != 0)"
reading from file deux_pack.dmp, link-type EN10MB (Ethernet)
********
tcpdump -r deux_pack.dmp -w test2.dmp "(tcp[tcpflags] & tcp-fin != 0) or tcp[20] = 0xff"
reading from file deux_pack.dmp, link-type EN10MB (Ethernet)
********
capinfos deux_pack.dmp test2.dmp test.dmp
File name: deux_pack.dmp
File type: libpcap (tcpdump, Ethereal, etc.)
Number of packets: 2
File size: 164 bytes
Data size: 120 bytes
Capture duration: 0.000901 seconds
Start time: Thu May 24 09:00:00 2007
End time: Thu May 24 09:00:00 2007
Data rate: 133187.74 bytes/s
Data rate: 1065501.94 bits/s
Average packet size: 60.00 bytes

File name: test2.dmp
File type: libpcap (tcpdump, Ethereal, etc.)
Number of packets: 2
File size: 164 bytes
Data size: 120 bytes
Capture duration: 0.000901 seconds
Start time: Thu May 24 09:00:00 2007
End time: Thu May 24 09:00:00 2007
Data rate: 133187.74 bytes/s
Data rate: 1065501.94 bits/s
Average packet size: 60.00 bytes

File name: test.dmp
File type: libpcap (tcpdump, Ethereal, etc.)
Number of packets: 0
File size: 24 bytes
Data size: 0 bytes
Capture duration: 0.000000 seconds
Start time: Thu Jan 1 01:00:00 1970
End time: Thu Jan 1 01:00:00 1970
Data rate: nan bytes/s
Data rate: nan bits/s
Average packet size: nan bytes
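An added example (editorial, not part of the original report or of tcpdump/libpcap) that models the behaviour described above. The capinfos output is the clue: the on-disk size of deux_pack.dmp is 164 bytes, which is the 24-byte pcap file header plus 2 records of 16 + 54 bytes, while the data size is 120 bytes, i.e. 60 bytes per packet on the wire. So each record holds only the 54 header bytes (Ethernet + IPv4 + TCP with no options) and the 6 bytes of Ethernet padding were not captured. With a 20-byte IP header, tcp[20] is frame byte 54, which lies one byte past the captured data. The BPF interpreter in libpcap treats a load beyond the captured length as a rejection of the whole packet, not as a false sub-expression, and `or` is evaluated left to right with a jump to "accept" at the first true term. Putting tcp[20] first therefore executes the out-of-range load and rejects both packets; putting the FIN test first accepts them before the load is ever reached. The code below constructs two FIN frames of exactly 54 bytes (a constructed sample, not the reporter's deux_pack.dmp), evaluates both orderings with those semantics, and can write the frames as a pcap file so the same experiment can be re-run with real tcpdump. It also shows the second caveat for a padded 60-byte frame: tcp[20] then reads Ethernet padding, not TCP data.

```python
"""Model of BPF `or` ordering when one term loads past the captured length."""
import struct

ETH_HDR = 14          # Ethernet header length, DLT_EN10MB
TCPFLAGS = 13         # offset of the flags byte inside the TCP header
TCP_FIN = 0x01        # value of tcp-fin in pcap-filter syntax
ETH_MIN_FRAME = 60    # minimum Ethernet frame size on the wire (padding excluded from the capture here)


class LoadOutOfRange(Exception):
    """A tcp[n] load that falls outside the captured bytes.

    libpcap's interpreter returns 0 (reject) for the *entire* filter program when
    this happens; it does not simply treat the comparison as false."""


def tcp_load(frame: bytes, n: int) -> int:
    """Emulate the BPF load for tcp[n] on an Ethernet/IPv4/TCP frame (no fragmentation)."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4            # IPv4 header length is variable
    off = ETH_HDR + ihl + n
    if off >= len(frame):                          # compare against the *captured* length
        raise LoadOutOfRange(f"offset {off} >= caplen {len(frame)}")
    return frame[off]


def data_is_ff(frame: bytes) -> bool:
    """tcp[20] = 0xff"""
    return tcp_load(frame, 20) == 0xFF


def has_fin(frame: bytes) -> bool:
    """tcp[tcpflags] & tcp-fin != 0"""
    return (tcp_load(frame, TCPFLAGS) & TCP_FIN) != 0


def run_filter(terms, frame: bytes) -> bool:
    """Evaluate an OR of terms like the BPF interpreter: left to right, stop at the
    first true term, and reject the packet outright on an out-of-range load."""
    try:
        return any(term(frame) for term in terms)
    except LoadOutOfRange:
        return False


# The two orderings from the report.
DATA_FIRST = [data_is_ff, has_fin]   # "tcp[20] = 0xff or (tcp[tcpflags] & tcp-fin != 0)"
FIN_FIRST = [has_fin, data_is_ff]    # "(tcp[tcpflags] & tcp-fin != 0) or tcp[20] = 0xff"


def count_matches(frames, terms) -> int:
    return sum(run_filter(terms, f) for f in frames)


def build_fin_frame(seq: int = 1) -> bytes:
    """Constructed 54-byte Ethernet/IPv4/TCP frame with FIN|ACK set and no payload.
    Addresses are documentation values (RFC 5737), not taken from the report."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x11, 8192, 0, 0)
    return eth + ip + tcp


def pad_to_min(frame: bytes) -> bytes:
    """What the frame looks like if the capture also kept the Ethernet padding."""
    return frame + b"\x00" * max(0, ETH_MIN_FRAME - len(frame))


def pcap_bytes(frames, wire_len: int = ETH_MIN_FRAME) -> bytes:
    """Serialize frames as a classic pcap file (caplen = bytes stored, orig_len = wire length)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = EN10MB
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1180000000 + i, 0, len(f), max(wire_len, len(f))) + f
    return out


if __name__ == "__main__":
    frames = [build_fin_frame(1), build_fin_frame(2)]
    print("caplen 54, data first:", count_matches(frames, DATA_FIRST))   # 0
    print("caplen 54, FIN first: ", count_matches(frames, FIN_FIRST))    # 2
    padded = [pad_to_min(f) for f in frames]
    print("caplen 60, data first:", count_matches(padded, DATA_FIRST))   # 2, but tcp[20] is padding
    with open("two_fin.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))   # 164 bytes, same layout as deux_pack.dmp
```

Running the script writes two_fin.pcap; applying the two tcpdump commands from the report to it reproduces the 0-versus-2 result, and tcpdump -d shows that the order of the BPF instructions follows the order of the terms. The practical lesson for filter authors is that a byte-offset test on data that may not be present should come last, or be guarded by a length test, because `or` in BPF is not commutative once a load can fall past the captured length.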
Date: 2007-09-30 20:34
| Field | Old Value | Date | By |
|---|---|---|---|
| summary | bpf filter | 2007-05-24 09:23 | yassine_t |