Home page logo
/

wireshark logo Wireshark mailing list archives

Re: Running BPF filters on raw packet data (no devices)
From: Gal Sagie <gal.sagie () gmail com>
Date: Mon, 17 Jun 2013 07:39:33 +0300

Thanks Guy, that worked!


On Sun, Jun 16, 2013 at 8:28 PM, Guy Harris <guy () alum mit edu> wrote:

(The mailing list for libpcap is tcpdump-workers () lists tcpdump org -
think of it as also being "libpcap-workers", "libpcap-users", and
"tcpdump-users".  However, I'll answer this here.

On Jun 16, 2013, at 10:05 AM, Gal Sagie <gal.sagie () gmail com> wrote:

I want to achieve the following :

1) I have a raw packet buffer, i want to search if they match a certain
BPF filter (i dont care about the device or how i received this packet
buffer) just want
   to know it match or doesn't match.

The code i tried :
      •  pkt = pointer to packet data
      •         char errbuf[PCAP_ERRBUF_SIZE];
      •         pcap_t* pc = pcap_create("any",&errbuf);

That's one thing you're doing wrong.  If you're not going to capture on a
device or pseudo-device, don't open it.

If you have a packet with a given type of link-layer headers, there is no
guarantee that you will even *have* a device that will provide the same
type of link-layer headers, and that is what you will need in order to
compile a filter with pcap_compile() and have it work on your packet.

So:

        pcap_t *pc = pcap_open_dead(linktype, 65536);

        struct bpf_program fp;
        int res = pcap_compile(pc,&fp,"ip",0,0);
        pcap_close(pc);         /* not needed any more */

        struct pcap_pkthdr hdr;
        memset(&hdr,0,sizeof(hdr));
        hdr.caplen = pkt->pkt_len;
        hdr.len = pkt->pkt_len;

        u_char* data = (unsigned char *)pkt->data;

        int match = pcap_offline_filter(&fp, &hdr ,data);
        printf("Packet Match = %d\r\n",match);

You will *HAVE* to choose a value for linktype yourself; there is no value
that can possibly work for all packets, because the BPF program generated
by pcap_compile() *HAS* to know what link-layer headers, if any, are at the
beginning of the packet - there is none that will simultaneously work on
packets with Ethernet headers (DLT_EN10MB) and packets with 802.11 headers
(DLT_IEEE802_11) and packets with PPP headers (DLT_PPP) and packets with no
link-layer headers (DLT_RAW, where the packets begin with IPv4 or IPv6
headers) and packets with a "radiotap" header followed by an 802.11 header
(DLT_IEEE802_11_RADIO) and packets with the "fake" headers provided by the
"any" device (DLT_LINUX_SLL - packets captured on the "any" device have
those, rather than the native headers for the particular device from which
a particular packet was captured).

See

        http://www.tcpdump.org/linktypes.html

for a list of the link-layer header types available.  The DLT_ values are
the ones you would use in the call to pcap_open_dead().
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org
?subject=unsubscribe




-- 
Best Regards ,

The G.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]