(The mailing list for libpcap is tcpdump-workers () lists tcpdump org -
think of it as also being "libpcap-workers", "libpcap-users", and
"tcpdump-users". However, I'll answer this here.
On Jun 16, 2013, at 10:05 AM, Gal Sagie <gal.sagie () gmail com> wrote:
I want to achieve the following:
1) I have a raw packet buffer, and I want to check whether it matches a certain
BPF filter (I don't care about the device or how I received this packet
buffer); I just want to know whether it matches or doesn't match.
The code I tried:
pkt = pointer to packet data
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pc = pcap_create("any", errbuf);  /* errbuf is already a char array; &errbuf has the wrong type */
That's one thing you're doing wrong. If you're not going to capture on a
device or pseudo-device, don't open it.
If you have a packet with a given type of link-layer headers, there is no
guarantee that you will even *have* a device that will provide the same
type of link-layer headers, and that is what you will need in order to
compile a filter with pcap_compile() and have it work on your packet.
pcap_t *pc = pcap_open_dead(linktype, 65536);
struct bpf_program fp;
int res = pcap_compile(pc, &fp, "ip", 0, 0);
if (res == -1) {
    fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(pc));
    /* handle the error here; fp is not valid when pcap_compile() fails */
}
pcap_close(pc); /* not needed any more; the compiled program is independent of it */
struct pcap_pkthdr hdr;
memset(&hdr, 0, sizeof hdr);
hdr.caplen = pkt->pkt_len;
hdr.len = pkt->pkt_len;
const u_char *data = (const u_char *)pkt->data;
int match = pcap_offline_filter(&fp, &hdr, data);
printf("Packet Match = %d\r\n", match);
pcap_freecode(&fp); /* release the compiled program once you are done with it */
You will *HAVE* to choose a value for linktype yourself; there is no value
that can possibly work for all packets, because the BPF program generated
by pcap_compile() *HAS* to know what link-layer headers, if any, are at the
beginning of the packet - there is none that will simultaneously work on
packets with Ethernet headers (DLT_EN10MB) and packets with 802.11 headers
(DLT_IEEE802_11) and packets with PPP headers (DLT_PPP) and packets with no
link-layer headers (DLT_RAW, where the packets begin with IPv4 or IPv6
headers) and packets with a "radiotap" header followed by an 802.11 header
(DLT_IEEE802_11_RADIO) and packets with the "fake" headers provided by the
"any" device (DLT_LINUX_SLL - packets captured on the "any" device have
those, rather than the native headers for the particular device from which
a particular packet was captured).
for a list of the link-layer header types available. The DLT_ values are
the ones you would use in the call to pcap_open_dead().
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>