tcpdump mailing list archives

Filter works in tcpdump, but not in my libpcap implementation?


From: ness <nessup () gmail com>
Date: Sat, 30 Dec 2006 09:49:26 -0700

Hi-

I am coding an app that is supposed to capture packets based on the first 3 bytes of the ethernet header -- the destination MAC OUI -- and bytes 7 through 9 -- the source MAC OUI. In other words, I am sniffing for any packets that have to do with a host whose ethernet address begins with 0x00, 0x09, and 0xbf. Executing the below filter...

(ether[0] == 0x00 && ether[1] == 0x09 && ether[2] == 0xbf) || (ether[6] == 0x00 && ether[7] == 0x09 && ether[8] == 0xbf)

... in tcpdump worked flawlessly and suited my needs, so I began to transition the filter to my application. Once implemented, I ran the filter, and libpcap reported absolutely no error in the process of compiling or adding the filter in my app.

Then I fed my computer with packets that should have interested my BPF filter, but on the contrary, no packets were captured by my application. At first I thought it was a programming flaw of my own, so I removed the filter completely and sniffed for any packets that libpcap could grab... it caught everything, and my callback function was informed of the received packets.

So I added my filter back in--and still, no packets. Then I copied and pasted the same filter in tcpdump--worked perfectly.

Below are a few interesting snippets of my code pertaining to libpcap. All of the code is running on the main thread. Tcpdump and my implementation both ran on an Airport Extreme card with WEP, but I doubt that has any relevance.

static pcap_t *pcap;
...

  char filter[128];
  struct bpf_program fp;

  memset( filter, '\0', sizeof(filter) );
  memset( pcap_errbuf, 0, sizeof(pcap_errbuf) );

  if( (pcap = pcap_open_live( dev, 65535, 1, 0, pcap_errbuf )) == NULL ) {
    return (-1);
  }

  strcpy( filter, "(ether[0] == 0x00 && ether[1] == 0x09 && ether[2] == 0xbf)"
                  " || (ether[6] == 0x00 && ether[7] == 0x09 && ether[8] == 0xbf)" );
  if( pcap_compile( pcap, &fp, filter, 0, netmask ) == -1 ) {
    return (-1);
  }
  if( pcap_setfilter( pcap, &fp ) == -1 ) {
    return (-1);
  }
...
  pcap_loop( pcap, -47, (void *)packethandler, NULL );
...
void
packethandler( u_char *user, const struct pcap_pkthdr *pkthdr,
               const u_char *packet )
{
  printf( "got packet\n" );
}

Any ideas as to why my app isn't capturing packets it should be?

Happy holidays,
--ness

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
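
An added example, not part of the original post and not libpcap code: a minimal classic-BPF interpreter running a hand-assembled equivalent of the OUI filter above against constructed frames, to show what the expression tests byte by byte. The instruction layout, the program (which is not necessarily what pcap_compile emits) and the sample frames are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified instruction, laid out like a classic BPF instruction. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };  /* classic BPF opcodes */

/* Hand-assembled OUI filter; jt/jf are offsets from the next instruction. */
static const struct insn oui_prog[] = {
    { LDB_ABS, 0, 0, 0 }, { JEQ_K, 0, 4, 0x00 },  /* ether[0], else try source */
    { LDB_ABS, 0, 0, 1 }, { JEQ_K, 0, 2, 0x09 },  /* ether[1] */
    { LDB_ABS, 0, 0, 2 }, { JEQ_K, 6, 0, 0xbf },  /* ether[2]: match -> accept */
    { LDB_ABS, 0, 0, 6 }, { JEQ_K, 0, 5, 0x00 },  /* ether[6], else reject */
    { LDB_ABS, 0, 0, 7 }, { JEQ_K, 0, 3, 0x09 },  /* ether[7] */
    { LDB_ABS, 0, 0, 8 }, { JEQ_K, 0, 1, 0xbf },  /* ether[8] */
    { RET_K, 0, 0, 65535 },                       /* accept: keep whole packet */
    { RET_K, 0, 0, 0 },                           /* reject */
};

/* Returns the number of bytes to keep; 0 means the packet is dropped. */
static uint32_t run_filter(const struct insn *prog, size_t n,
                           const uint8_t *pkt, size_t caplen)
{
    uint32_t a = 0;                               /* accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LDB_ABS:                             /* load past the end rejects */
            if (i->k >= caplen) return 0;
            a = pkt[i->k];
            break;
        case JEQ_K: pc += (a == i->k) ? i->jt : i->jf; break;
        case RET_K: return i->k;
        default:    return 0;                     /* unknown opcode: reject */
        }
    }
    return 0;
}

static uint32_t oui_filter(const uint8_t *pkt, size_t caplen)
{ return run_filter(oui_prog, sizeof oui_prog / sizeof oui_prog[0], pkt, caplen); }

/* Constructed Ethernet headers: dst MAC, src MAC, EtherType. */
static const uint8_t to_host[14]   = {0x00,0x09,0xbf,1,2,3, 0x02,0,0,4,5,6, 8,0};
static const uint8_t from_host[14] = {0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x09,0xbf,1,2,3, 8,6};
static const uint8_t unrelated[14] = {0x00,0x09,0xbe,1,2,3, 0x02,0,0,4,5,6, 8,0};

int main(void) { printf("%u %u %u\n", (unsigned)oui_filter(to_host, 14),
    (unsigned)oui_filter(from_host, 14), (unsigned)oui_filter(unrelated, 14)); return 0; }
```

To see the program libpcap actually generates for an expression, tcpdump's -d option prints the compiled filter code.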

