tcpdump mailing list archives

Re: Pcap filters for saved capture files?


From: "Nick Chorley" <nick.chorley () gmail com>
Date: Mon, 6 Aug 2007 20:17:26 +0100

On 06/08/2007, Guy Harris <guy () alum mit edu> wrote:

Nick Chorley wrote:

I'm using libpcap in programs I'm writing and I already have saved capture
files. I've seen many examples of using pcap_compile() and pcap_setfilter()
for capturing live packets, but none for use with offline files. The last
argument to pcap_compile() seems to be an IP address, but obviously if
you're opening a file, there's no device and hence no address.

To quote the top-of-tree version of the libpcap man page:

        int pcap_compile(pcap_t *p, struct bpf_program *fp, const char *str,
                         int optimize, bpf_u_int32 netmask);

                ...

        "pcap_compile()" is used to compile the string "str"
into a filter program.  "program" is a pointer to a "bpf_program" struct
and is filled in by "pcap_compile()".  "optimize" controls whether
optimization on the resulting code is performed.  "netmask" specifies
the IPv4 netmask of the network on which packets are being captured; it
is used only when checking for IPv4 broadcast addresses in the filter
program.  If the netmask of the network on which packets are being
captured isn't known to the program, or if packets are being captured on
the Linux "any" pseudo-interface that can capture on more than one
network, a value of 0 can be supplied; tests for IPv4 broadcast addresses
won't be done correctly, but all other tests in the filter program will
be OK.  A return of -1 indicates an error in which case "pcap_geterr()"
may be used to display the error text.

I.e., it's a network mask, not a full IP address, and, if you don't know
what the network mask was for the interface on which the capture was
done, you can just specify 0, which just means that filters that check
for IPv4 broadcast addresses won't work.


Oh, thanks very much! Some of the tutorials I have seen refer to that
parameter as an IP address... grr.

Thanks again,

NC

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.