Re: Multiple filter compilation/filtering in offline mode ??

[Guy Harris <guy () alum mit edu>]

On Jun 30, 2011, at 10:30 AM, V K wrote:

> And once packet is read using pcap_next(), I want to check that packet
> against all filters and mark the filter that matches the packet
>
> Is there a way one could compile multiple filters,

Have separate "struct bpf_program" structures for each filter, and call pcap_compile() for each filter.

> read the packets

pcap_next(), or whatever

> and for each packet check true/false for individual filter matches ?

bpf_filter()

Not document, but it's in libpcap:

        u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);

First argument is the bf_insns member of the "struct bpf_program" for the filter, second argument points to the raw 
packet data, third argument is "len" from the struct pcap_pkthdr for the packet, fourth argument is "caplen" from the 
struct pcap_pkthdr for the packet.  It returns 0 if the packet doesn't match the filter and a non-zero value if it does.

> This would extend itself to a "live" capture program as well, where _ALL_
> packets would be sniffed (without any filter) and as each packet is read, it is then compared against individual 
> filters to find the matching one

Same answer.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.