Re: Calling pcap_compile() more than once on the same pcap_t *

[Guy Harris <guy () alum mit edu>]

On Nov 17, 2011, at 3:43 AM, Fernando Gont wrote:

> Is it possible to call pcap_compile() more than once on the same libpcap
> descriptor (pcap_t *)?

If it doesn't work, that's a bug.  pcap_compile() should

        1) use the pcap_t only to get information such as the link-layer header type and snapshot length, and not 
*modify* it

and

        2) should reset its internal state before doing any other work.

pcap_compile() is *NOT*, however, thread-safe, so if your program is multi-threaded, you'll need to make sure only one 
thread of control is running in pcap_compile() at any time.

> What I'm trying to do is caputuring some packets with a specific libpcap
> filter, and then reuse the same descriptor to capture packets with a
> *different* libpcap filter.

That involves calling *both* pcap_compile() *and* pcap_setfilter().  Note that changing the filter can cause packets 
captured with the old filter but not yet read to be discarded.

> (FWIW, in one of the calls to pcap_compile() I'm getting "snaplen of 0
> rejects all packets"...)

What calls did you make to get the pcap_t * you passed to pcap_compile() in that case?-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.