tcpdump mailing list archives
Re: Query about running many, many, rules
From: Guy Harris <guy () alum mit edu>
Date: Wed, 19 Jun 2013 11:12:27 -0700
On Jun 19, 2013, at 10:44 AM, Alan DeKok <aland () deployingradius com> wrote:
> However... I can't do this right now. There's pcap_open_live() for interfaces. There's pcap_open_offline() for files. There's no interface which says "here's a packet, run the rule against it".
$ man pcap_offline_filter

PCAP_OFFLINE_FILTER(3PCAP)                      PCAP_OFFLINE_FILTER(3PCAP)

NAME
       pcap_offline_filter - check whether a filter matches a packet

SYNOPSIS
       #include <pcap/pcap.h>

       int pcap_offline_filter(struct bpf_program *fp,
               const struct pcap_pkthdr *h, const u_char *pkt)

DESCRIPTION
       pcap_offline_filter() checks whether a filter matches a packet.
       fp is a pointer to a bpf_program struct, usually the result of a
       call to pcap_compile().  h points to the pcap_pkthdr structure
       for the packet, and pkt points to the data in the packet.

RETURN VALUE
       pcap_offline_filter() returns the return value of the filter
       program.  This will be zero if the packet doesn't match the
       filter and non-zero if the packet matches the filter.

SEE ALSO
       pcap(3PCAP), pcap_compile(3PCAP)

Older versions of libpcap don't have that, but they might have bpf_filter(), in which case you can make your own pcap_offline_filter() routine:

    int
    pcap_offline_filter(const struct bpf_program *fp,
        const struct pcap_pkthdr *h, const u_char *pkt)
    {
        /* Compiled BPF instructions; NULL if nothing was compiled. */
        const struct bpf_insn *fcode = fp->bf_insns;

        if (fcode != NULL)
            /* bpf_filter(insns, packet, wire length, captured length) */
            return (bpf_filter(fcode, pkt, h->len, h->caplen));
        else
            return (0);
    }

Fill in a "struct pcap_pkthdr" (the filter doesn't look at the time stamp; all it cares about is "caplen", which tells it how much packet data there is, and "len", which tells it what the length is for the "len" value and the "less" and "greater" tests), and pass that and a pointer to the raw packet data to pcap_offline_filter().

To compile a filter, you could create a pcap_t with pcap_open_dead() (unless you have a *really* old version of libpcap), passing it the appropriate DLT_ value for the particular set of link-layer headers and possible metadata headers your packets have (if they have more than one, you'll need multiple filters and run the appropriate one for each packet) and a snapshot length (all you're doing with the filter is getting a "yes or no" answer, so just pass in a non-zero value).
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Current thread:
- Query about running many, many, rules Alan DeKok (Jun 19)
- Re: Query about running many, many, rules Guy Harris (Jun 19)
- Re: Query about running many, many, rules Alan DeKok (Jun 19)
- Re: Query about running many, many, rules Guy Harris (Jun 19)