tcpdump mailing list archives

Re: Query about running many, many, rules


From: Guy Harris <guy () alum mit edu>
Date: Wed, 19 Jun 2013 11:12:27 -0700


On Jun 19, 2013, at 10:44 AM, Alan DeKok <aland () deployingradius com> wrote:

> However... I can't do this right now.  There's pcap_open_live() for
> interfaces.  There's pcap_open_offline() for files.  There's no
> interface which says "here's a packet, run the rule against it".

$ man pcap_offline_filter
PCAP_OFFLINE_FILTER(3PCAP)                          PCAP_OFFLINE_FILTER(3PCAP)

NAME
       pcap_offline_filter - check whether a filter matches a packet

SYNOPSIS
       #include <pcap/pcap.h>

       int pcap_offline_filter(struct bpf_program *fp,
               const struct pcap_pkthdr *h, const u_char *pkt)

DESCRIPTION
       pcap_offline_filter()  checks whether a filter matches a packet.  fp is
       a pointer to a bpf_program struct, usually the  result  of  a  call  to
       pcap_compile().   h points to the pcap_pkthdr structure for the packet,
       and pkt points to the data in the packet.

RETURN VALUE
       pcap_offline_filter() returns the return value of the  filter  program.
       This  will  be zero if the packet doesn't match the filter and non-zero
       if the packet matches the filter.

SEE ALSO
       pcap(3PCAP), pcap_compile(3PCAP)

Older versions of libpcap don't have that, but they might have bpf_filter(), in which case you can make your own 
pcap_offline_filter() routine:

        /* Fallback for libpcap versions that lack pcap_offline_filter()
         * but still export bpf_filter(): same semantics, non-zero on match. */
        #include <pcap/pcap.h>

        int
        pcap_offline_filter(const struct bpf_program *fp, const struct pcap_pkthdr *h,
            const u_char *pkt)
        {
                const struct bpf_insn *fcode = fp->bf_insns;

                /* bpf_filter() takes the on-the-wire length first, then caplen. */
                if (fcode != NULL)
                        return (bpf_filter(fcode, pkt, h->len, h->caplen));
                else
                        return (0);
        }

Fill in a "struct pcap_pkthdr" (the filter doesn't look at the time stamp; all it cares about is "caplen", which tells 
it how much packet data there is, and "len", which tells it what the length is for the "len" value and the "less" and 
"greater" tests), and pass that and a pointer to the raw packet data to pcap_offline_filter().

To compile a filter, you could create a pcap_t with pcap_open_dead() (unless you have a *really* old version of 
libpcap), passing it the appropriate DLT_ value for the particular set of link-layer headers and possible metadata 
headers your packets have (if they have more than one, you'll need multiple filters and run the appropriate one for 
each packet) and a snapshot length (all you're doing with the filter is getting a "yes or no" answer, so just pass in a 
non-zero value). 
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers