Wireshark mailing list archives
Re: Running BPF filters on raw packet data (no devices)
From: Gal Sagie <gal.sagie () gmail com>
Date: Mon, 17 Jun 2013 07:39:33 +0300
Thanks Guy, that worked!

On Sun, Jun 16, 2013 at 8:28 PM, Guy Harris <guy () alum mit edu> wrote:

> (The mailing list for libpcap is tcpdump-workers () lists tcpdump org - think of it as also being "libpcap-workers", "libpcap-users", and "tcpdump-users". However, I'll answer this here.)
>
> On Jun 16, 2013, at 10:05 AM, Gal Sagie <gal.sagie () gmail com> wrote:
>
>> I want to achieve the following:
>>
>> 1) I have a raw packet buffer, I want to search if it matches a certain BPF filter (I don't care about the device or how I received this packet buffer), I just want to know whether it matches or doesn't match.
>>
>> The code I tried:
>>
>>     /* pkt = pointer to packet data */
>>     char errbuf[PCAP_ERRBUF_SIZE];
>>     pcap_t *pc = pcap_create("any", errbuf);   /* errbuf, not &errbuf: pcap_create() takes a char * */
>
> That's one thing you're doing wrong. If you're not going to capture on a device or pseudo-device, don't open it. If you have a packet with a given type of link-layer headers, there is no guarantee that you will even *have* a device that will provide the same type of link-layer headers, and that is what you will need in order to compile a filter with pcap_compile() and have it work on your packet.
>
> So:
>
>     pcap_t *pc = pcap_open_dead(linktype, 65536);   /* no device: a handle that only carries the link-layer type */
>     struct bpf_program fp;
>     int res = pcap_compile(pc, &fp, "ip", 0, 0);    /* res == -1 means the filter did not compile; see pcap_geterr(pc) */
>     pcap_close(pc); /* not needed any more */
>
>     struct pcap_pkthdr hdr;
>     memset(&hdr, 0, sizeof(hdr));
>     hdr.caplen = pkt->pkt_len;
>     hdr.len = pkt->pkt_len;
>     u_char *data = (u_char *)pkt->data;
>     int match = pcap_offline_filter(&fp, &hdr, data);   /* non-zero if the packet matches the filter */
>     printf("Packet Match = %d\r\n", match);
>     pcap_freecode(&fp);   /* release the compiled program once you are done with it */
>
> You will *HAVE* to choose a value for linktype yourself; there is no value that can possibly work for all packets, because the BPF program generated by pcap_compile() *HAS* to know what link-layer headers, if any, are at the beginning of the packet - there is none that will simultaneously work on packets with Ethernet headers (DLT_EN10MB) and packets with 802.11 headers (DLT_IEEE802_11) and packets with PPP headers (DLT_PPP) and packets with no link-layer headers (DLT_RAW, where the packets begin with IPv4 or IPv6 headers) and packets with a "radiotap" header followed by an 802.11 header (DLT_IEEE802_11_RADIO) and packets with the "fake" headers provided by the "any" device (DLT_LINUX_SLL - packets captured on the "any" device have those, rather than the native headers for the particular device from which a particular packet was captured).
>
> See http://www.tcpdump.org/linktypes.html for a list of the link-layer header types available. The DLT_ values are the ones you would use in the call to pcap_open_dead().
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
-- Best Regards , The G.
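The device-less approach Guy describes, as an added example that is not code from the thread or from libpcap itself: the same three calls (pcap_open_dead(), pcap_compile(), pcap_offline_filter()) are made from Python through ctypes so that one raw buffer can be run against programs compiled for different link-layer types. It assumes a 64-bit Linux/glibc build of libpcap (struct timeval is two C longs, DLT_RAW is 12), the struct layouts mirrored below are taken from <pcap/pcap.h>, and every packet is constructed for the example.

```python
"""Match raw packet bytes against a BPF filter with libpcap, no capture device.

Added example, not from the thread. Binds pcap_open_dead / pcap_compile /
pcap_offline_filter via ctypes. Assumes a 64-bit Linux/glibc libpcap
(struct timeval = two C longs, DLT_RAW = 12). All packets are constructed.
"""
import ctypes
import ctypes.util
import struct

DLT_EN10MB = 1    # Ethernet link-layer header
DLT_RAW = 12      # no link-layer header: packet starts with IPv4/IPv6 (Linux value)


class Timeval(ctypes.Structure):
    _fields_ = [("tv_sec", ctypes.c_long), ("tv_usec", ctypes.c_long)]


class PcapPkthdr(ctypes.Structure):        # struct pcap_pkthdr from <pcap/pcap.h>
    _fields_ = [("ts", Timeval), ("caplen", ctypes.c_uint32), ("len", ctypes.c_uint32)]


class BpfProgram(ctypes.Structure):        # struct bpf_program: insn count + insn pointer
    _fields_ = [("bf_len", ctypes.c_uint), ("bf_insns", ctypes.c_void_p)]


def _load_libpcap():
    """Bind the libpcap entry points used here; None when libpcap is not installed."""
    name = ctypes.util.find_library("pcap")
    if name is None:
        return None
    lib = ctypes.CDLL(name)
    lib.pcap_open_dead.restype, lib.pcap_open_dead.argtypes = ctypes.c_void_p, [ctypes.c_int, ctypes.c_int]
    lib.pcap_compile.restype = ctypes.c_int
    lib.pcap_compile.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram),
                                 ctypes.c_char_p, ctypes.c_int, ctypes.c_uint32]
    lib.pcap_geterr.restype, lib.pcap_geterr.argtypes = ctypes.c_char_p, [ctypes.c_void_p]
    lib.pcap_close.restype, lib.pcap_close.argtypes = None, [ctypes.c_void_p]
    lib.pcap_freecode.restype, lib.pcap_freecode.argtypes = None, [ctypes.POINTER(BpfProgram)]
    lib.pcap_offline_filter.restype = ctypes.c_int
    lib.pcap_offline_filter.argtypes = [ctypes.POINTER(BpfProgram), ctypes.POINTER(PcapPkthdr),
                                        ctypes.POINTER(ctypes.c_ubyte)]
    return lib


LIBPCAP = _load_libpcap()


def compile_filter(expression, linktype, snaplen=65536):
    """Compile a filter for one link-layer type; the dead handle is closed right after."""
    pc = LIBPCAP.pcap_open_dead(linktype, snaplen)
    if not pc:
        raise RuntimeError("pcap_open_dead failed")
    prog = BpfProgram()
    try:
        if LIBPCAP.pcap_compile(pc, ctypes.byref(prog), expression.encode(), 1, 0) != 0:
            raise ValueError("pcap_compile: " + LIBPCAP.pcap_geterr(pc).decode())
    finally:
        LIBPCAP.pcap_close(pc)       # the pcap_t was only needed for compilation
    return prog


def matches(prog, pkt):
    """True if the raw bytes satisfy the program (pcap_offline_filter returns non-zero)."""
    hdr = PcapPkthdr(caplen=len(pkt), len=len(pkt))
    buf = (ctypes.c_ubyte * len(pkt)).from_buffer_copy(pkt)
    return LIBPCAP.pcap_offline_filter(ctypes.byref(prog), ctypes.byref(hdr), buf) != 0


# Constructed packets: documentation addresses, zero checksums (BPF never verifies them).
def _ether(ethertype):
    return bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", ethertype)


IPV4_TCP80 = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                          bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
              + struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 0x50, 0x02, 65535, 0, 0))
ETH_IPV4_TCP80 = _ether(0x0800) + IPV4_TCP80
ETH_ARP = _ether(0x0806) + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes(20)


def demo():
    """Verdicts keyed by filter/link type/packet; empty dict when libpcap is absent."""
    if LIBPCAP is None:
        return {}
    ip_eth = compile_filter("ip", DLT_EN10MB)
    arp_eth = compile_filter("arp", DLT_EN10MB)
    http_eth = compile_filter("tcp dst port 80", DLT_EN10MB)
    ip_raw = compile_filter("ip", DLT_RAW)
    try:
        return {
            "ip/EN10MB/eth+ipv4": matches(ip_eth, ETH_IPV4_TCP80),                 # True
            "ip/EN10MB/eth+arp": matches(ip_eth, ETH_ARP),                         # False
            "arp/EN10MB/eth+arp": matches(arp_eth, ETH_ARP),                       # True
            "tcp dst port 80/EN10MB/eth+ipv4": matches(http_eth, ETH_IPV4_TCP80),  # True
            # the same IPv4 bytes without an Ethernet header: only the DLT_RAW program fits
            "ip/EN10MB/ipv4-only": matches(ip_eth, IPV4_TCP80),                    # False
            "ip/RAW/ipv4-only": matches(ip_raw, IPV4_TCP80),                       # True
        }
    finally:
        for prog in (ip_eth, arp_eth, http_eth, ip_raw):
            LIBPCAP.pcap_freecode(ctypes.byref(prog))


RESULTS = demo()

if __name__ == "__main__":
    for key, verdict in RESULTS.items():
        print(f"{key}: {verdict}")
```

The last two entries are the point of Guy's answer: a program compiled for DLT_EN10MB reads the EtherType at offset 12, so handed a bare IPv4 packet it sees two bytes of the source address and reports no match, while the same "ip" expression compiled for DLT_RAW checks the IP version nibble at offset 0 and matches. Choosing the DLT_ value that describes the buffer you actually hold is therefore part of the filter, not an afterthought.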
Current thread:
- Running BPF filters on raw packet data (no devices) Gal Sagie (Jun 16)
- Re: Running BPF filters on raw packet data (no devices) Guy Harris (Jun 16)
- Re: Running BPF filters on raw packet data (no devices) Gal Sagie (Jun 16)
- Re: Running BPF filters on raw packet data (no devices) Guy Harris (Jun 16)