pcap filter expressions and OS X

[Joel Eames <joeleames () fastmail fm>]

Hi,

I'm having a problem running one of the simple example programs outlined in the pcap tutorial at http://www.tcpdump.org/pcap.htm. Here is my code:
#include <pcap.h>
#include <stdio.h>

int main()
{
char *dev, errbuf[PCAP_ERRBUF_SIZE];
pcap_t *handle;
struct bpf_program filter;
char filter_app[] = "port 23";
bpf_u_int32 mask;
bpf_u_int32 net;
struct pcap_pkthdr header;
const u_char *packet;
dev = pcap_lookupdev(errbuf);
pcap_lookupnet(dev, &net, &mask, errbuf);
handle = pcap_open_live(dev, BUFSIZ, 1, 0, errbuf);
pcap_compile(handle, &filter, filter_app, 0, net);
pcap_setfilter(handle, &filter);
packet = pcap_next(handle, &header);
printf("Caught a packet with length of [%d]\n", header.len);
pcap_close(handle);
return(0);
}

Whenever I execute it, it gives a bus error straight after it's identified the network device. I ran it through gdb which gives the following output:
[Switching to process 885 thread 0xb03]
Reading symbols for shared libraries . done
Reading symbols for shared libraries ... done
Trying en0
Using en0

Program received signal EXC_BAD_ACCESS, Could not access memory.
pcap_snapshot (p=0x0) at /Volumes/Stuff/SandBox/justin/justin/src/libpcap/libpcap/pcap.c:126
126     /Volumes/Stuff/SandBox/justin/justin/src/libpcap/libpcap/pcap.c: No such file or directory.
in /Volumes/Stuff/SandBox/justin/justin/src/libpcap/libpcap/pcap.c

I also commented out all of the code after the declarations and proceeded to uncomment each line one by one. The bus error reappeared when I uncommented the line "pcap_compile(handle, &filter, filter_app, 0, net);", which to me suggests that pcap is having a problem compiling the filter expression.

In the tutorial I noted a particular comment: 
"It has been my experience that this filter does not work  across all operating systems.  In my test environment, I found that OpenBSD  2.9 with a default kernel does support this type of filter, but FreeBSD 4.3 with  a default kernel does not.  Your mileage may vary."

If this is the case then what should I be using for the filter expression? If not, then I am at a loss as to what could be causing this error.

I am running OS X 10.2.6 and have tried both the default Apple distribution of libpcap and that provided at http://www.tcpdump.org/ (0.7.2). To compile the code I'm using the command "gcc -Wall test.c -o test -lpcap".

Any advice would be much appreciated, thanks.

Regards,
Joel.