Re: about pcap rules

[Guy Harris <guy () alum mit edu>]

Hui.Ning () utstar com wrote:

> when given a rule consisting of a set of sub rules to pcap,  if a packet 
> matches the rule, how do I know which sub rule it matches? 

libpcap will not tell you that.  As far as it's concerned - and as far 
as the kernel is concerned, on those platforms where the packet 
filtering is done in the kernel - there are no subrules, there's just 
one big program that either says "matches" or "doesn't match".

You would have to look at the packet yourself to determine which subrule 
matched.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.