Re: Filter works in tcpdump, but not in my libpcap

[ness <nessup () gmail com>]

> It probably isn't of direct relevance, but it at least indicates what 
> type of machine you're running on, which limits the set of operating 
> systems you're likely to be using; you didn't mention that, but the OS 
> *is* of great relevance here.
>
> Is it OS X, Linux, Windows, or some non-OS X BSD-flavored OS?

Airport Extreme has been known to work only on Mac OS X (so I assumed 
you would catch on), but I'm still at fault for not stating my OS in 
the first place anyway. I'm running OS X 10.3.9.

> That could make it appear as if you're not capturing any traffic.
>
> When capturing without the filter, you would probably get enough 
> packets per second that the "store buffer" would fill up fairly 
> quickly, so you wouldn't have much of a delay before seeing the 
> packets.

That clears up a lot.

> Linux doesn't support a read timeout, and packets are seen immediately.
>
> Tcpdump uses a to_ms value of 1000, so you wait no longer than a 
> second after a packet arrives to see that packet.  You should probably 
> do the same.
>
> (No, you can't adjust the store buffer size.  That's not the right way 
> to handle this in any case; a to_ms value of 0 is rarely, if ever, the 
> right value to supply to pcap_open_live().)

After applying what you've suggested, the filter I talked about 
previously in my last message still remains broken. No packets are 
being captured by it whatsoever.

I think it's important to restate that the filter works fine and 
captures packets until "ether[2] == 0xBF" is in the filter string. 
After that, it simply does not capture any packets I'm pretty sure it 
should.

> By the way:
>
> >   strcpy( filter, "(ether[0] == 0x00 && ether[1] == 0x09 && ether[2] 
> > == 0xbf)"
> >           " || (ether[6] == 0x00 && ether[7] == 0x09 && ether[8] == 
> > 0xbf)" );
>
> you can just pass a string constant to pcap_compile(); you don't have 
> to copy that string constant to a char array first.

Yes, this was purposely done since I was experimenting with other 
filters that required sprintf string concatenation.

Cheers, ness.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.