tcpdump mailing list archives

Re: Pcap filters for saved capture files?


From: Guy Harris <guy () alum mit edu>
Date: Mon, 06 Aug 2007 10:34:40 -0700

Nick Chorley wrote:

I'm using libpcap in programs I'm writing and I already have saved capture
files. I've seen many examples of using pcap_compile() and pcap_setfilter()
for capturing live packets, but none for use with offline files. The last
argument to pcap_compile() seems to be an IP address, but obviously if
you're opening a file, there's no device and hence no address.

To quote the top-of-tree version of the libpcap man page:

int pcap_compile(pcap_t *p, struct bpf_program *fp, const char *str, int optimize, bpf_u_int32 netmask);

...

"pcap_compile()" is used to compile the string "str" into a filter program. "program" is a pointer to a "bpf_program" struct and is filled in by "pcap_compile()". "optimize" controls whether optimization on the resulting code is performed. "netmask" specifies the IPv4 netmask of the network on which packets are being captured; it is used only when checking for IPv4 broadcast addresses in the filter program. If the netmask of the network on which packets are being captured isn't known to the program, or if packets are being captured on the Linux "any" pseudo-interface that can capture on more than one network, a value of 0 can be supplied; tests for IPv4 broadcast addresses won't be done correctly, but all other tests in the filter program will be OK. A return of -1 indicates an error, in which case "pcap_geterr()" may be used to display the error text.

I.e., it's a network mask, not a full IP address, and, if you don't know what the network mask was for the interface on which the capture was done, you can just specify 0, which just means that filters that check for IPv4 broadcast addresses won't work.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.