Re: Multiple pcap filters on interface

[Guy Harris <guy () alum mit edu>]

On Oct 7, 2008, at 1:07 PM, Jim Mellander wrote:

> All of the above are attempts to overcome the 'one filter per  
> interface
> per process' model that I believe libpcap imposes - or am I wrong?  Is
> there something I've overlooked?

Depends on what you mean by "imposes".

If you want to do filtering in the kernel, kernel packet filtering  
mechanisms limit you to one filter expression, so it's imposed by the  
way (BPF, socket filters, etc.) work, not by libpcap; libpcap's  
filtering API matches that, so the one-filter limitation on having  
libpcap do the filtering for you also applies on platforms where  
filtering isn't done in the kernel.

If you want to do filtering in userland, you can, as you've noted for  
mechanism 1, use the bpf_filter() routine in libpcap to apply a filter  
to a packet you've already received.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.