tcpdump mailing list archives

Re: When will a packet filter be ignored/unused?


From: Jim Lloyd <jlloyd () silvertailsystems com>
Date: Thu, 18 Mar 2010 08:02:05 -0700

On Thu, Mar 18, 2010 at 7:33 AM, Eloy Paris <peloy () chapus net> wrote:

On 03/17/10 18:45, Guy Harris wrote:

 On Mar 17, 2010, at 10:54 AM, Jim Lloyd wrote:

 I've done some experimentation and determined that apparently I
must call pcap_activate before calling pcap_setfilter.


Yes.

 That is counterintuitive, so I wonder if it is by design or not.


It may change at some point.  It is, however, currently a requirement
(on all platforms).  It is also a requirement that the pcap_t be
activated before you call pcap_compile(); lifting *that* restriction
would require that we be able to get the link-layer type for the
device before activating it, which may or may not be easy to do.

I will update the documentation to indicate that the operations in
question (pcap_datalink(), pcap_compile(), pcap_setfilter()) require
that the pcap_t be activated *and* make what code changes are
necessary to arrange that they fail on un-activated pcap_t's.


Is this new in libpcap 1.1? If not then I guess my uses of libpcap through
the years, on a handful of different platforms, have been working by magic
since I've never called pcap_activate() in my life. I do see a man page for
pcap_activate() in libpcap 1.0.0, though.

If applications using libpcap services have always been required to call
pcap_activate() then I'd be curious to know why things have worked without
doing so (at least for me). To be honest, the first time I heard about
pcap_activate() was when Jim and Guy brought it up in this discussion.


See 'man pcap' and 'man pcap_create'. You don't need pcap_activate() if you
use pcap_open_live().

I think the main reason I switched from using pcap_open_live to using
pcap_create/pcap_activate was due to speculation on my part that the former
could start delivering packets before the filter was set. Now I discover
that the filter can't be installed until after pcap_activate, so the point
is moot.

Perhaps someone can clarify this point for me. When is filtering done? If it
is only done as one of the last steps to deliver a packet as a result of the
application calling pcap_next_ex (or pcap_loop/dispatch) then I can see how
you can guarantee that the first packets will be filtered as intended. But
this would imply that unfiltered packets must be buffered, only to be
discarded later.

Thanks,
Jim Lloyd
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

