Re: When will a packet filter be ignored/unused?

[Guy Harris <guy () alum mit edu>]

On Mar 18, 2010, at 8:20 AM, Eloy Paris wrote:

> "pcap_create() and pcap_activate() were not available in versions of
> libpcap prior to 1.0; if you are writing an application that must work on versions of libpcap prior to 1.0, either 
> use pcap_open_live() to get a handle for a live capture or, if you want to be able to use the additional capabilities 
> offered by using pcap_create() and pcap_activate(), use an autoconf(1) script or some other configuration script to 
> check whether the libpcap 1.0 APIs are available and use them only if they are."

That pretty much sums it up.  If you want to be able to control open-time-only properties *not* supported by 
pcap_open_live(), such as monitor mode and capture buffer size (for *some* packet capture mechanism the buffer size 
could be set after the device is opened, but BPF is not such a mechanism, so we needed something that could set it 
before the open finishes), you would have to use pcap_create() and pcap_activate().

> Guess that's what happens when you read the documentation once and never go back to it after new library versions are 
> released.

Note that the man pages were reorganized for libpcap 1.0.0 - instead of a single big pcap(3) man page that documents 
everything, there's a pcap(3PCAP) man page that discusses libpcap as a whole, and individual man pages for particular 
routines.


-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.