tcpdump mailing list archives

Re: Bug in Pcap Compile?


From: Guy Harris <guy () alum mit edu>
Date: Thu, 24 Jun 2010 01:09:38 -0700


On Jun 23, 2010, at 5:37 PM, Steve Scott wrote:

When I use this pcap compile string, my gcc compiler builds the executable, but the pcap compile fails at run time:

"\\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)"

The backslashes are unnecessary.  If I do

        tcpdump -d "\\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)" 

on OS X (with bash as the shell), I get

        tcpdump: illegal token: \

If I do

        tcpdump -d "(tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)"

I get

        (000) ldh [12]
        (001) jeq #0x86dd jt 10 jf 2
        (002) jeq #0x800 jt 3 jf 10
        (003) ldb [23]
        (004) jeq #0x6 jt 6 jf 5
        (005) jeq #0x11 jt 6 jf 10
        (006) ld [26]
        (007) jeq #0xac131202 jt 9 jf 8
        (008) jeq #0xac131203 jt 9 jf 10
        (009) ret #65535
        (010) ret #0

(on an Ethernet device).

If I do

        tcpdump -d \\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\) 

the shell complains:

        -bash: syntax error near unexpected token `(' 

And if I do

        tcpdump -d \(tcp or udp\) and \(src host 172.19.18.2 or src host 172.19.18.3\) 

I get the same program as before.  If I do

        echo \(tcp or udp\) and \(src host 172.19.18.2 or src host 172.19.18.3\) 

I get

        (tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)

which means the string you pass to pcap_compile should be

        "(tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)"

The only purpose the backslashes serve is to escape the parentheses from the shell; they are not necessary in order to 
escape the parentheses from the C compiler, so you should leave them out if you're writing a program that calls 
pcap_compile().

Is this a bug in the pcap compiler?

No, it's a bug in your program.  Remove the backslashes from the C string.

