Re: question regarding bpf_program

["Prashant Batra (prbatra)" <prbatra () cisco com>]

-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org
[mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of Guy Harris
Sent: Sunday, February 05, 2012 2:32 AM
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] question regarding bpf_program


On Feb 4, 2012, at 12:02 PM, Prashant Batra (prbatra) wrote:

> I want to use "pcap_compile" to get a bpf filter from a string. And
then
> I want to use the filter in the form of sock_filter to  set as a
socket
> option to capture the packets specified by the filter. I want to
receive
> the filtered packets using PF_PACKET family socket.

I think there's a library that can set filters on PF_PACKET sockets.  I
think it's called "libpcap". :-)

> But what I have observed is that the filter obtained using
pcap_compile
> (printed using bpf_dump) does not match the one using tcpdump -d
option.

The code generated by pcap_compile() depends on the link-layer header
type for the network device for which you're compiling it.  You're
probably compiling for a different network interface than the one that
was used by tcpdump. -
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

[Prashant] Thanks, but I used the same device to check this. I will be
happy to unsubscribe, but there is no mailing-list on tcpdump/libpcap
users.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.