tcpdump mailing list archives

Re: Query about running many, many, rules


From: Alan DeKok <aland () deployingradius com>
Date: Wed, 19 Jun 2013 15:44:34 -0400

Guy Harris wrote:
Older versions of libpcap don't have that,

  Ah, that's why I couldn't find it.

Fill in a "struct pcap_pkthdr" (the filter doesn't look at the time stamp; all it cares about is "caplen", which 
tells it how much packet data there is, and "len", which tells it what the length is for the "len" value and the 
"less" and "greater" tests), and pass that and a pointer to the raw packet data to pcap_offline_filter().

To compile a filter, you could create a pcap_t with pcap_open_dead() (unless you have a *really* old version of 
libpcap), passing it the appropriate DLT_ value for the particular set of link-layer headers and possible metadata 
headers your packets have (if they have more than one, you'll need multiple filters and run the appropriate one for 
each packet) and a snapshot length (all you're doing with the filter is getting a "yes or no" answer, so just pass in 
a non-zero value). 

  Thanks.

  Alan DeKok.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

