Re: filters do not work in my program

[Guy Harris <guy () alum mit edu>]

On Nov 30, 2016, at 4:14 AM, ikuzar RABE <ikuzar9295 () gmail com> wrote:

> I work on Debian 8, with linux version 3.16.0-4-amd64, libpcap.1.8.1,
> gcc-4.9.2
> I write a little program in C langage which reads a pcap file, apply
> filter, and write the result into a new pcap file.
>
> The problem: all filters do not work (I use capture filters and not display
> filters).

By "display filter" you mean "*Wireshark* display filter".  Those filters only work in Wireshark and other programs 
that uses Wireshark's libwireshark; they do *not* work in other programs, as those filters require the full Wireshark 
dissection engine and filtering code, and that is *not* part of, for example, libpcap.

> the first filter: *tcp port 80 and host 192.168.10.11* do not work whereas the
> second: *vlan 254*, *vlan 255*, etc. work fine. My traffic contains vlan
> 254, tcp, udp, port 80, port 443 and many ip address including
> 192.168.10.11. But when I apply the first one, the pcap result file
> contains nothing. (I opened it with wireshark).

If the traffic is in a VLAN, "tcp port 80 and host 192.168.10.11" won't work, as the filter will, on Ethernet, look at 
the Ethernet type field at an offset of 12 from the beginning of the packet, see 0x8100, and conclude that it's not an 
IP packet because that's not 0x0800 or 0x86dd, and therefore conclude that it's not TCP, either.

You'd need to do "vlan and tcp port 80 and host 192.168.10.11" to see port 80 traffic to/from 192.168.10.11 within a 
VLAN.  To match both VLAN and non-VLAN traffic, you'd have to do

        (tcp port 80 and host 192.168.10.11) or (vlan and tcp port 80 and host 192.168.10.11)

> My program does not print any error except if the filter syntax is not
> correct.
> At the beginning I thought my filter syntax was wrong (I tried with display
> filter, i.e tcp.port==80 and ip.src==192.168.10..1) but pcap_compile does
> not accept it.

That's because wireshark display filters are not handled by libpcap at all.  Only libpcap's capture filters work.

> My questions:
> 1) According to me, I have to apply *capture filter* because I "capture"
> packets from pcap file. Am I wrong ? Have I to use *display filter *instead
> ?

The term "capture filter" is a Wireshark term, because Wireshark uses libpcap/WinPcap to capture traffic, and thus uses 
libpcap filters when capturing traffic, but uses a different filter syntax for filtering displayed traffic (and other 
purposes).

Libpcap's filters are *NOT* used only when capturing traffic with other programs; libpcap supports them when reading 
files, and those are the filters used when reading files in tcpdump.

> 2) is it correct to compile filter with pcap_t issued from
> pcap_open_offline() ?

Yes, it is correct.

> May be I have to do it before dumping, i.e with
> pcap_t issued from pcap_open_dead() ?

The filter acts on packets that you're capturing or reading, so, when you compile it, you should use the pcap_t for the 
device from which you're capturing or the file from which you're reading, which, in this case, is the pcap_t from 
pcap_open_offline().
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers