On May 5, 2011, at 11:07 AM, Darren Reed wrote: > There are also libpcap issues here that need to be resolved. At present, > using any filter with a PPI device fails to match any packet that doesn't > have a DLT of DLT_IEEE802_11.
...which is one of the things wrong with PPI. pcap-ng makes the link-layer type part of the record header, rather than part of the record data, so you don't have to special-case the filtering routine (so that, for PPI, the filter routine would pull the link-layer type out and run different filter programs based on the link-layer type) or have the BPF compiler generate, for PPI, code that switches off the link-layer type and includes code to do the filtering for all possible link-layer types. pcap-ng, and the first of those strategies for PPI, would require a routine that sets the filter on a pcap_t to a string, so that code can be generated while reading the savefile as each link-layer type is discovered (unless you generate code for every possible link-layer type and stash it away "just in case", but even that requires a different API).- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
