On Jun 30, 2011, at 10:30 AM, V K wrote:

> And once packet is read using pcap_next(), I want to check that packet
> against all filters and mark the filter that matches the packet
>
> Is there a way one could compile multiple filters,

Have separate "struct bpf_program" structures for each filter, and call
pcap_compile() for each filter.

> read the packets pcap_next(), or whatever
> and for each packet check true/false for individual filter matches ?

bpf_filter()

Not documented, but it's in libpcap:

	u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);

First argument is the bf_insns member of the "struct bpf_program" for the
filter, second argument points to the raw packet data, third argument is
"len" from the struct pcap_pkthdr for the packet, fourth argument is
"caplen" from the struct pcap_pkthdr for the packet.

It returns 0 if the packet doesn't match the filter and a non-zero value
if it does.

> This would extend itself to a "live" capture program as well, where _ALL_
> packets would be sniffed (without any filter) and as each packet is read, it
> is then compared against individual filters to find the matching one

Same answer.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
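The multi-filter loop the reply describes, as an added example that is not code from the list post or from libpcap. So that it runs without linking libpcap, the two filter programs are hand-assembled in the form `tcpdump -dd` prints (equivalent to "ip and tcp" and "ip and udp" on an Ethernet link type) instead of coming from pcap_compile(), and `mini_bpf_filter()` is a minimal stand-in for bpf_filter() that knows only the four opcodes those programs use but keeps the same arguments, the same 0 / non-zero return contract and the same reject-on-truncated-load rule. The sample frames are constructed. In a real program, `filters[i].insns` would be `prog.bf_insns` from pcap_compile() and the call would go to bpf_filter() itself (or to pcap_offline_filter(), which takes the `struct bpf_program` and the `struct pcap_pkthdr` directly).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same field layout as libpcap's struct bpf_insn (pcap/bpf.h); in a real
 * program these arrays are prog.bf_insns filled in by pcap_compile(). */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* The classic-BPF opcodes used below (numeric values as in pcap/bpf.h). */
#define OP_LDH_ABS 0x28   /* A = 16-bit big-endian word at pkt[k]      */
#define OP_LDB_ABS 0x30   /* A = byte at pkt[k]                        */
#define OP_JEQ_K   0x15   /* pc += (A == k) ? jt : jf                  */
#define OP_RET_K   0x06   /* return k (0 = reject, non-zero = accept)  */

/* Hand-assembled stand-ins for pcap_compile() output (Ethernet link type). */
static const struct bpf_insn ip_tcp_prog[] = {   /* "ip and tcp" */
    { OP_LDH_ABS, 0, 0, 12 },       /* ethertype                  */
    { OP_JEQ_K,   0, 3, 0x0800 },   /* IPv4? otherwise reject     */
    { OP_LDB_ABS, 0, 0, 23 },       /* IPv4 protocol field        */
    { OP_JEQ_K,   0, 1, 6 },        /* TCP? otherwise reject      */
    { OP_RET_K,   0, 0, 262144 },   /* accept                     */
    { OP_RET_K,   0, 0, 0 },        /* reject                     */
};
static const struct bpf_insn ip_udp_prog[] = {   /* "ip and udp" */
    { OP_LDH_ABS, 0, 0, 12 },
    { OP_JEQ_K,   0, 3, 0x0800 },
    { OP_LDB_ABS, 0, 0, 23 },
    { OP_JEQ_K,   0, 1, 17 },
    { OP_RET_K,   0, 0, 262144 },
    { OP_RET_K,   0, 0, 0 },
};

/* Minimal stand-in for libpcap's bpf_filter(): same arguments, 0 means no
 * match. Only the four opcodes above are supported. A load that reaches
 * past caplen rejects the packet, as the real interpreter does. */
static unsigned int mini_bpf_filter(const struct bpf_insn *pc,
                                    const unsigned char *p,
                                    unsigned int wirelen, unsigned int caplen)
{
    uint32_t a = 0;
    (void)wirelen;                          /* not needed by these opcodes */
    for (;;) {
        switch (pc->code) {
        case OP_LDH_ABS:
            if (caplen < 2 || pc->k > caplen - 2) return 0;
            a = ((uint32_t)p[pc->k] << 8) | p[pc->k + 1];
            break;
        case OP_LDB_ABS:
            if (caplen < 1 || pc->k > caplen - 1) return 0;
            a = p[pc->k];
            break;
        case OP_JEQ_K:
            pc += (a == pc->k) ? pc->jt : pc->jf;
            break;
        case OP_RET_K:
            return pc->k;
        default:
            return 0;                       /* unknown opcode: reject */
        }
        pc++;
    }
}

struct filter { const char *name; const struct bpf_insn *insns; };
static const struct filter filters[] = {
    { "ip and tcp", ip_tcp_prog },
    { "ip and udp", ip_udp_prog },
};
#define NFILTERS (sizeof filters / sizeof filters[0])

/* Run every compiled filter over one packet; return the index of the first
 * one that matches, or -1. len and caplen are the struct pcap_pkthdr fields
 * that bpf_filter()'s third and fourth arguments expect. */
static int first_matching_filter(const unsigned char *pkt,
                                 unsigned int len, unsigned int caplen)
{
    for (size_t i = 0; i < NFILTERS; i++)
        if (mini_bpf_filter(filters[i].insns, pkt, len, caplen) != 0)
            return (int)i;
    return -1;
}

/* Constructed sample frames: Ethernet header, then IPv4 + transport or ARP. */
static const unsigned char tcp_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,   /* proto 6 */
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0x00,0x50,0x1f,0x90, 0,0,0,0, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0 };
static const unsigned char udp_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x02,0x00,0x00, 0x40,0x11,0x00,0x00,   /* proto 17 */
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0x00,0x35,0x00,0x35, 0x00,0x08,0x00,0x00 };
static const unsigned char arp_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x00,0x00,0x00,0x00,0x01, 0xc0,0xa8,0x00,0x01,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x00,0x02 };

int main(void)
{
    int t = first_matching_filter(tcp_frame, sizeof tcp_frame, sizeof tcp_frame);
    int u = first_matching_filter(udp_frame, sizeof udp_frame, sizeof udp_frame);
    int a = first_matching_filter(arp_frame, sizeof arp_frame, sizeof arp_frame);
    int s = first_matching_filter(tcp_frame, sizeof tcp_frame, 16); /* truncated capture */
    printf("tcp frame -> %s\n", t >= 0 ? filters[t].name : "no match");
    printf("udp frame -> %s\n", u >= 0 ? filters[u].name : "no match");
    printf("arp frame -> %s\n", a >= 0 ? filters[a].name : "no match");
    printf("tcp frame, caplen 16 -> %s\n", s >= 0 ? filters[s].name : "no match");
    return 0;
}
```

The last call in main() is why the reply distinguishes `len` from `caplen`: with a snapshot length that stops before the IPv4 protocol byte, the `ldb [23]` load falls outside the captured data and the filter rejects the packet even though the full frame on the wire would have matched, so a program that passes `len` for both arguments would read past the captured bytes.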