-----Original Message-----
From: tcpdump-workers-ow...@lists.tcpdump.org
[mailto:tcpdump-workers-ow...@lists.tcpdump.org] On Behalf Of Guy Harris
Sent: Sunday, February 05, 2012 2:32 AM
To: tcpdump-workers@lists.tcpdump.org
Subject: Re: [tcpdump-workers] question regarding bpf_program


On Feb 4, 2012, at 12:02 PM, Prashant Batra (prbatra) wrote:

> I want to use "pcap_compile" to get a bpf filter from a string. And then
> I want to use the filter in the form of sock_filter to set as a socket
> option to capture the packets specified by the filter. I want to receive
> the filtered packets using PF_PACKET family socket.

I think there's a library that can set filters on PF_PACKET sockets.  I
think it's called "libpcap". :-)

> But what I have observed is that the filter obtained using pcap_compile
> (printed using bpf_dump) does not match the one using tcpdump -d option.

The code generated by pcap_compile() depends on the link-layer header
type for the network device for which you're compiling it.  You're
probably compiling for a different network interface than the one that
was used by tcpdump.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

[Prashant] Thanks, but I used the same device to check this. I will be
happy to unsubscribe, but there is no mailing-list on tcpdump/libpcap
users.
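
Added example, not part of the original messages and not libpcap code: it illustrates the point in Guy Harris's reply that the generated filter depends on the link-layer header type. The two programs are hand-written in the form `tcpdump -d ip` prints for Ethernet and for Linux cooked capture (an assumption, not output captured from this thread); the interpreter, all names and both frames are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same field layout as struct bpf_insn / struct sock_filter. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, JEQ_K = 0x15, RET_K = 0x06 };  /* classic BPF opcodes */

/* "ip" for Ethernet: the EtherType sits at offset 12. */
static const struct insn ip_en10mb[] = {
    { LDH_ABS, 0, 0, 12 }, { JEQ_K, 0, 1, 0x0800 },
    { RET_K, 0, 0, 262144 }, { RET_K, 0, 0, 0 } };
/* "ip" for Linux cooked capture (SLL): the protocol sits at offset 14. */
static const struct insn ip_linux_sll[] = {
    { LDH_ABS, 0, 0, 14 }, { JEQ_K, 0, 1, 0x0800 },
    { RET_K, 0, 0, 262144 }, { RET_K, 0, 0, 0 } };

/* Constructed frames carrying the same IPv4 header start (45 00 00 14). */
static const uint8_t eth_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  0x02, 0, 0, 0, 0, 0x01,
    0x08, 0x00,  0x45, 0x00, 0x00, 0x14 };
static const uint8_t sll_frame[] = {
    0x00, 0x00,  0x00, 0x01,  0x00, 0x06,  0x02, 0, 0, 0, 0, 0x01, 0, 0,
    0x08, 0x00,  0x45, 0x00, 0x00, 0x14 };

/* Minimal interpreter for the three opcodes used above.
 * Returns the snapshot length to keep; 0 means the packet is dropped. */
static uint32_t run_filter(const struct insn *prog, size_t n,
                           const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LDH_ABS:
            if ((size_t)i->k + 2 > len) return 0;  /* out-of-bounds load: drop */
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            break;
        case JEQ_K: pc += (a == i->k) ? i->jt : i->jf; break;
        case RET_K: return i->k;
        default:    return 0;                      /* unsupported opcode: drop */
        }
    }
    return 0;
}

int main(void)
{
    printf("EN10MB filter: eth=%u sll=%u\n",
           run_filter(ip_en10mb, 4, eth_frame, sizeof eth_frame),
           run_filter(ip_en10mb, 4, sll_frame, sizeof sll_frame));
    return 0;
}
```

A program compiled for one header layout silently drops the same IP packet when it arrives with the other layout, so the link-layer type passed to the compiler has to match what the socket the filter is attached to actually delivers.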