On Thu, Mar 18, 2010 at 7:33 AM, Eloy Paris <[email protected]> wrote:
> On 03/17/10 18:45, Guy Harris wrote: > > On Mar 17, 2010, at 10:54 AM, Jim Lloyd wrote: >> >> I've done some experimentation and determined that apparently I >>> must call pcap_activate before calling pcap_setfilter. >>> >> >> Yes. >> >> That is counter intuitive, so I wonder if it is by design or not. >>> >> >> It may change at some point. It is, however, currently a requirement >> (on all platforms). It is also a requirement that the pcap_t be >> activated before you call pcap_compile(); lifting *that* restriction >> would require that we be able to get the link-layer type for the >> device before activating it, which may or may not be easy to do. >> >> I will update the documentation to indicate that the operations in >> question (pcap_datalink(), pcap_compile(), pcap_setfilter()) require >> that the pcap_t be activated *and* make what code changes are >> necessary to arrange that they fail on un-activated pcap_t's.- >> > > Is this new in libpcap 1.1? If not then I guess my uses of libpcap through > the years, on a handful of different platforms, have been working by magic > since I've never called pcap_activate() in my life. I do see a man page for > pcap_activate() in libpcap 1.0.0, though. > > If applications using libpcap services have always been required to call > pcap_activate() then I'd be curious to know why things have worked without > doing so (at least for me). To be honest, the first time I heard about > pcap_activate() was when Jim and Guy brought it up in this discussion. > See 'man pcap' and 'man pcap_create'. You don't need pcap_activate() if you use pcap_open_live(). I think the main reason I switched from using pcap_open_live to using pcap_create/pcap_activate was due to speculation on my part that the former could start delivering packets before the filter was set. Now I discover that the filter can't be installed until after pcap_activate, so the point is moot. Perhaps someone can clarify this point for me. When is filtering done? If it is only done as one of the last steps to deliver a packet as a result of the application calling pcap_next_ex (or pcap_loop/dispatch) then I can see how you can guarantee that the first packets will be filtered as intended. But this would imply that unfiltered packets must be buffered, only to be discarded later. Thanks, Jim Lloyd - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
