On Nov 17, 2011, at 3:43 AM, Fernando Gont wrote:
> Is it possible to call pcap_compile() more than once on the same libpcap
> descriptor (pcap_t *)?
If it doesn't work, that's a bug. pcap_compile() should
1) use the pcap_t only to get information such as the link-layer header
type and snapshot length, and not *modify* it
and
2) should reset its internal state before doing any other work.
pcap_compile() is *NOT*, however, thread-safe, so if your program is
multi-threaded, you'll need to make sure only one thread of control is running
in pcap_compile() at any time.
> What I'm trying to do is caputuring some packets with a specific libpcap
> filter, and then reuse the same descriptor to capture packets with a
> *different* libpcap filter.
That involves calling *both* pcap_compile() *and* pcap_setfilter(). Note that
changing the filter can cause packets captured with the old filter but not yet
read to be discarded.
> (FWIW, in one of the calls to pcap_compile() I'm getting "snaplen of 0
> rejects all packets"...)
What calls did you make to get the pcap_t * you passed to pcap_compile() in
that case?-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
