Guy Harris wrote:
> Older versions of libpcap don't have that,

Ah, that's why I couldn't find it.

> Fill in a "struct pcap_pkthdr" (the filter doesn't look at the time stamp;
> all it cares about is "caplen", which tells it how much packet data there is,
> and "len", which tells it what the length is for the "len" value and the
> "less" and "greater" tests), and pass that and a pointer to the raw packet
> data to pcap_offline_filter().
>
> To compile a filter, you could create a pcap_t with pcap_open_dead() (unless
> you have a *really* old version of libpcap), passing it the appropriate DLT_
> value for the particular set of link-layer headers and possible metadata
> headers your packets have (if they have more than one, you'll need multiple
> filters and run the appropriate one for each packet) and a snapshot length
> (all you're doing with the filter is getting a "yes or no" answer, so just
> pass in a non-zero value).

Thanks.

Alan DeKok.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers