On Nov 30, 2016, at 4:14 AM, ikuzar RABE <ikuzar9...@gmail.com> wrote:

> I work on Debian 8, with linux version 3.16.0-4-amd64, libpcap.1.8.1,
> gcc-4.9.2
> I write a little program in C language which reads a pcap file, applies a
> filter, and writes the result into a new pcap file.
> 
> The problem: all filters do not work (I use capture filters and not display
> filters).

By "display filter" you mean "*Wireshark* display filter".  Those filters only 
work in Wireshark and other programs that use Wireshark's libwireshark; they 
do *not* work in other programs, as those filters require the full Wireshark 
dissection engine and filtering code, and that is *not* part of, for example, 
libpcap.

> the first filter: *tcp port 80 and host 192.168.10.11* does not work whereas the
> second: *vlan 254*, *vlan 255*, etc. work fine. My traffic contains vlan
> 254, tcp, udp, port 80, port 443 and many IP addresses including
> 192.168.10.11. But when I apply the first one, the pcap result file
> contains nothing. (I opened it with Wireshark).

If the traffic is in a VLAN, "tcp port 80 and host 192.168.10.11" won't work, 
as the filter will, on Ethernet, look at the Ethernet type field at an offset 
of 12 from the beginning of the packet, see 0x8100, and conclude that it's not 
an IP packet because that's not 0x0800 or 0x86dd, and therefore conclude that 
it's not TCP, either.

You'd need to do "vlan and tcp port 80 and host 192.168.10.11" to see port 80 
traffic to/from 192.168.10.11 within a VLAN.  To match both VLAN and non-VLAN 
traffic, you'd have to do

        (tcp port 80 and host 192.168.10.11) or (vlan and tcp port 80 and host 192.168.10.11)

> My program does not print any error except if the filter syntax is not
> correct.
> At the beginning I thought my filter syntax was wrong (I tried with display
> filter, i.e. tcp.port==80 and ip.src==192.168.10..1) but pcap_compile does
> not accept it.

That's because Wireshark display filters are not handled by libpcap at all.  
Only libpcap's capture filters work.

> My questions:
> 1) According to me, I have to apply *capture filter* because I "capture"
> packets from pcap file. Am I wrong? Do I have to use *display filter* instead?

The term "capture filter" is a Wireshark term, because Wireshark uses 
libpcap/WinPcap to capture traffic, and thus uses libpcap filters when 
capturing traffic, but uses a different filter syntax for filtering displayed 
traffic (and other purposes).

Libpcap's filters are *NOT* used only when capturing traffic with other 
programs; libpcap supports them when reading files, and those are the filters 
used when reading files in tcpdump.

> 2) is it correct to compile filter with pcap_t issued from
> pcap_open_offline() ?

Yes, it is correct.

> Maybe I have to do it before dumping, i.e. with
> pcap_t issued from pcap_open_dead() ?

The filter acts on packets that you're capturing or reading, so, when you 
compile it, you should use the pcap_t for the device from which you're 
capturing or the file from which you're reading, which, in this case, is the 
pcap_t from pcap_open_offline().
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
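As an added illustration of the explanation above (not code from the thread or from libpcap), this C program mimics the test that libpcap's compiled filter performs on an Ethernet frame, first in the plain "tcp port 80 and host 192.168.10.11" form and then in the "vlan and ..." form, and runs both over two constructed frames, one untagged and one tagged with VLAN 254. The MAC addresses, the peer address 10.0.0.1 and the source port are made up; only IPv4 (0x0800) is handled, the 0x86dd (IPv6) branch is left out for brevity.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETHERTYPE_IP   0x0800       /* IPv4 (the real filter also accepts 0x86dd) */
#define ETHERTYPE_VLAN 0x8100       /* 802.1Q tag, what the plain filter sees at offset 12 */
#define HOST_ADDR      0xC0A80A0BU  /* 192.168.10.11 */

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Same logic libpcap compiles for "tcp port 80 and host 192.168.10.11" on Ethernet:
 * the type field at offset 12 must be IP. With vlan_aware (the "vlan and ..." form)
 * a 0x8100 tag is required first and every later offset shifts by the 4-byte tag. */
static int match_tcp80_host(const uint8_t *pkt, size_t len, int vlan_aware)
{
    size_t off = 12;
    if (len < 14) return 0;
    uint16_t type = be16(pkt + off);
    if (vlan_aware) {
        if (type != ETHERTYPE_VLAN) return 0;
        off += 4;                        /* skip TPID(2) + TCI(2) */
        if (len < off + 2) return 0;
        type = be16(pkt + off);
    }
    if (type != ETHERTYPE_IP) return 0;  /* tagged frame + plain filter: 0x8100 fails here */
    const uint8_t *ip = pkt + off + 2;
    size_t iplen = len - (off + 2);
    if (iplen < 20) return 0;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if (iplen < ihl + 4 || ip[9] != 6) return 0;                    /* 6 = TCP */
    if (be32(ip + 12) != HOST_ADDR && be32(ip + 16) != HOST_ADDR) return 0;
    return be16(ip + ihl) == 80 || be16(ip + ihl + 2) == 80;        /* sport or dport */
}

/* Constructed sample frame: Ethernet [+ VLAN 254 tag] + IPv4 + TCP 192.168.10.11:40000 -> 10.0.0.1:80 */
static size_t build_frame(uint8_t *buf, int tagged)
{
    static const uint8_t macs[12] = {0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb};
    static const uint8_t vlan[4]  = {0x81,0x00, 0x00,0xfe};                       /* VLAN ID 254 */
    static const uint8_t ip[20]   = {0x45,0,0,40, 0,0,0,0, 64,6,0,0, 192,168,10,11, 10,0,0,1};
    static const uint8_t tcp[20]  = {0x9c,0x40, 0,80, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0};
    size_t n = 0;
    memcpy(buf + n, macs, 12); n += 12;
    if (tagged) { memcpy(buf + n, vlan, 4); n += 4; }
    buf[n++] = 0x08; buf[n++] = 0x00;                                             /* IPv4 type */
    memcpy(buf + n, ip, 20); n += 20;
    memcpy(buf + n, tcp, 20); n += 20;
    return n;
}

/* 1 if the (tagged or untagged) sample frame passes the given filter form, else 0. */
int plain_filter_matches(int tagged) { uint8_t f[64]; return match_tcp80_host(f, build_frame(f, tagged), 0); }
int vlan_filter_matches(int tagged)  { uint8_t f[64]; return match_tcp80_host(f, build_frame(f, tagged), 1); }
```

The "or" combination from the message corresponds to `plain_filter_matches(t) || vlan_filter_matches(t)`, which accepts both frames.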