Hello,

This might seem a bit of a strange request, but if you can humor me for a 
moment, I'll explain myself.

I'd like to call bpf_filter() directly with a pre- pcap_compile(d) expression 
in some code that I'm working on. My question isn't whether it's possible, 
because I've successfully tested it, but whether it's safe to do so. Any 
chance the syntax for it will change? Any reason not to do what I'm 
suggesting? Is calling bpf_filter directly portable?

Here's what I'm thinking. I'd like to extend snort to allow it to understand 
bpf filter expressions in some of the rules that it uses. (I've needed the 
ability to do single bit comparisons a few times and I could find no easy way 
of doing it). What I'm suggesting would allow different filter expressions to 
be applied to different packets. I would imagine that only a few rules might 
use it.

The idea is that each time snort receives a packet (no filter applied in the 
main snort code), it calls each plugin with the packet data. Snort gets 
around to calling this plugin and since the expression is already compiled 
(at snort start up), all that needs to be done is call bpf_filter to test the 
packet data against the precompiled filter expression (if it exists).

Anybody have any thoughts on this?

thanks


Mark
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe