> What are the ramifications of not ever calling pcap_setfilter?  Since I'm 
> looking at a plugin to a main program, I don't know if there will be a call 
> to pcap_setfilter... I'd jsut want to call bpf_filter with the packet that 
> snort hands me and the precompiled expression.

Do you mean "what are the ramifications of my plugin not ever calling
pcap_setfilter?", or "what are the ramifications of the program not ever
calling pcap_setfilter?"

If you're just a plugin to snort, snort is presumably doing the
capturing; whether pcap_setfilter is called in the program is up to
snort, and your plugin probably cannot affect whether it'll be called.

I don't know whether snort will call it; if snort wants to see every
single packet on the wire, it won't call pcap_setfilter (or will call it
with an expression generated by compiling an empty string, which
generates a filter that accepts all packets; if it doesn't ever call
pcap_setfilter, it won't work with some buggy Linux libpcaps, as they
don't bind the interface until pcap_setfilter is set, so it may always
call pcap_setfilter).  If snort *doesn't* want to see every single
packet on the wire, it probably will call pcap_setfilter.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
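
Added example, not part of the original message and not libpcap or snort code: a toy interpreter for a three-opcode subset of classic BPF, showing how a precompiled program can be run over a packet in userland with no pcap_setfilter call, and that an accept-all filter of the kind the reply describes is a single `ret`. The names `run_filter`, `accept_all`, `ip_only`, the sample frames and the snaplen constant 262144 are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same field layout as a classic BPF instruction (code, jt, jf, k). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

enum { LDH_ABS = 0x28, JEQ_K = 0x15, RET_K = 0x06 };  /* ldh [k], jeq #k, ret #k */

/* Accept-all program: one "ret #snaplen" (snaplen value is an assumption). */
static const struct insn accept_all[] = { { RET_K, 0, 0, 262144 } };

/* Program of the form generated for "ip" on Ethernet: ethertype == 0x0800. */
static const struct insn ip_only[] = {
    { LDH_ABS, 0, 0, 12 },      /* A = 16-bit ethertype at offset 12 */
    { JEQ_K,   0, 1, 0x0800 },  /* equal: fall through; else skip one */
    { RET_K,   0, 0, 262144 },  /* accept, keep up to snaplen bytes */
    { RET_K,   0, 0, 0 },       /* drop */
};

/* Constructed 14-byte Ethernet headers: one IPv4, one ARP. */
static const uint8_t ipv4_frame[14] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00 };
static const uint8_t arp_frame[14]  = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x06 };

/* Returns the number of bytes to keep; 0 means the packet is rejected. */
static uint32_t run_filter(const struct insn *prog, size_t n,
                           const uint8_t *pkt, uint32_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LDH_ABS:
            if (i->k > len || len - i->k < 2) return 0;  /* load past end: drop */
            a = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case JEQ_K: pc += (a == i->k) ? i->jt : i->jf; break;
        case RET_K: return i->k;
        default:    return 0;   /* opcode outside this subset: drop */
        }
    }
    return 0;                   /* ran off the end without a ret: drop */
}

int main(void)
{
    printf("accept_all on ARP: %u\n", run_filter(accept_all, 1, arp_frame, 14));
    printf("ip_only on IPv4:   %u\n", run_filter(ip_only, 4, ipv4_frame, 14));
    printf("ip_only on ARP:    %u\n", run_filter(ip_only, 4, arp_frame, 14));
    return 0;
}
```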