On Wednesday 24 October 2001 04:10 pm, Guy Harris wrote:
> > What are the ramifications of not ever calling pcap_setfilter?  Since I'm
> > looking at a plugin to a main program, I don't know if there will be a
> > call to pcap_setfilter... I'd just want to call bpf_filter with the
> > packet that snort hands me and the precompiled expression.
>
> Do you mean "what are the ramifications of my plugin not ever calling
> pcap_setfilter?", or "what are the ramifications of the program not ever
> calling pcap_setfilter?"

The program not ever calling pcap_setfilter.

> If you're just a plugin to snort, snort is presumably doing the
> capturing; whether pcap_setfilter is called in the program is up to
> snort, and your plugin probably cannot affect whether it'll be called.

True, snort is doing the capturing. And no, I do not want to effect a call to 
pcap_setfilter. That is snort's responsibility.

My question should have been 'is it ok from libpcap's perspective to compile 
the rule, and then call bpf_filter (with the packet data that snort has 
provided me) without ever having called pcap_setfilter'?

-- I grabbed this section from your first response; I snipped it prematurely --

>> which means that if you compile more than one filter expression before
>> calling "pcap_setfilter()", you should compile the one being handed to
>> "pcap_setfilter()" *last*.

These few lines are what generated my questions over not ever calling 
pcap_setfilter. I read this to be trouble for me. I figure that the main body 
of snort code will do its interface stuff last. That is likely to mean that 
the plugin's filter compilation will not be the last before a pcap_setfilter. 
(There is a pcap_setfilter called no matter what in snort.)

>
> I don't know whether snort will call it; if snort wants to see every
> single packet on the wire, it won't call pcap_setfilter (or will call it
> with an expression generated by compiling an empty string, which
> generates a filter that accepts all packets; if it doesn't ever call
> pcap_setfilter, it won't work with some buggy Linux libpcaps, as they
> don't bind the interface until pcap_setfilter is set, so it may always
> call pcap_setfilter).  If snort *doesn't* want to see every single
> packet on the wire, it probably will call pcap_setfilter.

Thanks for all your help Guy,

Mark

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe