> My question should have been 'is it ok from libpcap's perspective to compile 
> the rule, and then call bpf_filter (with the packet data that snort has 
> provided me) without ever having called pcap_setfilter'?

Yes.

The only problem with the global variable is if the program calls
pcap_compile more than once and hands the result of any compilation
other than the *last* one to pcap_setfilter.

I know of no other potential problems with multiple calls to
pcap_compile or bpf_filter.

> -- I grabbed this section from your first response, snipped it prematurely--
> 
> >> which means that if you compile more than one filter expression before
> >> calling "pcap_setfilter()", you should compile the one being handed to
> >> "pcap_setfilter()" *last*.
> 
> These few lines are what generated my questions over not ever calling 
> pcap_setfilter. I read this to be trouble for me. I figure that the main body 
> of snort code will do its interface stuff last. That is likely to mean that 
> the plugin's filter compilation will not be the last before a pcap_setfilter. 
> (there is a pcap_setfilter called no matter what in snort).

You don't *want* the plugin's filter compilation to be the last one
before pcap_setfilter.

You want the compilation of the filter handed to pcap_setfilter to be
the last one before pcap_setfilter.

So if the plugin's filter compilation happens before snort's filter
compilation of the filter to be handed to pcap_setfilter, that's not a
bug, that's a feature.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html