Hope that wasn't too painful for you Guy. You shed a great deal of light on the issue for me.
Thanks a lot!

Mark

On Wednesday 24 October 2001 04:45 pm, Guy Harris wrote:
> > My question should have been 'is it ok from libpcap's perspective to
> > compile the rule, and then call bpf_filter (with the packet data that
> > snort has provided me) without ever having called pcap_setfilter'?
>
> Yes.
>
> The only problem with the global variable is if the program calls
> pcap_compile more than once and hands the result of any compilation
> other than the *last* one to pcap_setfilter.
>
> I know of no other potential problems with multiple calls to
> pcap_compile or bpf_filter.
>
> > -- I grabbed this section from your first response, snipped it
> > prematurely--
> >
> > >> which means that if you compile more than one filter expression before
> > >> calling "pcap_setfilter()", you should compile the one being handed to
> > >> "pcap_setfilter()" *last*.
> >
> > These few lines are what generated my questions over not ever calling
> > pcap_setfilter. I read this to be trouble for me. I figure that the main
> > body of snort code will do its interface stuff last. That is likely to
> > mean that the plugins filter compilation will not be the last before a
> > pcap_setfilter. (there is a pcap_setfilter called no matter what in
> > snort).
>
> You don't *want* the plugin's filter compilation to be the last one
> before pcap_setfilter.
>
> You want the compilation of the filter handed to pcap_setfilter to be
> the last one before pcap_setfilter.
>
> So if the plugin's filter compilation happens before snort's filter
> compilation of the filter to be handed to pcap_setfilter, that's not a
> bug, that's a feature.

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
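An added example, not code from this thread, from snort or from libpcap: it illustrates the arrangement discussed above, where a plugin holds its own filter program and evaluates it against packet bytes independently of the main capture filter. Everything in it is an assumption made for illustration: `run_filter` is a minimal stand-in interpreter (not libpcap's `bpf_filter`), the two hand-assembled programs stand in for compiled filters, and the frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same fields as classic BPF's struct bpf_insn; a stand-in type, not libpcap's. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };

/* Stand-in interpreter: returns the snap length to accept, 0 to reject.
   Loads past the end of the buffer and unknown opcodes reject. */
static uint32_t run_filter(const struct insn *pc, size_t n,
                           const uint8_t *p, uint32_t len)
{
    uint32_t a = 0;                      /* accumulator */
    for (size_t i = 0; i < n; i++) {
        switch (pc[i].code) {
        case LDH_ABS:                    /* 16-bit big-endian load at offset k */
            if (pc[i].k > len || len - pc[i].k < 2) return 0;
            a = (uint32_t)p[pc[i].k] << 8 | p[pc[i].k + 1];
            break;
        case LDB_ABS:                    /* 8-bit load at offset k */
            if (pc[i].k >= len) return 0;
            a = p[pc[i].k];
            break;
        case JEQ_K: i += (a == pc[i].k) ? pc[i].jt : pc[i].jf; break;
        case RET_K: return pc[i].k;
        default:    return 0;
        }
    }
    return 0;
}

/* Hypothetical main capture filter: any IPv4 frame. */
static const struct insn main_prog[] = {
    {LDH_ABS, 0, 0, 12}, {JEQ_K, 0, 1, 0x0800}, {RET_K, 0, 0, 65535}, {RET_K, 0, 0, 0} };
/* Hypothetical plugin filter: IPv4 with protocol 17 (UDP). */
static const struct insn plugin_prog[] = {
    {LDH_ABS, 0, 0, 12}, {JEQ_K, 0, 3, 0x0800}, {LDB_ABS, 0, 0, 23},
    {JEQ_K, 0, 1, 17}, {RET_K, 0, 0, 65535}, {RET_K, 0, 0, 0} };

/* Constructed Ethernet + IPv4 headers: ethertype at 12, protocol at 23. */
static const uint8_t tcp_pkt[34] = { [12] = 0x08, [14] = 0x45, [23] = 6 };
static const uint8_t udp_pkt[34] = { [12] = 0x08, [14] = 0x45, [23] = 17 };

uint32_t main_verdict(const uint8_t *p, uint32_t len)   { return run_filter(main_prog, 4, p, len); }
uint32_t plugin_verdict(const uint8_t *p, uint32_t len) { return run_filter(plugin_prog, 6, p, len); }

int main(void) {
    printf("tcp: main=%u plugin=%u\n", main_verdict(tcp_pkt, 34), plugin_verdict(tcp_pkt, 34));
    printf("udp: main=%u plugin=%u\n", main_verdict(udp_pkt, 34), plugin_verdict(udp_pkt, 34));
    return 0;
}
```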
