On Wed, Feb 20, 2002 at 02:10:29PM -0500, Wild, Andrew wrote:
> using tcpdump with this command line works just fine:
> 
> tcpdump -i hme1 -X -s 1550 port 5190 and 'tcp[20:2] = 10754' and '(tcp[26:4]
> = 0x00040007 or tcp[26:4] = 0x00040006)'
> 
> using my own routing with the pcap_compile() function returns an error.
>  
> char filter[] = "port 5190 and 'tcp[20:2] = 10754' and '(tcp[26:4] = "
>                 "0x00040007 or tcp[26:4] = 0x00040006)'";

...and rightfully so; that expression is not a valid expression to hand
to "pcap_compile()".  The single-quote character ' isn't legal in filter
expressions.

tcpdump, if you run it with the command line

        tcpdump -i hme1 -X -s 1550 port 5190 and 'tcp[20:2] = 10754' and
            '(tcp[26:4] = 0x00040007 or tcp[26:4] = 0x00040006)'

doesn't hand that expression to "pcap_compile()", because the shell
doesn't hand that expression to tcpdump!

Instead, what it hands to tcpdump is a list of arguments:

        arg 1:  -i
        arg 2:  hme1
        arg 3:  -X
        arg 4:  -s
        arg 5:  1550
        arg 6:  port
        arg 7:  5190
        arg 8:  and
        arg 9:  tcp[20:2] = 10754
        arg 10: and
        arg 11: (tcp[26:4] = 0x00040007 or tcp[26:4] = 0x00040006)

The single-quote characters are processed by the shell, telling it that

        1) it shouldn't treat the [, ], (, and ) characters specially;

        2) it shouldn't treat spaces specially;

so that it passes, for example, the string "tcp[20:2] = 10754" as a
single argument, rather than treating "[20:2]" as some sort of file name
wildcard match, and treating "tcp[20:2]", "=", and "10754" as separate
arguments.

tcpdump glues all the arguments following the command line flags - i.e.,
starting with "port" - together, with blanks separating them, generating
the string

        port 5190 and tcp[20:2] = 10754 and (tcp[26:4] = 0x00040007 or
            tcp[26:4] = 0x00040006)

so that's the string you should hand to "pcap_compile()":

char filter[] = "port 5190 and tcp[20:2] = 10754 and (tcp[26:4] = 0x00040007 or "
                "tcp[26:4] = 0x00040006)";

(Note that your tcpdump command would have worked as

        tcpdump -i hme1 -X -s 1550 'port 5190 and tcp[20:2] = 10754 and
            (tcp[26:4] = 0x00040007 or tcp[26:4] = 0x00040006)'

i.e., with the *entire* expression in quotes, and would also have worked
as

        tcpdump -i hme1 -X -s 1550 port 5190 and 'tcp[20:2]' = 10754 and
            '(tcp[26:4]' = 0x00040007 or 'tcp[26:4]' = '0x00040006)'

i.e., with only those tokens that need quoting quoted.)
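As an added example (not code from the original post, nor tcpdump's own source), the gluing step described above in C: join_filter_args() rebuilds the expression from the arguments the shell has already split, the way tcpdump does before calling pcap_compile(), and find_shell_quote() reports the position of a leftover shell quote character, which pcap_compile() would reject. The argument list is constructed from the message above; pcap_compile() itself is not called, so this builds without libpcap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Glue the non-option arguments together with single blanks, the way
 * tcpdump builds the expression it hands to pcap_compile().  Returns a
 * malloc()ed string the caller frees, or NULL on allocation failure. */
char *join_filter_args(int argc, char **argv)
{
    size_t len = 0;
    int i;

    for (i = 0; i < argc; i++)
        len += strlen(argv[i]) + 1;      /* token plus blank (or final NUL) */
    char *expr = malloc(len ? len : 1);
    if (expr == NULL)
        return NULL;
    expr[0] = '\0';
    for (i = 0; i < argc; i++) {
        if (i > 0)
            strcat(expr, " ");
        strcat(expr, argv[i]);
    }
    return expr;
}

/* pcap_compile() does not accept the shell's quote characters.  Return the
 * offset of the first ' or " in expr, or -1 if there is none. */
int find_shell_quote(const char *expr)
{
    const char *p = strpbrk(expr, "'\"");
    return p ? (int)(p - expr) : -1;
}

int main(void)
{
    /* Constructed: the argument list the shell hands tcpdump for
     *   port 5190 and 'tcp[20:2] = 10754' and '(tcp[26:4] = ... )'
     * i.e. with the single quotes already consumed by the shell. */
    char *args[] = { "port", "5190", "and", "tcp[20:2] = 10754", "and",
                     "(tcp[26:4] = 0x00040007 or tcp[26:4] = 0x00040006)" };
    char *expr = join_filter_args(6, args);

    if (expr == NULL)
        return 1;
    printf("expression: %s\n", expr);
    printf("stray quote at offset: %d\n", find_shell_quote(expr)); /* -1: none */
    free(expr);
    return 0;
}
```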
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe