I am processing a hybrid pcap file using libpcap and a filter expression. The
pcap file is hybrid, with IPv4 and IPv6 packets. The code fragment is as follows:
/*----------------------------------------------------------------------------*/
#include <pcap.h>
#include <iostream>
#include <string>
using namespace std;

int main()
{
    pcap_t *fp;
    char errbuf[PCAP_ERRBUF_SIZE];
    string pcapfilename = "g00.pcap";
    string pcap_filter = "tcp dst port 80";
    struct pcap_pkthdr *hdr;   // per-packet header filled in by pcap_next_ex()
    const u_char *pData;       // packet bytes filled in by pcap_next_ex()
    int ret;

    // open pcap file
    if ((fp = pcap_open_offline(pcapfilename.c_str(), errbuf)) == NULL)
    {
        cout << "file open failed" << endl;
        return 0;
    }

    // set filter string
    if (pcap_filter.length() > 0)
    {
        bpf_u_int32 netmask = 0xffffffff;
        struct bpf_program filtercode;
        if (pcap_compile(fp, &filtercode, pcap_filter.c_str(), 1, netmask) < 0)
        {
            cout << "compile filter code error " << pcap_geterr(fp) << endl;
            pcap_close(fp);
            return 0;
        }
        if (pcap_setfilter(fp, &filtercode) < 0)
        {
            cout << "set filter error " << pcap_geterr(fp) << endl;
            pcap_freecode(&filtercode);
            pcap_close(fp);
            return 0;
        }
        // pcap_setfilter() keeps its own copy, so the compiled program can be freed
        pcap_freecode(&filtercode);
    }

    // read packets
    while ((ret = pcap_next_ex(fp, &hdr, &pData)) > 0) // !!! notice here !!!
    {
        cout << "I got it!!!" << endl;
    }

    pcap_close(fp);
    return 0;
}
/*----------------------------------------------------------------------------*/
I'm sure that the pcap file has many packets with TCP destination port 80, but I
got nothing when I tried to read them out.
When I traced into the program, I found that "ret" is -2, which means the end of
file was encountered.
I used another pcap file with pure IPv4 packets to test the above code; it ran
correctly and I got the right packets as expected.
Is this a bug?
2011-12-30
homeryan