(The mailing list for libpcap is [email protected] - think of 
it as also being "libpcap-workers", "libpcap-users", and "tcpdump-users".  
However, I'll answer this here.)

On Jun 16, 2013, at 10:05 AM, Gal Sagie <[email protected]> wrote:

> I want to achieve the following :
> 
> 1) I have a raw packet buffer, i want to search if they match a certain BPF 
> filter (i dont care about the device or how i received this packet buffer) 
> just want
>    to know it match or doesn't match.
> 
> The code i tried :
>       pkt = pointer to packet data
>       char errbuf[PCAP_ERRBUF_SIZE];
>       pcap_t* pc = pcap_create("any", errbuf);

That's one thing you're doing wrong.  If you're not going to capture on a 
device or pseudo-device, don't open it.

If you have a packet with a given type of link-layer headers, there is no 
guarantee that you will even *have* a device that will provide the same type of 
link-layer headers, and that is what you will need in order to compile a filter 
with pcap_compile() and have it work on your packet.

So:

        pcap_t *pc = pcap_open_dead(linktype, 65536);

        struct bpf_program fp;
        int res = pcap_compile(pc,&fp,"ip",0,0);
        if (res == -1) {
                fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(pc));
                pcap_close(pc);
                return -1;      /* fp is not valid; bail out */
        }
        pcap_close(pc);         /* not needed any more */

        struct pcap_pkthdr hdr;
        memset(&hdr,0,sizeof(hdr));
        hdr.caplen = pkt->pkt_len;      /* bytes actually in the buffer */
        hdr.len = pkt->pkt_len;         /* original length on the wire */

        u_char* data = (unsigned char *)pkt->data;

        int match = pcap_offline_filter(&fp, &hdr ,data);
        printf("Packet Match = %d\r\n",match);
        pcap_freecode(&fp);     /* release the compiled program */

You will *HAVE* to choose a value for linktype yourself; there is no value that 
can possibly work for all packets, because the BPF program generated by 
pcap_compile() *HAS* to know what link-layer headers, if any, are at the 
beginning of the packet - there is none that will simultaneously work on 
packets with Ethernet headers (DLT_EN10MB) and packets with 802.11 headers 
(DLT_IEEE802_11) and packets with PPP headers (DLT_PPP) and packets with no 
link-layer headers (DLT_RAW, where the packets begin with IPv4 or IPv6 headers) 
and packets with a "radiotap" header followed by an 802.11 header 
(DLT_IEEE802_11_RADIO) and packets with the "fake" headers provided by the 
"any" device (DLT_LINUX_SLL - packets captured on the "any" device have those, 
rather than the native headers for the particular device from which a 
particular packet was captured).

See

        http://www.tcpdump.org/linktypes.html

for a list of the link-layer header types available.  The DLT_ values are the 
ones you would use in the call to pcap_open_dead().
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
