tcpdump mailing list archives
Re: A broken filter...
From: Dan Joumaa <nessup () gmail com>
Date: Mon, 03 Apr 2006 17:09:10 -0700
Hannes Gredler wrote:
> Dan Joumaa wrote:
>> Hello,
>>
>> I am trying to capture all ethernet packets with the source host's first 3 octets being 00, 09, and bf. It was suggested that I use this filter: "ether[0] == 0x00 && ether[1] == 0x09 && ether[2] == 0xbf." When packets are sent that should match, nothing comes through. When I remove the filter, I'm able to receive the packets, along with every other packet.
>>
>> What's wrong with my filter?
>
> perhaps the filter is alright and the data is wrong ;-) -> i.e. an idea that comes into mind is that the packets come in using 802.1Q (VLAN) encaps ... can you provide some more information about your capturing interface?
>
> /hannes
> -
> This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
hey again,

I'm trying to capture data off a switched network. Specifically, I'm trying to get ARP packets. I've done this before, but this doesn't work. My init code looks perfectly fine:

    char *dev;
    char errbuf[PCAP_ERRBUF_SIZE+1];
    bpf_u_int32 mask;
    char filter[] = "ether[6] = 0x00 && ether[7] = 0x09 && ether[8] = 0xbf";
    struct bpf_program fp;

    ...get net mask and dev...

    if( (pcap = pcap_open_live( dev, BUFSIZ, 1, 0, errbuf )) == NULL ) {
        (void)fprintf( stderr, "Failed to open a pcap session because %s.\n", errbuf );
        (void)free( dev );
        return (false);
    }
    (void)free( dev );
    (void)setuid( getuid( ) ); // give the user back ownership

    if( pcap_compile( pcap, &fp, filter, 0, mask ) < 0 ) {
        (void)fprintf( stderr, "Failed to compile the filter.\n" );
        (void)pcap_close( pcap );
        return (false);
    }
    if( pcap_setfilter( pcap, &fp ) < 0 ) {
        (void)fprintf( stderr, "Failed to activate the filter because %s.\n", errbuf );
        (void)pcap_close( pcap );
        return (false);
    }

    ...

    (void)pcap_loop( pcap, -1, (void *)packetCaptured, NULL );

any idea on what's going wrong here?

--ness
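Both filters in this thread index raw bytes of the Ethernet header, so the following added example (not code from either poster or from libpcap) emulates the two three-byte comparisons on constructed frames: bytes 0-5 hold the destination address, bytes 6-11 the source, and an 802.1Q tag, when present, occupies bytes 12-15 after both addresses. The helper names and the sample frames are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulates "ether[off] = a && ether[off+1] = b && ether[off+2] = c".
 * A load past the end of the packet makes the filter reject it. */
static int match3(const uint8_t *f, size_t len, size_t off, const uint8_t want[3])
{
    if (len < off + 3)
        return 0;
    return memcmp(f + off, want, 3) == 0;
}

/* Returns the EtherType, skipping one 802.1Q tag (TPID 0x8100) if present. */
static int ethertype(const uint8_t *f, size_t len)
{
    size_t off = 12;
    if (len >= 14 && f[12] == 0x81 && f[13] == 0x00)
        off = 16;                       /* tag pushes the type field back 4 bytes */
    if (len < off + 2)
        return -1;
    return (f[off] << 8) | f[off + 1];
}

static const uint8_t OUI[3] = { 0x00, 0x09, 0xbf };

/* Constructed headers: broadcast ARP sent by 00:09:bf:01:02:03. */
static const uint8_t untagged[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* bytes 0-5: destination */
    0x00, 0x09, 0xbf, 0x01, 0x02, 0x03, /* bytes 6-11: source */
    0x08, 0x06 };                       /* bytes 12-13: EtherType ARP */
static const uint8_t tagged[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x09, 0xbf, 0x01, 0x02, 0x03,
    0x81, 0x00, 0x00, 0x0a,             /* bytes 12-15: 802.1Q tag, VLAN 10 */
    0x08, 0x06 };                       /* bytes 16-17: EtherType ARP */

int main(void)
{
    printf("untagged ether[0..2]: %d\n", match3(untagged, sizeof untagged, 0, OUI));
    printf("untagged ether[6..8]: %d\n", match3(untagged, sizeof untagged, 6, OUI));
    printf("tagged   ether[6..8]: %d\n", match3(tagged, sizeof tagged, 6, OUI));
    printf("types: 0x%04x 0x%04x\n", ethertype(untagged, sizeof untagged),
           ethertype(tagged, sizeof tagged));
    return 0;
}
```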