tcpdump mailing list archives
Re: about pcap rules
From: Guy Harris <guy () alum mit edu>
Date: Thu, 17 Aug 2006 15:34:11 -0700
Hui.Ning () utstar com wrote:
> When given a rule consisting of a set of sub rules to pcap, if a packet matches the rule, how do I know which sub rule it matches?
libpcap will not tell you that. As far as it's concerned - and as far as the kernel is concerned, on those platforms where the packet filtering is done in the kernel - there are no subrules, there's just one big program that either says "matches" or "doesn't match".
You would have to look at the packet yourself to determine which subrule matched.
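One way to do the "look at the packet yourself" step, as an added example that is not part of the original message or of libpcap: each sub-rule is re-evaluated in application code against a frame the combined filter already accepted. The filter `tcp port 80 or udp port 53 or icmp`, the Ethernet (DLT_EN10MB) link type, the helper names and the sample frames are all assumptions constructed for illustration.

```python
import struct

# Sub-rules of the assumed combined filter "tcp port 80 or udp port 53 or icmp".
# Each predicate takes the parsed fields and mirrors one sub-expression.
SUBRULES = {
    "tcp port 80": lambda p: p["proto"] == 6 and 80 in p["ports"],
    "udp port 53": lambda p: p["proto"] == 17 and 53 in p["ports"],
    "icmp":        lambda p: p["proto"] == 1,
}

def parse_ethernet_ipv4(frame):
    """Return {'proto', 'ports'} for an Ethernet/IPv4 frame, or None."""
    if len(frame) < 14 + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:            # not IPv4 (VLAN tags are not handled)
        return None
    ihl = (frame[14] & 0x0F) * 4       # IP header length in bytes
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[14 + 9]
    frag = struct.unpack("!H", frame[14 + 6:14 + 8])[0]
    ports = ()
    l4 = 14 + ihl
    # Ports are only present in the first fragment of a TCP/UDP datagram.
    if proto in (6, 17) and (frag & 0x1FFF) == 0 and len(frame) >= l4 + 4:
        ports = struct.unpack("!HH", frame[l4:l4 + 4])
    return {"proto": proto, "ports": ports}

def matching_subrules(frame):
    """Names of every sub-rule the frame satisfies (more than one may)."""
    pkt = parse_ethernet_ipv4(frame)
    if pkt is None:
        return []
    return [name for name, pred in SUBRULES.items() if pred(pkt)]

def build_frame(proto, sport=0, dport=0, frag_offset=0):
    """Constructed test frame: Ethernet + minimal IPv4 + 4 bytes of L4."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, frag_offset, 64,
                     proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + struct.pack("!HH", sport, dport)

if __name__ == "__main__":
    for f in (build_frame(6, 40000, 80), build_frame(17, 53, 40000),
              build_frame(1), build_frame(6, 40000, 80, frag_offset=5)):
        print(matching_subrules(f))
```

The result is a list because sub-rules can overlap, so one packet may satisfy several of them even though the single compiled filter only reports "matches".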