tcpdump mailing list archives
Re: Bug in Pcap Compile?
From: Guy Harris <guy () alum mit edu>
Date: Thu, 24 Jun 2010 01:09:38 -0700
On Jun 23, 2010, at 5:37 PM, Steve Scott wrote:
> When I use this pcap compile string, my gcc compiler builds the executable, but the pcap compile fails at run time: "\\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)"

The backslashes are unnecessary. If I do

    tcpdump -d "\\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)"

on OS X (with bash as the shell), I get

    tcpdump: illegal token: \

If I do

    tcpdump -d "(tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)"

I get

    (000) ldh      [12]
    (001) jeq      #0x86dd          jt 10   jf 2
    (002) jeq      #0x800           jt 3    jf 10
    (003) ldb      [23]
    (004) jeq      #0x6             jt 6    jf 5
    (005) jeq      #0x11            jt 6    jf 10
    (006) ld       [26]
    (007) jeq      #0xac131202      jt 9    jf 8
    (008) jeq      #0xac131203      jt 9    jf 10
    (009) ret      #65535
    (010) ret      #0

(on an Ethernet device). If I do

    tcpdump -d \\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)

the shell complains:

    -bash: syntax error near unexpected token `('

And if I do

    tcpdump -d \(tcp or udp\) and \(src host 172.19.18.2 or src host 172.19.18.3\)

I get the same program as before. If I do

    echo \(tcp or udp\) and \(src host 172.19.18.2 or src host 172.19.18.3\)

I get

    (tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)

which means the string you pass to pcap_compile should be

    "(tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)"

The only purpose the backslashes serve is to escape the parentheses from the shell; they are not necessary in order to escape the parentheses from the C compiler, so you should leave them out if you're writing a program that calls pcap_compile().

> Is this a bug in the pcap compiler?
No, it's a bug in your program. Remove the backslashes from the C string.
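Added example, not part of the original message or of libpcap: a check a program could run on a filter string before handing it to pcap_compile(), which finds shell escapes left in a C literal and removes them. The function names and the rule that only parentheses count as shell-only escapes are assumptions of this sketch; a backslash before a keyword (as in `ip proto \tcp`) is filter syntax and is left alone.

```c
#include <stdio.h>
#include <string.h>

/* The literal from the question: in C source, "\\(" is the two bytes '\' and '('. */
const char QUESTION_FILTER[] =
    "\\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)";
/* The literal the reply says to pass to pcap_compile(). */
const char REPLY_FILTER[] =
    "(tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)";

/* Assumption of this sketch: only parentheses count as shell-only escapes.
 * A backslash before a keyword (e.g. "ip proto \tcp") is filter syntax. */
static int shell_only(char next) { return next == '(' || next == ')'; }

/* Offset of the first leftover shell escape in filter, or -1 if there is none. */
long first_shell_escape(const char *filter)
{
    for (size_t i = 0; filter[i] != '\0'; i++)
        if (filter[i] == '\\' && shell_only(filter[i + 1]))
            return (long)i;
    return -1;
}

/* Copy filter to out minus those backslashes. Returns 0, or -1 if out is too small. */
int strip_shell_escapes(const char *filter, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (size_t i = 0; filter[i] != '\0'; i++) {
        if (filter[i] == '\\' && shell_only(filter[i + 1]))
            continue;                 /* drop the backslash, keep the parenthesis */
        if (o + 1 >= outlen)
            return -1;
        out[o++] = filter[i];
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char fixed[sizeof QUESTION_FILTER];
    printf("question literal: first shell escape at offset %ld\n",
           first_shell_escape(QUESTION_FILTER));
    if (strip_shell_escapes(QUESTION_FILTER, fixed, sizeof fixed) == 0)
        printf("pass to pcap_compile(): %s\n", fixed);
    return 0;
}
```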