tcpdump mailing list archives
Multiple filter compilation/filtering in offline mode ??
From: V K <vik.kaul () yahoo com>
Date: Thu, 30 Jun 2011 10:30:04 -0700 (PDT)
Folks,

I have pcap traces which I am reading via the pcap_ C API (pcap_open_offline() and pcap_next()...).

What I want to do is to have several filters, say:

filter1: (ip.proto==TCP && tcp.dstport==100012)
filter2: (ip.proto==UDP && (udp.srcport==60035 | udp.dstport==10000))
filter3: <something>
.. and so on

And once a packet is read using pcap_next(), I want to check that packet against all filters and mark the filter that matches the packet.

Is there a way one could compile multiple filters, read the packets and for each packet check true/false for individual filter matches?

I presume I can have several compiled filters, but how do I apply them one at a time to a packet that has already been read from the offline pcap file?

Alternately, is there another way to do this using the existing pcap_ libraries?

This would extend itself to a "live" capture program as well, where _ALL_ packets would be sniffed (without any filter) and as each packet is read, it is then compared against individual filters to find the matching one.

Any pointers are welcome.

Thanks
vk
-
This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- Multiple filter compilation/filtering in offline mode ?? V K (Jun 30)
- Re: Multiple filter compilation/filtering in offline mode ?? Guy Harris (Jun 30)