tcpdump mailing list archives
Re: Stopping packet capture on a libpcap descriptor
From: Guy Harris <guy () alum mit edu>
Date: Wed, 30 Nov 2011 11:02:59 -0800
On Nov 30, 2011, at 2:40 AM, Fernando Gont wrote:
> Could you suggest a good reference for BPF syntax? -- So far I've only used pcap_compile() and hence didn't really get into BPF.
Well, for reference purposes, there's the original BPF paper:

    http://www.tcpdump.org/papers/bpf-usenix93.pdf

and the bpf.h header file.

However, pcap-linux.c in libpcap already has a filter with just "ret 0" that it uses while flushing packets that matched the old filter when changing to a new filter:

    static struct sock_filter total_insn = BPF_STMT(BPF_RET | BPF_K, 0);
    static struct sock_fprog total_fcode = { 1, &total_insn };

It's using Linux-specific data structures (for use when making Linux calls), but the equivalent using BPF data structures would be

    static struct bpf_insn total_insn = BPF_STMT(BPF_RET | BPF_K, 0);
    static struct bpf_program total_fcode = { 1, &total_insn };
> In any case, I guess one could achieve the same sort of result (albeit with a sloppy filter that rejects e.g., everything that's Ethernet when one is capturing on Ethernet).
Unfortunately, there's no way to "reject everything that's Ethernet" - the filter can only look at the packet data, and there's no "this is Ethernet" bit in Ethernet packets (and it'd always be set in any case :-)).
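The following C program is an added illustration of the two points above; it is not code from Guy Harris, Fernando Gont or libpcap. It runs the one-instruction "ret #0" program from the reply and a hand-written EtherType filter through a minimal classic-BPF interpreter, showing that "ret 0" accepts nothing while the only way to "reject Ethernet" is to test bytes that are actually in the frame. The opcode values and the bpf_insn layout are copied from the public definitions in bpf.h (assumed identical here) so it builds without libpcap headers; the two frames are constructed samples; the "ip" program is written by hand in the shape of what pcap_compile() emits for "ip" on Ethernet, not its exact output.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Opcode constants and instruction layout mirror bpf.h (assumption: same
 * values), redefined locally so the example builds without libpcap. */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_ABS  0x20
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define BPF_A    0x10
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_RVAL(c)  ((c) & 0x18)

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
#define BPF_STMT(code, k) { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define BPF_JUMP(code, k, jt, jf) \
    { (uint16_t)(code), (uint8_t)(jt), (uint8_t)(jf), (uint32_t)(k) }

/* True if [off, off+size) lies inside a packet of len bytes (no wraparound). */
static int in_bounds(uint32_t off, uint32_t size, uint32_t len)
{
    return size <= len && off <= len - size;
}

/* Minimal classic-BPF interpreter for the opcodes used below: absolute
 * loads, jeq-immediate and ret. Returns the accepted byte count (0 = drop).
 * An out-of-range load or an unsupported opcode drops the packet, as the
 * kernel and libpcap interpreters do. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n,
                 const uint8_t *pkt, uint32_t len)
{
    uint32_t A = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct bpf_insn *in = &prog[pc++];
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:
            if (BPF_MODE(in->code) != BPF_ABS) return 0;
            switch (BPF_SIZE(in->code)) {
            case BPF_B:
                if (!in_bounds(in->k, 1, len)) return 0;
                A = pkt[in->k];
                break;
            case BPF_H:
                if (!in_bounds(in->k, 2, len)) return 0;
                A = (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1];
                break;
            case BPF_W:
                if (!in_bounds(in->k, 4, len)) return 0;
                A = (uint32_t)pkt[in->k] << 24 | (uint32_t)pkt[in->k + 1] << 16
                  | (uint32_t)pkt[in->k + 2] << 8 | pkt[in->k + 3];
                break;
            default:
                return 0;
            }
            break;
        case BPF_JMP:
            if (BPF_OP(in->code) != BPF_JEQ || BPF_SRC(in->code) != BPF_K) return 0;
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET:
            return BPF_RVAL(in->code) == BPF_A ? A : in->k;
        default:
            return 0;
        }
    }
    return 0; /* fell off the end of the program: drop */
}

/* The "accept nothing" program from the thread: a single "ret #0". */
static const struct bpf_insn total_insn[] = { BPF_STMT(BPF_RET | BPF_K, 0) };

/* Hand-written filter in the shape pcap_compile() gives "ip" on Ethernet:
 * load the 16-bit EtherType at offset 12 and accept only if it is 0x0800.
 * This is the closest a filter can get to a "this is IPv4 over Ethernet"
 * decision: it has nothing to look at except the packet bytes. */
static const struct bpf_insn ip_insn[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, 65535),
    BPF_STMT(BPF_RET | BPF_K, 0),
};

/* Constructed sample frames: 14-byte Ethernet header plus a few payload bytes. */
static const uint8_t ipv4_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00,                 /* EtherType IPv4 */
    0x45,0x00,0x00,0x14 };
static const uint8_t arp_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x06,                 /* EtherType ARP */
    0x00,0x01,0x08,0x00 };

uint32_t run_total_filter(const uint8_t *pkt, uint32_t len)
{
    return bpf_run(total_insn, 1, pkt, len);
}

uint32_t run_ip_filter(const uint8_t *pkt, uint32_t len)
{
    return bpf_run(ip_insn, 4, pkt, len);
}

int main(void)
{
    printf("ret 0 filter: ipv4=%u arp=%u\n",
           run_total_filter(ipv4_frame, sizeof ipv4_frame),
           run_total_filter(arp_frame, sizeof arp_frame));
    printf("ip filter:    ipv4=%u arp=%u\n",
           run_ip_filter(ipv4_frame, sizeof ipv4_frame),
           run_ip_filter(arp_frame, sizeof arp_frame));
    return 0;
}
```

To stop delivery on a real capture handle you would wrap `total_insn` in a `struct bpf_program` exactly as the reply shows (`{ 1, &total_insn }`) and pass it to `pcap_setfilter()`; the interpreter here only makes visible why that single instruction suffices, and why an EtherType test, not an imaginary "is Ethernet" bit, is the only handle a filter has on the link-layer encapsulation.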