tcpdump mailing list archives

Re: Stopping packet capture on a libpcap descriptor


From: Guy Harris <guy () alum mit edu>
Date: Wed, 30 Nov 2011 11:02:59 -0800


On Nov 30, 2011, at 2:40 AM, Fernando Gont wrote:

> Could you suggest a good reference for BPF syntax? -- So far I've only
> used pcap_compile() and hence didn't really get into BPF.

Well, for reference purposes, there's the original BPF paper:

        http://www.tcpdump.org/papers/bpf-usenix93.pdf

and the bpf.h header file.

However, pcap-linux.c in libpcap already has a filter with just "ret 0" that it uses while flushing packets that 
matched the old filter when changing to a new filter:

        static struct sock_filter       total_insn
                = BPF_STMT(BPF_RET | BPF_K, 0);
        static struct sock_fprog        total_fcode
                = { 1, &total_insn };

It's using Linux-specific data structures (for use when making Linux calls), but the equivalent using BPF data 
structures would be

        static struct bpf_insn          total_insn
                = BPF_STMT(BPF_RET | BPF_K, 0);
        static struct bpf_program       total_fcode
                = { 1, &total_insn };

> In any case, I guess one could achieve the same sort of result (albeit
> with a sloppy filter that rejects e.g., everything that's Ethernet when
> one is capturing on ethernet).

Unfortunately, there's no way to "reject everything that's Ethernet" - the filter can only look at the packet data, and 
there's no "this is Ethernet" bit in Ethernet packets (and it'd always be set in any case :-)).
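To make the two points in the reply above concrete, here is an added example (not code from the thread, from libpcap or from pcap-linux.c): a tiny interpreter for the three classic-BPF opcodes needed to run the "ret 0" program next to a hand-assembled "ether proto \ip" program over two constructed Ethernet frames. The struct layouts and opcode constants are copied by hand to mirror <pcap/bpf.h> so the file builds without libpcap; the interpreter, the frames and the function names (run_filter, accepts, ip_fcode) are this example's own and are not a libpcap API.

```c
#include <stdint.h>
#include <stdio.h>

/* Hand-copied mirrors of the <pcap/bpf.h> definitions (assumed to match
 * libpcap's layout and constants), so this builds without libpcap. */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};
struct bpf_program {
    unsigned int     bf_len;
    struct bpf_insn *bf_insns;
};

#define BPF_LD   0x00   /* instruction class: load into accumulator */
#define BPF_JMP  0x05   /* instruction class: conditional jump */
#define BPF_RET  0x06   /* instruction class: return */
#define BPF_H    0x08   /* size: half-word (16 bits) */
#define BPF_ABS  0x20   /* mode: absolute packet offset */
#define BPF_JEQ  0x10   /* jump op: equal */
#define BPF_K    0x00   /* operand: immediate constant */
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (uint32_t)(k) }

/* The "ret 0" program from pcap-linux.c, in libpcap's data structures:
 * every packet is dropped, so nothing reaches the application. */
static struct bpf_insn    total_insn  = BPF_STMT(BPF_RET | BPF_K, 0);
static struct bpf_program total_fcode = { 1, &total_insn };

/* What "ether proto \ip" looks like for DLT_EN10MB: load the EtherType at
 * offset 12, compare with 0x0800, keep the packet or drop it. (pcap_compile
 * puts the snaplen in the accepting "ret"; 0xffffffff serves here.) */
static struct bpf_insn ip_insns[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, 0xffffffff),
    BPF_STMT(BPF_RET | BPF_K, 0),
};
static struct bpf_program ip_fcode = { 4, ip_insns };

/* Toy interpreter for the three opcodes used above. Returns the number of
 * bytes to keep (0 = drop), like bpf_filter(). A load past the end of the
 * packet, or an unsupported opcode, drops the packet. This is the example's
 * own code, not libpcap's bpf_filter(). */
static unsigned int run_filter(const struct bpf_program *prog,
                               const unsigned char *pkt, unsigned int len)
{
    uint32_t A = 0;                 /* the accumulator */
    unsigned int pc;
    for (pc = 0; pc < prog->bf_len; pc++) {
        const struct bpf_insn *in = &prog->bf_insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_H | BPF_ABS:
            if (in->k >= len || len - in->k < 2)
                return 0;
            A = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (A == in->k) ? in->jt : in->jf;   /* relative to next insn */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return 0;
        }
    }
    return 0;
}

/* 1 if the program keeps the frame, 0 if it drops it. */
int accepts(const struct bpf_program *prog, const unsigned char *pkt,
            unsigned int len)
{
    return run_filter(prog, pkt, len) != 0;
}

/* Constructed sample frames (not captured traffic): 14-byte Ethernet header
 * plus a few payload bytes. Only the EtherType at bytes 12-13 differs, which
 * is the only thing a filter can test; there is no "this is Ethernet" bit. */
static const unsigned char ipv4_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x14 };
static const unsigned char arp_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,
    0x00,0x01,0x08,0x00 };

int main(void)
{
    printf("ret 0      : ipv4=%d arp=%d\n",
           accepts(&total_fcode, ipv4_frame, sizeof ipv4_frame),
           accepts(&total_fcode, arp_frame, sizeof arp_frame));
    printf("ether ip   : ipv4=%d arp=%d truncated=%d\n",
           accepts(&ip_fcode, ipv4_frame, sizeof ipv4_frame),
           accepts(&ip_fcode, arp_frame, sizeof arp_frame),
           accepts(&ip_fcode, ipv4_frame, 13));
    return 0;
}
```

With a real descriptor the "ret 0" program is installed with pcap_setfilter(p, &total_fcode); the interpreter here only stands in for the kernel or libpcap's bpf_filter() so the behaviour can be seen offline.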

