Re: question regarding bpf_program

[Guy Harris <guy () alum mit edu>]

On Feb 4, 2012, at 12:02 PM, Prashant Batra (prbatra) wrote:

> I want to use "pcap_compile" to get a bpf filter from a string. And then
> I want to use the filter in the form of sock_filter to  set as a socket
> option to capture the packets specified by the filter. I want to receive
> the filtered packets using PF_PACKET family socket.

I think there's a library that can set filters on PF_PACKET sockets.  I think it's called "libpcap". :-)

> But what I have observed is that the filter obtained using pcap_compile
> (printed using bpf_dump) does not match the one using tcpdump -d option.

The code generated by pcap_compile() depends on the link-layer header type for the network device for which you're 
compiling it.  You're probably compiling for a different network interface than the one that was used by tcpdump. -
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.