Wireshark mailing list archives

Running BPF filters on raw packet data (no devices)


From: Gal Sagie <gal.sagie () gmail com>
Date: Sun, 16 Jun 2013 20:05:49 +0300

Hello,

I want to achieve the following :

1) I have a raw packet buffer, and I want to check whether it matches a certain BPF
filter (I don't care about the device or how I received this packet buffer); I
just want to know whether it matches or doesn't match.

The code I tried:

   #include <pcap.h>
   #include <stdio.h>
   #include <string.h>

   /* pkt = pointer to the packet data (pkt->data, pkt->pkt_len) */
   char errbuf[PCAP_ERRBUF_SIZE];
   pcap_t* pc = pcap_create("any", errbuf);   /* pcap_create takes char *, so errbuf, not &errbuf */
   int active = pcap_activate(pc);

   /* the filter is compiled for the link-layer type of this handle */
   struct bpf_program fp;
   int res = pcap_compile(pc, &fp, "ip", 0, 0);

   /* caplen/len tell the filter how many bytes of data are valid */
   struct pcap_pkthdr hdr;
   memset(&hdr, 0, sizeof(hdr));
   hdr.caplen = pkt->pkt_len;
   hdr.len = pkt->pkt_len;

   u_char* data = (unsigned char *)pkt->data;   /* missing ';' added */

   int match = pcap_offline_filter(&fp, &hdr, data);
   printf("Packet Match = %d\r\n", match);


   That doesn't work... (it doesn't fail, but returns "0" for the match every
   time, even though the packet is an IP packet, as I debugged it).

   Any ideas? What am I doing wrong? Or how else can I achieve the same
   results?
   Thanks in advance!

   Gal.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
