libpcap filter works in tcpdump, but not in my app?
- Subject: libpcap filter works in tcpdump, but not in my app?
- From: ness <email@hidden>
- Date: Fri, 29 Dec 2006 23:39:10 -0700
Hi-
I am coding an app that is supposed to capture packets based on the
first 3 bytes of the ethernet header -- the destination MAC OUI -- and
bytes 7 through 9 -- the source MAC OUI. In other words, I am sniffing
for any packets that have to do with a host whose ethernet address
begins with 0x00, 0x09, and 0xbf. Executing the below filter...
    (ether[0] == 0x00 && ether[1] == 0x09 && ether[2] == 0xbf)
    || (ether[6] == 0x00 && ether[7] == 0x09 && ether[8] == 0xbf)
... in tcpdump worked flawlessly and suited my needs, so I began to
transition the filter to my application. Once implemented, I ran the
filter, and libpcap reported absolutely no error in the process of
compiling or adding the filter in my app.
Then I fed my computer with packets that should have interested my BPF
filter, but on the contrary, no packets were captured by my
application. At first I thought it was a programming flaw of my own, so
I removed the filter completely and sniffed for any packets that
libpcap could grab... it caught everything, and my callback function
was informed of the received packets.
So I added my filter back in--and still, no packets. Then I copied and
pasted the same filter in tcpdump--worked perfectly.
Below are a few interesting snippets of code pertaining to libpcap. All
of the code is running on the main thread.
    static pcap_t *pcap;
    ...
    char filter[128];
    struct bpf_program fp;

    memset( filter, '\0', sizeof(filter) );
    memset( pcap_errbuf, 0, sizeof(pcap_errbuf) );

    /* Open the device: snaplen 65535, promiscuous mode, read timeout 0 ms. */
    if( (pcap = pcap_open_live( dev, 65535, 1, 0, pcap_errbuf )) == NULL ) {
        return (-1);
    }

    /* Match the OUI 00:09:bf in the destination or source MAC address. */
    strcpy( filter, "(ether[0] == 0x00 && ether[1] == 0x09 && ether[2] == 0xbf)"
                    " || (ether[6] == 0x00 && ether[7] == 0x09 && ether[8] == 0xbf)" );

    if( pcap_compile( pcap, &fp, filter, 0, netmask ) == -1 ) {
        return (-1);
    }
    if( pcap_setfilter( pcap, &fp ) == -1 ) {
        return (-1);
    }
    ...
    pcap_loop( pcap, -47, packethandler, NULL );
    ...
    void
    packethandler( u_char *user, const struct pcap_pkthdr *pkthdr,
                   const u_char *packet )
    {
        printf( "got packet\n" );
    }
Any ideas as to why my app isn't capturing packets it should?
Happy holidays,
--ness
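
To check the filter expression itself, independently of how a capture handle delivers packets, it can be evaluated offline against constructed frames. The following is an added example, not part of the original post and not libpcap code: it hand-assembles a classic BPF program equivalent to the expression and interprets it. The names `insn`, `oui_prog`, `run_filter`, `oui_filter` and the sample frames are assumptions made for illustration, and pcap_compile may emit a different instruction sequence.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Classic BPF opcode values, as defined in <net/bpf.h>. */
enum { LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Hand-assembled equivalent of the filter (assumption: pcap_compile may emit
 * a different sequence). jt/jf are offsets from the following instruction. */
static const struct insn oui_prog[] = {
    { LDB_ABS, 0, 0, 0 }, { JEQ_K, 0, 4, 0x00 },  /* ether[0] == 0x00 */
    { LDB_ABS, 0, 0, 1 }, { JEQ_K, 0, 2, 0x09 },  /* ether[1] == 0x09 */
    { LDB_ABS, 0, 0, 2 }, { JEQ_K, 6, 0, 0xbf },  /* ether[2] == 0xbf: accept */
    { LDB_ABS, 0, 0, 6 }, { JEQ_K, 0, 5, 0x00 },  /* ether[6] == 0x00 */
    { LDB_ABS, 0, 0, 7 }, { JEQ_K, 0, 3, 0x09 },  /* ether[7] == 0x09 */
    { LDB_ABS, 0, 0, 8 }, { JEQ_K, 0, 1, 0xbf },  /* ether[8] == 0xbf */
    { RET_K, 0, 0, 65535 },                       /* accept: keep 65535 bytes */
    { RET_K, 0, 0, 0 },                           /* reject */
};

/* Interpret the three-opcode subset; returns bytes to keep, 0 means drop. */
static unsigned run_filter(const struct insn *pc, const uint8_t *pkt, size_t caplen)
{
    unsigned a = 0;
    for (;; pc++) {
        if (pc->code == JEQ_K) {
            pc += (a == pc->k) ? pc->jt : pc->jf;
        } else if (pc->code == LDB_ABS && pc->k < caplen) {
            a = pkt[pc->k];
        } else {
            /* RET_K returns k; an out-of-bounds load or unknown opcode drops. */
            return pc->code == RET_K ? pc->k : 0;
        }
    }
}

unsigned oui_filter(const uint8_t *p, size_t n) { return run_filter(oui_prog, p, n); }
/* Constructed sample frames (dst MAC, src MAC, EtherType). */
static const uint8_t frame_dst[]   = {0x00,0x09,0xbf,1,2,3, 0xaa,0xbb,0xcc,4,5,6, 8,0};
static const uint8_t frame_src[]   = {0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x09,0xbf,7,8,9, 8,6};
static const uint8_t frame_other[] = {0x00,0x09,0xbe,1,2,3, 0x00,0x0a,0xbf,4,5,6, 8,0};

int main(void)
{
    printf("dst=%u src=%u other=%u truncated=%u\n",
           oui_filter(frame_dst, sizeof frame_dst), oui_filter(frame_src, sizeof frame_src),
           oui_filter(frame_other, sizeof frame_other), oui_filter(frame_src, 8));
    return 0;
}
```

The last call passes only 8 captured bytes of a frame whose source OUI matches: the load of `ether[8]` falls outside the captured data, so the frame is dropped.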