Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-dev: [Ethereal-dev] Filters do not match

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Soft Boy <etherealfilter@xxxxxxxxx>
Date: Wed, 24 Mar 2004 06:43:06 -0800 (PST)
Hi,

I am trying to make a tool by slightly modifying
ethereal. As an experiment I have changed the function
main() as shown below. The main function basically
calls the APIs used to compile the dfilter, create
dissector and run dfilter code. It has an ARP packet
and a read filter 'arp', passed as an command line
argument, which should match this packet. Similarly,
filters 'ip' and 'tcp' should not match this packet.
However, what I am getting is always NO match. Am I
missing anything here ?? 

Makefile have no change except that I have disbaled
the compiler optimization.

Any help will be appriciated.

thanks and regards,
SoftBoy

int
main(int argc, char *argv[])
{
  int                   opt;
  extern char           *optarg;
  gboolean              arg_error = FALSE;
  gboolean      	passed = TRUE;
  gchar                 *rfilter = NULL;
#ifdef HAVE_PCAP_OPEN_DEAD
  struct bpf_program	fcode;
#endif
  dfilter_t		*rfcode = NULL;
  frame_data		fdata;
  epan_dissect_t	*edt=NULL;
  struct wtap_pkthdr whdr;
  union wtap_pseudo_header pseudo_header;
  cb_args_t args;
  int err;
  struct pcap_pkthdr hdr;
  struct pcap_pkthdr *phdr=&hdr;
  guchar data[64]={
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 
	0x00, 0x0c, 0x29, 0x15, 0x9d, 0xa7,
	0x08, 0x06, 0x00, 0x01, 0x08, 0x00,
	0x06, 0x04, 0x00, 0x01, 0x00, 0x50,
	0x56, 0xc0, 0x00, 0x01, 0xc0, 0xa8, 
	0x3e, 0x01, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0xc0, 0xa8, 0x3e, 0x03
	};
  guchar *pd=&data;

  hdr.ts.tv_sec = 0;
  hdr.ts.tv_usec = 0;
  hdr.len = 42;
  hdr.caplen = 42;

  /* Register all dissectors; we must do this before
checking for the
     "-G" flag, as the "-G" flag dumps information
registered by the
     dissectors, and we must do it before we read the
preferences, in
     case any dissectors register preferences. */
 
epan_init(PLUGIN_DIR,register_all_protocols,register_all_protocol_handoffs);


  /* Now get our args */
  while ((opt = getopt(argc, argv,
"a:b:c:d:Df:F:hi:lLnN:o:pqr:R:s:St:T:vw:Vxy:z:")) !=
-1) {
    switch (opt) {
      case 'd':        /* Decode as rule */
        if (!add_decode_as(optarg))
          exit(1);
	break;
      case 'h':        /* Print help and exit */
	print_usage(TRUE);
	exit(0);
        break;
      case 'S':        /* show packets in real time */
        decode = TRUE;
        break;
      case 'T':        /* printing Type */
        if (strcmp(optarg, "text") == 0)
		print_format = PR_FMT_TEXT;
	else if (strcmp(optarg, "pdml") == 0)
		print_format = PR_FMT_PDML;
	else if (strcmp(optarg, "ps") == 0)
		print_format = PR_FMT_PS;
	else {
		fprintf(stderr, "tethereal: Invalid -T
parameter.\n");
		fprintf(stderr, "It must be \"ps\", \"text\" or
\"pdml\".\n");
		exit(1);
	}
	break;
      case 'v':        /* Show version and exit */
        printf("t" PACKAGE " " VERSION
#ifdef CVSVERSION
	    " (" CVSVERSION ")"
#endif
	    "\n%s\n%s\n",
	    comp_info_str->str, runtime_info_str->str);
        exit(0);
        break;
      default:
      case '?':        /* Bad flag - print usage
message */
        arg_error = TRUE;
        break;
    }
  }

  /* If no capture filter or read filter has been
specified, and there are
     still command-line arguments, treat them as the
tokens of a capture
     filter (if no "-r" flag was specified) or a read
filter (if a "-r"
     flag was specified. */
  if (optind < argc) {
      rfilter = get_args_as_string(argc, argv,
optind);
  }

  if (rfilter != NULL) {
    if (!dfilter_compile(rfilter, &rfcode)) {
      fprintf(stderr, "tethereal: %s\n",
dfilter_error_msg);
      epan_cleanup();
#ifdef HAVE_PCAP_OPEN_DEAD
      {
        pcap_t *p;

        p = pcap_open_dead(DLT_EN10MB,
MIN_PACKET_SIZE);
        if (p != NULL) {
          if (pcap_compile(p, &fcode, rfilter, 0, 0)
!= -1) {
            fprintf(stderr,
              "  Note: That display filter code looks
like a valid capture filter;\n"
              "        maybe you mixed them up?\n");
          }
          pcap_close(p);
        }
      }
#endif
      exit(2);
    }
  }
  cfile.rfcode = rfcode;

  /* Initialize all data structures used for
dissection. */
  init_dissection();

  ld.linktype       = WTAP_ENCAP_UNKNOWN;
  ld.pdh            = NULL;

  /* Convert from libpcap to Wiretap format.
     If that fails, ignore the packet
(wtap_process_pcap_packet has
     written an error message). */
  pd = wtap_process_pcap_packet(ld.linktype, phdr, pd,
&pseudo_header,
				&whdr, &err);
  if (pd == NULL) {
    return -1;
  }

  args.cf = &cfile;
  args.pdh = ld.pdh;

  if (cfile.rfcode) {
  	fill_in_fdata(&fdata, &cfile, &whdr, 0);
	  edt = epan_dissect_new(TRUE, TRUE);
	  epan_dissect_prime_dfilter(edt, cfile.rfcode);
	  epan_dissect_run(edt, &pseudo_header, pd, &fdata,
NULL);
	  passed = dfilter_apply_edt(cfile.rfcode, edt);
  }
  printf("The filter has %s passed",
(passed?"":"NOT"));
 
  if (edt != NULL)
    epan_dissect_free(edt);
  if (cfile.rfcode)
    clear_fdata(&fdata);
  epan_cleanup();

  return 0;
}



--- Soft Boy <etherealfilter@xxxxxxxxx> wrote:
> > Libethereal is work in progress to put the
> > dissection and display filter stuff into a
> library.
> > While the library exists by now, the API 
> > a) probably needs cleanup and
> > b) should be usable anyway.
> 
> Where are the APIs ? Is there any doc/readme or can
> you please refer to me particular C files ?? 
>  
> > > Can I build  libethereal using the 
> > > ethereal.0.10.2 which I have downloaded ??
> > 
> > No, libethereal (under unix) exists in current cvs
> > only.
> > If you want to test, take a look at the web pages
> ->
> > development on how to download via cvs or the
> > nightly
> > source snapshots.
> Thanks.
> I took ethereal0.10.2 and compiled epan only. It
> gave
> me 3 archives: libethereal, libdfilter, and
> libftypes.
> I guess these do not have the dissectors. Do we have
> any makefile to archive the dissector code in
> library
> ??
> 
> regards,
> soft boy
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail - More reliable, more storage, less spam
> http://mail.yahoo.com
> 
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
>
http://www.ethereal.com/mailman/listinfo/ethereal-dev


__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube