
Wireshark-dev: [Wireshark-dev] Help using BPF filters with libpcap

Date: Thu, 16 Apr 2009 15:04:41 -0600
Hello all,
I have been working on a program that will report when an HTTP text/plain
packet is sent over the network.  I am using libpcap 1.0 in this C++
program, using the function pcap_compile() as follows:

pcap_compile(interface, &filter, "src port 80 && tcp[32:4]=0x666F7220", 1, mask)

As you can see, after the regular TCP headers, I look for the ASCII value
"for " which has worked perfectly on my Linux box.  However, when I compile
on OS X, no packets are found.  I used Wireshark to look at the packets on
my MacBook, and sure enough, they should pass through the filter, but they
don't.

To see if I was really wrong, I ran tcpdump with the exact same filter

tcpdump -i en1 "src port 80 && tcp[32:4] = 0x666F7220"

This gave me results...so the filter is correct.  There is virtually nobody
on freenode's #wireshark, and this seemed the best place.  I would
appreciate any help, thanks!

Caleb Hearon
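Added example, not code from the poster's program: a small C program that evaluates the same test the filter above encodes against constructed Ethernet/IPv4/TCP frames, showing that tcp[32:4] counts from the first byte of the TCP header, so TCP options change which payload bytes get compared.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reads a big-endian 32-bit value, the way tcp[32:4] is compared. */
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Same test as the BPF filter "src port 80 && tcp[32:4]=0x666F7220":
 * returns 1 on a match, 0 otherwise. tcp[off:len] counts from the first
 * byte of the TCP header, so IP and TCP options shift where it lands. */
int matches_filter(const uint8_t *frame, size_t len) {
    if (len < 34 || frame[12] != 0x08 || frame[13] != 0x00) return 0; /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (ip[0] & 0x0f) * 4;                       /* IPv4 header length */
    if ((ip[0] >> 4) != 4 || ip[9] != 6) return 0;         /* not IPv4 carrying TCP */
    if ((ip[6] & 0x1f) != 0 || ip[7] != 0) return 0;       /* non-first fragment */
    const uint8_t *tcp = ip + ihl;
    if ((size_t)(tcp - frame) + 36 > len) return 0;        /* tcp[32:4] past the end */
    uint16_t src_port = (uint16_t)(tcp[0] << 8 | tcp[1]);
    return src_port == 80 && be32(tcp + 32) == 0x666F7220; /* "for " */
}

/* Constructed test frame (not captured traffic): Ethernet/IPv4/TCP from
 * port 80 with tcp_opt_len bytes of NOP options; checksums left zero. */
size_t build_frame(uint8_t *buf, size_t tcp_opt_len, const char *payload) {
    size_t plen = strlen(payload), tcp_hlen = 20 + tcp_opt_len;
    size_t total = 14 + 20 + tcp_hlen + plen;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                        /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                          /* version 4, IHL 5 */
    ip[2] = (uint8_t)((total - 14) >> 8); ip[3] = (uint8_t)(total - 14);
    ip[8] = 64; ip[9] = 6;                                 /* TTL, protocol TCP */
    uint8_t *tcp = ip + 20;
    tcp[1] = 80; tcp[2] = 0xC0;                            /* src 80, dst 49152 */
    tcp[12] = (uint8_t)((tcp_hlen / 4) << 4);              /* data offset */
    tcp[13] = 0x18;                                        /* PSH|ACK */
    memset(tcp + 20, 1, tcp_opt_len);                      /* TCP NOP options */
    memcpy(tcp + tcp_hlen, payload, plen);
    return total;
}

int main(void) {
    uint8_t buf[256];
    size_t n = build_frame(buf, 0, "text/plain: for you");
    printf("20-byte TCP header, 'for ' at payload offset 12: %d\n", matches_filter(buf, n));
    n = build_frame(buf, 12, "text/plain: for you");
    printf("32-byte TCP header, same payload: %d\n", matches_filter(buf, n));
    return 0;
}
```

To check the filter string itself offline, libpcap's pcap_open_dead(), pcap_compile() and pcap_offline_filter() can be run against the same constructed frames.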