ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-dev: [Wireshark-dev] Running BPF filters on raw packet data (no devices)

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Gal Sagie <gal.sagie@xxxxxxxxx>
Date: Sun, 16 Jun 2013 20:05:49 +0300
Hello,

I want to achieve the following :

1) I have a raw packet buffer, i want to search if they match a certain BPF filter (i dont care about the device or how i received this packet buffer) just want
   to know it match or doesn't match.

The code i tried :
  1.  pkt = pointer to packet data
  2.         char errbuf[PCAP_ERRBUF_SIZE];
  3.         pcap_t* pc = pcap_create("any",&errbuf);
  4.         int active = pcap_activate(pc);
  5.        
  6.         struct bpf_program fp;
  7.         int res = pcap_compile(pc,&fp,"ip",0,0);
  8.        
  9.         struct pcap_pkthdr hdr;
  10.         memset(&hdr,0,sizeof(hdr));
  11.         hdr.caplen = pkt->pkt_len;
  12.         hdr.len = pkt->pkt_len;  
  13.                        
  14.         u_char* data = "" char *)pkt->data
  15.                        
  16.        int match = pcap_offline_filter(&fp, &hdr ,data);
  17.        printf("Packet Match = %d\r\n",match);


    That doesn't work.... (it doesn't fail but return "0" on match every time even that the packet is IP packet as i debugged it)

    Any ideas ? what am i doing wrong? or how else can i achieve the same results? 
    Thanks in advance!

    Gal.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube