Re: [tcpdump-workers] filter to match no packets?

Thu, 11 Jul 2002 13:50:05 -0700 

Joe,

And what about ret #0? It is just one instruction.
See set_kernel_filter in pcap-linux.c
Honza

----- Original Message -----
From: "Joe Elliott" <[EMAIL PROTECTED]>
To: "Honza Pomahac" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, July 11, 2002 7:57 PM
Subject: Re: [tcpdump-workers] filter to match no packets?


> Honza,
> Is there a simpler test to use? I am using 'ip6' for now as its
> a single inspection for pcap to do. ip6 is not ideal as I may actually
> see some ip6 traffic occasionally.
>
>  'ip and ip[0] & 0xf0 != 0x40' looks like 2 tests. What is the actual
> code once its compiled? Can pcap inspect/test this in one instruction?
>
> I need the absolute minimum of load on pcap for performance reasons.
>
> Joe.
>
> --
>                                           __o       _~o       __o
>                                          `\<,      `\<,      `\<,
>
______________________________________(*)/_(*)__(*)/_(*)__(*)/_(*)________
>  Im a 21st Century Digital Boy ... I aint got a life, but I got lotsa
toys.
>  *******************     Joe Elliott  [EMAIL PROTECTED]
********************
>  Phone:(650)961-6631    Cell:(650)714-3932    Inetd.Com
http://inetd.com
>  -------------------------------------------------------------------------
-
>
> On Thu, 11 Jul 2002, Honza Pomahac wrote:
>
> > Date: Thu, 11 Jul 2002 11:20:48 +0200
> > From: Honza Pomahac <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Re: [tcpdump-workers] filter to match no packets?
> >
> > 'ip and ip[0] & 0xf0 != 0x40'
> > Honza
> >
> > > Hello,
> > > What is the simplest, lowest cost filter that can be set that is
> > > guaranteed to not match any packets? I need this as I am dynamically
> > > changing the filter and occasionally need to disable packet capture
without
> > > stopping the program.
> > >
> > > Is there a special value I can set that avoids any unnecessary tests?
> > >
> > > Thanx .. Joe.
> > >
> >
> > -
> > This is the TCPDUMP workers list. It is archived at
> > http://www.tcpdump.org/lists/workers/index.html
> > To unsubscribe use
mailto:[EMAIL PROTECTED]?body=unsubscribe
> >
>
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use
mailto:[EMAIL PROTECTED]?body=unsubscribe
>

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe

Reply via email to