On 03/17/10 18:45, Guy Harris wrote:
On Mar 17, 2010, at 10:54 AM, Jim Lloyd wrote:
I've done some experimentation and determined that apparently I
must call pcap_activate before calling pcap_setfilter.
Yes.
That is counterintuitive, so I wonder if it is by design or not.
It may change
On Thu, Mar 18, 2010 at 7:33 AM, Eloy Paris pe...@chapus.net wrote:
On 03/17/10 18:45, Guy Harris wrote:
On Mar 17, 2010, at 10:54 AM, Jim Lloyd wrote:
I've done some experimentation and determined that apparently I
must call pcap_activate before calling pcap_setfilter.
Yes.
That is
On 03/18/10 11:02, Jim Lloyd wrote:
See 'man pcap' and 'man pcap_create'. You don't need pcap_activate() if you
use pcap_open_live().
Ah, I see. I found this gem at the end of the pcap man page (for libpcap
1.0.0):
pcap_create() and pcap_activate() were not available in versions of
libpcap
On Mar 18, 2010, at 8:02 AM, Jim Lloyd wrote:
Perhaps someone can clarify this point for me. When is filtering done?
If the packet capture mechanism supports BPF packet filtering in the kernel
(and the filter isn't too complicated to fit in the kernel or otherwise
incapable of being handled
On Mar 18, 2010, at 8:20 AM, Eloy Paris wrote:
pcap_create() and pcap_activate() were not available in versions of
libpcap prior to 1.0; if you are writing an application that must work on
versions of libpcap prior to 1.0, either use pcap_open_live() to get a handle
for a live capture or,
Jim == Jim Lloyd jll...@silvertailsystems.com writes:
Jim I imagine it might be driver specific, and now I see that the
Jim ethernet interfaces on the servers I have available for testing
Jim have a more diverse set of drivers than I was aware. Using
Jim ethtool and checking a
On Tue, Mar 16, 2010 at 4:40 PM, Jim Lloyd jll...@silvertailsystems.com wrote:
I have a working application using libpcap that doesn't always filter as I
expect. The application is designed to sniff http traffic, so the filter can
be as simple as tcp port 80. However, we allow sniffing multiple
On Mar 17, 2010, at 10:54 AM, Jim Lloyd wrote:
So, what does an error code of -3 indicate?
#define PCAP_ERROR_NOT_ACTIVATED -3 /* the capture needs to be activated */
I've done some experimentation and determined that apparently I must call
pcap_activate before calling
I have a working application using libpcap that doesn't always filter as I
expect. The application is designed to sniff http traffic, so the filter can
be as simple as tcp port 80. However, we allow sniffing multiple http
servers running on different ports, so it is common to use a filter like
tcp