RE: [WinPcap-users] setfilter
Hi, Hi. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: giovedi 11 novembre 2004 21.18 To: [EMAIL PROTECTED] Subject: [WinPcap-users] setfilter Hello... Can I set a new filter on an ongoing capture without missing a packet? Discription: I set a 'port ' filter expression and listen to the traffic. Now I want to extend the filter to 'port or port ' by using pcap_setfilter(). Is it possible that winpcap misses a packet on port during the filter exchange? I would say yes. If I remember well, when you change the filter the kernel buffer is cleaned, so all data in it is discarded. If you had some packets that were captured but not yet delivered to the application, these are lost. I confirm. Loris This beaviour is needed, otherwise you may receive packets satifying the old filter after setting the new one. Cheers, fulvio (Additional question: what is the filter expression for a port range? 'port or port 1112 or port 1113 or ... or port ') Thanks... Marc == This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/ To unsubscribe use mailto: [EMAIL PROTECTED] == == This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/ To unsubscribe use mailto: [EMAIL PROTECTED] == == This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/ To unsubscribe use mailto: [EMAIL PROTECTED] ==
RE: [WinPcap-users] setfilter
Hi. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: giovedi 11 novembre 2004 21.18 To: [EMAIL PROTECTED] Subject: [WinPcap-users] setfilter Hello... Can I set a new filter on an ongoing capture without missing a packet? Discription: I set a 'port ' filter expression and listen to the traffic. Now I want to extend the filter to 'port or port ' by using pcap_setfilter(). Is it possible that winpcap misses a packet on port during the filter exchange? I would say yes. If I remember well, when you change the filter the kernel buffer is cleaned, so all data in it is discarded. If you had some packets that were captured but not yet delivered to the application, these are lost. This beaviour is needed, otherwise you may receive packets satifying the old filter after setting the new one. Cheers, fulvio (Additional question: what is the filter expression for a port range? 'port or port 1112 or port 1113 or ... or port ') Thanks... Marc == This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/ To unsubscribe use mailto: [EMAIL PROTECTED] == == This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/ To unsubscribe use mailto: [EMAIL PROTECTED] ==
Re: [WinPcap-users] setfilter
Fulvio Risso wrote: This beaviour is needed, otherwise you may receive packets satifying the old filter after setting the new one. Absolutely. The same is done in the BPF code in BSD. It's not done in the Linux socket filter code - but people complained about that, because they set a filter but got packets that wouldn't have passed the filter, so the libpcap support for Linux was changed to flush all packets when the filter was set. Perhaps an option to allow applications to set a filter without flushing, for cases where it's known that the new filter will accept all packets that the old filter would (such as the case in the original message), would be useful - but even if the WinPcap driver, or the BPF code, or the Linux libpcap code, or... did that, there'd be no guarantee that the relevant packets won't be discarded before the new filter is set, so it can't be *guaranteed* that no relevant packets will be lost. == This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/ To unsubscribe use mailto: [EMAIL PROTECTED] ==