On Tue, Mar 16, 2010 at 4:40 PM, Jim Lloyd <jll...@silvertailsystems.com> wrote:
> I have a working application using libpcap that doesn't always filter as I
> expect. The application is designed to sniff http traffic, so the filter can
> be as simple as "tcp port 80". However, we allow sniffing multiple http
> servers running on different ports, so it is common to use a filter like
> "tcp and (port 80 or port 8080)". Because of this, when sniffing a single
> port, the filter we use will look like "tcp and (port 80)".
>
> This filter seems to work correctly "most" of the time, but in varying
> situations we start to see packets where neither the source port nor the
> destination port matches the specified port. Until today, I only noticed
> this for relatively high volume packet sniffing (say 250mbps). But now I am
> seeing it on one of our machines with a relatively modest volume of traffic
> (about 18mbps).
>
> I imagine it might be driver specific, and now I see that the ethernet
> interfaces on the servers I have available for testing have a more diverse
> set of drivers than I was aware. Using ethtool and checking a few different
> interfaces, I see drivers bnx2, tg3, and forcedeth. I seem to be having
> problems with bnx2. Is this a known issue?
>
> No error code is returned when we compile and install the filter. Is there
> any way to determine if a filter is being ignored?

It turns out I was mistaken. An error code of -3 is being returned by
pcap_setfilter. Instead of checking for a function result of 0, and assuming
anything else was an error, my code was checking for a function result of -1,
and assuming anything else was success. My bad.

So, what does an error code of -3 indicate? I've skimmed the source code and
haven't found a path where -3 would be returned. I've done some experimentation
and determined that apparently I must call pcap_activate before calling
pcap_setfilter. That is counter-intuitive, so I wonder if it is by design or
not.

FYI this is all on Linux, using kernel 2.6.18, and using the recently released
libpcap 1.1.

Thanks,
Jim Lloyd

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.