On Jun 23, 2010, at 5:37 PM, Steve Scott wrote:
> When I use this pcap compile string, my gcc compiler builds the executable,
> but the pcap compile fails at run time:
>
> "\\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)"
The backslashes are unnecessary. If I do
tcpdump -d "\\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)"
on OS X (with bash as the shell), I get
tcpdump: illegal token: \
If I do
tcpdump -d "(tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)"
I get
(000) ldh [12]
(001) jeq #0x86dd jt 10 jf 2
(002) jeq #0x800 jt 3 jf 10
(003) ldb [23]
(004) jeq #0x6 jt 6 jf 5
(005) jeq #0x11 jt 6 jf 10
(006) ld [26]
(007) jeq #0xac131202 jt 9 jf 8
(008) jeq #0xac131203 jt 9 jf 10
(009) ret #65535
(010) ret #0
(on an Ethernet device).
If I do
tcpdump -d \\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)
the shell complains:
-bash: syntax error near unexpected token `('
And if I do
tcpdump -d \(tcp or udp\) and \(src host 172.19.18.2 or src host 172.19.18.3\)
I get the same program as before. If I do
echo \(tcp or udp\) and \(src host 172.19.18.2 or src host 172.19.18.3\)
I get
(tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)
which means the string you pass to pcap_compile should be
"(tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)"
The only purpose the backslashes serve is to escape the parentheses from the
shell; they are not necessary in order to escape the parentheses from the C
compiler, so you should leave them out if you're writing a program that calls
pcap_compile().
> Is this a bug in the pcap compiler?
No, it's a bug in your program. Remove the backslashes from the C string.
This is the tcpdump-workers list.
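Added example, not part of the original message: a shell script that takes the four command-line forms quoted in the reply and reports the string each one actually delivers to the program. show_args is a hypothetical stand-in for tcpdump, so nothing is captured or compiled. The C literal "\\(" holds the same two characters as the HAS-BACKSLASH case below.

```shell
# Added example, not from the original message. show_args is a hypothetical
# stand-in for tcpdump: it only reports the arguments it was given.
show_args() { printf '%s' "$*"; }   # tcpdump also joins its words with spaces

# Evaluate one command line as if typed at the prompt and print what reached
# show_args, or SHELL-ERROR if the shell itself rejected the line.
delivered() {
    if out=$( { eval "show_args $1"; } 2>/dev/null ); then
        printf '%s\n' "$out"
    else
        printf 'SHELL-ERROR\n'
    fi
}

# Classify the delivered string: a backslash that survives the shell would be
# seen by the filter compiler, which is the failure the message reports.
classify() {
    d=$(delivered "$1")
    case $d in
        SHELL-ERROR) printf 'SHELL-ERROR\n' ;;
        *\\*)        printf 'HAS-BACKSLASH\n' ;;
        *)           printf 'CLEAN\n' ;;
    esac
}

# The four argument forms from the message, kept literal with single quotes.
DQ_ESCAPED='"\\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)"'
DQ_PLAIN='"(tcp or udp) and (src host 172.19.18.2 or src host 172.19.18.3)"'
BARE_DOUBLE='\\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)'
BARE_SINGLE='\(tcp or udp\) and \(src host 172.19.18.2 or src host 172.19.18.3\)'

for form in "$DQ_ESCAPED" "$DQ_PLAIN" "$BARE_DOUBLE" "$BARE_SINGLE"; do
    printf 'typed:     %s\ndelivered: %s\nverdict:   %s\n\n' \
        "$form" "$(delivered "$form")" "$(classify "$form")"
done
```

Only the forms reported as CLEAN hand over a string without backslashes, and that delivered string is what belongs between the quotes of the C literal.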