> TCPDUMP/LIBPCAP:
> 
> When I created a very large filter rule, my sniffer crashes due
> to an error in bpf_optimize() in libpcap.  Does anyone know how
> to increase the bpf filter rule size?

There are, as far as I can tell, no hardcoded maxima in the BPF
optimizer.

However, there is a bug in the 0.5.2 and earlier versions of libpcap
that can cause crashes in "icode_to_fcode()" with large filter
expressions:

        http://www.tcpdump.org/lists/workers/2000/msg01364.html

("bpf_optimize()" itself is unlikely to crash, as it just calls a bunch
of other routines - the only thing it does directly is dereference its
argument, which means it crashes if the argument is null, but it's
passed "&root" as an argument, and that can't be null in a valid
implementation of C; did it crash in "bpf_optimize()", or in some other
routine?).

Perhaps you're getting that bug; did you see this with one of the
nightly CVS snapshots from "tcpdump.org" (from the "Current Tar files"
section on the home page), or did you see it with the 0.5.2 release or
an earlier release of libpcap?

If it's an earlier release, try the latest "Current Tar files" version;
the bug referred to above was fixed a while ago.

If it's one of the recent nightly snapshots, there may be another bug;
please send us a stack trace, and an example of the filter that caused a
crash.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html