On Tue, Feb 20, 2001 at 12:28:30PM -0600, Henry, Brad ERM wrote:
> and here the process core dumps. Any ideas why? I'm sure it's something
> simple, like netmask maybe shouldn't be 32? I assumed that that was to be
> the netmask of the network I'm capturing on, which is 32 bits. Am I mistaken?

Yes, you're mistaken. It's a mask, not a count of bits - some networks
have non-contiguous subnet masks, which cannot be expressed merely by a
count of bits.

A netmask of 32 bits is 0xFFFFFFFF.

*However*, that's *not* the problem; the netmask is just copied verbatim
into one of the instructions in the generated code, so a bad netmask
isn't going to cause a crash.

The man page may not be saying this sufficiently explicitly:

    pcap_compile() is used to compile the string "str" into a
    filter program. "program" is a pointer to a bpf_program
    struct and is filled in by pcap_compile(). "optimize" controls
    whether optimization on the resulting code is performed.
    "netmask" specifies the netmask of the local net.

but the "str" argument is *not* the name of a file containing a filter,
it's the actual filter expression itself; "testfilter.fltr" isn't a
valid filter expression.

Therefore, "pcap_compile()" will return an error; you're not checking
for that in your code. If it returns a value of -1, that means it's
failed; you should then use "pcap_geterr()" to get a string giving a
textual description of the error in the filter, and print that - and
*not* call "pcap_setfilter()", as you don't have a filter to set.

If you want to get a filter from a file, you'll have to open and read
the file yourself, putting the text in the file into an array of "char",
and pass that array to "pcap_compile()".
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
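
The procedure described in the reply above, as an added example that is not part of the original message or of libpcap: read the filter text from a file into a char array, compile it, and install it only if compilation succeeded. The names read_filter_file and set_filter_from_file, the 4096-byte buffer and the HAVE_LIBPCAP build macro (cc -DHAVE_LIBPCAP file.c -lpcap) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#ifdef HAVE_LIBPCAP
#include <pcap.h>
#endif

/* Read the filter expression stored in the file `path` into buf as a C string.
 * Returns 0 on success, -1 if the file is unreadable, empty, or too long. */
int read_filter_file(const char *path, char *buf, size_t size)
{
    FILE *fp;
    size_t n;
    int bad;

    if (size == 0 || (fp = fopen(path, "r")) == NULL)
        return -1;
    n = fread(buf, 1, size - 1, fp);
    /* A read error, or text left over that did not fit, is a failure. */
    bad = ferror(fp) || fgetc(fp) != EOF;
    fclose(fp);
    while (n > 0 && strchr(" \t\r\n", buf[n - 1]) != NULL)
        n--;                      /* drop trailing whitespace and newline */
    buf[n] = '\0';
    return (bad || n == 0) ? -1 : 0;
}

#ifdef HAVE_LIBPCAP
/* Compile the expression found in `path` and install it on handle p.
 * Returns 0 on success, -1 on any failure (reason printed to stderr). */
int set_filter_from_file(pcap_t *p, const char *path, bpf_u_int32 netmask)
{
    char expr[4096];              /* assumed upper bound on filter length */
    struct bpf_program prog;
    int rc;

    if (read_filter_file(path, expr, sizeof expr) == -1) {
        fprintf(stderr, "cannot read a filter from %s\n", path);
        return -1;
    }
    if (pcap_compile(p, &prog, expr, 1, netmask) == -1) {
        /* No program was produced, so pcap_setfilter() must not be called. */
        fprintf(stderr, "bad filter \"%s\": %s\n", expr, pcap_geterr(p));
        return -1;
    }
    rc = pcap_setfilter(p, &prog);
    if (rc != 0)
        fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(p));
    pcap_freecode(&prog);         /* the handle keeps its own copy */
    return rc == 0 ? 0 : -1;
}
#endif
```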