On Fri, Apr 06, 2001 at 01:02:08AM -0400, Zhigang Chen wrote:
> I read the sample codes packaged with WinPcap. I do not know how the
> filter programs are defined.

They're programs in the BPF machine language; I think the USENIX paper
on BPF describes that machine language - see

        http://www.tcpdump.org/related.html

for a link to PostScript and PDF versions of that paper.

The BSD man page for bpf also describes it, so if you have a BSD machine
handy, you could try "man bpf".

However, it may be more convenient to write the filter as an expression
of the sort given to tcpdump/WinPcap - see the tcpdump/WinPcap
documentation for an example of that syntax - and run it through
"pcap_compile()" to generate the machine code for you.

> So I cannot run pcap_filter.

(Presumably you mean "pcap_setfilter()".)

> Neither am I
> sure if the filter programs can achieve the functionality mentioned above.

It can easily handle the "intercept all IP packets" or "intercept all
TCP packets" part - the tcpdump-style expressions for those would be
"ip" and "tcp", respectively.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
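As an added illustration (not part of the original message, and not libpcap's own code), the following Python program implements the small subset of the BPF machine language that the "ip" and "tcp" filters discussed above need, and runs two hand-written filter programs over constructed Ethernet frames. The programs are written in the style of `tcpdump -d` output with absolute jump targets; they are an assumption that mirrors the Ethernet-link-layer programs pcap_compile() produces for those expressions (the IPv6 branch of "tcp" is omitted), not its literal output. Out-of-range loads reject the packet, as the real BPF interpreter does.

```python
"""Tiny BPF machine interpreter for tcpdump-style "ip" and "tcp" filter programs.

Added example; the filter programs below are hand-assembled for illustration and
are not the literal output of pcap_compile(). Jump targets are absolute
instruction indices here (the kernel's struct bpf_insn stores them as relative
offsets, which is what `tcpdump -d` resolves for display).
"""
import struct
from collections import namedtuple

# One BPF instruction: opcode, immediate k, true/false jump targets.
Insn = namedtuple("Insn", "op k jt jf")


def ldh(k):
    return Insn("ldh", k, 0, 0)   # accumulator = 16-bit big-endian load at byte offset k


def ldb(k):
    return Insn("ldb", k, 0, 0)   # accumulator = 8-bit load at byte offset k


def jeq(k, jt, jf):
    return Insn("jeq", k, jt, jf)  # branch to jt if accumulator == k, else to jf


def ret(k):
    return Insn("ret", k, 0, 0)   # accept k bytes of the packet (0 = reject)


ETHERTYPE_IP = 0x0800
IPPROTO_TCP = 6

# Equivalent of the tcpdump expression "ip" on an Ethernet link layer.
FILTER_IP = [
    ldh(12),                 # 0: EtherType field
    jeq(ETHERTYPE_IP, 2, 3), # 1: IPv4?
    ret(65535),              # 2: accept
    ret(0),                  # 3: reject
]

# Equivalent of "tcp" on Ethernet (IPv4 branch only; IPv6 branch omitted).
FILTER_TCP = [
    ldh(12),                 # 0: EtherType field
    jeq(ETHERTYPE_IP, 2, 5), # 1: IPv4?
    ldb(23),                 # 2: IPv4 protocol byte (14-byte Ethernet + offset 9)
    jeq(IPPROTO_TCP, 4, 5),  # 3: TCP?
    ret(65535),              # 4: accept
    ret(0),                  # 5: reject
]


def run_bpf(program, packet):
    """Execute a BPF program; return the accept length (0 means drop).

    A load past the end of the packet aborts the program with a reject,
    matching BPF semantics, so truncated frames never match by accident.
    """
    acc = 0
    pc = 0
    while True:
        insn = program[pc]
        if insn.op == "ldh":
            if insn.k + 2 > len(packet):
                return 0
            acc = struct.unpack_from("!H", packet, insn.k)[0]
            pc += 1
        elif insn.op == "ldb":
            if insn.k + 1 > len(packet):
                return 0
            acc = packet[insn.k]
            pc += 1
        elif insn.op == "jeq":
            pc = insn.jt if acc == insn.k else insn.jf
        elif insn.op == "ret":
            return insn.k
        else:
            raise ValueError("unsupported opcode %r" % insn.op)


def matches(program, packet):
    """True if the filter program accepts the packet."""
    return run_bpf(program, packet) > 0


# --- constructed sample frames (not captured traffic) ---------------------
def ethernet_frame(ethertype, payload):
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_header(proto):
    # Minimal 20-byte IPv4 header; checksum left zero since the filter ignores it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


TCP_FRAME = ethernet_frame(ETHERTYPE_IP, ipv4_header(IPPROTO_TCP))
UDP_FRAME = ethernet_frame(ETHERTYPE_IP, ipv4_header(17))
ARP_FRAME = ethernet_frame(0x0806, b"\x00" * 28)

if __name__ == "__main__":
    for name, frame in (("tcp", TCP_FRAME), ("udp", UDP_FRAME), ("arp", ARP_FRAME)):
        print(name, "ip:", matches(FILTER_IP, frame), "tcp:", matches(FILTER_TCP, frame))
```

Running the script shows the "ip" program accepting the TCP and UDP frames but not ARP, and the "tcp" program accepting only the TCP frame; handing FILTER_TCP a frame cut off before byte 23 is rejected because the protocol load falls outside the packet.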