My impression of what's going on here:

- libpcap opens the capture device. The kernel starts capturing all packets.
- libpcap installs the filter. The kernel starts capturing only the packets you want.
- libpcap reads the captured packets, and doesn't run the user-land filter on them because it doesn't want to duplicate effort, since the kernel is filtering.

The obvious workaround is to run the user-land filter all the time, but that duplicates effort most of the time.

Another solution that lessens the race would be to install a filter that asks for no packets as soon as opening the device, and then let pcap_setfilter() delete that filter and install a new one.

Bill

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
