Oh no, I wasn't referring to that at all. I understand
that. Sorry, I should have been more specific. I was
referring to the point made that with a savefile, the
BPF filters are used and print-linux.c is not used. I
am not too familiar with the code base so I might be
missing something. Too bad I can't seem to find that
mail now....
Thanks
-Joe
--- Guy Harris <[EMAIL PROTECTED]> wrote:
> > I was reading a response saying something about the
> > filtering in tcpdump with -r option (savefile) is
> > different than the regular live capture.
> >
> > Is that what libpcap does?
>
> The filtering is done by libpcap.
>
> > And what is the difference specifically?
>
> Well, I don't know to which response you're referring, but if it's the
> one about the netmask, the difference is that:
>
> in a live capture, those filter expressions that depend on the
> netmask (i.e., filter expressions that check for a broadcast IP
> address) use the netmask reported for that interface at the time
> the filter expression is compiled;
>
> when reading a capture file, those filter expressions use a
> netmask of 0.
>
> > Also why ;-)
>
> Because, when reading a savefile, there is no way for tcpdump or libpcap
> to determine the netmask of the interface on which the capture was done
> - the netmask isn't stored in the capture file. (No, saving the name of
> the interface isn't sufficient - the capture might have been done on a
> completely different machine.)
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
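The netmask dependence described in the quoted reply, as an added example that is not part of the original thread and is not libpcap's code: it assumes the broadcast test amounts to "the destination's host bits are all zeros or all ones", and runs that model over constructed destination addresses with an interface netmask and with a netmask of 0. The function names and sample addresses are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse dotted-quad IPv4 text into a host-order 32-bit value; 0 on success. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 || a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Assumed model of a netmask-dependent broadcast test: the destination's
 * host bits (those outside the netmask) are all zeros or all ones. */
static int is_ip_broadcast(uint32_t dst, uint32_t netmask)
{
    uint32_t hostmask = ~netmask;
    return (dst & hostmask) == 0 || (dst & hostmask) == hostmask;
}

/* Constructed destination addresses, as if taken from captured packets. */
static const char *sample_dsts[] = {
    "192.168.1.255", "192.168.1.0", "192.168.1.42", "255.255.255.255", "10.0.0.7"
};
#define N_SAMPLES (sizeof sample_dsts / sizeof sample_dsts[0])

/* Count how many sample destinations the broadcast test matches for a netmask. */
static int count_broadcast_matches(const char *netmask_text)
{
    uint32_t mask, dst;
    int hits = 0;
    if (parse_ipv4(netmask_text, &mask) != 0)
        return -1;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (parse_ipv4(sample_dsts[i], &dst) == 0 && is_ip_broadcast(dst, mask))
            hits++;
    return hits;
}

int main(void)
{
    printf("live capture, netmask 255.255.255.0: %d matches\n", count_broadcast_matches("255.255.255.0"));
    printf("savefile, netmask 0.0.0.0:           %d matches\n", count_broadcast_matches("0.0.0.0"));
    return 0;
}
```

Under this model the subnet broadcast 192.168.1.255 is matched only when the interface netmask is known, so the same filter expression can select fewer packets when replayed against a savefile than it did during the live capture.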