On Friday, August 22, 2003, at 9:51 AM, winpcap wrote:
> Who/how does the old filter get freed when you set a new one?
> Does pcap_setfilter free any previously used filter when it applies a new one?
"Freed" in what sense?
In those systems where the filter is passed to the OS kernel (which includes Win32 systems using WinPcap), the OS kernel (on UNIX) or the WinPcap driver (on Windows) frees the copy of the old filter that was in the kernel.
However, there's also the user-mode copy that was passed to "pcap_setfilter()"; the old filter is *not* freed - but, after "pcap_setfilter()" returns, there are no references in libpcap to the copy of the filter that was passed to "pcap_setfilter()" (it's either been copied into the kernel, which makes its own copy, or, on platforms where the OS kernel doesn't support BPF filters, a copy is made and attached to the pcap_t), so, at least in recent versions of libpcap/WinPcap, you can call "pcap_freecode()", passing it the "bpf_program *" for the filter, and it'll free the memory used by the filter.
> I ask because I want to make the bpf filter a learning filter like the old one was. This means that each time a new local mac address is found, it should get added to the filter like: "not ether dst 112233445566", and then get compiled and set.
Note that when a filter is set, packets that have been captured but not yet read by your application might be discarded (at least in BSD, which supports BPF filtering in the kernel, this was presumably done so that you don't, after calling "pcap_setfilter()", get packets that wouldn't have passed the new filter; Linux kernels that support BPF filtering don't do that, but people complained about tcpdump on Linux printing packets that didn't match the filter, so libpcap was changed to do the discarding itself - I don't know what WinPcap does here), so changing the filters might cause packets to be lost.
> I might even end up with something like 100 of these statements. Can the bpf filter handle this? "not ether dst 112233445566 and not ether dst 778899AABBCC"...
Such an expression is legal (at least if you put colons into the MAC addresses), although you might run into limitations either in the BPF compiler *or* in the WinPcap driver (it might not allow BPF programs larger than some size; if so, I don't know what that size is).
> Also, could one write "not ether dst mac1 mac2 mac3 mac4 mac5......."?
One could, but, if one did, one would get an error from the BPF compiler if one supplied that filter to the BPF compiler.
==================================================================
This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/
==================================================================
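Added example, not part of the original message and not libpcap or WinPcap code: a C sketch of the learning filter discussed above. It builds the "not ether dst ... and not ether dst ..." expression with colon-separated MACs, then compiles it, sets it, and frees the user-mode copy with pcap_freecode(). The names mac_filter, mac_filter_learn, mac_filter_expr and mac_filter_apply, the MAX_MACS cap and the HAVE_PCAP build switch are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#define MAX_MACS 128                 /* assumed cap for this sketch */

struct mac_filter {                  /* hypothetical helper type */
    unsigned char macs[MAX_MACS][6];
    size_t count;
};

/* Record a newly seen local MAC; returns 1 if added, 0 if known or full. */
int mac_filter_learn(struct mac_filter *f, const unsigned char mac[6])
{
    for (size_t i = 0; i < f->count; i++)
        if (memcmp(f->macs[i], mac, 6) == 0)
            return 0;
    if (f->count == MAX_MACS) return 0;
    memcpy(f->macs[f->count++], mac, 6);
    return 1;
}

/* Write the filter expression into out; returns its length, -1 if too small. */
int mac_filter_expr(const struct mac_filter *f, char *out, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < f->count; i++) {
        const unsigned char *m = f->macs[i];
        int n = snprintf(out + used, cap - used,
                         "%snot ether dst %02x:%02x:%02x:%02x:%02x:%02x",
                         i ? " and " : "", m[0], m[1], m[2], m[3], m[4], m[5]);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
    }
    return (int)used;
}

#ifdef HAVE_PCAP                     /* build with -DHAVE_PCAP -lpcap */
#include <pcap.h>
/* Compile and install expr, then release the user-mode copy of the program. */
int mac_filter_apply(pcap_t *p, const char *expr)
{
    struct bpf_program prog;
    if (pcap_compile(p, &prog, expr, 1, 0) < 0)
        return -1;                   /* expression rejected by the BPF compiler */
    int rc = pcap_setfilter(p, &prog);   /* may fail if the driver refuses it */
    pcap_freecode(&prog);            /* nothing in libpcap still points at prog */
    return rc;
}
#endif
```

Call mac_filter_apply() only when mac_filter_learn() returns 1, since every pcap_setfilter() call can discard packets that were captured but not yet read.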
