Hi Steighton

At this time I am using application level filtering.
But the problem is that it hogs the cpu using something
like 100% cpu load quite easily
( yes my filter code is optimized )

If one could get to know how the filter is put together,
then we could maybe make sure that it gets freed correctly,
I mean... by keeping references yourself, you can set the new
filter, and free the old, *if* pcap_freecode really works.

Alternatively, one could save the reference to the compiled filter.
And then when you need more filtering of the same kind as the old,
you can manually add it to the chain, or can we?

It looks like it's a linked list in memory, so in principle it's possible.

/ J. Thomsen.

----- Original Message ----- 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 22, 2003 9:06 PM
Subject: RE: [WinPcap-users] speed + re-capturing packets.


> Hello All.
>
[snip]

>
> Regarding this matter I do have some additional questions:
> Who/how does the old filter get freed when you set a new one ?

Sadly, it doesn't, as far as I can tell.  The libpcap infrastructure is,
apparently, built around only setting a single filter per instance.  The
memory in the filter is freed only when pcap_close() is called.

I built an application which needs to continually filter out a changing list
of MAC addresses, and ran into problems with severe memory leaks down inside
winpcap because the filter memory was not freed by a new call to
pcap_setfilter().

>
> Does pcap_setfilter free any previously used filter when it applies
> a new one ?

Nope.  You can free the local storage of the BPF bytecode with
pcap_freecode(), but the actual filter does not get freed.

>
> I ask because I want to make the bpf filter a learning filter like the
> old one was. This means that each time a new local mac address
> is found, it should get added to the filter like :
> "not ether dst 112233445566", and then get compiled and set.

Exactly the same problem I ran into.  I have now moved MAC filtering to the
application level to avoid this problem.

>
> I might even end up with something like 100 of these statements.
> Can the bpf filter handle this?
> "not ether dst 112233445566 and not ether dst 778899AABBCC"...
>
> Also, could one write "not ether dst mac1 mac2 mac3 mac4
> mac5......." ?

Not in my experience, but I'm no Yak specialist ;-)


======================
 This is the WinPcap users list. It is archived at
 http://www.mail-archive.com/[EMAIL PROTECTED]/

 To unsubscribe use
 mailto: [EMAIL PROTECTED]
======================
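
Added example, not part of the original messages and not WinPcap code: one way to keep the application-level MAC filtering discussed in this thread cheap per packet, by holding the learned addresses in a fixed-size hash set so each frame costs one lookup instead of a scan of the whole list. The names mac_set, mac_learn and keep_frame, the table size and the sample frame are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 1024u /* power of two; assumed well above the ~100 addresses mentioned */
typedef struct { uint64_t key[SLOTS]; unsigned count; } mac_set; /* hypothetical type */
void mac_set_init(mac_set *s) { memset(s, 0, sizeof *s); }

/* Pack 6 address bytes into a key; bit 48 is set so 0 can mean "empty slot". */
static uint64_t mac_key(const uint8_t *m) {
    uint64_t k = 1;
    for (int i = 0; i < 6; i++) k = (k << 8) | m[i];
    return k;
}
/* Multiplicative hash; the top 10 bits index the 1024 slots. */
static unsigned slot_of(uint64_t k) { return (unsigned)((k * 0x9E3779B97F4A7C15ull) >> 54); }

int mac_known(const mac_set *s, const uint8_t *m) {
    uint64_t k = mac_key(m);
    for (unsigned i = slot_of(k); s->key[i] != 0; i = (i + 1) & (SLOTS - 1))
        if (s->key[i] == k) return 1;
    return 0;
}

/* Learn an address: 1 = added, 0 = already present, -1 = table half full. */
int mac_learn(mac_set *s, const uint8_t *m) {
    if (mac_known(s, m)) return 0;
    if (s->count >= SLOTS / 2) return -1; /* keep probe chains short and finite */
    unsigned i = slot_of(mac_key(m));
    while (s->key[i] != 0) i = (i + 1) & (SLOTS - 1);
    s->key[i] = mac_key(m);
    s->count++;
    return 1;
}

/* Same decision as "not ether dst A and not ether dst B ...": 1 = keep, 0 = drop. */
int keep_frame(const mac_set *s, const uint8_t *frame, size_t caplen) {
    if (caplen < 14) return 0;      /* shorter than an Ethernet header */
    return !mac_known(s, frame);    /* destination MAC is bytes 0..5 */
}

int main(void) {
    static mac_set s; /* zero-initialised; the frame below is constructed sample data */
    const uint8_t frame[14] = {0x11,0x22,0x33,0x44,0x55,0x66, 0,1,2,3,4,5, 0x08,0x00};
    printf("before learning: keep=%d\n", keep_frame(&s, frame, sizeof frame));
    mac_learn(&s, frame);
    printf("after learning:  keep=%d\n", keep_frame(&s, frame, sizeof frame));
    return 0;
}
```

The capture handle keeps whatever single filter it was opened with; only the set changes as addresses are learned, so pcap_setfilter() is not called again.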



