I can see two reasons for that:

1. the winpcap driver is broken, and doesn't empty the kernel buffer when a
new filter is set. I'm pretty sure that the latest version (3.1b4) from the
WinPcap website behaves correctly from this point of view (i just cheked the
code), so you can try to install it instead of the 3.0 you're currently
using.
2. The driver does its job, but when you set a new filter you still have
some packets in the user-level libpcap-managed buffer, and libpcap doesn't
drop them. I think this is the most probable cause.

I'll try to analyze the problem better, meanwhile a quick hack is to close
the adapter and then reopen it before setting a new filter.

Loris


> -----Original Message-----
> From: Gabriel Becedillas [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 01, 2005 11:09 AM
> To: winpcap-users@winpcap.polito.it
> Subject: [WinPcap-users] Changing filter after reading doesn't discard 
> old packets
> 
> Hi,
> I'm having a problem and I'd like to know if this is a bug or not:
> If I set a filter that doesn't match any packet and then read, I don't 
> get any packet. This is ok to me.
> If I set a filter that doesn't match any packet but I did a previous 
> read, I get packets.
> Is that ok ? that old packets that doesn't match the current filter 
> are returned ?.
> I'm puting an example program (omited the headers and error checking 
> for simplicity).
> I'm using WinPCap 3.0 on a Windows 2000 SP4 box.
> Thanks.
> 
> void set_filter(pcap_t* a_Dev, const char* a_Filter) {
>      struct bpf_program bpfprog;
> 
>      pcap_compile(a_Dev, &bpfprog,
> const_cast<char*>(a_Filter), 1, 0xFFFFFE00);
>      pcap_setfilter(a_Dev, &bpfprog);
> }
> 
> bool read(pcap_t* a_Dev)
> {
>      pcap_pkthdr* p_hdr;
>      u_char* p_data;
>      return pcap_next_ex(a_Dev, &p_hdr, &p_data) == 1; }
> 
> int main()
> {
>      char error[PCAP_ERRBUF_SIZE];
>      bool test;
> 
>      pcap_t* dd =
> pcap_open_live("\\Device\\NPF_{3F532625-F275-42E3-A1D2-EF5AEF988F6E}",
> 100, 1, 2000, error);
>      ::Sleep(5000);
>      test = read(dd);
>      assert(test);
>      set_filter(dd, "host 1.1.1.1");
>      test = read(dd);
>      assert(!test);
>      return 0;
> }
> 
> --
> 
> 
> Gabriel Becedillas
> Developer
> CORE SECURITY TECHNOLOGIES
> 
> Florida 141 - 2 cuerpo - 7 piso
> C1005AAC Buenos Aires - Argentina
> Tel/Fax: (54 11) 5032-CORE (2673)
> http://www.corest.com
> 
> 
> ======================
>  This is the WinPcap users list. It is archived at 
> http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
> 
>  To unsubscribe use
>  mailto: [EMAIL PROTECTED]
> ======================
> 



================================================================= This is the 
WinPcap users list. It is archived at
 http://www.mail-archive.com/winpcap-users@winpcap.polito.it/

 To unsubscribe use
 mailto: [EMAIL PROTECTED]
=================================================================

Reply via email to