Hi.
I can confirm that the source of the problem is 2, and it affects libpcap, as well, so the same problem seems to be present on the other OSes supported by libpcap.
I had a quick look at the libpcap documentation, and it seems that there are no notes documenting such behavior.
I've put Guy Harris in CC to this message, maybe he has a clue about it. My opinion is that this behavior is actually a bug that needs to be fixed. Guy, what do you think?
Have a nice day GV
----- Original Message ----- From: "Loris Degioanni" <[EMAIL PROTECTED]>
To: <winpcap-users@winpcap.polito.it>
Sent: Wednesday, February 02, 2005 2:43 AM
Subject: RE: [WinPcap-users] Changing filter after reading doesn't discard old packets
I can see two reasons for that:
1. the winpcap driver is broken, and doesn't empty the kernel buffer when a new filter is set. I'm pretty sure that the latest version (3.1b4) from the WinPcap website behaves correctly from this point of view (i just cheked the code), so you can try to install it instead of the 3.0 you're currently using. 2. The driver does its job, but when you set a new filter you still have some packets in the user-level libpcap-managed buffer, and libpcap doesn't drop them. I think this is the most probable cause.
I'll try to analyze the problem better, meanwhile a quick hack is to close the adapter and then reopen it before setting a new filter.
Loris
-----Original Message----- From: Gabriel Becedillas [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 01, 2005 11:09 AM To: winpcap-users@winpcap.polito.it Subject: [WinPcap-users] Changing filter after reading doesn't discard old packets
Hi, I'm having a problem and I'd like to know if this is a bug or not: If I set a filter that doesn't match any packet and then read, I don't get any packet. This is ok to me. If I set a filter that doesn't match any packet but I did a previous read, I get packets. Is that ok ? that old packets that doesn't match the current filter are returned ?. I'm puting an example program (omited the headers and error checking for simplicity). I'm using WinPCap 3.0 on a Windows 2000 SP4 box. Thanks.
void set_filter(pcap_t* a_Dev, const char* a_Filter) { struct bpf_program bpfprog;
pcap_compile(a_Dev, &bpfprog, const_cast<char*>(a_Filter), 1, 0xFFFFFE00); pcap_setfilter(a_Dev, &bpfprog); }
bool read(pcap_t* a_Dev) { pcap_pkthdr* p_hdr; u_char* p_data; return pcap_next_ex(a_Dev, &p_hdr, &p_data) == 1; }
int main() { char error[PCAP_ERRBUF_SIZE]; bool test;
pcap_t* dd = pcap_open_live("\\Device\\NPF_{3F532625-F275-42E3-A1D2-EF5AEF988F6E}", 100, 1, 2000, error); ::Sleep(5000); test = read(dd); assert(test); set_filter(dd, "host 1.1.1.1"); test = read(dd); assert(!test); return 0; }
--
Gabriel Becedillas Developer CORE SECURITY TECHNOLOGIES
Florida 141 - 2º cuerpo - 7º piso C1005AAC Buenos Aires - Argentina Tel/Fax: (54 11) 5032-CORE (2673) http://www.corest.com
====================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
To unsubscribe use mailto: [EMAIL PROTECTED] ======================
====================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
To unsubscribe use mailto: [EMAIL PROTECTED] ======================
================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
To unsubscribe use mailto: [EMAIL PROTECTED]
==================================================================
