Ask Your Question
0

How to filter packets with BPF in a C++ program when they're not read from a live capture or pcap/pcap-ng file?

asked 2021-01-29 21:42:38 +0000

sumitece87 gravatar image

Hello,

I am using a DPDK application. I have a pointer to a packet and trying to match it against a BPF filter using:

// Initialized before looking at the packet pcap_open_dead(DLT_EN10MB, 65535); pcap_compile(...)

// when I have a packet, I call
pcap_offline_filter(...)

The packets are always VLAN encapsulated. Whenever the filter is "vlan", I match all the packets.

Other than that, it is not able to filter any other type (e.g., ip, arp).

Can anyone help me out figuring what might be the problem?

Thanks, Sumit

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2021-01-29 21:50:47 +0000

Guy Harris gravatar image

updated 2021-01-29 21:51:20 +0000

(This is really a libpcap question, but....)

The packets are always VLAN encapsulated.

That means that all filters must be of the form "vlan and XXX"; for example, "vlan and ip" to find IP packets, "vlan and arp" to find ARP packets, etc..

edit flag offensive delete link more

Comments

And for more information on the vlan primitive, refer to the pcap-filter man page.

cmaynard gravatar imagecmaynard ( 2021-01-29 22:20:04 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-01-29 21:42:38 +0000

Seen: 541 times

Last updated: Jan 29 '21

Related questions

Can I create a capture filter on a pcap file

capture filter: access data behind tcp header

Delay in GOOSE Subscription

Capture incoming packets from remote web server

Localhost capturing

What is the syntax for wireshark custom column

How to filter out TCP retransmissions

My UDP packets aren't showing

Using tshark filters to extract only interesting traffic from 12GB trace

Capture Filters - SSL Handshake or HEX

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2