
How to filter packets with BPF in a C++ program when they're not read from a live capture or pcap/pcap-ng file?

asked 2021-01-29 21:42:38 +0000


I am using a DPDK application. I have a pointer to a packet and am trying to match it against a BPF filter using:

// Initialized before looking at the packet
pcap_open_dead(DLT_EN10MB, 65535);
pcap_compile(...)

// when I have a packet, I call

The packets are always VLAN encapsulated. Whenever the filter is "vlan", I match all the packets.

Other than that, it is not able to filter any other type (e.g., ip, arp).

Can anyone help me figure out what might be the problem?

Thanks, Sumit


1 Answer


answered 2021-01-29 21:50:47 +0000

Guy Harris

updated 2021-01-29 21:51:20 +0000

(This is really a libpcap question, but....)

The packets are always VLAN encapsulated.

That means that all filters must be of the form "vlan and XXX"; for example, "vlan and ip" to find IP packets, "vlan and arp" to find ARP packets, etc.



And for more information on the vlan primitive, refer to the pcap-filter man page.

cmaynard (2021-01-29 22:20:04 +0000)
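
Why a plain "ip" or "arp" filter never matches VLAN-tagged frames while "vlan and ip" does, shown as an added example that is not part of the original thread and is not libpcap code: a simplified C++ model of which EtherType offset each filter form tests on Ethernet. The function names and sample frames are constructed for illustration, and only the 802.1Q TPID 0x8100 is modelled.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Model (not libpcap code) of the EtherType tests a filter performs on DLT_EN10MB.
constexpr uint16_t ET_IPV4 = 0x0800, ET_ARP = 0x0806, ET_VLAN = 0x8100;

// Read a big-endian 16-bit field; returns false if the frame is too short.
static bool read_be16(const std::vector<uint8_t>& f, size_t off, uint16_t& out) {
    if (off + 2 > f.size()) return false;
    out = static_cast<uint16_t>((f[off] << 8) | f[off + 1]);
    return true;
}

// Plain "<proto>": the EtherType is tested at the fixed Ethernet offset 12.
bool match_proto(const std::vector<uint8_t>& f, uint16_t proto) {
    uint16_t et;
    return read_be16(f, 12, et) && et == proto;
}

// "vlan": the frame carries an 802.1Q tag (TPID 0x8100 at offset 12).
bool match_vlan(const std::vector<uint8_t>& f) { return match_proto(f, ET_VLAN); }

// "vlan and <proto>": after "vlan", later offsets shift by the 4-byte tag,
// so the encapsulated EtherType is tested at offset 16.
bool match_vlan_and_proto(const std::vector<uint8_t>& f, uint16_t proto) {
    uint16_t et;
    return match_vlan(f) && read_be16(f, 16, et) && et == proto;
}

// Constructed sample frame: zeroed MACs, optional 802.1Q tag, EtherType, padding.
std::vector<uint8_t> make_frame(bool tagged, uint16_t vid, uint16_t ethertype) {
    std::vector<uint8_t> f(12, 0x00);
    auto put16 = [&f](uint16_t v) {
        f.push_back(static_cast<uint8_t>(v >> 8));
        f.push_back(static_cast<uint8_t>(v & 0xff));
    };
    if (tagged) { put16(ET_VLAN); put16(vid & 0x0fff); }
    put16(ethertype);
    f.resize(64, 0x00);
    return f;
}

int main() {
    const auto pkt = make_frame(true, 100, ET_IPV4);  // VLAN 100 carrying IPv4
    std::printf("vlan=%d ip=%d vlan-and-ip=%d\n", match_vlan(pkt),
                match_proto(pkt, ET_IPV4), match_vlan_and_proto(pkt, ET_IPV4));
}
```

With libpcap itself, a program produced by pcap_compile() can be applied to a packet that is already in memory with pcap_offline_filter().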
