How to filter packets with BPF in a C++ program when they're not read from a live capture or pcap/pcap-ng file?

asked 2021-01-29 21:42:38 +0000


I am using a DPDK application. I have a pointer to a packet and am trying to match it against a BPF filter using:

    // Initialized before looking at the packet
    pcap_open_dead(DLT_EN10MB, 65535);
    pcap_compile(...)

    // when I have a packet, I call

The packets are always VLAN encapsulated. Whenever the filter is "vlan", I match all the packets.

Other than that, it is not able to filter any other type (e.g., ip, arp).

Can anyone help me figure out what the problem might be?

Thanks, Sumit

answered 2021-01-29 21:50:47 +0000

Guy Harris

updated 2021-01-29 21:51:20 +0000

(This is really a libpcap question, but....)

> The packets are always VLAN encapsulated.

That means that all filters must be of the form "vlan and XXX"; for example, "vlan and ip" to find IP packets, "vlan and arp" to find ARP packets, etc.

And for more information on the vlan primitive, refer to the pcap-filter man page.
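
Why "ip" alone never matches a tagged frame while "vlan and ip" does, as an added example that is not from the original post or from libpcap: a simplified C++ model of where these primitives look for the EtherType on a DLT_EN10MB frame. The function names, the constructed frame, and the restriction to TPID 0x8100 with only vlan/ip/arp joined by "and" are assumptions of the example; real matching is done by the BPF program that pcap_compile() generates.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Simplified model (assumption for illustration, not libpcap code).
constexpr uint16_t ETH_IP = 0x0800, ETH_ARP = 0x0806, ETH_VLAN = 0x8100;

// True if the big-endian 16-bit value at `off` equals `want`.
static bool type_at(const std::vector<uint8_t>& f, std::size_t off, uint16_t want) {
    if (off + 2 > f.size()) return false;  // truncated frame never matches
    return ((f[off] << 8) | f[off + 1]) == want;
}

// Evaluates "p1 and p2 and ..." where each primitive is vlan, ip or arp.
bool model_match(const std::string& expr, const std::vector<uint8_t>& frame) {
    std::istringstream in(expr);
    std::string tok;
    std::size_t type_off = 12;  // EtherType follows dst MAC (6) + src MAC (6)
    while (in >> tok) {
        if (tok == "and") continue;
        if (tok == "vlan") {
            if (!type_at(frame, type_off, ETH_VLAN)) return false;
            type_off += 4;  // skip TPID + TCI: later primitives read past the tag
        } else if (tok == "ip") {
            if (!type_at(frame, type_off, ETH_IP)) return false;
        } else if (tok == "arp") {
            if (!type_at(frame, type_off, ETH_ARP)) return false;
        } else {
            return false;  // primitive outside this model
        }
    }
    return true;
}

// Constructed sample: Ethernet header with one 802.1Q tag (VLAN 100), no payload.
std::vector<uint8_t> tagged_frame(uint16_t inner) {
    std::vector<uint8_t> f(12, 0x02);  // placeholder MAC addresses
    const uint8_t tail[] = {0x81, 0x00, 0x00, 0x64, uint8_t(inner >> 8), uint8_t(inner & 0xff)};
    f.insert(f.end(), tail, tail + sizeof tail);
    return f;
}

int main() {
    for (const char* e : {"vlan", "ip", "vlan and ip"})
        std::cout << e << " -> " << model_match(e, tagged_frame(ETH_IP)) << "\n";
}
```

On the tagged frame, "ip" compares 0x8100 at offset 12 against 0x0800 and fails; after "vlan" the comparison moves to offset 16, where the inner EtherType sits.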

