diff options
| author | Guy Harris <guy@alum.mit.edu> | 2017-03-09 00:49:09 -0800 |
|---|---|---|
| committer | Guy Harris <guy@alum.mit.edu> | 2017-03-09 00:49:09 -0800 |
| commit | 5dd0e37550ae9e76fa755064d22934e00538317e (patch) | |
| tree | ca7961510a63fc1bc1562447a0bdccb205ce52fa /pcap-new.c | |
| parent | f55739c07564dffe5ccc541d447c169e835428aa (diff) | |
Put back the greasy "save the capture filter string so we can tweak it" hack.
In order to be able to arrange that, when doing a remote capture, the
machine doing the capturing doesn't capture the traffic it sends
containing the captured packets, we have to tweak the user's filter to
filter out traffic to and from the port(s) being used for capturing, and
tell the remote machine to use that as the filter.
WinPcap did this by inserting a hack into pcap_compile() to save the
filter.
We do it by having a hook, called by pcap_compile(), so it doesn't have
to know anything about remote packet capture; we handle that all in our
hook routine.
Ideally, we should do this by compiling the additional filter code
ourselves and combining it with the existing filter code in our
pcap_setfilter routine, and get rid of this hack entirely. That way, we
don't have to *assume* that 1) the filter code being used was generated
by pcap_compile() (which needn't be the case), 2) the filter is in
standard pcap syntax (which it might not be - there's a pull request to
add the ability to specify raw BPF machine code, in binary form, to
pcap_compile()), and 3) nobody ever calls pcap_compile() to compile a
filter that they *aren't* going to hand to pcap_setfilter (which they
might do, e.g. if they're using BPF filters to do packet classification
on packets we hand them).
Fix up some comments while we're at it.
Diffstat (limited to 'pcap-new.c')
0 files changed, 0 insertions, 0 deletions