Ethereal-dev: RE : RE : [Ethereal-dev] about ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "RABRET Laurent FTRD/DAC/ISS" <laurent.rabret@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 25 Jun 2003 12:03:38 +0200
The code you have was a very first (quick & dirty) proposal that didn't
even work on Windows XP...
About filtering, it is true I didn't implement it because it was not
critical for me (I just support the promisc vs. non-promisc filter, which
is directly sent to the lower network driver level and possibly
forwarded to the NIC in the case of advanced interfaces). However, because the
NM SDK proposes a specific API to inject filters into, presumably, its own
protocol driver (i.e. in kernel space), I can work on the pcap grammar
for NM to support it (but it's not just a 2-hour job...). Not sure it
is a judicious proposal because I've seen many complaints about the use
of 2 different grammars... To me, the NM driver is only a very useful
spare, so filtering is maybe not that important.
Regards
Laurent


-----Original Message-----
From: Guy Harris [mailto:gharris@xxxxxxxxx] 
Sent: Wednesday, June 25, 2003 10:24 AM
To: RABRET Laurent FTRD/DAC/ISS
Cc: ethereal-dev@xxxxxxxxxxxx
Subject: Re: RE : [Ethereal-dev] about ethereal

On Tue, Jun 24, 2003 at 05:05:02PM +0200, RABRET Laurent FTRD/DAC/ISS
wrote:
> I suppose the filtering is performed in kernel mode...

From looking at your code, the filtering doesn't seem to be done at all.
"pcap_setfilter()" calls the SetFilter method of the pcap_t passed to
it, but that method doesn't use its "struct bpf_program *" argument -
it's not passed into the NetMon driver, so the filtering can't be done
in kernel mode (the kernel doesn't even know about the BPF program - and
I suspect there's no BPF interpreter in Microsoft's NetMon driver
anyway, so there's nothing it could do with a BPF program if it *did*
know about it), and there are no calls to "bpf_filter()" anywhere in
your code, so the filtering isn't done in user mode, either.
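An added example, not code from either message and not libpcap's or Microsoft's NetMon code: a minimal user-mode interpreter for a small subset of classic BPF, showing what the "bpf_filter()" fallback Guy mentions has to do when a driver cannot run the program in kernel mode. The instruction layout mirrors libpcap's struct bpf_insn (code, jt, jf, k), but the opcode constants, the "ip" program, the bpf_filter_user and accept_ip_only functions and the two Ethernet frames are all constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classic BPF instruction: same four fields as libpcap's struct bpf_insn. */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* Opcode encodings for the subset supported here (classic BPF values,
 * assumed; a real interpreter handles the full instruction set). */
#define BPF_LDH_ABS 0x28  /* A = 16-bit big-endian half-word at packet[k] */
#define BPF_LDB_ABS 0x30  /* A = byte at packet[k]                       */
#define BPF_JEQ_K   0x15  /* if (A == k) skip jt insns else skip jf insns */
#define BPF_RET_K   0x06  /* accept k bytes of the packet; 0 means drop   */

/* User-mode filter: the fallback a capture library must run itself when the
 * driver does not interpret the program. Returns the snap length, 0 = drop.
 * Any load beyond the buffer rejects the packet, as libpcap's bpf_filter()
 * does, so a truncated frame can never be misclassified by reading garbage. */
unsigned bpf_filter_user(const struct bpf_insn *pc, const unsigned char *p,
                         unsigned wirelen, unsigned buflen)
{
    uint32_t A = 0;      /* accumulator */
    (void)wirelen;       /* only needed by opcodes not implemented here */

    for (;;) {
        uint32_t k = pc->k;
        switch (pc->code) {
        case BPF_LDH_ABS:
            if (k + 2 > buflen) return 0;
            A = ((uint32_t)p[k] << 8) | p[k + 1];
            break;
        case BPF_LDB_ABS:
            if (k + 1 > buflen) return 0;
            A = p[k];
            break;
        case BPF_JEQ_K:
            /* jumps are relative to the following instruction */
            pc += (A == k) ? pc->jt : pc->jf;
            break;
        case BPF_RET_K:
            return k;
        default:
            return 0;    /* unknown opcode: fail closed, drop the packet */
        }
        ++pc;
    }
}

/* Constructed program equivalent to the pcap filter "ip":
 * load the Ethernet type at offset 12, accept if it is 0x0800. */
static const struct bpf_insn ip_program[] = {
    { BPF_LDH_ABS, 0, 0, 12     },
    { BPF_JEQ_K,   0, 1, 0x0800 },
    { BPF_RET_K,   0, 0, 65535  },
    { BPF_RET_K,   0, 0, 0      },
};

/* Constructed sample frames: 14-byte Ethernet header plus a few payload bytes. */
const unsigned char frame_ip[]  = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55,
                                    0x08,0x00, 0x45,0x00,0x00,0x14 };
const unsigned char frame_arp[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55,
                                    0x08,0x06, 0x00,0x01,0x08,0x00 };

/* 1 if the frame passes the "ip" program in user mode, 0 if it is dropped. */
int accept_ip_only(const unsigned char *p, unsigned len)
{
    return bpf_filter_user(ip_program, p, len, len) != 0;
}

int main(void)
{
    printf("ip frame: %d, arp frame: %d, truncated ip frame: %d\n",
           accept_ip_only(frame_ip, sizeof frame_ip),
           accept_ip_only(frame_arp, sizeof frame_arp),
           accept_ip_only(frame_ip, 13));
    return 0;
}
```

The point of the fallback is that a capture library has two places it can honour a "struct bpf_program": hand it to a driver that has a BPF interpreter, or run it itself on every packet copied up to user space. A SetFilter method that stores nothing and calls neither path is what Guy describes, and the result is that every packet reaches the application unfiltered.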