I am indeed using the kernel socket filter option. I will try either the
suggestion below, or just recompiling ethereal with libpcap 0.6 as-is, and
re-compiling the kernel without the socket filter option (it needs a
recompile anyway; my current kernel isn't stable).
--J
-----Original Message-----
From: Guy Harris
To: McNutt, Justin M.
Cc: 'Guy Harris '; ''ethereal-users@xxxxxxxxxxxx' '
Sent: 2/22/01 6:54 PM
Subject: Re: [Ethereal-users] Capture filter bug.
> remove libpcap-0.6.2 source tree
> untar libpcap-0.5.2 source tree
> cd libpcap-0.5.2
> ./configure --prefix=/usr --enable-shared ; make ; make install
> cd ../ethereal-0.8.15
> make distclean
> ./configure --prefix=/usr --enable-shared ; make ; make install
>
> Under linux-2.4.1, ethereal 0.8.15, libpcap 0.5.2, the problem does
not
> happen. The problem *does* occur with libpcap 0.6.2.
It's probably a problem with either Linux PF_PACKET sockets or with the
packet socket mechanism, then; libpcap 0.5.x doesn't use it on Linux,
libpcap 0.6.x does.
Is your kernel configured with the socket filter option? (If you don't
know, try modifying "pcap-linux.c" in the libpcap 0.6.2 source, changing
the
case 1:
/*
* We have a filter that'll work in the kernel.
*/
can_filter_in_kernel = 1;
break;
code in "pcap_setfilter()" to instead be
case 1:
/*
* We have a filter that'll work in the kernel.
* (But we're not going to use it in the
kernel.)
*/
can_filter_in_kernel = 0;
break;
Then rebuild and install the new 0.6.2 library, and see if the problem
still happens.
If it still happens, then it's probably a problem with PF_PACKET
sockets, or with the user-mode packet filtering code, as the change in
question will keep libpcap from using the kernel-mode packet filtering
code.
If it *doesn't* still happen, then it's probably a problem with the
kernel packet filtering code (and it means your kernel is configured
with the socket filter option).