Wireshark · Wireshark-dev: [Wireshark-dev] Help using BPF filters with libpcap

Wireshark-dev: [Wireshark-dev] Help using BPF filters with libpcap

Date: Thu, 16 Apr 2009 15:04:41 -0600

Hello all,
I have been working on a program that will report when a HTTP text/plain
packet is sent over the network.  I am using libpcap 1.0 in this C++
program, using the function pcap_compile() as follows:

pcap_compile(interface, &filter, "src port 80 && tcp[32:4]=0x666F7220", 1,
mask)

As you can see, after the regular TCP headers, I look for the ASCII value
"for " which has worked perfectly on my Linux box.  However, when I compile
on OS X, no packets are found.  I used Wireshark to look at the packets on
my MacBook, and sure enough, they should pass through the filter, but they
don't.

To see if I was really wrong, I ran tcpdump with the exact same filter

tcpdump -i en1 "src port 80 && tcp[32:4] = 0x666F7220"

This gave me results...so the filter is correct.  There is virtually nobody
on freenode's #wireshark, and this seemed the best place.  I would
appreciate any help, thanks!

Caleb Hearon

Follow-Ups:
- Re: [Wireshark-dev] Help using BPF filters with libpcap
  - From: Guy Harris

Prev by Date: Re: [Wireshark-dev] VC6 compile error related to Win64 change
Next by Date: Re: [Wireshark-dev] Help using BPF filters with libpcap
Previous by thread: Re: [Wireshark-dev] VC6 compile error related to Win64 change
Next by thread: Re: [Wireshark-dev] Help using BPF filters with libpcap
Index(es):
- Date
- Thread