Wireshark-dev: Re: [Wireshark-dev] Help using BPF filters with libpcap

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 16 Apr 2009 16:46:24 -0700

On Apr 16, 2009, at 2:04 PM, caleb@xxxxxxxxxxx wrote:

I have been working on a program that will report when a HTTP text/plain packet is sent over the network.

What do you mean by "a HTTP text/plain packet"?

I am using libpcap 1.0 in this C++ program, using the function pcap_compile() as follows:

pcap_compile(interface, &filter, "src port 80 && tcp[32:4] = 0x666F7220", 1, mask)

As you can see, after the regular TCP headers, I look for the ASCII value "for "

To be precise, you're looking for the ASCII value "for " at an offset that, for TCP segments with no TCP options, is 12 bytes past the end of the TCP headers.

which has worked perfectly on my Linux box.  However, when I compile on OS X, no packets are found. I used Wireshark to look at the packets on my MacBook, and sure enough, they should pass through the filter, but they don't.

To see if I was really wrong, I ran tcpdump with the exact same filter

tcpdump -i en1 "src port 80 && tcp[32:4] = 0x666F7220"

This gave me results...so the filter is correct.

In other words, if you capture with Wireshark on en1 with the filter

	src port 80 && tcp[32:4] = 0x666F7220

you see no traffic, but if you capture with tcpdump on en1 with the same filter, you don't?

Or did you just look at some other capture file with Wireshark?
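An added example (not code from this thread, and not libpcap's own implementation) that illustrates the offset point raised above: `tcp[32:4]` indexes 32 bytes from the start of the TCP header, so it lands 12 bytes into the payload only when the header is the optionless 20 bytes. The program below evaluates the byte-index semantics of the BPF expression by hand on two constructed Ethernet/IPv4/TCP frames, one with no TCP options and one with 12 bytes of options, so it needs no libpcap at link time. It also evaluates the data-offset-relative form `tcp[((tcp[12]&0xf0)>>2)+12:4]`, the idiom the tcpdump manual uses to address payload bytes regardless of header length. The frame layout, payload string and helper names are this example's own assumptions.

```c
/* Added example: hand-evaluates "tcp[32:4] = 0x666F7220" versus a
 * data-offset-relative filter on constructed frames, without libpcap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ETH_HLEN 14
#define FOR_SPACE 0x666F7220u   /* ASCII "for " as a big-endian 32-bit value */

/* Read a big-endian 32-bit value at pkt[off]; returns 0 if the frame is too short. */
static int load_be32(const uint8_t *pkt, size_t len, size_t off, uint32_t *out)
{
    if (off + 4 > len) return 0;
    *out = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16) |
           ((uint32_t)pkt[off + 2] << 8) | (uint32_t)pkt[off + 3];
    return 1;
}

/* Offset of the TCP header within the frame: Ethernet + IPv4 IHL*4.
 * Returns 0 if the frame is not IPv4/TCP or is truncated. */
static size_t tcp_header_offset(const uint8_t *pkt, size_t len)
{
    if (len < ETH_HLEN + 20) return 0;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return 0;   /* EtherType IPv4 */
    size_t ihl = (size_t)(pkt[ETH_HLEN] & 0x0f) * 4;
    if (ihl < 20 || pkt[ETH_HLEN + 9] != 6) return 0;   /* IP protocol TCP */
    return ETH_HLEN + ihl;
}

/* "tcp[32:4] = 0x666F7220": fixed offset, 32 bytes into the TCP header. */
int matches_fixed_offset(const uint8_t *pkt, size_t len)
{
    size_t tcp = tcp_header_offset(pkt, len);
    uint32_t v;
    return tcp != 0 && load_be32(pkt, len, tcp + 32, &v) && v == FOR_SPACE;
}

/* "tcp[((tcp[12]&0xf0)>>2)+12:4] = 0x666F7220": 12 bytes into the payload,
 * wherever the TCP data offset field says the payload begins. */
int matches_payload_relative(const uint8_t *pkt, size_t len)
{
    size_t tcp = tcp_header_offset(pkt, len);
    uint32_t v;
    if (tcp == 0) return 0;
    size_t doff = (size_t)((pkt[tcp + 12] & 0xf0) >> 2);   /* header length in bytes */
    return load_be32(pkt, len, tcp + doff + 12, &v) && v == FOR_SPACE;
}

/* Build a constructed frame: Ethernet + minimal IPv4 + TCP header carrying
 * opt_len bytes of NOP options + payload. Returns the total length, 0 on error. */
size_t build_frame(uint8_t *buf, size_t cap, size_t opt_len, const char *payload)
{
    size_t plen = strlen(payload);
    size_t tcp_hlen = 20 + opt_len;
    size_t total = ETH_HLEN + 20 + tcp_hlen + plen;
    if (opt_len % 4 != 0 || tcp_hlen > 60 || total > cap) return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                      /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                        /* IPv4, IHL 5 */
    ip[2] = (uint8_t)((total - ETH_HLEN) >> 8);          /* total length */
    ip[3] = (uint8_t)(total - ETH_HLEN);
    ip[9] = 6;                                           /* protocol TCP */
    uint8_t *tcp = ip + 20;
    tcp[0] = 0; tcp[1] = 80;                             /* src port 80 */
    tcp[12] = (uint8_t)((tcp_hlen / 4) << 4);            /* data offset */
    memset(tcp + 20, 1, opt_len);                        /* NOP options (kind 1) */
    memcpy(tcp + tcp_hlen, payload, plen);
    return total;
}

int main(void)
{
    /* Constructed payload: "for " sits at payload offset 12. */
    const char *payload = "HTTP/1.1 OK for real";
    uint8_t plain[256], with_opts[256];
    size_t n1 = build_frame(plain, sizeof plain, 0, payload);
    size_t n2 = build_frame(with_opts, sizeof with_opts, 12, payload);

    printf("no options   : tcp[32:4] match=%d  payload-relative match=%d\n",
           matches_fixed_offset(plain, n1), matches_payload_relative(plain, n1));
    printf("12B options  : tcp[32:4] match=%d  payload-relative match=%d\n",
           matches_fixed_offset(with_opts, n2), matches_payload_relative(with_opts, n2));
    return 0;
}
```

With a 20-byte TCP header both filters match; with 12 bytes of options (the typical size of a timestamp option block) the fixed-offset filter reads the first four payload bytes instead of bytes 12..15 and misses, while the data-offset-relative form still hits.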