I am processing a hybrid pcap file using libpcap and a filter expression. The pcap file is hybrid, with IPv4 and IPv6 packets. The code fragment is as follows:
/*----------------------------------------------------------------------------*/
pcap_t * fp;
string pcapfilename = "g00.pcap";
string pcap_filter = "tcp dst port 80";
struct bpf_program filtercode;

// open pcap file
if ((fp = pcap_open_offline(pcapfilename.c_str(), errbuf)) == NULL)
{
    cout << "file open failed" << endl;
    return 0;
}

// set filter string
if (pcap_filter.length() > 0)
{
    u_int32_t netmask = 0xffffffff;
    struct bpf_program filtercode;
    if (pcap_compile(fp, &filtercode, pcap_filter.c_str(), 1, netmask) < 0)
    {
        cout << "compile filter code error " << pcap_geterr(fp) << endl;
        pcap_close(fp);
        return 0;
    }
    if (pcap_setfilter(fp, &filtercode) < 0)
    {
        cout << "set filter error " << pcap_geterr(fp) << endl;
        pcap_close(fp);
        return 0;
    }
}

// read packets
while((ret = pcap_next_ex(fp, &hdr, &pData)) > 0) //!!! notice here !!!
{
    cout << "I got it!!!" << endl;
}
/*----------------------------------------------------------------------------*/
I'm sure that the pcap file has many packets with TCP dest port 80, but I got nothing when I tried to read them out.

When I traced into the program, I found that "ret" is -2, which means the end of file was encountered.

I used another pcap file with pure IPv4 packets to test the above code; it ran correctly and I got the right packets as expected.

Is this a bug?

2011-12-30
homeryan
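
An independent cross-check for the situation described in the post above, added here as an example and not part of the original message or of libpcap: it decides by hand whether a frame is TCP to a given destination port, for both IPv4 and IPv6, so the counts can be compared with what the compiled filter lets through. The names `tcp_dst_port` and `sample_frame` are hypothetical, and the code assumes Ethernet framing, no VLAN tag and no IPv6 extension headers.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumptions: Ethernet (DLT_EN10MB) frames, no VLAN tag, no IPv6 extension headers.
enum class Match { No, V4, V6 };

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }

// Decide by hand whether a frame is TCP with the given destination port.
Match tcp_dst_port(const uint8_t* f, size_t len, uint16_t port) {
    if (len < 14) return Match::No;                  // shorter than an Ethernet header
    uint16_t ethertype = be16(f + 12);
    const uint8_t* ip = f + 14;
    size_t n = len - 14;
    if (ethertype == 0x0800) {                       // IPv4
        if (n < 20 || (ip[0] >> 4) != 4) return Match::No;
        size_t ihl = size_t(ip[0] & 0x0f) * 4;       // header length including options
        if (ihl < 20 || n < ihl + 4) return Match::No;
        if (ip[9] != 6) return Match::No;            // protocol is not TCP
        if (be16(ip + 6) & 0x1fff) return Match::No; // later fragment: no TCP header here
        return be16(ip + ihl + 2) == port ? Match::V4 : Match::No;
    }
    if (ethertype == 0x86DD) {                       // IPv6, fixed 40-byte header
        if (n < 44 || (ip[0] >> 4) != 6) return Match::No;
        if (ip[6] != 6) return Match::No;            // next header is not TCP
        return be16(ip + 42) == port ? Match::V6 : Match::No;
    }
    return Match::No;                                // neither IPv4 nor IPv6
}

// Constructed sample frames (not taken from g00.pcap); only the bytes the check reads are set.
std::vector<uint8_t> sample_frame(bool v6, uint16_t dport) {
    std::vector<uint8_t> f(14 + (v6 ? 40 : 20) + 20, 0);
    f[12] = v6 ? 0x86 : 0x08;
    f[13] = v6 ? 0xDD : 0x00;
    uint8_t* ip = f.data() + 14;
    if (v6) { ip[0] = 0x60; ip[6] = 6; }             // version 6, next header TCP
    else    { ip[0] = 0x45; ip[9] = 6; }             // version 4, IHL 5, protocol TCP
    uint8_t* tcp = ip + (v6 ? 40 : 20);
    tcp[2] = uint8_t(dport >> 8);                    // destination port, network byte order
    tcp[3] = uint8_t(dport & 0xff);
    return f;
}
```

With the `pcap_setfilter` step skipped, calling `tcp_dst_port(pData, hdr->caplen, 80)` inside the `pcap_next_ex` loop and tallying the `V4` and `V6` results shows how many packets of each family the filter would be expected to pass.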