|
HTML rendering created 2025-02-02 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
|
NAME | SYNOPSIS | DESCRIPTION | RETURN VALUE | BACKWARD COMPATIBILITY | SEE ALSO | COLOPHON |
|
|
|
PCAP_COMPILE(3PCAP) PCAP_COMPILE(3PCAP)
pcap_compile - compile a filter expression
#include <pcap/pcap.h>
int pcap_compile(pcap_t *p, struct bpf_program *fp,
const char *str, int optimize, bpf_u_int32 netmask);
pcap_compile() is used to compile the string str into a filter
program. See pcap-filter(7) for the syntax of that string. fp is
a pointer to a bpf_program struct and is filled in by
pcap_compile(). optimize controls whether optimization on the
resulting code is performed. netmask specifies the IPv4 netmask
(in host byte order) of the network on which packets are being
captured; it is used only when checking for IPv4 broadcast
addresses in the filter program. If the netmask of the network on
which packets are being captured isn't known to the program, or if
packets are being captured on the Linux "any" pseudo-interface
that can capture on more than one network, a value of
PCAP_NETMASK_UNKNOWN can be supplied; tests for IPv4 broadcast
addresses will fail to compile, but all other tests in the filter
program will be OK.
On Linux, if the pcap_t handle corresponds to a live packet
capture, the resulting filter program may use Linux BPF
extensions. This works transparently if the filter program is
used to filter packets on the same pcap_t handle, which should be
done when possible. In other use cases trying to use a filter
program with BPF extensions in pcap_offline_filter(3PCAP) or for
filtering an input savefile would reject more packets than
expected because the extensions depend on auxiliary packet data,
which would not be available. The workaround is to compile the
filter without the extensions by using a pcap_t handle from
pcap_open_dead(3PCAP) or pcap_open_offline(3PCAP) rather than a
handle from pcap_create(3PCAP) or pcap_open_live(3PCAP).
If BPF extensions are disabled as described above or the OS is not
Linux, pcap_compile() may start rejecting some filter expressions
for some link-layer header types, this is the expected behaviour.
For example, the ifindex keyword is valid for any live capture on
Linux, but when reading packets from a savefile, regardless of the
OS it is valid for DLT_LINUX_SLL2 only.
pcap_compile() returns 0 on success and PCAP_ERROR on failure. If
PCAP_ERROR is returned, pcap_geterr(3PCAP) or pcap_perror(3PCAP)
may be called with p as an argument to fetch or display the error
text.
The PCAP_NETMASK_UNKNOWN constant became available in libpcap
release 1.1.0.
In libpcap 1.8.0 and later, pcap_compile() can be used in multiple
threads within a single process. However, in earlier versions of
libpcap, it is not safe to use pcap_compile() in multiple threads
in a single process without some form of mutual exclusion allowing
only one thread to call it at any given time.
pcap(3PCAP), pcap_setfilter(3PCAP), pcap_freecode(3PCAP)
This page is part of the libpcap (packet capture library) project.
Information about the project can be found at
⟨http://www.tcpdump.org/⟩. If you have a bug report for this
manual page, see ⟨http://www.tcpdump.org/#patches⟩. This page was
obtained from the project's upstream Git repository
⟨https://github.com/the-tcpdump-group/libpcap.git⟩ on 2025-02-02.
(At that time, the date of the most recent commit that was found
in the repository was 2025-01-31.) If you discover any rendering
problems in this HTML version of the page, or you believe there is
a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
man-pages@man7.org
31 January 2025 PCAP_COMPILE(3PCAP)
|
HTML rendering created 2025-02-02 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|