1. libpcap does its filtering in BPF
2. It uses a high level filter language to do so (The famous tcpdump man
page.)
3. The actual interface to libpcap is two stage: firstly to compile the
filter to BPF, and secondly to set it as the filter.
4. People often ask if they can capture-filter on a field in a packet
which is at varying offsets from packet to packet, or on a string which
can exist anywhere in the packet.
5. These filters are possible in BPF, but impossible in the high level
language.
6. It should be straightforward to write a BPF assembler which would
produce files of the correct form to feed to libpcap. In fact it may
already exist.
7. It should be straightforward to modify the Ethereal capture dialog
to allow the use of such a file in preference to a high level filter
string.
--
Richard Urwin, Software Design Engineer
Schenck Test Automation
Braemar Court, 1311b Melton Road, Syston, UK.
rurwin@xxxxxxxxxxxxx
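
An added illustration of points 4 to 6 (not part of the original message, and not code from libpcap or Ethereal): a hand-assembled classic BPF program that tests the first TCP payload byte, whose offset varies with the IP and TCP header lengths, plus a minimal interpreter for the opcodes it uses. The names `insn`, `prog`, `run_filter` and `try_frame` and the sample frames are constructed for this example, which assumes unfragmented IPv4 over Ethernet.

```c
#include <stdint.h>
#include <string.h>
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; }; /* layout of struct bpf_insn */
/* Accept IPv4/TCP frames whose first payload byte is 'G'; comments give the BPF assembly. */
static const struct insn prog[] = {
    {0x28, 0,  0, 12},     /* ldh  [12]          ; EtherType                  */
    {0x15, 0, 11, 0x0800}, /* jeq  #0x800        ; not IPv4 -> drop           */
    {0x30, 0,  0, 23},     /* ldb  [23]          ; IP protocol                */
    {0x15, 0,  9, 6},      /* jeq  #6            ; not TCP -> drop            */
    {0xb1, 0,  0, 14},     /* ldxb 4*([14]&0xf)  ; X = IP header length       */
    {0x50, 0,  0, 26},     /* ldb  [x+26]        ; TCP data-offset byte       */
    {0x54, 0,  0, 0xf0},   /* and  #0xf0                                      */
    {0x74, 0,  0, 2},      /* rsh  #2            ; A = TCP header length      */
    {0x0c, 0,  0, 0},      /* add  x                                          */
    {0x07, 0,  0, 0},      /* tax                ; X = IP + TCP header length */
    {0x50, 0,  0, 14},     /* ldb  [x+14]        ; first payload byte         */
    {0x15, 0,  1, 'G'},    /* jeq  #0x47         ; no match -> drop           */
    {0x06, 0,  0, 0xffff}, /* ret  #65535        ; accept                     */
    {0x06, 0,  0, 0},      /* ret  #0            ; drop                       */
};

/* Minimal interpreter for the opcodes used above; a load past the end drops the packet. */
unsigned run_filter(const struct insn *pc, const uint8_t *p, size_t len) {
    uint32_t a = 0, x = 0;
    for (;; pc++) {
        size_t off = (size_t)pc->k + ((pc->code & 0xe0) == 0x40 ? x : 0); /* [x+k] or [k] */
        switch (pc->code) {
        case 0x28: if (off + 2 > len) return 0; a = (uint32_t)p[off] << 8 | p[off + 1]; break;
        case 0x30: case 0x50: if (off >= len) return 0; a = p[off]; break;
        case 0xb1: if (pc->k >= len) return 0; x = (p[pc->k] & 0x0fu) << 2; break;
        case 0x54: a &= pc->k; break;
        case 0x74: a >>= pc->k; break;
        case 0x0c: a += x; break;
        case 0x07: x = a; break;
        case 0x15: pc += (a == pc->k) ? pc->jt : pc->jf; break;
        case 0x06: return pc->k;
        default:   return 0; /* opcode outside this subset */
        }
    }
}

/* Constructed frame: Ethernet, IPv4 (ihl words), TCP (doff words), one payload byte. */
unsigned try_frame(unsigned ihl, unsigned doff, uint8_t first) {
    uint8_t b[14 + 60 + 60 + 1] = {0};
    size_t tcp = 14 + ihl * 4, data = tcp + doff * 4;
    b[12] = 0x08; b[14] = 0x40 | ihl; b[23] = 6;  /* IPv4, header length, protocol TCP */
    b[tcp + 12] = doff << 4; b[data] = first;     /* TCP data offset, payload byte */
    return run_filter(prog, b, data + 1);
}
```

The instruction array has the same field layout that libpcap's `pcap_setfilter()` takes inside a `struct bpf_program`, which is the second stage described in point 3.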