c/c++ pcap filter expression for ARP reply packets

Question

I am trying to create pcap filter for filtering ARP replies only. In wireshark i use

arp.opcode==2

and it works perfectly. But when i use it in pcap_compile function, it throws an exception - syntax error. I tried also these variants:

arp.opcode = 2
arp.opcode 2
arp opcode 2
arp.reply
arp reply

and nothing seems to work. I tried to google it, but no success. Is it even possibly to filter that specific packets?

Just use either C or C++. Don't tag the post with both. Also add the code without which we can't help. — Shridhar R Kulkarni, Apr 16 '17 at 10:50
pcap filters are not as sophisticated as the expressions Wireshark supports. Documentation at e.g. https://linux.die.net/man/7/pcap-filter. You might be better off just filtering for arp traffic and then checking for replies in code; otherwise you're going to need to research the arp packet format at the byte level. — Alan Stokes, Apr 16 '17 at 11:01
@AlanStokes Yea, i figured. I wanted to make it simpler, but i guess it cant be done. Thanks for reply! — Tibor Mikita, Apr 16 '17 at 11:14

score 0 · Answer 1 · edited May 23 '17 at 10:30

0

I suspect this should work, based on the packet structure from Wikipedia:

arp [6:2] = 2

(It's easier to look up once you figure out the answer, unfortunately.)

edited May 23 '17 at 10:30

Community

answered Apr 16 '17 at 13:31

Alan Stokes

1 Answers1