why pcap_setfilter did not take effect

Question

I'm using libpcap as lib to write a C program for catching up coming IPs. my code snippet as following:

struct bpf_program filter;
pcap_compile(pcap_handle, &filter, "icmp[icmptype]=0 and '(dst 16.11.26.100 or dst 16.11.27.100)'", 1, 0);
pcap_setfilter(pcap_handle, &filter);

But it didn't work, I still could see other dest Ips rather than only the above two Ips.

score 1 · Answer 1 · answered May 25 '19 at 03:49

1

I fixed the problem, the right answer is here:

"icmp[icmptype]=0 and (dst 16.11.26.100 or dst 16.11.27.100)"

Just removed the single quota.

answered May 25 '19 at 03:49

Jack

5,540
13
65
113

score 1 · Accepted Answer · answered May 27 '19 at 20:29

1

You should always check for errors from library routine calls. If you'd checked for errors from pcap_compile(), you would have seen that the compile failed (due to the single quotes, although the error message would probably just be "syntax error").

answered May 27 '19 at 20:29

user9065877

193
1
1
2

why pcap_setfilter did not take effect

2 Answers2