LIBPCAP can't parse valid expression from Wireshark
and it worked flawlessly. But when I implemented this filtering in the app:
Code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <pcap.h>
#include <time.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>

char *inputFileName = NULL;
char *outputFileName = NULL;
char *bssId = NULL;
/* The filter expression that produces the "syntax error" described below. */
char *filter_expNew = "(eapol || wlan.fc.type_subtype == 0x08) && wlan.bssid == 00:11:00:11:00:11";

void my_packet_handler(
    u_char *args,
    const struct pcap_pkthdr* header,
    const u_char* packet
) {
    struct ether_header *eth_header;
    /* The packet is larger than the ether_header struct,
       but we just want to look at the first part of the packet
       that contains the header. We force the compiler
       to treat the pointer to the packet as just a pointer
       to the ether_header. The data payload of the packet comes
       after the headers. Different packet types have different header
       lengths though, but the ethernet header is always the same (14 bytes) */
    eth_header = (struct ether_header *) packet;
    if (ntohs(eth_header->ether_type) == ETHERTYPE_IP) {
        printf("IP\n");
    } else if (ntohs(eth_header->ether_type) == ETHERTYPE_ARP) {
        printf("ARP\n");
    } else if (ntohs(eth_header->ether_type) == ETHERTYPE_REVARP) {
        printf("Reverse ARP\n");
    }
    /* "wb" truncates the output file on every packet; nothing is written to it yet. */
    FILE *fo = fopen(outputFileName, "wb");
    if (fo != NULL) {
        fclose(fo);
    }
}

void print_packet_info(const u_char *packet, struct pcap_pkthdr packet_header);

// taken from https://www.devdungeon.com/content/using-libpcap-c#load-pcap-file
int main(int argc, char **argv) {
    /* The post does not show how the file names are set;
       taking them from argv is an assumption. */
    if (argc < 3) {
        fprintf(stderr, "Usage: %s <input capture> <output file>\n", argv[0]);
        return 1;
    }
    inputFileName = argv[1];
    outputFileName = argv[2];

    printf("Filtering expression:%s\n", filter_expNew);
    char dev[] = "any";
    pcap_t *handle;
    char error_buffer[PCAP_ERRBUF_SIZE];
    struct bpf_program filter;
    bpf_u_int32 subnet_mask, ip;

    if (pcap_lookupnet(dev, &ip, &subnet_mask, error_buffer) == -1) {
        printf("Could not get information for device: %s\n", dev);
        ip = 0;
        subnet_mask = 0;
    }
    handle = pcap_open_offline(inputFileName, error_buffer);
    if (handle == NULL) {
        printf("Could not open %s - %s\n", inputFileName, error_buffer);
        return 2;
    }
    /* Compile and install the filter; this is where "Bad filter" is reported. */
    if (pcap_compile(handle, &filter, filter_expNew, 0, ip) == -1) {
        printf("Bad filter - %s\n", pcap_geterr(handle));
        return 2;
    }
    if (pcap_setfilter(handle, &filter) == -1) {
        printf("Error setting filter - %s\n", pcap_geterr(handle));
        return 2;
    }
    pcap_loop(handle, 0, my_packet_handler, NULL);
    pcap_close(handle);
    return 0;
}
I started getting "Bad filter - syntax error" for exactly the same filtering expression. What am I doing wrong with Libpcap and my filter?
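pcap_compile() takes pcap-filter (capture filter) syntax, which is a different language from Wireshark display filters such as the expression in the post. The following added example (not from the original post) applies the same selection byte by byte to raw 802.11 frames, for instance inside a pcap_loop() callback. The function names and sample frames are constructed for illustration, and it assumes link type DLT_IEEE802_11 with no radiotap header in front of the frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Close pcap-filter counterpart of the display filter (X = the BSSID):
 *   (ether proto 0x888e or type mgt subtype beacon) and
 *   (wlan addr1 X or wlan addr2 X or wlan addr3 X)
 * Constructed sample frames below: raw 802.11, BSSID 00:11:00:11:00:11. */
const uint8_t BSSID[6] = {0x00, 0x11, 0x00, 0x11, 0x00, 0x11};
const uint8_t SAMPLE_BEACON[24] = {0x80, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0, 0x11, 0, 0x11, 0, 0x11, 0, 0x11, 0, 0x11, 0, 0x11, 0, 0};
const uint8_t SAMPLE_EAPOL[38] = {0x88, 0x02, 0, 0, 2, 0, 0, 0, 0, 1, /* QoS data from AP */
    0, 0x11, 0, 0x11, 0, 0x11, 0, 0x11, 0, 0x11, 0, 0x11, 0, 0, 0, 0,
    0xaa, 0xaa, 0x03, 0, 0, 0, 0x88, 0x8e, 2, 3, 0, 0};

/* The BSSID position depends on the frame type and the ToDS/FromDS bits. */
static const uint8_t *wlan_bssid(const uint8_t *f, size_t len) {
    if (len < 24) return NULL;
    unsigned type = (f[0] >> 2) & 3;
    if (type == 0) return f + 16;       /* management: addr3 */
    if (type != 2) return NULL;         /* control frames are not handled */
    switch (f[1] & 3) {                 /* bit 0 = ToDS, bit 1 = FromDS */
    case 0:  return f + 16;             /* IBSS: addr3 */
    case 1:  return f + 4;              /* station to AP: addr1 */
    case 2:  return f + 10;             /* AP to station: addr2 */
    default: return NULL;               /* WDS: four addresses, no BSSID */
    }
}

static int is_beacon(const uint8_t *f, size_t len) {
    return len >= 24 && (f[0] & 0xfc) == 0x80;   /* type 0, subtype 8 */
}

/* EAPOL: unencrypted data frame whose LLC/SNAP header carries 0x888e. */
static int is_eapol(const uint8_t *f, size_t len) {
    static const uint8_t snap[8] = {0xaa, 0xaa, 0x03, 0, 0, 0, 0x88, 0x8e};
    if (len < 24 || ((f[0] >> 2) & 3) != 2) return 0;
    unsigned subtype = f[0] >> 4;
    if ((subtype & 4) || (f[1] & 0x40)) return 0;    /* no payload, or protected */
    size_t hdr = 24;
    if ((f[1] & 3) == 3) hdr += 6;                   /* addr4 present */
    if (subtype & 8) hdr += (f[1] & 0x80) ? 6 : 2;   /* QoS (+ HT) control */
    return len >= hdr + 8 && memcmp(f + hdr, snap, 8) == 0;
}

int frame_matches(const uint8_t *f, size_t len, const uint8_t bssid[6]) {
    const uint8_t *b = wlan_bssid(f, len);
    return b && memcmp(b, bssid, 6) == 0 && (is_beacon(f, len) || is_eapol(f, len));
}
```

If the capture file has a radiotap link type, skip the radiotap header (its length is the little-endian 16-bit value at offset 2) before calling frame_matches().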