Old 05-12-2019, 03:04 PM   #1
glestwid
LQ Newbie
 
Registered: Apr 2018
Posts: 16

Rep: Reputation: Disabled
LIBPCAP can't parse valid expression from Wireshark


Hi,

I am writing a custom app for filtering CAP dump files. Before starting its development I tried the expected filtering expression in Wireshark:

Quote:
(eapol || wlan.fc.type_subtype == 0x08) && wlan.bssid == 00:11:00:11:00:11
and it worked flawlessly. But when I implemented this filtering in the app:

Code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <pcap.h>
#include <time.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>

char *inputFileName = NULL;
char *outputFileName = NULL;
char *bssId = NULL;            /* not used yet */
/* This string is Wireshark display-filter syntax. pcap_compile() parses only
   the tcpdump/BPF capture-filter language, so it reports a syntax error here. */
char *filter_expNew = "(eapol || wlan.fc.type_subtype == 0x08) && wlan.bssid == 00:11:00:11:00:11";

void my_packet_handler(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
    struct ether_header *eth_header;
    FILE *fo = (FILE *) args;   /* output file, opened once in main() */

    /* The packet is larger than the ether_header struct, but we just want to
       look at the first part of the packet that contains the header. We force
       the compiler to treat the pointer to the packet as just a pointer to the
       ether_header. The data payload comes after the headers. Different packet
       types have different header lengths, but the Ethernet header is always
       the same (14 bytes).
       NOTE: this only holds when pcap_datalink() reports DLT_EN10MB. An 802.11
       capture (DLT_IEEE802_11 / DLT_IEEE802_11_RADIO) starts with a different
       header, so the fields below would be read from the wrong offsets. */
    if (header->caplen < sizeof(struct ether_header)) {
        return;                 /* truncated capture; do not read past the buffer */
    }
    eth_header = (struct ether_header *) packet;

    if (ntohs(eth_header->ether_type) == ETHERTYPE_IP) {
        printf("IP\n");
    } else if (ntohs(eth_header->ether_type) == ETHERTYPE_ARP) {
        printf("ARP\n");
    } else if (ntohs(eth_header->ether_type) == ETHERTYPE_REVARP) {
        printf("Reverse ARP\n");
    }

    /* The original opened outputFileName with "wb" on every packet, which
       truncated the file each time; matching packets would be written to fo here. */
    (void) fo;
}

// taken from https://www.devdungeon.com/content/using-libpcap-c#load-pcap-file
int main(int argc, char **argv)
{
    pcap_t *handle;
    char error_buffer[PCAP_ERRBUF_SIZE];
    struct bpf_program filter;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <input.cap> <output.cap>\n", argv[0]);
        return 1;
    }
    inputFileName = argv[1];
    outputFileName = argv[2];

    printf("Filtering expression:%s\n", filter_expNew);

    /* pcap_lookupnet() on a live device has no meaning for a capture file;
       the netmask only affects "ip broadcast" filters, so it is left unknown. */
    handle = pcap_open_offline(inputFileName, error_buffer);
    if (handle == NULL) {
        printf("Could not open %s - %s\n", inputFileName, error_buffer);
        return 2;
    }
    if (pcap_datalink(handle) != DLT_EN10MB) {
        printf("Warning: link type %d is not Ethernet; the ether_header cast in the handler will misread frames\n",
               pcap_datalink(handle));
    }

    if (pcap_compile(handle, &filter, filter_expNew, 0, PCAP_NETMASK_UNKNOWN) == -1) {
        printf("Bad filter - %s\n", pcap_geterr(handle));
        pcap_close(handle);
        return 2;
    }
    if (pcap_setfilter(handle, &filter) == -1) {
        printf("Error setting filter - %s\n", pcap_geterr(handle));
        pcap_freecode(&filter);
        pcap_close(handle);
        return 2;
    }
    pcap_freecode(&filter);     /* the compiled program is copied into the handle */

    FILE *fo = fopen(outputFileName, "wb");
    if (fo == NULL) {
        perror(outputFileName);
        pcap_close(handle);
        return 2;
    }

    pcap_loop(handle, 0, my_packet_handler, (u_char *) fo);

    fclose(fo);
    pcap_close(handle);
    return 0;
}
I started getting "Bad filter - syntax error" for exactly the same filtering expression. What am I doing wrong with Libpcap and my filter?
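Added illustration (not the poster's code, and not libpcap's or Wireshark's): the display filter above evaluated by hand over raw 802.11 frames, which spells out what the eapol, wlan.fc.type_subtype and wlan.bssid fields actually test. It assumes DLT_IEEE802_11 frames without a radiotap header or HT Control field; the two sample frames are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

const uint8_t TARGET_BSSID[6] = {0x00, 0x11, 0x00, 0x11, 0x00, 0x11};

/* Constructed sample 1: a beacon (type 0, subtype 8); addr1 is broadcast,
 * addr2 and addr3 carry the BSSID from the thread, 00:11:00:11:00:11. */
const uint8_t SAMPLE_BEACON[24] = {
    0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x11, 0x00, 0x11, 0x00, 0x11, 0x00, 0x11, 0x00, 0x11, 0x00, 0x11,
    0x10, 0x00 };

/* Constructed sample 2: a From-DS data frame (BSSID therefore in addr2)
 * carrying LLC/SNAP with EtherType 0x888e, i.e. an EAPOL frame. */
const uint8_t SAMPLE_EAPOL[34] = {
    0x08, 0x02, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x11, 0x00, 0x11, 0x00, 0x11, 0x00, 0x11, 0x00, 0x11, 0x00, 0x11,
    0x00, 0x00, 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8e, 0x02, 0x03 };

/* Where the BSSID sits follows the To-DS/From-DS bits, as Wireshark's
 * wlan.bssid does; 4-address (WDS) frames have no single BSSID -> NULL. */
static const uint8_t *wlan_bssid(const uint8_t *f) {
    unsigned to_ds = f[1] & 0x01, from_ds = f[1] & 0x02;
    if (to_ds && from_ds) return NULL;
    return to_ds ? f + 4 : from_ds ? f + 10 : f + 16; /* addr1 / addr2 / addr3 */
}

/* Wireshark's wlan.fc.type_subtype is (type << 4) | subtype. */
static unsigned wlan_type_subtype(const uint8_t *f) {
    return ((f[0] & 0x0c) << 2) | (f[0] >> 4);
}

/* Unprotected data frame whose LLC/SNAP header announces EtherType 0x888e. */
static bool wlan_is_eapol(const uint8_t *f, size_t len) {
    static const uint8_t snap[6] = {0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00};
    if (((f[0] >> 2) & 0x03) != 2 || (f[1] & 0x40)) return false;
    size_t hdr = 24 + (((f[1] & 0x03) == 0x03) ? 6 : 0) + ((f[0] & 0x80) ? 2 : 0);
    if (len < hdr + 8 || memcmp(f + hdr, snap, 6) != 0) return false;
    return ((f[hdr + 6] << 8) | f[hdr + 7]) == 0x888e;
}

/* (eapol || wlan.fc.type_subtype == 0x08) && wlan.bssid == bssid, for one frame */
bool matches_filter(const uint8_t *f, size_t len, const uint8_t bssid[6]) {
    if (len < 24) return false;                 /* shorter than a 3-address MAC header */
    const uint8_t *b = wlan_bssid(f);
    if (b == NULL || memcmp(b, bssid, 6) != 0) return false;
    return wlan_type_subtype(f) == 0x08 || wlan_is_eapol(f, len);
}
```

pcap_compile() only understands the tcpdump/BPF capture-filter language; the closest form there is roughly `(ether proto 0x888e or (type mgt subtype beacon)) and wlan addr3 00:11:00:11:00:11`, which is not identical to wlan.bssid because on To-DS/From-DS data frames the BSSID sits in addr1/addr2 rather than addr3.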
Tags
libpcap, wireshark