Building Open Source Network Security Tools: Components and Techniques [Electronic resources] (text version)

Mike D. Schiffman

Filter Functions

Libpcap offers rich support for Berkeley Packet Filter (BPF) programs. A filter is written as a tcpdump-style expression, compiled into BPF machine code, and attached to a libpcap descriptor; from then on only packets the program accepts are delivered to the application. On systems with an in-kernel BPF engine (the BSD bpf device and Linux socket filters, for example) this is a substantial performance win: packets that fail the filter are discarded in the kernel and are never copied into user space, so the CPU cost of a capture falls with the volume of traffic you are not interested in. Where the kernel has no such engine, libpcap evaluates the same program in userland after the copy, which still spares the application the work of inspecting every packet but not the copy itself. Table 2.3 lists some example filter strings. For a thorough treatment of filter expression semantics, see the tcpdump documentation (the pcap-filter manual page in current libpcap).

Table 2.3: BPF Filter Strings

FILTER STRING                    MATCHES THE FOLLOWING PACKETS

"tcp or udp"                     Only TCP or UDP packets (which implies IP packets as well)
"host www.somethingawful.com"    Only packets to or from this host (the name is resolved once, when the filter is compiled, and every address it resolves to is matched)
"ip proto 50 or ip proto 51"     Only IP packets with protocol number 50 (ESP) or 51 (AH), that is, IPsec
"icmp[0] = 8"                    ICMP echo request packets (type 8); tcpdump also accepts the symbolic form "icmp[icmptype] = icmp-echo"

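What pcap_compile() turns the last row of Table 2.3 into, and how the kernel (or libpcap's userland engine) then evaluates it, is easiest to see by running the compiled program by hand. The block below is an added example, not code from the book or from libpcap: it hand-assembles the program that tcpdump -d 'icmp[0] = 8' prints for an Ethernet link type (taken from the libpcap versions checked while writing this example, so an assumption rather than something the book states), runs it through a minimal classic-BPF interpreter, and feeds it constructed frames. Jump targets are written as absolute instruction indices, as tcpdump prints them, rather than the relative offsets of the real struct bpf_insn; the enum, bpf_run(), build_frame() and filter_demo() are this example's own names, and the frames are constructed, not captured.

```c
/* Added example, not code from the book or libpcap: a minimal classic-BPF
 * interpreter running the program pcap_compile() emits for "icmp[0] = 8". */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum op { LDH_ABS, LDB_ABS, LDB_IND, LDX_MSH, JEQ, JSET, RET };
struct insn { enum op op; uint32_t k; uint8_t jt, jf; };  /* jt/jf absolute, as tcpdump -d prints them */

/* Hand-assembled "icmp[0] = 8" for DLT_EN10MB, as tcpdump -d printed it on the
 * libpcap versions checked for this example (an assumption). Offsets: 12 EtherType,
 * 14 IP header start, 20 IP flags/fragment offset, 23 IP protocol. */
static const struct insn icmp_echo_req[] = {
    { LDH_ABS, 12,     0,  0  },  /* (000) A = EtherType                  */
    { JEQ,     0x0800, 2,  10 },  /* (001) IPv4? else reject              */
    { LDB_ABS, 23,     0,  0  },  /* (002) A = IP protocol                */
    { JEQ,     1,      4,  10 },  /* (003) ICMP? else reject              */
    { LDH_ABS, 20,     0,  0  },  /* (004) A = flags + fragment offset    */
    { JSET,    0x1fff, 10, 6  },  /* (005) non-first fragment? reject     */
    { LDX_MSH, 14,     0,  0  },  /* (006) X = 4 * IHL = IP header length */
    { LDB_IND, 14,     0,  0  },  /* (007) A = byte at X + 14 = ICMP type */
    { JEQ,     8,      9,  10 },  /* (008) echo request?                  */
    { RET,     262144, 0,  0  },  /* (009) accept: bytes to keep          */
    { RET,     0,      0,  0  },  /* (010) reject                         */
};
#define NINSN (sizeof icmp_echo_req / sizeof icmp_echo_req[0])

/* Run prog over pkt; returns bytes to keep, 0 meaning drop, like bpf_filter().
 * A load beyond the captured length ends the program with 0, which is what
 * makes truncated packets safe to filter. */
uint32_t bpf_run(const struct insn *prog, size_t ninsn, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0, x = 0; size_t pc = 0;
    while (pc < ninsn) {
        const struct insn *i = &prog[pc++];
        switch (i->op) {
        case LDH_ABS:
            if ((size_t)i->k + 2 > len) return 0;
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            break;
        case LDB_ABS:
            if ((size_t)i->k + 1 > len) return 0;
            a = pkt[i->k];
            break;
        case LDB_IND:
            if ((size_t)x + i->k + 1 > len) return 0;
            a = pkt[x + i->k];
            break;
        case LDX_MSH:
            if ((size_t)i->k + 1 > len) return 0;
            x = 4u * (pkt[i->k] & 0x0fu);
            break;
        case JEQ:  pc = (a == i->k) ? i->jt : i->jf; break;
        case JSET: pc = (a & i->k) ? i->jt : i->jf; break;
        case RET:  return i->k;
        }
    }
    return 0;  /* ran off the end: reject (the kernel refuses such programs) */
}

/* Constructed Ethernet/IPv4 frame plus an 8-byte layer-4 header whose first
 * byte is b0 (the ICMP type when proto is 1). ihl is the IP header length in
 * 32-bit words (5 = no options); frag is the raw IP flags/offset field. */
size_t build_frame(uint8_t *buf, uint8_t proto, uint8_t ihl, uint16_t frag, uint8_t b0)
{
    size_t iplen = (size_t)ihl * 4, total = 14 + iplen + 8;
    memset(buf, 0, total);
    buf[12] = 0x08;                                  /* EtherType 0x0800     */
    buf[14] = (uint8_t)(0x40 | ihl);                 /* version 4, IHL       */
    buf[17] = (uint8_t)(iplen + 8);                  /* total length (< 256) */
    buf[20] = (uint8_t)(frag >> 8); buf[21] = (uint8_t)frag;
    buf[22] = 64; buf[23] = proto;                   /* TTL, protocol        */
    memcpy(&buf[26], "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8); /* 10.0.0.1 -> 10.0.0.2 */
    buf[14 + iplen] = b0;
    return total;
}

/* Six constructed frames through the filter; bit i of the result is set when
 * frame i is accepted. Only frames 0 and 3 should pass: result 0x09. */
unsigned filter_demo(void)
{
    static const struct { uint8_t proto, ihl; uint16_t frag; uint8_t b0; size_t cap; } c[] = {
        { 1, 5, 0x4000, 8, 0 },   /* 0: ICMP echo request, DF set                    */
        { 1, 5, 0x4000, 0, 0 },   /* 1: ICMP echo reply                              */
        { 6, 5, 0,      8, 0 },   /* 2: TCP whose first byte happens to be 8         */
        { 1, 6, 0,      8, 0 },   /* 3: echo request behind 4 bytes of IP options    */
        { 1, 5, 0x0001, 8, 0 },   /* 4: non-first fragment (offset 1), no ICMP header */
        { 1, 5, 0,      8, 30 },  /* 5: echo request captured 30 bytes, ICMP cut off */
    };
    uint8_t buf[128]; unsigned hits = 0;
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++) {
        size_t n = build_frame(buf, c[i].proto, c[i].ihl, c[i].frag, c[i].b0);
        if (c[i].cap) n = c[i].cap;           /* simulate a short snapshot length */
        if (bpf_run(icmp_echo_req, NINSN, buf, n)) hits |= 1u << i;
    }
    return hits;
}
```

Two things the compiled program does that a naive "byte 34 equals 8" check would not: it reads the IHL nibble so the ICMP type is found behind any IP options, and it rejects non-first fragments, which carry no ICMP header at all. The bounds checks in bpf_run() mirror the real engine: a load past the captured data ends the program with 0, so a truncated frame is dropped rather than read out of bounds, which is why filters can be applied safely to packets of any length.
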

int pcap_lookupnet(char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf);


pcap_lookupnet() looks up the IPv4 network number and subnet mask of device. On success it returns 0 and stores the network number (the interface address with the mask applied, not the full address) in netp and the mask in maskp; both are copied straight from the interface's address structure and are therefore in network byte order, not host byte order (pass them to inet_ntoa() or the like if you need to print them). On failure it returns -1 and errbuf holds the reason. The usual reason to call it is to obtain the netmask argument for pcap_compile().



int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask);


pcap_compile() compiles the tcpdump-style filter expression str into a BPF program and stores it in fp. p is the libpcap descriptor; the compiler needs it for the link type, which decides the header offsets the program tests (an expression compiled for an Ethernet descriptor tests different byte offsets than the same expression compiled for a raw IP or 802.11 descriptor). optimize is a boolean selecting whether the BPF optimizer is run over the generated code; leave it on except when debugging the code generator. netmask is the IPv4 subnet mask of the capture interface; it is needed only to evaluate "ip broadcast" tests, so pass the value from pcap_lookupnet() where you have one and PCAP_NETMASK_UNKNOWN (defined as 0xffffffff in current libpcap) where you do not. On success the function returns 0 and fp holds the program; on failure it returns -1 and pcap_geterr(p) gives the reason. Check this return value: a syntax error in a user-supplied expression is reported here and nowhere else. Current libpcap declares str as const char *.



int pcap_compile_nopcap(int snaplen_arg, int linktype_arg, struct bpf_program *fp, char *buf, int optimize, bpf_u_int32 netmask);


pcap_compile_nopcap() is a wrapper around pcap_compile() for code that has no pcap descriptor: the snapshot length and link type that the compiler would otherwise take from the descriptor are passed explicitly, and the remaining arguments are as for pcap_compile(). Because there is no descriptor there is also no pcap_geterr() to consult; on failure you learn only that it returned -1. In current libpcap the wrapper is implemented by opening a temporary descriptor with pcap_open_dead(), compiling, and closing it again; if you want the error message, do the same yourself and keep the descriptor long enough to call pcap_geterr() on it.



int pcap_setfilter(pcap_t *p, struct bpf_program *fp);


pcap_setfilter() installs the program fp that pcap_compile() produced on the descriptor that p references. On systems with an in-kernel BPF engine the program is handed to the kernel, which validates it before accepting it; on systems without one libpcap evaluates the program in userland, inside the library, before delivering packets. In both cases the descriptor keeps its own copy, so fp can be released with pcap_freecode() as soon as the call returns. Upon success the function returns 0; upon failure it returns -1 and pcap_geterr(p) tells you why.





Note

Filter programs are not stackable: each call to pcap_setfilter() replaces the previously installed filter. To apply several conditions at once, combine them in a single expression ("tcp or udp", for example) and compile that.




void pcap_freecode(struct bpf_program *fp);


pcap_freecode() frees the memory that pcap_compile() allocated for the BPF program fp. Call it once the program has been installed with pcap_setfilter() or is otherwise no longer needed; the struct bpf_program itself is usually a local variable or structure member and is not freed.
