int pfring_mod_set_bpf_filter(pfring *ring, char *filter_buffer){ int rc = 0; #ifdef ENABLE_BPF struct bpf_program filter; struct sock_fprog fcode; if (!filter_buffer) return -1; if(pcap_compile_nopcap(ring->caplen, /* snaplen_arg */ DLT_EN10MB, /* linktype_arg */ &filter, /* program */ filter_buffer, /* const char *buf */ 0, /* optimize */ 0 /* mask */ ) == -1) return -1; if (filter.bf_insns == NULL) return (-1); fcode.len = filter.bf_len; fcode.filter = filter.bf_insns; rc = setsockopt(ring->fd, 0, SO_ATTACH_FILTER, &fcode, sizeof(fcode)); if (rc == -1) { int dummy = 0; setsockopt(ring->fd, SOL_SOCKET, SO_DETACH_FILTER, &dummy, sizeof(dummy)); } #endif return rc; }
void parse_bpf(ipfw_insn **cmd, int *ac, char **av[]) { struct bpf_program program; ipfw_insn_bpf *bpf; int avlen; NEXT_ARG1; (*cmd)->opcode = O_LAYER4_BPF; (*cmd)->module = MODULE_LAYER4_ID; avlen = strlen(**av); if (avlen > 256) errx(EX_DATAERR, "bpf \"%s\" too long (max 256)", **av); bpf = (ipfw_insn_bpf *)(*cmd); strcpy(bpf->bf_str, **av); if (pcap_compile_nopcap(65535, DLT_RAW, &program, **av, 1, PCAP_NETMASK_UNKNOWN)) errx(EX_DATAERR, "bpf \"%s\" compilation error", **av); bpf->bf_len = program.bf_len; memcpy(&bpf->bf_insn, program.bf_insns, sizeof(struct bpf_insn) * program.bf_len); (*cmd)->len |= (sizeof(ipfw_insn_bpf) + sizeof(struct bpf_insn) * (bpf->bf_len - 1)) / sizeof(uint32_t); pcap_freecode(&program); NEXT_ARG1; }
void bpf_try_compile(const char *rulefile, struct sock_fprog *bpf, uint32_t link_type) { int i, ret; const struct bpf_insn *ins; struct sock_filter *out; struct bpf_program _bpf; ret = pcap_compile_nopcap(65535, link_type, &_bpf, rulefile, 1, 0xffffffff); if (ret < 0) panic("Cannot compile filter %s\n", rulefile); bpf->len = _bpf.bf_len; bpf->filter = xrealloc(bpf->filter, 1, bpf->len * sizeof(*out)); for (i = 0, ins = _bpf.bf_insns, out = bpf->filter; i < bpf->len; ++i, ++ins, ++out) { out->code = ins->code; out->jt = ins->jt; out->jf = ins->jf; out->k = ins->k; if (out->code == 0x06 && out->k > 0) out->k = 0xFFFFFFFF; } pcap_freecode(&_bpf); if (__bpf_validate(bpf) == 0) panic("This is not a valid BPF program!\n"); }
static int pfring_zc_daq_set_filter(void *handle, const char *filter) { Pfring_Context_t *context = (Pfring_Context_t *) handle; #ifdef ENABLE_BPF if (pcap_compile_nopcap(context->snaplen, /* snaplen_arg */ DLT_EN10MB, /* linktype_arg */ &context->filter, /* program */ filter, /* const char *buf */ 0, /* optimize */ 0 /* mask */ ) == -1) { goto bpf_error; } if (context->filter.bf_insns == NULL) goto bpf_error; context->bpf_filter = 1; return DAQ_SUCCESS; bpf_error: DPE(context->errbuf, "%s: BPF state machine compilation failed!", __FUNCTION__); #else DPE(context->errbuf, "%s: BPF filters not supported!", __FUNCTION__); #endif return DAQ_ERROR; }
int set_raw_filter(unsigned int loc_idx, char *filter) { struct bpf_program raw_filter; //uint16_t snaplen = 65535; int linktype; //struct pcap_t *aa; int fd = -1; LERR("APPLY FILTER [%d]\n", loc_idx); if(loc_idx >= MAX_SOCKETS || sniffer_proto[loc_idx] == NULL) return 0; fd = pcap_get_selectable_fd(sniffer_proto[loc_idx]); linktype = profile_socket[loc_idx].link_type ? profile_socket[loc_idx].link_type : DLT_EN10MB; if (pcap_compile_nopcap(profile_socket[loc_idx].snap_len ? profile_socket[loc_idx].snap_len : 0xffff, linktype, &raw_filter, filter, 1, 0) == -1) { LERR("Failed to compile filter '%s'", filter); return -1; } #if ( defined (OS_LINUX) || defined (OS_SOLARIS) ) if(setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &raw_filter, sizeof(raw_filter)) < 0 ) { LERR(" setsockopt filter: [%s] [%d]", strerror(errno), errno); return -1; } #endif //free(BPF_code); pcap_freecode( (struct bpf_program *) &raw_filter); return 1; }
void CProtoEngBase::SetCombinedFilter() { #if UCFG_SNIF_FILTER try { for (size_t i=m_filters.size(); i--;) { CAdapterFilter& f = *m_filters[i]; String s; if (f.m_medium == PROTO_ETHERNET) //!!!? or NdisMedium802_5 s = m_sIPFilter; if (!m_sUserFilter.IsEmpty()) { if (!s.IsEmpty()) s += " and "; s += "("+m_sUserFilter+")"; } bpf_program bpf; char *buf = (char*)alloca(s.Length+1); strcpy(buf, s); if (pcap_compile_nopcap(0xFFFF, MediumToDlt(f.m_medium), &bpf, buf, 0, 0)<0) Throw(1); f.SetFilter(bpf); } } catch (RCExc) { m_sUserFilter = ""; throw; } #endif }
int main(int argc, char *argv[]) { struct bpf_program prog; parse_args(argc, argv); if (pcap_compile_nopcap(snaplen, dlt, &prog, expr, 1, 0)) { fprintf(stderr, "Syntax error in expression\n"); exit(EX_USAGE); } switch(format) { case RAW: print_raw(&prog); break; case HEXSTRING: print_hexstring(&prog); break; case NG_BPF: print_ng_bpf(&prog); break; } return EX_OK; }
int pcap_ex_compile_nopcap(int snaplen, int dlt, struct bpf_program *fp, char *str, int optimize, unsigned int netmask) { #ifdef HAVE_PCAP_COMPILE_NOPCAP #ifdef __NetBSD__ /* We love consistent interfaces */ char errbuf[PCAP_ERRBUF_SIZE]; return (pcap_compile_nopcap(snaplen, dlt, fp, str, optimize, netmask, errbuf)); #else return (pcap_compile_nopcap(snaplen, dlt, fp, str, optimize, netmask)); #endif #else FILE *f; struct pcap_file_header hdr; pcap_t *pc; char path[] = "/tmp/.pypcapXXXXXX.pcap"; char ebuf[PCAP_ERRBUF_SIZE]; int ret = -1; mktemp(path); if ((f = fopen(path, "w")) != NULL ) { hdr.magic = 0xa1b2c3d4; hdr.version_major = PCAP_VERSION_MAJOR; hdr.version_minor = PCAP_VERSION_MINOR; hdr.thiszone = 0; hdr.snaplen = snaplen; hdr.sigfigs = 0; hdr.linktype = dlt; fwrite(&hdr, sizeof(hdr), 1, f); fclose(f); if ((pc = pcap_open_offline(path, ebuf)) != NULL ) { ret = pcap_compile(pc, fp, str, optimize, netmask); pcap_close(pc); } unlink(path); } return (ret); #endif }
int parse_bpf_filter(char *filter_buffer, u_int caplen) { if(pcap_compile_nopcap(caplen, /* snaplen_arg */ DLT_EN10MB, /* linktype_arg */ &filter, /* program */ filter_buffer, /* const char *buf */ 0, /* optimize */ 0 /* mask */ ) == -1) { return -1; } if(filter.bf_insns == NULL) return -1; return 0; }
int pfring_mod_set_bpf_filter(pfring *ring, char *filter_buffer){ int rc = -1; #ifdef ENABLE_BPF struct bpf_program filter; struct sock_fprog fcode; if(!filter_buffer) return -1; if(unlikely(ring->reentrant)) pthread_rwlock_wrlock(&ring->rx_lock); if(pcap_compile_nopcap(ring->caplen, /* snaplen_arg */ DLT_EN10MB, /* linktype_arg */ &filter, /* program */ filter_buffer, /* const char *buf */ 0, /* optimize */ 0 /* mask */ ) == -1) { rc = -1; goto pfring_mod_set_bpf_filter_exit; } if(filter.bf_insns == NULL) { rc = -1; goto pfring_mod_set_bpf_filter_exit; } fcode.len = filter.bf_len; fcode.filter = (struct sock_filter*)filter.bf_insns; rc = setsockopt(ring->fd, 0, SO_ATTACH_FILTER, &fcode, sizeof(fcode)); if(rc == -1) pfring_mod_remove_bpf_filter(ring); pfring_mod_set_bpf_filter_exit: if(unlikely(ring->reentrant)) pthread_rwlock_unlock(&ring->rx_lock); #endif return rc; }