Ethereal-dev: [Ethereal-dev] Filters do not match
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Soft Boy <etherealfilter@xxxxxxxxx>
Date: Wed, 24 Mar 2004 06:43:06 -0800 (PST)
Hi,

I am trying to make a tool by slightly modifying ethereal. As an experiment I have changed the function main() as shown below. The main function basically calls the APIs used to compile the dfilter, create the dissector and run the dfilter code. It has an ARP packet and a read filter 'arp', passed as a command-line argument, which should match this packet. Similarly, filters 'ip' and 'tcp' should not match this packet. However, what I am getting is always NO match. Am I missing anything here?

The Makefile has no change except that I have disabled the compiler optimization.

Any help will be appreciated.

thanks and regards,
SoftBoy
int
main(int argc, char *argv[])
{
  /* This main() replaces the one in tethereal.c and relies on that file's
     globals (cfile, ld, decode, print_format, comp_info_str, runtime_info_str). */
  int opt;
  extern char *optarg;
  gboolean arg_error = FALSE;
  gboolean passed = TRUE;
  gchar *rfilter = NULL;
#ifdef HAVE_PCAP_OPEN_DEAD
  struct bpf_program fcode;
#endif
  dfilter_t *rfcode = NULL;
  frame_data fdata;
  epan_dissect_t *edt = NULL;
  struct wtap_pkthdr whdr;
  union wtap_pseudo_header pseudo_header;
  cb_args_t args;
  int err;
  struct pcap_pkthdr hdr;
  struct pcap_pkthdr *phdr = &hdr;
  /* One Ethernet frame carrying an ARP request (ethertype 0x0806): 14 bytes
     of Ethernet header plus a 28-byte ARP body, 42 bytes in all. The buffer
     is larger than the frame, so hdr.len/hdr.caplen below say how much of
     it is valid. */
  guchar data[64] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x0c, 0x29, 0x15, 0x9d, 0xa7,
    0x08, 0x06, 0x00, 0x01, 0x08, 0x00,
    0x06, 0x04, 0x00, 0x01, 0x00, 0x50,
    0x56, 0xc0, 0x00, 0x01, 0xc0, 0xa8,
    0x3e, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xc0, 0xa8, 0x3e, 0x03
  };
  /* The array decays to guchar *; "&data" would be a guchar (*)[64]. */
  guchar *pd = data;

  hdr.ts.tv_sec = 0;
  hdr.ts.tv_usec = 0;
  hdr.len = 42;
  hdr.caplen = 42;

  /* Register all dissectors; we must do this before checking for the
     "-G" flag, as the "-G" flag dumps information registered by the
     dissectors, and we must do it before we read the preferences, in
     case any dissectors register preferences. */
  epan_init(PLUGIN_DIR, register_all_protocols, register_all_protocol_handoffs);

  /* Now get our args */
  while ((opt = getopt(argc, argv,
                       "a:b:c:d:Df:F:hi:lLnN:o:pqr:R:s:St:T:vw:Vxy:z:")) != -1) {
    switch (opt) {
    case 'd':        /* Decode as rule */
      if (!add_decode_as(optarg))
        exit(1);
      break;
    case 'h':        /* Print help and exit */
      print_usage(TRUE);
      exit(0);
      break;
    case 'S':        /* show packets in real time */
      decode = TRUE;
      break;
    case 'T':        /* printing Type */
      if (strcmp(optarg, "text") == 0)
        print_format = PR_FMT_TEXT;
      else if (strcmp(optarg, "pdml") == 0)
        print_format = PR_FMT_PDML;
      else if (strcmp(optarg, "ps") == 0)
        print_format = PR_FMT_PS;
      else {
        fprintf(stderr, "tethereal: Invalid -T parameter.\n");
        fprintf(stderr, "It must be \"ps\", \"text\" or \"pdml\".\n");
        exit(1);
      }
      break;
    case 'v':        /* Show version and exit */
      printf("t" PACKAGE " " VERSION
#ifdef CVSVERSION
             " (" CVSVERSION ")"
#endif
             "\n%s\n%s\n",
             comp_info_str->str, runtime_info_str->str);
      exit(0);
      break;
    default:
    case '?':        /* Bad flag - print usage message */
      arg_error = TRUE;
      break;
    }
  }

  /* If no capture filter or read filter has been specified, and there are
     still command-line arguments, treat them as the tokens of a capture
     filter (if no "-r" flag was specified) or a read filter (if a "-r"
     flag was specified). */
  if (optind < argc) {
    rfilter = get_args_as_string(argc, argv, optind);
  }

  /* Compile the read (display) filter; on failure, check whether the text
     would have compiled as a capture filter and say so. */
  if (rfilter != NULL) {
    if (!dfilter_compile(rfilter, &rfcode)) {
      fprintf(stderr, "tethereal: %s\n", dfilter_error_msg);
      epan_cleanup();
#ifdef HAVE_PCAP_OPEN_DEAD
      {
        pcap_t *p;
        p = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
        if (p != NULL) {
          if (pcap_compile(p, &fcode, rfilter, 0, 0) != -1) {
            fprintf(stderr,
                    "  Note: That display filter code looks like a valid capture filter;\n"
                    "  maybe you mixed them up?\n");
          }
          pcap_close(p);
        }
      }
#endif
      exit(2);
    }
  }
  cfile.rfcode = rfcode;

  /* Initialize all data structures used for dissection. */
  init_dissection();

  /* The embedded frame is Ethernet, so say so. With WTAP_ENCAP_UNKNOWN the
     frame dissector has no handler to pass the bytes to, nothing below the
     frame is dissected, and no protocol filter ("arp", "ip", "tcp") can
     match. Tethereal takes this value from the capture's link type. */
  ld.linktype = WTAP_ENCAP_ETHERNET;
  ld.pdh = NULL;

  /* Convert from libpcap to Wiretap format. If that fails, ignore the
     packet (wtap_process_pcap_packet has written an error message). */
  pd = wtap_process_pcap_packet(ld.linktype, phdr, pd, &pseudo_header,
                                &whdr, &err);
  if (pd == NULL) {
    return -1;
  }
  args.cf = &cfile;
  args.pdh = ld.pdh;

  /* Prime the dissection with the fields the filter needs, dissect the
     frame, then evaluate the filter against the protocol tree. */
  if (cfile.rfcode) {
    fill_in_fdata(&fdata, &cfile, &whdr, 0);
    edt = epan_dissect_new(TRUE, TRUE);
    epan_dissect_prime_dfilter(edt, cfile.rfcode);
    epan_dissect_run(edt, &pseudo_header, pd, &fdata, NULL);
    passed = dfilter_apply_edt(cfile.rfcode, edt);
  }
  printf("The filter has %spassed\n", (passed ? "" : "NOT "));

  if (edt != NULL)
    epan_dissect_free(edt);
  if (cfile.rfcode)
    clear_fdata(&fdata);
  epan_cleanup();
  return 0;
}
--- Soft Boy <etherealfilter@xxxxxxxxx> wrote:
> > Libethereal is work in progress to put the
> > dissection and display filter stuff into a library.
> > While the library exists by now, the API
> > a) probably needs cleanup and
> > b) should be usable anyway.
>
> Where are the APIs? Is there any doc/readme or can
> you please refer me to particular C files?
>
> > > Can I build libethereal using the
> > > ethereal.0.10.2 which I have downloaded?
> >
> > No, libethereal (under unix) exists in current cvs only.
> > If you want to test, take a look at the web pages
> > -> development on how to download via cvs or the
> > nightly source snapshots.
>
> Thanks.
> I took ethereal0.10.2 and compiled epan only. It gave
> me 3 archives: libethereal, libdfilter, and libftypes.
> I guess these do not have the dissectors. Do we have
> any makefile to archive the dissector code in a library?
>
> regards,
> soft boy
>
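The situation described in the post, reduced to a stand-alone added example (this is not Ethereal code and not the poster's): the same 42-byte Ethernet/ARP frame is handed to a tiny dissector under two link-layer encapsulations, and the one-word read filters "arp", "ip" and "tcp" are evaluated against the result. Everything except the ARP bytes is an assumption of this example: the ENCAP_* and PROTO_* names, filter_compile()/filter_apply(), and the constructed 54-byte TCP SYN frame (checksums left at zero) used for contrast. Each length check bounds every read by caplen, which is what a dissector must do with packet bytes it does not control.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Link-layer encapsulation of the buffer handed to the dissector. It plays
   the role of Ethereal's WTAP_ENCAP_* value; the names are this example's own. */
enum encap { ENCAP_UNKNOWN = 0, ENCAP_ETHERNET = 1 };

/* Protocols a one-word read filter can name, as a bitmask (example's own). */
enum proto { PROTO_ETH = 1, PROTO_ARP = 2, PROTO_IP = 4, PROTO_TCP = 8, PROTO_UDP = 16 };

/* The 42-byte Ethernet/ARP request embedded in the post (ethertype 0x0806). */
static const uint8_t arp_frame[42] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x0c, 0x29, 0x15, 0x9d, 0xa7, 0x08, 0x06,
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01, 0x00, 0x50, 0x56, 0xc0, 0x00, 0x01,
    0xc0, 0xa8, 0x3e, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0xa8, 0x3e, 0x03
};

/* Constructed for this example: Ethernet/IPv4/TCP SYN, 54 bytes, zero checksums. */
static const uint8_t tcp_frame[54] = {
    0x00, 0x0c, 0x29, 0x15, 0x9d, 0xa7, 0x00, 0x50, 0x56, 0xc0, 0x00, 0x01, 0x08, 0x00, /* eth  */
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,             /* ipv4 */
    0xc0, 0xa8, 0x3e, 0x01, 0xc0, 0xa8, 0x3e, 0x03,
    0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,             /* tcp  */
    0x50, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Walk the frame and return the bitmask of protocols recognised. With an
   unknown encapsulation there is no handler to give the bytes to, so nothing
   is found and no protocol filter can match: the "always NO match" symptom. */
unsigned dissect(enum encap linktype, const uint8_t *pd, size_t caplen)
{
    unsigned found = 0;
    uint16_t ethertype;
    size_t ihl;

    if (linktype != ENCAP_ETHERNET || caplen < 14)
        return found;
    found |= PROTO_ETH;
    ethertype = (uint16_t)((pd[12] << 8) | pd[13]);

    if (ethertype == 0x0806) {
        if (caplen >= 14 + 28)              /* Ethernet/IPv4 ARP body is 28 bytes */
            found |= PROTO_ARP;
    } else if (ethertype == 0x0800) {
        if (caplen < 14 + 20 || (pd[14] >> 4) != 4)
            return found;
        ihl = (size_t)(pd[14] & 0x0f) * 4;  /* header length from the IHL nibble */
        if (ihl < 20 || caplen < 14 + ihl)
            return found;
        found |= PROTO_IP;
        if (pd[14 + 9] == 6 && caplen >= 14 + ihl + 20)       /* protocol field: TCP */
            found |= PROTO_TCP;
        else if (pd[14 + 9] == 17 && caplen >= 14 + ihl + 8)  /* protocol field: UDP */
            found |= PROTO_UDP;
    }
    return found;
}

/* "Compile" a single-protocol read filter into the bit it tests; 0 means the
   filter did not compile (unknown protocol name). */
unsigned filter_compile(const char *rfilter)
{
    static const struct { const char *name; unsigned bit; } names[] = {
        { "eth", PROTO_ETH }, { "arp", PROTO_ARP }, { "ip", PROTO_IP },
        { "tcp", PROTO_TCP }, { "udp", PROTO_UDP }
    };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcmp(rfilter, names[i].name) == 0)
            return names[i].bit;
    return 0;
}

/* Apply a compiled filter to a dissection result: 1 = match, 0 = no match. */
int filter_apply(unsigned compiled, unsigned found)
{
    return compiled != 0 && (found & compiled) == compiled;
}

int main(void)
{
    const char *filters[] = { "arp", "ip", "tcp" };
    unsigned known = dissect(ENCAP_ETHERNET, arp_frame, sizeof arp_frame);
    unsigned unknown = dissect(ENCAP_UNKNOWN, arp_frame, sizeof arp_frame);
    size_t i;

    for (i = 0; i < sizeof filters / sizeof filters[0]; i++)
        printf("%-3s  ethernet: %-8s  unknown encap: %s\n", filters[i],
               filter_apply(filter_compile(filters[i]), known) ? "match" : "NO match",
               filter_apply(filter_compile(filters[i]), unknown) ? "match" : "NO match");
    return 0;
}
```

Run as written, the ARP frame matches "arp" and not "ip" or "tcp" when the encapsulation is Ethernet, and matches nothing at all under ENCAP_UNKNOWN; a truncated capture (caplen shorter than the ARP body) is reported as Ethernet only, rather than read past the end of the buffer.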
- Follow-Ups:
  - Re: [Ethereal-dev] Filters do not match, From: Guy Harris
- References:
  - Re: [Ethereal-dev] Display filter working, From: Soft Boy