Ethereal-users: Re: [Ethereal-users] Capture filter bug.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 22 Feb 2001 16:54:21 -0800 (PST)
> remove libpcap-0.6.2 source tree
> untar libpcap-0.5.2 source tree
> cd libpcap-0.5.2
> ./configure --prefix=/usr --enable-shared ; make ; make install
> cd ../ethereal-0.8.15
> make distclean
> ./configure --prefix=/usr --enable-shared ; make ; make install
> 
> Under linux-2.4.1, ethereal 0.8.15, libpcap 0.5.2, the problem does not
> happen.  The problem *does* occur with libpcap 0.6.2.

It's probably a problem with either Linux PF_PACKET sockets or with the
packet socket mechanism, then; libpcap 0.5.x doesn't use it on Linux,
libpcap 0.6.x does.

Is your kernel configured with the socket filter option?  (If you don't
know, try modifying "pcap-linux.c" in the libpcap 0.6.2 source, changing
the

		case 1:
			/*
			 * We have a filter that'll work in the kernel.
			 */
			can_filter_in_kernel = 1;
			break;

code in "pcap_setfilter()" to instead be

		case 1:
			/*
			 * We have a filter that'll work in the kernel.
			 * (But we're not going to use it in the kernel.)
			 */
			can_filter_in_kernel = 0;
			break;

Then rebuild and install the new 0.6.2 library, and see if the problem
still happens.

If it still happens, then it's probably a problem with PF_PACKET
sockets, or with the user-mode packet filtering code, as the change in
question will keep libpcap from using the kernel-mode packet filtering
code.

If it *doesn't* still happen, then it's probably a problem with the
kernel packet filtering code (and it means your kernel is configured
with the socket filter option).