[Winpcap-users] Filtering during offline file read
Guy Harris
guy at alum.mit.edu
Sun Apr 11 23:19:12 PDT 2010
On Apr 11, 2010, at 9:01 PM, Charles Bland wrote:
> I want to filter packets I'm reading from an offline file. What throws me
> is what do I do with the netmask argument? How does an offline file have a
> netmask?
With libpcap files, it doesn't. With a pcap-ng file, it does, but only the latest shiniest version of libpcap supports reading pcap-ng files, and that version hasn't yet been made the basis of a WinPcap release.
*HOWEVER*:
The *only* way in which the netmask is used by pcap_compile() is for the "broadcast" keyword if it's checking *IP* addresses rather than *MAC* addresses.
If you don't care about checking for IP broadcast addresses in a filter, you can specify 0 or 0xffffffff as the netmask; if you *do* care, there's nothing you can do other than find out - from some source other than the capture file - what the netmask was for that network, and supply that.
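Added example (not part of the original message and not libpcap's code): a small C model of the documented "ip broadcast" test, in which the destination's host bits are all zeros or all ones, showing that the same saved packets match differently depending on the netmask supplied. The frame bytes, the helper names and the host-byte-order netmask are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FRAME_LEN 34                /* 14-byte Ethernet + 20-byte IPv4 header */
#define NETMASK_UNKNOWN 0xffffffffu /* value libpcap calls PCAP_NETMASK_UNKNOWN */

/* Constructed sample frames: only the EtherType (offset 12) and the IPv4
 * destination address (offset 30) are set; all other bytes are zero. */
static const uint8_t frames[][FRAME_LEN] = {
    { [12] = 0x08, [13] = 0x00, [30] = 192, [31] = 168, [32] = 1,   [33] = 255 },
    { [12] = 0x08, [13] = 0x00, [30] = 192, [31] = 168, [32] = 1,   [33] = 0   },
    { [12] = 0x08, [13] = 0x00, [30] = 192, [31] = 168, [32] = 255, [33] = 255 },
    { [12] = 0x08, [13] = 0x00, [30] = 255, [31] = 255, [32] = 255, [33] = 255 },
    { [12] = 0x08, [13] = 0x00, [30] = 192, [31] = 168, [32] = 1,   [33] = 10  },
    { [12] = 0x08, [13] = 0x06, [30] = 255, [31] = 255, [32] = 255, [33] = 255 }, /* ARP */
};

/* Returns 1 if the frame is IPv4 with an all-zeros or all-ones host part,
 * 0 if not, and -1 when the mask is 0xffffffff: no host bits remain, so the
 * test would be vacuously true (current libpcap rejects this case). */
static int is_ip_broadcast(const uint8_t *f, uint32_t netmask)
{
    if (netmask == NETMASK_UNKNOWN) return -1;
    if (f[12] != 0x08 || f[13] != 0x00) return 0;   /* not IPv4 */
    uint32_t dst = (uint32_t)f[30] << 24 | (uint32_t)f[31] << 16 |
                   (uint32_t)f[32] << 8 | f[33];
    uint32_t hostmask = ~netmask;
    uint32_t hostbits = dst & hostmask;
    return hostbits == 0 || hostbits == hostmask;
}

/* Number of sample frames matching under the given netmask, or -1. */
int count_ip_broadcast(uint32_t netmask)
{
    int n = 0;
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        int r = is_ip_broadcast(frames[i], netmask);
        if (r < 0) return -1;
        n += r;
    }
    return n;
}

int main(void)
{
    printf("/24: %d  /16: %d  mask 0: %d\n", count_ip_broadcast(0xffffff00u),
           count_ip_broadcast(0xffff0000u), count_ip_broadcast(0));
    return 0;
}
```

With a mask of 0 only 255.255.255.255 matches among these samples, so subnet-directed broadcasts in a saved capture are missed unless the original network's mask is supplied.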