[Winpcap-users] can I change a filter during capture withWinPCapwithout losing packets?

[Guy Harris]

On Aug 24, 2010, at 10:49 AM, Gianluca Varenni wrote:

> The main problem would be linux, where the only behavior is not flushing the 
> buffers. So either you have a broken API like pcap_setfilter that is 
> supposed to flush the buffer (but it doesn't) or you break the linux 
> applications by adding the pcap_setfilter_noflush and have pcap_setfilter 
> fail on linux. Something broken in both cases...

Eh?

	On those BPF-based systems with the BIOCSETFNR ioctl, pcap_setfilter() flushes the buffer and pcap_setfilter_noflush() doesn't.

	On those BPF-based systems without the BIOCSETFNR ioctl, pcap_setfilter() flushes the buffer and pcap_setfilter_noflush() returns an error.

	On Linux, pcap_setfilter() flushes the buffer because it makes an effort to do so (see set_kernel_filter() in pcap-linux.c) and pcap_setfilter_noflush() doesn't (because it doesn't go through all the effort to do so that pcap_setfilter() does).

	On Windows, if WinPcap added a call to change the filter without flushing, pcap_setfilter() flushes the buffer and pcap_setfilter_noflush() doesn't.

	On systems without kernel-based filtering, neither of them flush the buffer, as the next packet read after the filter is changed is run through the new filter.

	On other systems with kernel-based filtering and without a "change filter without flushing the buffer" call, pcap_setfilter() flushes the buffer and pcap_setfilter_noflush() returns an error.