Step-by-Step learning using Winpcap (5)

Filter data streams

One of the most powerful features of Winpcap or libpcap is the data stream filtering engine. It provides an efficient way to capture part of the network data stream and is often integrated with the capture mechanism of Winpcap. The data filtering functions are pcap_compile () and pcap_setfilter ().

Pcap_compile () is used to compile a filter device. It uses a high-level Boolean expression to generate a series of low-level bytecode that can be interpreted by the filter engine. Boolean indicates that the syntax can be found in the Development Kit.

Pcap_setfilter () is used to contact a filter filtered by the kernel driver. Once called, all network packets will flow through the related filters and be copied to the application.

The following code shows how to compile and set a filter. Note that we must obtain the mask (description adapter) from the pcap_if structure, because some filters created by pcap_compile () need this parameter during creation.

In the following code segment, the "IP and TCP" parameter of pcap_compile () indicates that only packets that belong to both IPv4 and TCP data are transmitted to the application.

 If (D-> addresses! = NULL) <br/>/* retrieve the mask of the first address of the interface */<br/> netmask = (struct sockaddr_in *) (d-> addresses-> netmask)-> sin_addr.s_un.s_addr; <br/> else <br/>/* If the interface is without an address we suppose to be in a C Class Network */<br/> netmask = 0 xffffff; </P> <p>/* compile the filter */<br/> If (pcap_compile (adhandle, & fcode, "IP and TCP", 1, netmask) <0) <br/>{< br/> fprintf (stderr, "/nunable to compile the packet filter. check the syntax. /n "); <br/>/* free the device list */<br/> pcap_freealldevs (alldevs); <br/> return-1; <br/>}</P> <p>/* set the filter */<br/> If (pcap_setfilter (adhandle, & fcode) <0) <br/>{< br/> fprintf (stderr, "/nerror setting the filter. /n "); <br/>/* free the device list */<br/> pcap_freealldevs (alldevs); <br/> return-1; <br/>}< br/>

For more information about how to filter data streams using filters in this section, see the next section-parse data packets.

Appendix:

One of the most powerful features offered by Winpcap (and by libpcap as well) is the filtering engine. it provides a very efficient way to receive subsets of the network traffic, and is (usually) integrated with the capture mechanic provided by Winpcap. the functions used to filter packets are pcap_compile () and pcap_setfilter ().

Pcap_compile () takes a string containing a high-level Boolean (filter) expression and produces a low-level byte code that can be interpreted by the fileter engine in the packet driver. the syntax of the Boolean expression can be found in the filtering expression syntax section of this documentation.

Pcap_setfilter () associates a filter with a capture session in the kernel driver. once pcap_setfilter () is called, the associated filter will be applied to all the packets coming from the network, and all the conformant packets (I. E ., packets for which the Boolean expression evaluates to true) will be actually copied to the application.

The following code shows how to compile and set a filter. Note that we must retrieve the netmask from the pcap_if structure that describes the adapter, because some filters created by pcap_compile () requit.

The filter passed to pcap_compile () in this code snippet is "IP and TCP", which means to "keep only the packets that are both IPv4 and TCP and deliver them to the application ".

/* Codes */

If you want to see some code that uses the filtering functions shown in this lesson, look at the example presented in the next lesson, interpreting the packets.

# End