group__wpcap__tut5.html

WinPcap V4.01技术手册

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1">
<title>WinPcap: Filtering the traffic</title>
<link href="style.css" rel="stylesheet" type="text/css">
<link href="tabs.css" rel="stylesheet" type="text/css">
</head><body>
<!-- Generated by Doxygen 1.5.1 -->
<div class="tabs">
  <ul>
    <li><a href="main.html"><span>Main&nbsp;Page</span></a></li>
    <li><a href="modules.html"><span>Modules</span></a></li>
    <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
    <li><a href="files.html"><span>Files</span></a></li>
    <li><a href="pages.html"><span>Related&nbsp;Pages</span></a></li>
  </ul></div>
<h1>Filtering the traffic</h1><table border="0" cellpadding="0" cellspacing="0">
<tr><td></td></tr>
</table>
One of the most powerful features offered by WinPcap (and by libpcap as well) is the filtering engine. It provides a very efficient way to receive subsets of the network traffic, and is (usually) integrated with the capture mechanism provided by WinPcap. The functions used to filter packets are <a class="el" href="group__wpcapfunc.html#g363bdc6f6b39b4979ddcf15ecb830c5c">pcap_compile()</a> and <a class="el" href="group__wpcapfunc.html#gf5f9cfe85dad0967ff607e5159b1ba61">pcap_setfilter()</a>.<p>
<a class="el" href="group__wpcapfunc.html#g363bdc6f6b39b4979ddcf15ecb830c5c">pcap_compile()</a> takes a string containing a high-level Boolean (filter) expression and produces a low-level byte code that can be interpreted by the fileter engine in the packet driver. The syntax of the boolean expression can be found in the <a class="el" href="group__language.html">Filtering expression syntax</a> section of this documentation.<p>
<a class="el" href="group__wpcapfunc.html#gf5f9cfe85dad0967ff607e5159b1ba61">pcap_setfilter()</a> associates a filter with a capture session in the kernel driver. Once <a class="el" href="group__wpcapfunc.html#gf5f9cfe85dad0967ff607e5159b1ba61">pcap_setfilter()</a> is called, the associated filter will be applied to all the packets coming from the network, and all the conformant packets (i.e., packets for which the Boolean expression evaluates to true) will be actually copied to the application.<p>
The following code shows how to compile and set a filter. Note that we must retrieve the netmask from the <a class="el" href="structpcap__if.html">pcap_if</a> structure that describes the adapter, because some filters created by <a class="el" href="group__wpcapfunc.html#g363bdc6f6b39b4979ddcf15ecb830c5c">pcap_compile()</a> require it.<p>
The filter passed to <a class="el" href="group__wpcapfunc.html#g363bdc6f6b39b4979ddcf15ecb830c5c">pcap_compile()</a> in this code snippet is "ip and tcp", which means to "keep only the packets that are both IPv4 and TCP and deliver them to the application".<p>
<div class="fragment"><pre class="fragment">    <span class="keywordflow">if</span> (d-&gt;<a class="code" href="structpcap__if.html#3910004677550db6d9b09792ba3e2cca">addresses</a> != NULL)
        <span class="comment">/* Retrieve the mask of the first address of the interface */</span>
        netmask=((<span class="keyword">struct </span>sockaddr_in *)(d-&gt;<a class="code" href="structpcap__if.html#3910004677550db6d9b09792ba3e2cca">addresses</a>-&gt;<a class="code" href="structpcap__addr.html#c43963e42e4d901e55e433ab9c3ea686">netmask</a>))-&gt;sin_addr.S_un.S_addr;
    <span class="keywordflow">else</span>
        <span class="comment">/* If the interface is without an address we suppose to be in a C class network */</span>
        netmask=0xffffff; 


compile the filter
    if (<a class="code" href="group__wpcapfunc.html#g363bdc6f6b39b4979ddcf15ecb830c5c">pcap_compile</a>(adhandle, &amp;fcode, <span class="stringliteral">"ip and tcp"</span>, 1, netmask) &lt; 0)
    {
        fprintf(stderr,<span class="stringliteral">"\nUnable to compile the packet filter. Check the syntax.\n"</span>);
        <span class="comment">/* Free the device list */</span>
        <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1">pcap_freealldevs</a>(alldevs);
        <span class="keywordflow">return</span> -1;
    }
    
set the filter
    <span class="keywordflow">if</span> (<a class="code" href="group__wpcapfunc.html#gf5f9cfe85dad0967ff607e5159b1ba61">pcap_setfilter</a>(adhandle, &amp;fcode) &lt; 0)
    {
        fprintf(stderr,<span class="stringliteral">"\nError setting the filter.\n"</span>);
        <span class="comment">/* Free the device list */</span>
        <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1">pcap_freealldevs</a>(alldevs);
        <span class="keywordflow">return</span> -1;
    }
</pre></div><p>
If you want to see some code that uses the filtering functions shown in this lesson, look at the example presented in the next Lesson, <a class="el" href="group__wpcap__tut6.html">Interpreting the packets</a>.<p>
<a class="el" href="group__wpcap__tut4.html">&lt;&lt;&lt; Previous</a> <a class="el" href="group__wpcap__tut6.html">Next &gt;&gt;&gt;</a> 
<hr>
<p align="right"><img border="0" src="winpcap_small.gif" align="absbottom" width="91" height="27">
documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005-2007 
CACE Technologies. All rights reserved.</p>