我正在拧一个用于过滤CAP转储文件的自定义应用程序。在开始开发之前,我在Wireshark中尝试了预期的过滤表达式:
(eapol || wlan.fc.type_subtype == 0x08)&& wlan.bssid == 00:11:00:11:00:11
,它完美地工作了。但是,当我在应用程序中实现此过滤时(请参见下面的src代码),我开始针对完全相同的过滤表达式而收到“错误过滤器-语法错误”。我的Libpcap和过滤器出了什么问题?
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <pcap.h>
#include <time.h>
#include <pcap.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>
char *inputFileName=NULL;
char *outputFileName=NULL;
char *bssId=NULL;
char *filter_expNew = "(eapol || wlan.fc.type_subtype == 0x08) && wlan.bssid == 00:11:00:11:00:11";
void my_packet_handler(
u_char *args,
const struct pcap_pkthdr* header,
const u_char* packet
) {
struct ether_header *eth_header;
/* The packet is larger than the ether_header struct,
but we just want to look at the first part of the packet
that contains the header. We force the compiler
to treat the pointer to the packet as just a pointer
to the ether_header. The data payload of the packet comes
after the headers. Different packet types have different header
lengths though, but the ethernet header is always the same (14 bytes) */
eth_header = (struct ether_header *) packet;
if (ntohs(eth_header->ether_type) == ETHERTYPE_IP) {
printf("IP\n");
} else if (ntohs(eth_header->ether_type) == ETHERTYPE_ARP) {
printf("ARP\n");
} else if (ntohs(eth_header->ether_type) == ETHERTYPE_REVARP) {
printf("Reverse ARP\n");
}
FILE *fo = fopen(outputFileName,"wb");
fclose(fo);
}
void print_packet_info(const u_char *packet, struct pcap_pkthdr packet_header);
// taken from https://www.devdungeon.com/content/using-libpcap-c#load-pcap-file
int main(int argc, char **argv) {
printf("Filtering expression:%s\n",filter_expNew);
char dev[] = "any";
pcap_t *handle;
char error_buffer[PCAP_ERRBUF_SIZE];
struct bpf_program filter;
bpf_u_int32 subnet_mask, ip;
if (pcap_lookupnet(dev, &ip, &subnet_mask, error_buffer) == -1) {
printf("Could not get information for device: %s\n", dev);
ip = 0;
subnet_mask = 0;
}
handle = pcap_open_offline(inputFileName, error_buffer);
if (handle == NULL) {
printf("Could not open %s - %s\n", dev, error_buffer);
return 2;
}
if (pcap_compile(handle, &filter, filter_exp, 0, ip) == -1) {
printf("Bad filter - %s\n", pcap_geterr(handle));
return 2;
}
if (pcap_setfilter(handle, &filter) == -1) {
printf("Error setting filter - %s\n", pcap_geterr(handle));
return 2;
}
if (pcap_compile(handle, &filter, filter_expNew, 0, ip) == -1) {
printf("Bad filter - %s\n", pcap_geterr(handle));
return 2;
}
if (pcap_setfilter(handle, &filter) == -1) {
printf("Error setting filter - %s\n", pcap_geterr(handle));
return 2;
}
pcap_loop(handle, 0, my_packet_handler, NULL);
pcap_close(handle);
return 0;
}