// SetBPFFilter compiles and sets a BPF filter for the pcap handle.
func (p *Handle) SetBPFFilter(expr string) (err error) {
bpf, err := p.compileBPFFilter(expr)
defer C.pcap_freecode(&bpf)
if err != nil {
return err
}
if -1 == C.pcap_setfilter(p.cptr, &bpf) {
C.pcap_freecode(&bpf)
return p.Error()
}
return nil
}
// SetBPFInstructionFilter may be used to apply a filter in BPF asm byte code format.
//
// Simplest way to generate BPF asm byte code is with tcpdump:
// tcpdump -dd 'udp'
//
// The output may be used directly to add a filter, e.g.:
// bpfInstructions := []pcap.BpfInstruction{
// {0x28, 0, 0, 0x0000000c},
// {0x15, 0, 9, 0x00000800},
// {0x30, 0, 0, 0x00000017},
// {0x15, 0, 7, 0x00000006},
// {0x28, 0, 0, 0x00000014},
// {0x45, 5, 0, 0x00001fff},
// {0xb1, 0, 0, 0x0000000e},
// {0x50, 0, 0, 0x0000001b},
// {0x54, 0, 0, 0x00000012},
// {0x15, 0, 1, 0x00000012},
// {0x6, 0, 0, 0x0000ffff},
// {0x6, 0, 0, 0x00000000},
// }
//
// An other posibility is to write the bpf code in bpf asm.
// Documentation: https://www.kernel.org/doc/Documentation/networking/filter.txt
//
// To compile the code use bpf_asm from
// https://github.com/torvalds/linux/tree/master/tools/net
//
// The following command may be used to convert bpf_asm output to c/go struct, usable for SetBPFFilterByte:
// bpf_asm -c tcp.bpf
func (p *Handle) SetBPFInstructionFilter(bpfInstructions []BPFInstruction) (err error) {
bpf, err := bpfInstructionFilter(bpfInstructions)
if err != nil {
return err
}
if -1 == C.pcap_setfilter(p.cptr, &bpf) {
C.pcap_freecode(&bpf)
return p.Error()
}
C.pcap_freecode(&bpf)
return nil
}
func (p *Pcap) Setfilter(expr string) (err string) {
var bpf _Ctype_struct_bpf_program
if -1 == C.pcap_compile(p.cptr, &bpf, C.CString(expr), 1, 0) {
return p.Geterror()
}
if -1 == C.pcap_setfilter(p.cptr, &bpf) {
C.pcap_freecode(&bpf)
return p.Geterror()
}
C.pcap_freecode(&bpf)
return ""
}
func (p *Pcap) SetFilter(expr string) (err error) {
var bpf _Ctype_struct_bpf_program
cexpr := C.CString(expr)
defer C.free(unsafe.Pointer(cexpr))
if -1 == C.pcap_compile(p.cptr, &bpf, cexpr, 1, 0) {
return p.Geterror()
}
if -1 == C.pcap_setfilter(p.cptr, &bpf) {
C.pcap_freecode(&bpf)
return p.Geterror()
}
C.pcap_freecode(&bpf)
return nil
}
// SetBPFFilter compiles and sets a BPF filter for the pcap handle.
func (p *Handle) SetBPFFilter(expr string) (err error) {
p.activate.Do(p.activation)
var bpf _Ctype_struct_bpf_program
cexpr := C.CString(expr)
defer C.free(unsafe.Pointer(cexpr))
if -1 == C.pcap_compile(p.cptr, &bpf, cexpr, 1, 0) {
return p.Error()
}
if -1 == C.pcap_setfilter(p.cptr, &bpf) {
C.pcap_freecode(&bpf)
return p.Error()
}
C.pcap_freecode(&bpf)
return nil
}
// SetBPFFilter compiles and sets a BPF filter for the pcap handle.
func (p *Handle) SetBPFFilter(expr string) (err error) {
errorBuf := (*C.char)(C.calloc(errorBufferSize, 1))
defer C.free(unsafe.Pointer(errorBuf))
var netp uint32
var maskp uint32
// Only do the lookup on network interfaces.
// No device indicates we're handling a pcap file.
if len(p.device) > 0 {
dev := C.CString(p.device)
defer C.free(unsafe.Pointer(dev))
if -1 == C.pcap_lookupnet(
dev,
(*C.bpf_u_int32)(unsafe.Pointer(&netp)),
(*C.bpf_u_int32)(unsafe.Pointer(&maskp)),
errorBuf,
) {
// We can't lookup the network, but that could be because the interface
// doesn't have an IPv4.
}
}
var bpf _Ctype_struct_bpf_program
cexpr := C.CString(expr)
defer C.free(unsafe.Pointer(cexpr))
if -1 == C.pcap_compile(p.cptr, &bpf, cexpr, 1, C.bpf_u_int32(maskp)) {
return p.Error()
}
if -1 == C.pcap_setfilter(p.cptr, &bpf) {
C.pcap_freecode(&bpf)
return p.Error()
}
C.pcap_freecode(&bpf)
return nil
}
// Setfilter compiles a filter string into a bpf program and sets the filter.
func (p *Pcap) Setfilter(expr string) error {
cexpr := C.CString(expr)
defer C.free(unsafe.Pointer(cexpr))
var bpf C.struct_bpf_program
res := C.pcap_compile(p.cptr, &bpf, cexpr, C.int(OptimizeFilters),
C.PCAP_NETMASK_UNKNOWN)
if res == C.PCAP_ERROR {
return p.GetErr()
}
res = C.pcap_setfilter(p.cptr, &bpf)
if res == C.PCAP_ERROR {
C.pcap_freecode(&bpf)
return p.GetErr()
}
p.Filters = append(p.Filters, expr)
C.pcap_freecode(&bpf)
return nil
}
func (p *Pcap) Setfilter(expr string) os.Error {
var bpf C.struct_bpf_program
cexpr := C.CString(expr)
defer C.free(unsafe.Pointer(cexpr))
if C.pcap_compile(p.cptr, &bpf, cexpr, 1, 0) == -1 {
return os.NewError(p.Geterror())
}
defer C.pcap_freecode(&bpf)
if C.pcap_setfilter(p.cptr, &bpf) == -1 {
return os.NewError(p.Geterror())
}
return nil
}
// CompileBPFFilter compiles and returns a BPF filter for the pcap handle.
func (p *Handle) CompileBPFFilter(expr string) ([]BPFInstruction, error) {
bpf, err := p.compileBPFFilter(expr)
defer C.pcap_freecode(&bpf)
if err != nil {
return nil, err
}
bpfInsn := (*[bpfInstructionBufferSize]_Ctype_struct_bpf_insn)(unsafe.Pointer(bpf.bf_insns))[0:bpf.bf_len:bpf.bf_len]
bpfInstruction := make([]BPFInstruction, len(bpfInsn), len(bpfInsn))
for i, v := range bpfInsn {
bpfInstruction[i].Code = uint16(v.code)
bpfInstruction[i].Jt = uint8(v.jt)
bpfInstruction[i].Jf = uint8(v.jf)
bpfInstruction[i].K = uint32(v.k)
}
return bpfInstruction, nil
}
func destroyBPF(bpf *BPF) {
C.pcap_freecode(&bpf.bpf)
}