TechQA.

Correct filter expression in libpcap for outgoing packets

742 views Asked by At

I want to sniff only outgoing 'TCP-ACK' packet from my system. Hence I set my filter expression in my lib-pcap program as:

char filter_exp[] = "src host 172.16.0.1 and tcp[tcpflags] & (tcp-syn | tcp-fin | tcp-rst | tcp-psh) == 0";

But it's showing an lib-pcap syntax error at runtime as:

Couldn't parse filter src host 172.16.0.1 and tcp[tcpflags] and (tcp-syn | tcp-fin | tcp-rst | tcp-psh) == 0: syntax error

Can anybody tell what's wrong here and what would be the correct filter expression for this?

I got the syntax from here (in the Examples section.).

c libpcap bpf
Original Q&A
1

There are 1 answers

0
RatDon On BEST ANSWER

The syntax is incorrect because tcp-psh is not a valid syntax. The correct one is tcp-push. So the correct filter expression will be:

char filter_exp[] = "src host 172.16.0.1 and tcp[tcpflags] & (tcp-syn | tcp-fin | tcp-rst | tcp-push) == 0";

Related Questions in C

Related Questions in LIBPCAP

Related Questions in BPF

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions