How portable is the output of pcap_compile?

views:

145

answers:

How portable is the output of pcap_compile?

pcap_compile() compiles a string into a filter program in the form of a bpf_program struct. In theory I could save the compiled form of the program and supply it to pcap_setfilter() on a different network interface or even on a different machine.

Will that work? Is the bpf_program form portable across different interfaces? Different processes? Different architectures? Or is it safest to compile the expression each time I want to use it?

Based on the existence of pcap_open_dead() I assume it is somewhat portable, but what's safe and what's not doesn't seem to be spelled out anywhere in the documentation.

+1 A:

No, it isn't portable in general.

You can use them on the same machine.

On similar machines somewhat safely. Different architectures? Probably not. Maybe if they have similar types. Different Operating Systems? No. I don't recommend any of these though.

If you really want to be sure, just compile the expression when you use it. It really takes an inconsequential amount of time if you're doing it rarely enough. If you're switching expressions rapidly, you might want to keep a few around.

McPherrinM 2009-12-11 22:20:09

Thanks, this is very helpful. To clarify: what about different interfaces/devices on the same machine?

benzado 2009-12-11 22:41:33

Different interfaces on the same machine should be fine, I think. I'm not entirely certain about all implementations though. I'm actually hesitant about different /kinds/ of interfaces, like ethernet/loopback/ieee1394. I have a suspicion that might not work out, though its been over a year since I've hacked on any of that code and things are leaking out of my head.

McPherrinM 2009-12-12 03:47:19

ansaurus

tags:

views:

answers:

How portable is the output of pcap_compile?

related questions