For an alternative pcap backend I had to use the LSF filter from my code. Contrary to my initial guess, the packet starting address used by the filter proved to rely on the amount of preprocessing done (i.e. the location of the data pointer). Can someone explain to me why this is?

Otherwise I'll be happy to supply a patch (if it doesn't break TCP/UDP filtering). By having the filter use, for instance, mac.ethernet instead of data, it will still work across the board. An added bonus is that the only real BPF expression compiler, pcap, works for all levels of filtering. It's then up to the developer to make sure no sub/non-TCP checks are made when inspecting a TCP stream.

--
Willem de Bruijn
wdebruij_at_dds.nl
http://www.wdebruij.dds.nl/

current project : Fairly Fast Packet Filter (FFPF)
http://ffpf.sourceforge.net/
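The effect described in the message above, as an added example that is not part of the original post and is not kernel code: a minimal classic-BPF interpreter runs one filter, written with link-layer offsets, against the same frame with the data pointer at the MAC, network and transport headers, and only the MAC-header start matches. The struct, the function names and the sample frame are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Opcode values as in <linux/filter.h>; the struct and names are this example's own. */
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Filter written with link-layer offsets: IPv4 (EtherType at 12), UDP (protocol at 23). */
static const struct insn ipv4_udp[] = {
    { LDH_ABS, 0, 0, 12 }, { JEQ_K, 0, 3, 0x0800 }, { LDB_ABS, 0, 0, 23 },
    { JEQ_K, 0, 1, 17 }, { RET_K, 0, 0, 0xffff }, { RET_K, 0, 0, 0 },
};

/* Constructed sample frame: Ethernet (14 bytes) + IPv4 (20) + UDP (8). */
static const uint8_t frame[42] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00,
    0x45,0,0,28, 0,0,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2,
    0x30,0x39, 0,53, 0,8, 0,0,
};

/* Every absolute load is relative to `data`, the stand-in for the data pointer. */
static uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *data, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case LDH_ABS:
            if ((size_t)p[pc].k + 2 > len) return 0;  /* load past the end rejects */
            a = (uint32_t)data[p[pc].k] << 8 | data[p[pc].k + 1];
            break;
        case LDB_ABS:
            if ((size_t)p[pc].k + 1 > len) return 0;
            a = data[p[pc].k];
            break;
        case JEQ_K: pc += (a == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case RET_K: return p[pc].k;
        default:    return 0;
        }
    }
    return 0;
}

static uint32_t match_at(size_t off)  /* data pointer `off` bytes into the frame */
{
    return run_filter(ipv4_udp, sizeof ipv4_udp / sizeof ipv4_udp[0], frame + off, sizeof frame - off);
}

int main(void)
{
    printf("mac=%u net=%u transport=%u\n", (unsigned)match_at(0), (unsigned)match_at(14), (unsigned)match_at(34));
}
```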