Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Commits on May 20, 2014
  1. @guyharris

    Add support for filters testing for 802.2 LLC frame types.

    guyharris authored
    "llc" can now be used to check for frames with 802.2 headers on
    linktypes other than Sun ATM, and can now be given an argument to check
    for I, S, and U frames and for particular types of S and U frames.
Commits on Jan 3, 2014
  1. @infrastation

    remove libpcap's own CVS keywords

    infrastation authored
    This change removes CVS keywords that express that the file belongs to
    libpcap repository. All such keywords represented the revision and
    timestamp by the end of 2008 or even older.
Commits on Jun 22, 2013
  1. @guyharris

    Avoid some warnings from Sun C.

    guyharris authored
    Some versions of Sun C support __attribute__ but don't support the
    "unused" or "format" attributes - they don't fail, but they whine a lot.
    Check whether they can be used without warnings, and use them only if
    they can.
Commits on May 17, 2013
  1. Support filtering PPPoE sessions by ID.

    Jorge Boncompte [DTI2] authored
Commits on Apr 14, 2013
  1. @guyharris

    Support filtering filtering E1 SS7 traffic on MTP2 layer Annex A.

    dzejarczech authored guyharris committed
    Originally written by Florent Drouin; applied to 1.3.0 by
    Reviewed-By: Guy Harris <>
Commits on Dec 10, 2011
  1. @guyharris

    Make some counts unsigned ("counts" as in "they're always >= 0").

    guyharris authored
    They don't, for example, use -1 as a special value, so just make the
    unsigned.  That squelches some warnings.
Commits on Nov 20, 2011
  1. @gvnn3 @guyharris

    Add support for CARP.

    gvnn3 authored guyharris committed
    Allow "carp" to be used as a filter, rather than requiring "ip proto
    112" or one of "ip proto {vrrp,carp}" depending on whether you're
    running an OS that chooses to have 112 as CARP rather than VRRP in
    /etc/protocols.  (Yes, that means that "carp" will capture VRRP
    packets.  So it goes....)
    Reviewed-By: Guy Harris <>
Commits on Jul 3, 2010
  1. @guyharris

    Add support for "wlan ra" and "wlan ta".

    guyharris authored
    The RA field is absent from management frames (addr1 is DA there), and
    addr1 in other frames.
    The TA field is absent from management frames (addr2 is SA there), and
    addr2, if present, in other frames.
    While we're at it, fix a font glitch in the pcap-filter man page.
Commits on Nov 18, 2007
  1. @yuguy

    Support OpenBSD's "addr1", "addr2", "addr3", and "addr4" link-layer

    yuguy authored
    address types for 802.11.
    Support the OpenBSD names for some of the 802.11 frame types.
    Support OpenBSD's "dir" keyword for 802.11 frame directions.
Commits on Jun 11, 2007
  1. @yuguy

    Pick up changes from NetBSD:

    yuguy authored
        several files:
    	date: 2006/02/27 15:53:24;  author: drochner;  state: Exp;
    	avoid shadowing globals, for WARNS=2
    	date: 2006/02/27 15:55:30;  author: drochner;  state: Exp;
    	minor constification, good for WARNS=3 now
    	date: 2006/02/27 15:57:17;  author: drochner;  state: Exp;
    	NetBSD adaption:
    	-const pcap_strerror() for consistency
    	date: 2006/04/26 09:24:33;  author: tron;  state: Exp;
    	Add missing "const" keywords to match declarations in "pcap.h".
    	date: 2006/10/15 19:27:21;  author: christos;  state: Exp;
    	add a volatile variable to prevent vfork/longjmp clobbering.
    	date: 2006/05/17 17:48:36;  author: drochner;  state: Exp;
    	Make the optimizer use unsigned numbers as the kernel does.
    	While it is not agreed on that purely unsigned arithmetics is nice,
    	different behaviour of optimized and unoptimized code is less desirable.
    	date: 2006/02/27 15:51:38;  author: drochner;  state: Exp;
    	pull in from NetBSD's libpcap: use cloning bpf device on NetBSD
    Have the configure script check for paths.h, so that we can include it
    only if we have it, and use the cloning BPF device only if we're on
    NetBSD *and* _PATH_BPF is defined (hopefully this will keep us from
    using it on versions of NetBSD that don't have a cloning BPF device; if,
    in the future, other OSes with BPF get cloning BPF devices, we can make
    this work for them as well).
Commits on Mar 11, 2007
  1. @yuguy

    From Sepherosa Ziehau: additional filter operations for 802.11 frame

    yuguy authored
    types.  Modified to add ieee80211.h from FreeBSD, rather than depending
    on the OS supplying the header, and to support all 802.11 radio header
    Clean up some link-layer type checks and the messages for failing those
Commits on Feb 8, 2007
  1. @yuguy

    From Florent Drouin: a Link Status Signal Unit is called an LSSU, not an

    yuguy authored
    LSU.  (Leave "lsu" as an alias for backwards compatibility.)
Commits on Dec 21, 2006
  1. @yuguy
Commits on Sep 5, 2005
  1. @yuguy

    Add "pppoed" and "pppoes" keywords, for PPPoE Discovery and Session

    yuguy authored
    packets (based on the Ethernet type).  "pppoes" has the side-effect that
    subsequent filter expressions will test the PPP header and headers
    in the PPP payload, not the link-layer header and headers in the
    link-layer payload.
Commits on Jun 20, 2005
  1. @yuguy

    From Gilbert Hoyek <>: support for capturing SS7

    yuguy authored
    traffic on Intel Septel cards, and for filtering on SS7 MTP3 fields.
    Clean up indentation.
Commits on May 2, 2005
  1. @yuguy

    Make "link[N:M]" refer to the 802.11 header for all 802.11 DLT_ values,

    yuguy authored
    including those with fixed-length radio headers (it already refers to
    the 802.11 header for radiotap).
    Add a new "radio" keyword, to allow access to the radio header.  In
    theory, something to allow testing for specific signal strengths, etc.
    might be useful, but radiotap makes that difficult as the code can't
    loop through the header looking for the signal strength field, the loop
    has to be unrolled, and some of the other headers might not have
    standardized the meaning of some of the fields, so we require the user
    to construct such a filter themselves, for now.
Commits on May 1, 2005
  1. @yuguy

    Make the value argument to "gen_ncmp()" a bpf_int32, the same as the

    yuguy authored
    value arguments are to other routines.  Do the same with the value
    argument to "gen_atmfield_code()".
    "gen_load_a()" can return more than one statement; append to the list of
    statements it returns with "sappend()", rather than manually appending
    to the first statement.
    Fix the argument list to one "gen_ncmp()" call, and get rid of the casts
    in the other calls, as the arguments already have the right types.
    Fix the casts in calls to "gen_atmfield_code()".
Commits on Apr 23, 2005
  1. @yuguy

    From Albert Chin: just define __attribute__ as an empty macro if we

    yuguy authored
    don't have __attribute__ support in the compiler.
    While we're at it, get rid of the declaration of bpf_error() in
    gencode.c, as it's already declared in gencode.h.
Commits on Apr 19, 2005
  1. @yuguy

    From Patrick Marie <>: add support for port ranges

    yuguy authored
    in tests - "portrange X-Y" matches all ports in the range [X,Y].
    Support added for port ranges with IPv6.
    Fix some comments.
Commits on Jun 16, 2004
Commits on Mar 28, 2004
  1. Handle the new OpenBSD pf format (DLT 117), which is now being used

    fenner authored
     by other systems as they adopt pf.
    Don't bother trying to be backwards compatible with DLT 17.
Commits on May 2, 2003
  1. @yuguy

    The value pointed to by "gen_pf_ifname()"'s argument isn't modified, so

    yuguy authored
    make it a const pointer.
    Cast the interface name in the "gen_bcmp()" call in "gen_pf_ifname()" to
    squelch a compiler warning.
Commits on Mar 11, 2003
  1. @yuguy

    Add support for OpenBSD DLT_PFLOG.

    yuguy authored
    Get rid of bogus newline in BPF error string.
Commits on Dec 6, 2002
  1. add BPF_ filters for misc. IS-IS PDU Types

    hannes authored
Commits on Jul 11, 2002
  1. @yuguy
Commits on Jun 11, 2002
  1. whitespace cleanup

    itojun authored
Commits on May 10, 2001
Commits on Apr 17, 2001
  1. @yuguy

    ARCNet support, from NetBSD.

    yuguy authored
Commits on Feb 21, 2001
  1. @yuguy

    Patch from NetBSD, by Klaus Klein <>, to support "vrrp"

    yuguy authored
    as an IP protocol, like "udp", "tcp", "icmp", "pim", etc..
Commits on Jan 28, 2001
  1. @yuguy

    Add a "netbeui" keyword, which selects NetBEUI packets (LLC packets with

    yuguy authored
    0xf0 as the DSAP and SSAP).
    Let "ipx" work on non-Ethernet 802.2 frames - we assume they're always
    frames with the IPX DSAP.
Commits on Jan 14, 2001
  1. @yuguy

    Add "ipx", which checks for the LLC SAP for IPX as well as, on Ethernet,

    yuguy authored
    for "Novell 802.3" frames, which are 802.3 frames (i.e., the type/length
    field is a length field, i.e. it's <= ETHERMTU) with 0xFFFF as the first
    2 bytes.  We don't yet check for ETHERTYPE_IPX as well.
    When checking for OSI packets on Linux cooked captures, check for 802.2
    frames by testing the packet type for LINUX_SLL_P_802_2 rather than by
    checking whether the type field is <= ETHERMTU (it's always a type field
    in DLT_LINUX_SLL captures).
  2. @yuguy

    Support checking for protocols specified by an LLC SAP on FDDI, Token

    yuguy authored
    Ring, and RFC 1483-style ATM, as well as on Ethernet.
    Support checking for LLC SAP protocols other than OSI protocols on
    Ethernet - for now, we check only the DSAP on those, rather than
    checking both the DSAP and SSAP as we do for OSI, as I think, in some
    cases, the SSAP isn't the same as the DSAP.
    When generating protocol type checks on link-layer types with no type
    field, where packets are always IP (SLIP, BSD/OS SLIP, raw IP), generate
    a "test" that always succeeds if the protocol being checked for is IP or
    IPv6 and a "test" that always fails otherwise.  (We originally did
    "gen_true()" if the protocol is IP, and bogusly generated code to check
    the field at an offset of -1 otherwise; a subsequent change caused us
    always to do "gen_true()", but that doesn't properly handle attempts to
    check for other protocols - those attempts should generate code that
    always fails, meaning that if you try to look for ARP packets in such a
    capture the BPF compiler will return "expression rejects all packets" as
    an error - and still generated extra code not all of which was removed
    by the optimizer.  The current code generates no *more* BPF code.)
    Add "stp", which checks for the LLC SAP for the Spanning Tree Protocol.
Commits on Nov 4, 2000
  1. @yuguy

    Declare "install_bpf_program()" in "pcap-int.h", not "gencode.h"; it has

    yuguy authored
    nothing to do with generating code, and "gencode.h" isn't included by
    all "pcap-XXX.c" modules, whilst "pcap-int.h" is.
Commits on Oct 28, 2000
  1. @yuguy
  2. @yuguy

    Tony Li's changes, from FreeBSD, to support filtering for OSI packets

    yuguy authored
    and for ESIS and ISIS packets.
Something went wrong with that request. Please try again.