This project is read-only.

Setting filter on OffLinePacketDevice

Oct 22, 2012 at 9:00 PM

Hi, is it possible to apply a filter when reading the packets from a file?

I have this piece of code where the end result is that no packets are copied to the output.pcap file. If I remove the lines when I define the filter and apply it it copies all the packets.

OfflinePacketDevice selectedDevice = new OfflinePacketDevice(filename.Substring(0, filename.Length -2) );
                         
// Open the capture file
communicator = selectedDevice.Open(65536,
                                PacketDeviceOpenAttributes.Promiscuous, 
                                1000);
 
BerkeleyPacketFilter filter = communicator.CreateFilter("host 192.168.1.100");
          
// Set the filter
communicator.SetFilter(filter);
           
dumpFile = communicator.OpenDump("output.pcap");

communicator.ReceivePackets(0, DispatcherHandler);

public void DispatcherHandler(Packet packet)
{
       dumpFile.Dump(packet);
}

thank you

fborot

Oct 22, 2012 at 9:27 PM

Sounds like it works as expected.

Is there any problem with the way it works for you?

Oct 22, 2012 at 9:43 PM

txs for the reply.

Actually it is not working as expected. What I expect (which may or may not be the intended behavior) is to "select" only packets from/to that IP that are present in the source file.

The filter I set should allow me to keep and  copy only the packets where that IP is present (as source or dest) like a wireshark capture filter. But what happens is that it is leaving out ALL the packets and no packets are dumped to the file. in the source file there are like 32 packets where that IP is either source or destination.

However, if I remove the 2 lines (define and apply filter) all packets are copied.

Nov 1, 2012 at 12:07 AM

has anybody tested this ? applying filter to packets in a file to speed up processing based on a smaller packets list?

thank you in advance

fborot

Nov 23, 2012 at 7:33 PM

Can you provide some link to the input pcap file?