LSF sk_run_filter: why use the data pointer?

From: Willem de Bruijn
Date: Thu Apr 15 2004 - 08:02:31 EST

For an alternative pcap backend I had to use the LSF filter from my code.
Contrary to my initial guess, the packet starting address used by the filter
proved to rely on the amount of preprocessing done (i.e. the location of the
data pointer). Can someone explain to me why this is?

Otherwise I'll be happy to supply a patch (if it doesn't break TCP/UDP
filtering). By having the filter use for instance mac.ethernet instead of
data it will still work across the board. An added bonus is that the only
real BPF expression compiler, pcap, works for all levels of filtering. It's
then up to the developer to make sure no sub/non TCP checks are made when
inspecting a TCP stream.

Willem de Bruijn

Current project:
Fairly Fast Packet Filter (FFPF)
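
The dependence the message describes, shown as an added example that is not part of the original post and is not kernel code: a small classic BPF interpreter runs one link-layer "udp" filter over the same packet from two start addresses. The names `run_filter`, `udp_link`, `at_mac` and `at_net` are hypothetical, and the frame is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same fields as the kernel's struct sock_filter. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };

/* Minimal classic BPF interpreter: absolute loads are offsets from base. */
static uint32_t run_filter(const struct insn *f, size_t n,
                           const uint8_t *base, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; ) {
        const struct insn *i = &f[pc++];
        switch (i->code) {
        case LDH_ABS:
            if ((size_t)i->k + 2 > len) return 0; /* load past end rejects */
            a = ((uint32_t)base[i->k] << 8) | base[i->k + 1];
            break;
        case LDB_ABS:
            if ((size_t)i->k + 1 > len) return 0;
            a = base[i->k];
            break;
        case JEQ_K: pc += (a == i->k) ? i->jt : i->jf; break;
        case RET_K: return i->k;
        default:    return 0; /* opcode outside this subset */
        }
    }
    return 0;
}
/* "udp" over IPv4, offsets counted from the Ethernet header. */
static const struct insn udp_link[] = {
    { LDH_ABS, 0, 0, 12 },     /* EtherType */
    { JEQ_K,   0, 3, 0x0800 }, /* not IPv4: reject */
    { LDB_ABS, 0, 0, 23 },     /* IPv4 protocol byte, 14 + 9 */
    { JEQ_K,   0, 1, 17 },     /* not UDP: reject */
    { RET_K,   0, 0, 0xffff }, { RET_K, 0, 0, 0 },
};
/* Constructed frame: Ethernet, IPv4 10.0.0.1 -> 10.0.0.2, UDP header. */
static const uint8_t frame[42] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,
    0x45,0,0,28, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,
    0x30,0x39, 0,53, 0,8, 0,0,
};
/* Same filter, started at the MAC header and then at the network header. */
uint32_t at_mac(void) { return run_filter(udp_link, 6, frame, sizeof frame); }
uint32_t at_net(void) { return run_filter(udp_link, 6, frame + 14, sizeof frame - 14); }
int main(void) { printf("mac=%u net=%u\n", (unsigned)at_mac(), (unsigned)at_net()); return 0; }
```

Started at the network header, offset 12 lands on the IPv4 source address instead of the EtherType, so the filter rejects a packet it accepts from the MAC header.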
