Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
2.5k views
in Technique[技术] by (71.8m points)

c# - Convert Wireshark Filter Expression to BPF

So I am trying to make a program that parses certain UDP packets on my network. To do this I use SharpPcap and C#. I have this filter expression and it works flawlessly in Wireshark: udp and frame.protocols==eth:ethertype:ip:udp:data.

However, when I try to implement this in my C# application I get an exception because the filter expression is not BPF-valid (I think).

Does anyone have an idea what the correct syntax would be to achieve the same thing in BPF?



1 Answer

0 votes
by (71.8m points)

Seems like you are mixing Capture Filters and Display Filters. The udp part of your filter seems to be a Capture Filter, while the rest is a Display Filter. The Display Filter just hides some results in Wireshark, while the Capture Filter actually cuts away packages that do not match the filter. Refer to the pcap filter documentation on how to construct a filter: https://www.tcpdump.org/manpages/pcap-filter.7.html

So your pcap filter in your case is essentially udp; you are interested in UDP packages only.

The Display Filter part is up to you to do in your code when you inspect the packages.
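
The split described in the answer, as an added example that is not part of the original answer or of SharpPcap's own code: the capture filter stays udp (or ip and udp to restrict it to IPv4, since BPF udp also matches UDP over IPv6), and the rest of the Wireshark expression is checked in C# on the raw frame bytes. It assumes untagged Ethernet II frames and treats any non-empty UDP payload as Wireshark's data layer, which is an approximation because Wireshark only reports data when no dissector claims the payload; TryGetUdpPayload and the sample frame are constructed for illustration.

```csharp
using System;

static class UdpDataFilter
{
    // True when the frame is Ethernet II -> IPv4 -> UDP with a non-empty payload,
    // the closest in-code equivalent of frame.protocols == eth:ethertype:ip:udp:data.
    public static bool TryGetUdpPayload(byte[] frame, out ArraySegment<byte> payload)
    {
        payload = default;
        if (frame.Length < 14 + 20 + 8) return false;             // eth + minimal IPv4 + UDP
        if (frame[12] != 0x08 || frame[13] != 0x00) return false; // EtherType IPv4 only (no VLAN tag, no IPv6)

        int ip = 14;
        if ((frame[ip] >> 4) != 4) return false;                  // IP version field
        int ihl = (frame[ip] & 0x0F) * 4;                         // header length, options included
        if (ihl < 20) return false;
        if (frame[ip + 9] != 17) return false;                    // protocol 17 = UDP
        int fragOffset = ((frame[ip + 6] & 0x1F) << 8) | frame[ip + 7];
        if (fragOffset != 0) return false;                        // later fragments carry no UDP header

        int udp = ip + ihl;
        if (frame.Length < udp + 8) return false;
        int udpLen = (frame[udp + 4] << 8) | frame[udp + 5];      // UDP header + payload
        if (udpLen <= 8 || udp + udpLen > frame.Length) return false; // empty or truncated

        // Ethernet padding after the datagram is excluded by using the UDP length field.
        payload = new ArraySegment<byte>(frame, udp + 8, udpLen - 8);
        return true;
    }

    static void Main()
    {
        // Constructed sample frame (checksums zeroed): 192.0.2.1:40000 -> 192.0.2.2:50000, payload "hi"
        byte[] frame = {
            0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,          // Ethernet II
            0x45,0,0,30, 0,0,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2,    // IPv4, total length 30
            0x9C,0x40, 0xC3,0x50, 0,10, 0,0,                          // UDP, length 10
            (byte)'h',(byte)'i'
        };
        Console.WriteLine(TryGetUdpPayload(frame, out var p)
            ? $"match, {p.Count} payload bytes" : "no match");
    }
}
```

If only specific application traffic counts as data for your purposes, add a port test to the capture filter (for example udp port N) rather than widening the in-code check.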

