libtins  3.4
Tins::OfflinePacketFilter Class Reference

Wraps a pcap filter and matches it against a packet or buffer.

#include <offline_packet_filter.h>

Public Member Functions

template<typename T >
 OfflinePacketFilter (const std::string &filter, const DataLinkType< T > &lt, unsigned int snap_len=65535)
 OfflinePacketFilter (const OfflinePacketFilter &other)
 Copy constructor.
OfflinePacketFilter & operator= (const OfflinePacketFilter &other)
 Copy assignment operator.
 ~OfflinePacketFilter ()
bool matches_filter (const uint8_t *buffer, uint32_t total_sz) const
 Applies the compiled filter on the provided buffer.
bool matches_filter (PDU &pdu) const
 Applies the compiled filter on the provided packet.

Detailed Description

Wraps a pcap filter and matches it against a packet or buffer.

This is a thin wrapper over pcap_offline_filter. You can use it to perform packet filtering outside of Sniffer instances.

A potential use case would be if you are capturing packets that are sent from another host over UDP. You would receive UDP packets, then parse their content, and apply the OfflinePacketFilter over the wrapped packet. For example:

// Assume we get a UDP packet from somewhere.
// Inside the payload, there will be a complete packet
// including its link layer protocol.
UDP udp = get_packet();

// Create the filter. We'll be expecting Ethernet packets.
OfflinePacketFilter filter("ip and port 80", DataLinkType<EthernetII>());

// We can use this directly over the inner PDU (assuming it has one).
// See the notes on the efficiency of doing it this way.
if (filter.matches_filter(*udp.inner_pdu())) {
    // Matches!
}

// We can also use the payload. This version is faster and should
// be preferred over the one above.
const RawPDU& raw = udp.rfind_pdu<RawPDU>();
const auto& payload = raw.payload();
if (filter.matches_filter(payload.data(), payload.size())) {
    // Matches!
}

Constructor & Destructor Documentation

template<typename T >
Tins::OfflinePacketFilter::OfflinePacketFilter ( const std::string &  filter,
const DataLinkType< T > &  lt,
unsigned int  snap_len = 65535 
)

Constructs an OfflinePacketFilter object.

Parameters
filter: The pcap filter to use.
lt: The link layer type to use.
snap_len: The snapshot length to use.

Tins::OfflinePacketFilter::OfflinePacketFilter ( const OfflinePacketFilter &  other )

Copy constructor.

Note that during copy construction the pcap filter is recompiled. Therefore, it might be somewhat expensive to copy OfflinePacketFilters.

Parameters
other: The filter to be copied.

Tins::OfflinePacketFilter::~OfflinePacketFilter ( )

Releases the compiled pcap filter and handle.

Member Function Documentation

bool Tins::OfflinePacketFilter::matches_filter ( const uint8_t *  buffer,
uint32_t  total_sz 
) const

Applies the compiled filter on the provided buffer.

This method uses pcap_offline_filter on the provided buffer and returns a bool indicating whether the packet pointed to by the buffer matches the filter.

Parameters
buffer: A pointer to a buffer which holds a raw packet.
total_sz: The length of the buffer pointed to by buffer.

Returns
true iff the packet matches the filter.

bool Tins::OfflinePacketFilter::matches_filter ( PDU &  pdu ) const

Applies the compiled filter on the provided packet.

This method checks whether the provided packet matches the filter. Since this uses pcap filters and they work over a raw data buffer, this method serializes the packet and then applies the filter. Therefore, this can be quite expensive to use. If you have access to the packet before constructing a PDU from it, it is recommended to use the other overload over the raw buffer.

Parameters
pdu: The packet to be matched against the filter.

Returns
true iff the packet matches the filter.

OfflinePacketFilter & Tins::OfflinePacketFilter::operator= ( const OfflinePacketFilter &  other )

Copy assignment operator.

Parameters
other: The filter to be copied.