1 .\" Copyright (c) 1994, 1996, 1997
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that: (1) source code distributions
6 .\" retain the above copyright notice and this paragraph in its entirety, (2)
7 .\" distributions including binary code include the above copyright notice and
8 .\" this paragraph in its entirety in the documentation or other materials
9 .\" provided with the distribution, and (3) all advertising materials mentioning
10 .\" features or use of this software display the following acknowledgement:
11 .\" ``This product includes software developed by the University of California,
12 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
13 .\" the University nor the names of its contributors may be used to endorse
14 .\" or promote products derived from this software without specific prior
15 .\" written permission.
16 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
17 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
18 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 .TH PCAP_COMPILE 3PCAP "24 January 2025"
22 pcap_compile \- compile a filter expression
26 #include <pcap/pcap.h>
30 int pcap_compile(pcap_t *p, struct bpf_program *fp,
31 const char *str, int optimize, bpf_u_int32 netmask);
36 is used to compile the string
38 into a filter program. See
39 .BR \%pcap-filter (@MAN_MISC_INFO@)
40 for the syntax of that string.
44 struct and is filled in by
47 controls whether optimization on the resulting code is performed.
49 specifies the IPv4 netmask of the network on which packets are being
50 captured; it is used only when checking for IPv4 broadcast addresses in
51 the filter program. If the netmask of the network on which packets are
52 being captured isn't known to the program, or if packets are being
53 captured on the Linux "any" pseudo-interface that can capture on more
54 than one network, a value of
55 .B PCAP_NETMASK_UNKNOWN
56 can be supplied; tests
57 for IPv4 broadcast addresses will fail to compile, but all other tests in
58 the filter program will be OK.
62 handle corresponds to a live packet capture, the resulting filter program
63 may use Linux BPF extensions. This works transparently if the filter
64 program is used to filter packets on the same
66 handle, which should be done when possible. In other use cases trying to
67 use a filter program with BPF extensions in
68 .BR \%pcap_offline_filter (3PCAP)
69 or for filtering an input savefile would reject more packets than expected
70 because the extensions depend on auxiliary packet data, which would not be
71 available. The workaround is to compile the filter without the extensions
75 .BR \%pcap_open_dead (3PCAP)
77 .BR \%pcap_open_offline (3PCAP)
78 rather than a handle from
79 .BR \%pcap_create (3PCAP)
81 .BR \%pcap_open_live (3PCAP).
83 If BPF extensions are disabled as described above or the OS is not Linux,
85 may start rejecting some filter expressions for some link-layer header types,
86 this is the expected behaviour. For example, the
88 keyword is valid for any live capture on Linux, but when reading packets
89 from a savefile, regardless of the OS it is valid for
101 .BR pcap_geterr (3PCAP)
103 .BR pcap_perror (3PCAP)
106 as an argument to fetch or display the error text.
107 .SH BACKWARD COMPATIBILITY
110 .B PCAP_NETMASK_UNKNOWN
111 constant became available in libpcap release 1.1.0.
113 In libpcap 1.8.0 and later,
115 can be used in multiple threads within a single process. However, in
116 earlier versions of libpcap, it is
120 in multiple threads in a single process without some form of mutual
121 exclusion allowing only one thread to call it at any given time.
124 .BR pcap_setfilter (3PCAP),
125 .BR pcap_freecode (3PCAP)
projects / libpcap / blob