PcapPlusPlus
PcapFilter.h File Reference
#include <string>
#include <vector>
#include "ProtocolType.h"
#include <stdint.h>
#include <ArpLayer.h>

Go to the source code of this file.

Classes

class  pcpp::GeneralFilter
 
class  pcpp::IFilterWithDirection
 
class  pcpp::IFilterWithOperator
 
class  pcpp::IPFilter
 
class  pcpp::IpV4IDFilter
 
class  pcpp::IpV4TotalLengthFilter
 
class  pcpp::PortFilter
 
class  pcpp::PortRangeFilter
 
class  pcpp::MacAddressFilter
 
class  pcpp::EtherTypeFilter
 
class  pcpp::AndFilter
 
class  pcpp::OrFilter
 
class  pcpp::NotFilter
 
class  pcpp::ProtoFilter
 
class  pcpp::ArpFilter
 
class  pcpp::VlanFilter
 
class  pcpp::TcpFlagsFilter
 
class  pcpp::TcpWindowSizeFilter
 
class  pcpp::UdpLengthFilter
 

Namespaces

 pcpp
 The main namespace for the PcapPlusPlus lib.
 

Enumerations

enum  pcpp::Direction { pcpp::SRC, pcpp::DST, pcpp::SRC_OR_DST }
 
enum  pcpp::FilterOperator {
  pcpp::EQUALS, pcpp::NOT_EQUALS, pcpp::GREATER_THAN, pcpp::GREATER_OR_EQUAL,
  pcpp::LESS_THAN, pcpp::LESS_OR_EQUAL
}
 

Detailed Description

Most packet capture engines contain packet filtering capabilities. In order to set the filters there should be a known syntax user can use. The most popular syntax is Berkeley Packet Filter (BPF) - see more in here: http://en.wikipedia.org/wiki/Berkeley_Packet_Filter. Detailed explanation of the syntax can be found here: http://www.tcpdump.org/manpages/pcap-filter.7.html.
The problem with BPF is that, for my opinion, the syntax is too complicated and too poorly documented. In addition the BPF filter compilers may output syntax errors that are hard to understand. My experience with BPF was not good, so I decided to make the filters mechanism more structured, easier to understand and less error-prone by creating classes that represent filters. Each possible filter phrase is represented by a class. The filter, at the end, is that class.
For example: the filter "src host 1.1.1.1" will be represented by IPFilter instance; "dst port 80" will be represented by PortFilter, and so on.
So what about complex filters that involve "and", "or"? There are also 2 classes: AndFilter and OrFilter that can store more filters (in a composite idea) and connect them by "and" or "or". For example: "src host 1.1.1.1 and dst port 80" will be represented by an AndFilter that h olds IPFilter and PortFilter inside it