Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fixing Bro-level BPF filtering.

Browse source
This commit is contained in:
Robin Sommer 2014-09-03 17:37:35 -07:00
parent 569853444f
commit 43e63daa45
1 changed files with 12 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/iosource/BPF_Program.cc
View file

@ -58,7 +58,14 @@ int pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
}
#endif
BPF_Program::BPF_Program() : m_compiled(), m_program()
// Simple heuristic to identify filters that always match, so that we can
// skip the filtering in that case. "ip or not ip" is Bro's default filter.
static bool filter_matches_anything(const char *filter)
{
return (! filter) || strlen(filter) == 0 || strcmp(filter, "ip or not ip") == 0;
}
BPF_Program::BPF_Program() : m_compiled(), m_matches_anything(false), m_program()
{
}
@ -86,7 +93,7 @@ bool BPF_Program::Compile(pcap_t* pcap, const char* filter, uint32 netmask,
}
m_compiled = true;
m_matches_anything = (strlen(filter) == 0 || strcmp(filter, "ip or not ip") == 0);
m_matches_anything = filter_matches_anything(filter);
return true;
}
@ -114,7 +121,10 @@ bool BPF_Program::Compile(int snaplen, int linktype, const char* filter,
#endif
if ( err == 0 )
{
m_compiled = true;
m_matches_anything = filter_matches_anything(filter);
}
return err == 0;
}