feat: Support pcap-filter expression for pcap mode

Open Asphaltt opened this issue 5 months ago • 1 comments

Fix #474

It's better to use a pcap-filter expression to filter packets, like tcpdump, instead of --port-like options.

There are two ways to use pcap-filter:

  1. ./bin/ecapture tls -m pcap -i ens33 --pcapfile test.pcapng --pcap-filter="host 142.251.10.100"
  2. ./bin/ecapture tls -m pcap -i ens33 --pcapfile test.pcapng host 142.251.10.100

So, in this commit:

  1. Add libpcap as a Git submodule.
  2. make in Makefile will build and install libpcap.
  3. Remove target_port in bpf code.
  4. Add filter_pcap_ebpf_l2() as a stub to inject pcap-filter.
  5. Use [email protected] to inject pcap-filter into bpf program spec with elibpcap library.
  6. Remove --port option.
  7. Add --pcap-filter option.

Asphaltt, Feb 03 '24 05:02