
feat: Support pcap-filter expression for pcap mode

Open · Asphaltt opened this issue 1 year ago · 1 comment

Fix #474

It's better to use a pcap-filter expression to filter packets, like tcpdump does, instead of --port-like options.

There are two ways to use pcap-filter:

  1. ./bin/ecapture tls -m pcap -i ens33 --pcapfile test.pcapng --pcap-filter="host 142.251.10.100"
  2. ./bin/ecapture tls -m pcap -i ens33 --pcapfile test.pcapng host 142.251.10.100

So, in this commit:

  1. Add libpcap as a Git submodule.
  2. make in Makefile will build and install libpcap.
  3. Remove target_port in bpf code.
  4. Add filter_pcap_ebpf_l2() as a stub to inject pcap-filter.
  5. Use [email protected] to inject pcap-filter into bpf program spec with elibpcap library.
  6. Remove --port option.
  7. Add --pcap-filter option.

Asphaltt · Feb 03 '24 05:02

./bin/ecapture tls -m pcap -i ens33 --pcapfile test.pcapng host 142.251.10.100

It seems that Option 2 is more in line with the usual rules of using pcap-filter, just like tcpdump, tshark, etc.

It looks like Option 2 better matches the conventions for using pcap-filter, the same as tcpdump and similar products.

cfc4n · Feb 04 '24 02:02
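How a CLI can accept both filter forms from the PR description (the --pcap-filter flag and tcpdump-style trailing words, the Option 2 preferred in the comment above) is shown below as an added example in Go. It is not eCapture's own flag code: ResolveFilter and ParseArgs are hypothetical names, the "text" default for -m is assumed, and only the flag names -m, -i, --pcapfile and --pcap-filter come from the page.

```go
package main

import (
	"flag"
	"fmt"
	"strings"
)

// ResolveFilter merges the two CLI forms from the PR description:
//   1. --pcap-filter="host 142.251.10.100"
//   2. trailing words joined tcpdump-style: host 142.251.10.100
// Different text in both places is an error rather than one form silently
// winning, so the capture never matches more than the filter the user typed.
func ResolveFilter(flagValue string, positional []string) (string, error) {
	flagValue = strings.TrimSpace(flagValue)
	trailing := strings.TrimSpace(strings.Join(positional, " "))
	switch {
	case flagValue != "" && trailing != "" && flagValue != trailing:
		return "", fmt.Errorf("conflicting filters: --pcap-filter=%q vs %q", flagValue, trailing)
	case flagValue != "":
		return flagValue, nil
	default:
		return trailing, nil // "" is libpcap's "match everything"
	}
}

// PcapOpts holds the `ecapture tls -m pcap` options relevant to filtering.
type PcapOpts struct{ Iface, PcapFile, Filter string }

// ParseArgs is a hypothetical parser shaped like the command lines on the
// page (not eCapture's real flag code). A filter given outside pcap mode is
// rejected instead of being accepted and then never applied.
func ParseArgs(args []string) (PcapOpts, error) {
	var o PcapOpts
	fs := flag.NewFlagSet("ecapture tls", flag.ContinueOnError)
	mode := fs.String("m", "text", "capture mode (default assumed)")
	fs.StringVar(&o.Iface, "i", "", "network interface")
	fs.StringVar(&o.PcapFile, "pcapfile", "", "output .pcapng path")
	flagFilter := fs.String("pcap-filter", "", "pcap-filter expression")
	if err := fs.Parse(args); err != nil {
		return o, err
	}
	filter, err := ResolveFilter(*flagFilter, fs.Args()) // fs.Args(): words after the flags
	if err != nil {
		return o, err
	}
	if filter != "" && *mode != "pcap" {
		return o, fmt.Errorf("pcap-filter %q needs -m pcap, got -m %s", filter, *mode)
	}
	o.Filter = filter
	return o, nil
}
```

Go's flag package stops at the first non-flag word, which is exactly the tcpdump convention: flags first, then the free-form filter expression.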

It runs normally on x86_64/aarch64 Linux. However, it has no effect when running on aarch64 Android (kernel 5.15).

But you can skip Android for now.

cfc4n · Feb 21 '24 13:02