On Friday, August 22, 2003, at 12:06 PM, [EMAIL PROTECTED] wrote:
> Sadly, it doesn't, as far as I can tell. The libpcap infrastructure is, apparently, built around only setting a single filter per instance. The memory in the filter is freed only when pcap_close() is called.
The libpcap infrastructure includes:
a compiler that takes a filter expression string, generates code for it into a malloced buffer, and saves a pointer to that buffer, and a count of generated instructions, in the "bpf_program" structure a pointer to which is passed to the compiler;
an interpreter for those programs, to be used in cases where code in the OS kernel can't itself interpret them and filter out packets rather than copying them to userland;
code that, on platforms where the OS *can* interpret them, hands them to the code in the OS kernel.
In recent versions (and "recent" isn't all that recent - I changed it a while ago), it also includes a routine to free the generated code buffer in a "bpf_program" structure, *and*, on platforms where there's no code in the OS kernel to interpret BPF programs, to, when installing a filter with "bpf_setfilter()", copy the code buffer, so that you *can* free the generated code buffer after installing a filter (it used to just copy the pointer to the code, so you couldn't free the code yourself, as it was still in use by the pcap_t).
The memory for a program produced by "pcap_compile()" is freed only when you call "pcap_freecode()" on it.
The memory for a program installed with "pcap_setfilter()" *and* copied, because code in the OS kernel can't interpret it, is freed either when
1) the pcap_t is closed
or
2) you install a new filter (see "install_bpf_program()").
The memory for a program installed with "pcap_setfilter()" and *not* copied, because code in the OS kernel *can* interpret it, is presumably freed either when
1) the pcap_t is closed
or
2) you install a new filter
although both of those depend on the OS code.
WinPcap includes a driver that runs in the OS kernel and does BPF filtering, so the "because code in the OS kernel *can* interpret it" case applies. I don't have the WinPcap code handy, but I suspect that it frees up the in-kernel copy of the filter in both cases.
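
A self-contained C model of the ownership rules described in the message above, added as an illustration and not taken from libpcap, WinPcap or the original post. The types and functions (`prog`, `handle`, `prog_compile`, `prog_free`, `handle_install`, `handle_close`) are constructed stand-ins for `bpf_program`, `pcap_t`, `pcap_compile()`, `pcap_freecode()`, a copying `pcap_setfilter()` and `pcap_close()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins, not libpcap's own definitions. */
struct insn { unsigned short code; unsigned int k; };
struct prog { unsigned int len; struct insn *insns; };  /* role of bpf_program */
struct handle { struct prog installed; };               /* role of pcap_t */

/* "Compile": the caller owns the malloced buffer until prog_free(). */
static int prog_compile(struct prog *p, unsigned int snap) {
    p->insns = malloc(sizeof *p->insns);
    if (p->insns == NULL) return -1;
    p->len = 1;
    p->insns[0].code = 0x06;   /* BPF_RET|BPF_K: accept `snap` bytes */
    p->insns[0].k = snap;
    return 0;
}
static void prog_free(struct prog *p) { free(p->insns); p->insns = NULL; p->len = 0; }

/* Install with copy: the handle keeps a private copy and frees the
 * previously installed one, so the caller's buffer is never shared. */
static int handle_install(struct handle *h, const struct prog *p) {
    struct insn *copy = malloc(p->len * sizeof *copy);
    if (copy == NULL) return -1;           /* old filter stays in place */
    memcpy(copy, p->insns, p->len * sizeof *copy);
    free(h->installed.insns);              /* case 2: new filter installed */
    h->installed.insns = copy;
    h->installed.len = p->len;
    return 0;
}
static void handle_close(struct handle *h) {   /* case 1: handle closed */
    free(h->installed.insns); h->installed.insns = NULL; h->installed.len = 0;
}

/* Install two filters in turn on one handle, freeing the caller's program
 * right after each install. Returns the accept length of the filter left
 * installed, or -1 on failure. */
static long swap_filters_demo(void) {
    struct handle h = { { 0, NULL } };
    struct prog p;
    unsigned int snaps[2] = { 96, 65535 };
    long result = -1;
    for (int i = 0; i < 2; i++) {
        if (prog_compile(&p, snaps[i]) != 0) break;
        int rc = handle_install(&h, &p);
        prog_free(&p);   /* safe only because install copied the code */
        if (rc != 0) break;
    }
    if (h.installed.len == 1) result = (long)h.installed.insns[0].k;
    handle_close(&h);
    return result;
}
int main(void) { printf("%ld\n", swap_filters_demo()); return 0; }
```

If `handle_install` stored `p->insns` instead of copying it, the `prog_free(&p)` call would leave the handle holding a dangling pointer, which is the older behaviour the message describes.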
