Hello again. Regarding the freeing of the filter program, I think it works fine.
I added this loop to a program and let it run 3 million times constantly checking memory usage.. repeat pcap_compile(.... ) pcap_setfilter(....) pcap_freecode(....) inc(count) until count = 3000000 After this was done, my program was not using any additional memory, it was the same as the when we started the loop. Also, global memory usage didnt change either while the loop was working. So therefore i think that : pcap_setfilter free's the kernal filter each time it is called, while pcap_freecode free's the local copy of the filter/bpf_program. So if one calls pcap_freecode after each pcap_compile/pcap_setfilter, then i think we are just fine. Regards, J. Thomsen. ----- Original Message ----- From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, August 22, 2003 9:06 PM Subject: RE: [WinPcap-users] speed + re-capturing packets. > Hello All. > [snip] > > Regarding this matter I do have some additional questions: > Who/how does the old filter get freed when you set a new one ? Sadly, it doesn't, as far as I can tell. The libpcap infrastructure is, apparently, built around only setting a single filter per instance. The memory in the filter is freed only when pcap_close() is called. I built an application which needs to continually filter out a changing list of MAC addresses, and ran into problems with severe memory leaks down inside winpcap because the filter memory was not freed by a new call to pcap_setfilter(). > > Does pcap_setfilter free any previous used filter when it applies > a new one ? Nope. You can free the local storage of the BPF bytecode with pcap_freecode(), but the actual filter does not get freed. > > I ask because i want to make the bpf filter a learning filter like the > old one was. This means that each time a new local mac address > is found, it should get added to the filter like : > "not ether dst 112233445566", and the get compilet and set. Exactly the same problem I ran into. I have now moved MAC filtering to the application level to avoid this problem. > > I might even end up with something like 100 of these statemens. > Can the bpf filter handle this? > "not ether dst 112233445566 and not ether dst 778899AABBCC"... > > Also, could one write "not ether dst mac1 mac2 mac3 mac4 > mac5......." ? Not in my experience, but I'm no Yak specialist ;-) ====================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/ To unsubscribe use mailto: [EMAIL PROTECTED] ====================== ================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/ To unsubscribe use mailto: [EMAIL PROTECTED] ==================================================================
