I am passing a tcpdump filter to a function which compiles the filter
using pcap_compile and then sets it.
Here is the filter:
ip[12:4]>=0x0000 and ip[12:4] <=0xd9295a3 and ip[16:4] >=0x0000 and
ip[16:4] <=0x3ca9b416 and tcp[0:2]>=0 and tcp[0:2]<=23923 and
tcp[2:2]>=0 and tcp[2:2]<=64582 and tcp[2:2]<=655355
I have many threads passing different filters of a similar form to
the same function.
The problem is, 8 out of 10 times, the string gets passed successfully
and compiled without any problem, but the other 2 times, the string gets
manipulated in a random manner.
For example, in this case, the filter was passed as:
ip[12:4]>=0x0000 and ip[12:4] <=0xd9295a3 and ip[16:4] >=0x0000 and
ip[16:4] <=0x3ca9b416 and tcp[0:2]>=0 and tcp[0:2]<=23923 and
tcp[2:2]>=0 and tcp[2:2]<=64582 tcp[2:2]<=655355
which of course resulted in pcap_compile raising a syntax error.
Here is a part of the output for 10 threads:
ip[12:4]>=0x0000 and ip[12:4] <=0x4e82b543 and ip[16:4] >=0x0000 and
ip[16:4] <=0x6f835b87 and tcp[0:2]>=0 and tcp[0:2]<=13052 and
tcp[2:2]>=0 and tcp[2:2]<=14069n
Couldn't parse filter ip[12:4]>=0x0000 and ip[12:4] <=0x4e82b543 and
ip[16:4] >=0x0000 and ip[16:4] <=0x6f835b87 and tcp[0:2]>=0 and
tcp[0:2]<=13052 and tcp[2:2]>=0 and tcp[2:2]<=14069n: syntax error
******************
PASSED WITHOUT ERROR
ip[12:4]>=0x4e82b544 and ip[12:4] <=0xffffffff and ip[16:4]
>=0x6f835b88 and ip[16:4] <=0xffffffff and tcp[0:2]>=13053 andtcp[0:2]<=65535 and tcp[2:2]>=14070 and tcp[2:2]<=65535
******************
ip[12:4]>=0x0000 and ip[12:4] <=0xa7997e38 and ip[16:4] >=0x0000 and
ip[16:4] <=0x7b404ab4 and udp[0:2]>=0 and udp[0:2]<=31630 and
udp[2:2]>=0 and udp[2:2]<=27845 tcp[2:2]<=65535
Couldn't parse filter ip[12:4]>=0x0000 and ip[12:4] <=0xa7997e38 and
ip[16:4] >=0x0000 and ip[16:4] <=0x7b404ab4 and udp[0:2]>=0 and
udp[0:2]<=31630 and udp[2:2]>=0 and udp[2:2]<=27845 tcp[2:2]<=65535:
syntax error
******************
PASSED WITHOUT ERROR
ip[12:4]>=0xa7997e39 and ip[12:4] <=0xffffffff and ip[16:4]
>=0x7b404ab5 and ip[16:4] <=0xffffffff and udp[0:2]>=31631 andudp[0:2]<=65535 and udp[2:2]>=27846 and udp[2:2]<=65535
******************
ip[12:4]>=0x0000 and ip[12:4] <=0x48fee779 and ip[16:4] >=0x0000 and
ip[16:4] <=0xcbdf7c5 and tcp[0:2]>=0 and tcp[0:2]<=24066 and
tcp[2:2]>=0 and tcp[2:2]<=56142d udp[2:2]<=65535
Couldn't parse filter ip[12:4]>=0x0000 and ip[12:4] <=0x48fee779 and
ip[16:4] >=0x0000 and ip[16:4] <=0xcbdf7c5 and tcp[0:2]>=0 and
tcp[0:2]<=24066 and tcp[2:2]>=0 and tcp[2:2]<=56142d udp[2:2]<=65535:
syntax error
******************
PASSED WITHOUT ERROR
ip[12:4]>=0x48fee77a and ip[12:4] <=0xffffffff and ip[16:4]
>=0xcbdf7c6 and ip[16:4] <=0xffffffff and tcp[0:2]>=24067 andtcp[0:2]<=65535 and tcp[2:2]>=56143 and tcp[2:2]<=655355
******************
ip[12:4]>=0x0000 and ip[12:4] <=0x1e9e35b and ip[16:4] >=0x0000 and
ip[16:4] <=0x675231ed and tcp[0:2]>=0 and tcp[0:2]<=28481 and
tcp[2:2]>=0 and tcp[2:2]<=50549 tcp[2:2]<=655355
Couldn't parse filter ip[12:4]>=0x0000 and ip[12:4] <=0x1e9e35b and
ip[16:4] >=0x0000 and ip[16:4] <=0x675231ed and tcp[0:2]>=0 and
tcp[0:2]<=28481 and tcp[2:2]>=0 and tcp[2:2]<=50549 tcp[2:2]<=655355:
syntax error
******************
As is evident, the error is pretty random, and mostly toward the end
of the filter, with the occasional "and" missing.
Can anyone please confirm that this is indeed a problem with gcc?
Or are there any particular measures I need to take when passing a
long string?
Thanks,
Shashank