Packet Sniffer SDK DLL Edition

4: Create BPF filter


To create a BPF filter, you write a program in a special-purpose language that defines the rules for filtering network packets. See the topic "What is BPF filter program?" for details.

To create a BPF filter and use it in Packet Sniffer SDK, use the HNUserFilter component.

First, create the HNUserFilter component:

[C++]
HANDLE hFtr = BpfCreate();
[Delphi]
hFtr : Pointer;
hFtr := BpfCreate();

After the HNUserFilter component has been created successfully, you can program the packet-filtering rules using the BpfAddCmd and BpfAddJmp functions.

Then assign the HNUserFilter to the HNAdapter component through the HNAdapter.UserFilter property, and activate it by setting the HNAdapter.UserFilterActive property to TRUE so that the rules you have just created take effect.

The following example creates a filter for IP packets:

[C++]
// Load the 16-bit word (WORD) at offset 12 from the start of the
// packet (the EtherType field of an Ethernet frame)

BpfAddCmd(hFtr,BPF_LD+BPF_H+BPF_ABS, 12);

// Check whether its value equals ETHERTYPE_IP (0x800, IP protocol)
// If the values match, jump with offset=0 (continue with the next instruction),
// otherwise jump with offset=1 (skip the next instruction)

BpfAddJmp(hFtr,BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 1);

// Exit with return code -1 (TRUE: pass this packet)

BpfAddCmd(hFtr,BPF_RET+BPF_K, -1);

// Exit with return code 0 (FALSE: ignore this packet)

BpfAddCmd(hFtr,BPF_RET+BPF_K, 0);

// Bind the filter to the adapter (hAdp is the HNAdapter handle) and activate it

AdpSetUserFilter(hAdp,hFtr);
AdpSetUserFilterActive(hAdp,TRUE);
[Delphi]
// Load the 16-bit word (WORD) at offset 12 from the start of the
// packet (the EtherType field of an Ethernet frame)

BpfAddCmd(hFtr,BPF_LD+BPF_H+BPF_ABS, 12);

// Check whether its value equals ETHERTYPE_IP (0x800, IP protocol)
// If the values match, jump with offset=0 (continue with the next instruction),
// otherwise jump with offset=1 (skip the next instruction)

BpfAddJmp(hFtr,BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 1);

// Exit with return code -1 (TRUE: pass this packet)

BpfAddCmd(hFtr,BPF_RET+BPF_K, -1);

// Exit with return code 0 (FALSE: ignore this packet)

BpfAddCmd(hFtr,BPF_RET+BPF_K, 0);

// Bind the filter to the adapter (hAdp is the HNAdapter handle) and activate it

AdpSetUserFilter(hAdp,hFtr);
AdpSetUserFilterActive(hAdp,TRUE);

After you have created the BPF filter and bound it to the network adapter (HNAdapter.UserFilter), Packet Sniffer SDK filters packets using these rules. You can also create and apply a BPF filter without opening the network adapter.

Next step:

5: Capture and process the traffic