pcapplusplus port filter fails to find packets in trace files


I have an application that displays stats about packets in a pcap file. Here is a partial output from a run I did without filters:

192.168.42.4:5082-17.253.27.205:20480 88:66:5a:04:e0:76 00:80:ae:b2:1e:92 S.SA.A

I then ran again with a port filter for 5082 and got nothing, no packets were found.

Here is the set filter I used on the reader:

reader->setFilter("port 5082");

reader->setFilter("host 192.168.42.4") and this works fine. I can get filters for MAC addresses, IP, and protocol to work. I can't get any filter with ports in it to work.

reader->setFilter("ost 192.168.42.4 and src port 5082") fails as well.

The following fails as well:

pcpp::PortFilter p(5082, pcpp::SRC_OR_DST);
if (!reader->setFilter(p)) {
    fmt::print("Could not set up filter on file");
}

Note: 0 packets found, no error on setFilter.

Any ideas?


There are 1 best solutions below

scottjr155 On

I found the problem. seladb's question made me take a close look at the capture file. Somehow the port numbers I am getting from pcapplusplus are not the same as in the capture as displayed by Wireshark. Now I will have to go back and figure out why my port number from pcapplusplus is corrupt.

Thanks for your response.
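
An added example, not part of the original question or answer: the page does not say why the ports differed, but the 20480 in the question's output equals port 80 with its two bytes swapped, so one hypothesis worth ruling out is a raw 16-bit port field printed without network-to-host conversion. The header bytes below are constructed to match that hypothesis, and all function names are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed sample: the first 4 bytes of a TCP header as they would sit on
// the wire (network byte order) if the real ports were 55827 -> 80.
static const uint8_t kSampleTcpHdr[4] = {0xDA, 0x13, 0x00, 0x50};

// Correct read: assemble the big-endian bytes explicitly, so the result does
// not depend on the host's endianness.
uint16_t wirePort(const uint8_t* p) {
    return static_cast<uint16_t>((p[0] << 8) | p[1]);
}

// What a little-endian host gets when the field is loaded as a native
// uint16_t and printed without ntohs()-style conversion.
uint16_t unconvertedPort(const uint8_t* p) {
    return static_cast<uint16_t>((p[1] << 8) | p[0]);
}

// Swap the two bytes of a displayed value to get the candidate wire value.
uint16_t swap16(uint16_t v) {
    return static_cast<uint16_t>((v << 8) | (v >> 8));
}

// A capture filter such as "port N" is evaluated against the wire value of
// either port, not against whatever the application printed.
bool filterWouldMatch(const uint8_t* tcpHdr, uint16_t filterPort) {
    return wirePort(tcpHdr) == filterPort || wirePort(tcpHdr + 2) == filterPort;
}

int main() {
    const uint8_t* h = kSampleTcpHdr;
    std::printf("displayed (unconverted): %u -> %u\n",
                static_cast<unsigned>(unconvertedPort(h)),
                static_cast<unsigned>(unconvertedPort(h + 2)));
    std::printf("on the wire:             %u -> %u\n",
                static_cast<unsigned>(wirePort(h)),
                static_cast<unsigned>(wirePort(h + 2)));
    std::printf("filter 'port 5082' matches: %s\n",
                filterWouldMatch(h, 5082) ? "yes" : "no");
    std::printf("filter 'port %u' matches: %s\n",
                static_cast<unsigned>(swap16(5082)),
                filterWouldMatch(h, swap16(5082)) ? "yes" : "no");
    return 0;
}
```

If a filter on the swapped value finds the packets and Wireshark shows that same value, the capture and the filter are fine and the fault is in how the application reads or prints the port.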