0
votes

I am trying to create a pcap filter for filtering ARP replies only. In Wireshark I use

arp.opcode==2

and it works perfectly. But when I use it in the pcap_compile function, it throws an exception: syntax error. I also tried these variants:

arp.opcode = 2
arp.opcode 2
arp opcode 2
arp.reply
arp reply

and nothing seems to work. I tried to google it, but with no success. Is it even possible to filter those specific packets?

1
Just use either C or C++. Don't tag the post with both. Also add the code, without which we can't help. - Shridhar R Kulkarni
pcap filters are not as sophisticated as the expressions Wireshark supports. Documentation at e.g. linux.die.net/man/7/pcap-filter. You might be better off just filtering for arp traffic and then checking for replies in code; otherwise you're going to need to research the arp packet format at the byte level. - Alan Stokes
@AlanStokes Yeah, I figured. I wanted to make it simpler, but I guess it can't be done. Thanks for the reply! - Tibor Mikita

1 Answer

0
votes

I suspect this should work, based on the packet structure from Wikipedia:

arp [6:2] = 2

That's also suggested by this answer: https://stackoverflow.com/a/40199540/212870

(It's easier to look up once you figure out the answer, unfortunately.)
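As an added example (not the asker's or answerer's code), here is the byte-level check that `arp[6:2] = 2` performs, written in C so the same test can be applied in code to frames received after filtering for plain `arp`, as the comments suggest. The two frames are constructed, not captured, and the fixed 14-byte link-header offset assumes untagged Ethernet.

```c
#include <stddef.h>
#include <stdint.h>

/* On untagged Ethernet the 14-byte link header is followed by the ARP
 * header: hardware type (2), protocol type (2), hlen (1), plen (1),
 * opcode (2). That is why "arp[6:2] = 2" reads the 2-byte big-endian
 * field at ARP offset 6 and compares it with the REPLY opcode. */
#define ETH_HDR_LEN       14
#define ETHERTYPE_ARP     0x0806
#define ARP_OPCODE_OFFSET 6
#define ARP_OP_REPLY      2

/* Returns the ARP opcode, or -1 if the frame is not ARP or is too short.
 * Assumes an untagged Ethernet frame (no 802.1Q header); pcap's own
 * "arp" keyword adjusts the offset for the link type, this code does not. */
int arp_opcode(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + ARP_OPCODE_OFFSET + 2)
        return -1;
    unsigned ethertype = ((unsigned)frame[12] << 8) | frame[13];
    if (ethertype != ETHERTYPE_ARP)
        return -1;
    const uint8_t *arp = frame + ETH_HDR_LEN;
    return ((int)arp[ARP_OPCODE_OFFSET] << 8) | arp[ARP_OPCODE_OFFSET + 1];
}

/* In-code equivalent of the pcap expression "arp[6:2] = 2". */
int is_arp_reply(const uint8_t *frame, size_t len)
{
    return arp_opcode(frame, len) == ARP_OP_REPLY;
}

/* Constructed sample frames, not captured traffic: Ethernet header plus a
 * 28-byte IPv4-over-Ethernet ARP header. The opcode bytes are at offset 20. */
const uint8_t ARP_REQUEST_FRAME[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,               /* opcode 1 */
    0x02,0x00,0x00,0x00,0x00,0x01, 192,0,2,1,
    0x00,0x00,0x00,0x00,0x00,0x00, 192,0,2,2 };
const uint8_t ARP_REPLY_FRAME[] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,               /* opcode 2 */
    0x02,0x00,0x00,0x00,0x00,0x02, 192,0,2,2,
    0x02,0x00,0x00,0x00,0x00,0x01, 192,0,2,1 };
```

A truncated frame (shorter than the 22 bytes needed to reach the opcode) is rejected rather than read past its end, which matters when applying this to snaplen-limited captures.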