Question

pcap_compile() compiles a string into a filter program in the form of a bpf_program struct. In theory I could save the compiled form of the program and supply it to pcap_setfilter() on a different network interface or even on a different machine.

Will that work? Is the bpf_program form portable across different interfaces? Different processes? Different architectures? Or is it safest to compile the expression each time I want to use it?

Based on the existence of pcap_open_dead() I assume it is somewhat portable, but what's safe and what's not doesn't seem to be spelled out anywhere in the documentation.


Solution

No, it isn't portable in general.

You can use them on the same machine.

On similar machines somewhat safely. Different architectures? Probably not. Maybe if they have similar types. Different Operating Systems? No. I don't recommend any of these though.

If you really want to be sure, just compile the expression when you use it. It really takes an inconsequential amount of time if you're doing it rarely enough. If you're switching expressions rapidly, you might want to keep a few around.
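Added example, not code from the question or the answer above: if a compiled filter does have to cross a process boundary, the in-memory bpf_program (which holds a pointer) is not what to copy; the architecture-neutral form is the numeric listing tcpdump prints with -ddd, and any such foreign bytecode deserves a structural check before it reaches pcap_setfilter(). The struct definitions are local copies of libpcap's layout so the file builds without pcap.h, and the sample listing is a constructed one for an Ethernet handle, which is also why it would be wrong for an interface with a different link-layer type.

```c
#include <stdio.h>
#include <stdlib.h>

/* Local copies of libpcap's bpf_insn/bpf_program layouts (pcap/bpf.h) so this
 * builds without pcap.h. bf_insns is a pointer: the struct is process-local. */
struct bpf_insn { unsigned short code; unsigned char jt, jf; unsigned int k; };
struct bpf_program { unsigned int bf_len; struct bpf_insn *bf_insns; };
#define BPF_CLASS(c) ((c) & 0x07)  /* low 3 bits: instruction class */
enum { BPF_JMP = 0x05, BPF_RET = 0x06, JA_CODE = 0x05 /* BPF_JMP|BPF_JA */ };

/* Constructed sample: what `tcpdump -ddd ip` prints for an Ethernet (DLT_EN10MB)
 * handle. "ldh [12]" reads the Ethernet type field, so it only fits that link type. */
static const char *SAMPLE_DDD = "4\n40 0 0 12\n21 0 1 2048\n6 0 0 262144\n6 0 0 0\n";

/* Parse -ddd text (count, then "code jt jf k" per line). Returns 0 on success,
 * -1 on malformed input; on success the caller frees out->bf_insns. */
int bpf_from_ddd(const char *text, struct bpf_program *out) {
    unsigned int n, i, c, jt, jf, k; int used;
    if (sscanf(text, "%u%n", &n, &used) != 1 || n == 0 || n > 4096) return -1;
    if (!(out->bf_insns = calloc(n, sizeof *out->bf_insns))) return -1;
    for (i = 0, text += used; i < n; i++, text += used) {
        if (sscanf(text, "%u %u %u %u%n", &c, &jt, &jf, &k, &used) != 4 ||
            c > 0xffff || jt > 0xff || jf > 0xff) { free(out->bf_insns); return -1; }
        out->bf_insns[i].code = c; out->bf_insns[i].jt = jt; out->bf_insns[i].jf = jf; out->bf_insns[i].k = k;
    }
    out->bf_len = n;
    return 0;
}

/* Check before loading bytecode you did not compile yourself: every jump must land
 * inside the program (classic BPF only jumps forward) and the last instruction
 * must be a RET. Returns 1 if the program passes, 0 otherwise. */
int bpf_check(const struct bpf_program *p) {
    unsigned int i, room;
    if (p->bf_len == 0) return 0;
    for (i = 0; i < p->bf_len; i++) {
        const struct bpf_insn *in = &p->bf_insns[i];
        room = p->bf_len - 1 - i;  /* instructions after this one */
        if (BPF_CLASS(in->code) != BPF_JMP) continue;
        if (in->code == JA_CODE ? in->k >= room : (in->jt >= room || in->jf >= room))
            return 0;
    }
    return BPF_CLASS(p->bf_insns[p->bf_len - 1].code) == BPF_RET;
}

/* Parse then check: instruction count if usable, 0 if rejected, -1 if malformed. */
int load_and_check(const char *text) {
    struct bpf_program prog; int r;
    if (bpf_from_ddd(text, &prog) != 0) return -1;
    r = bpf_check(&prog) ? (int)prog.bf_len : 0;
    free(prog.bf_insns);
    return r;
}
```

A program that passes bpf_check is only structurally sound; whether its offsets mean anything still depends on the link-layer type and snaplen of the handle it was compiled for, which is the reason the answer recommends recompiling at the point of use.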

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow