Question

Using WinPcap 4.1.2, I have a need to collect all of the IP-based traffic on a given interface and then filter user-selected TCP- and UDP-based "conversations" for layer 7 processing. Due to the simultaneous need to uniquely tag each incoming frame once, I cannot use the obvious solution of having multiple pcap_t devices with a unique filter for each device. Instead, I am collecting the data with a single pcap_t device, tagging each frame, and then leveraging the pcap_offline_filter API to filter each selected "conversation" in a separate thread (i.e., X conversations will be filtered in X different threads) to take full advantage of the multi-core systems this application will be running on.

The question is simple. Is the pcap_offline_filter API thread-safe?

Solution

pcap_offline_filter() has no global data that would be shared by multiple instances, so, as long as you're not modifying its arguments in other threads (there's no reason to do so - you shouldn't, for example, be changing the compiled filter structure while in the middle of filtering with it, or changing the packet header or data while filtering it), it's thread-safe.

(pcap_compile(), however, is not itself thread-safe; it's based on a YACC parser and Lex lexical analyzer, and I don't think yacc or Bison, or Lex or Flex, generate thread-safe code by default, and the code generator also has global variables. Just make sure you compile the filter expressions in the same thread; you can then let multiple threads use those expressions. I've checked into the libpcap trunk a change to make the first argument to pcap_offline_filter() a const struct bpf_program *, to clarify that it reads but doesn't modify the filter. That applies both to the struct bpf_program and to the array of struct bpf_insns to which that structure points.)
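The property the answer relies on, modeled as an added example (this is not libpcap's code and not from the original answer): a minimal classic-BPF evaluator that takes the filter program through a const pointer and keeps all of its state in locals, called from two threads over the same frames. The struct and function names, the hand-assembled filters and the sample frames are constructed for illustration; with libpcap, the filters would come from pcap_compile() in a single thread and run_filter() would be pcap_offline_filter().

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for struct bpf_insn / struct bpf_program (assumption). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct prog { size_t len; const struct insn *insns; };
enum { LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };   /* classic BPF opcodes */

/* Reentrant evaluator: reads prog and pkt, writes only its own locals. */
static uint32_t run_filter(const struct prog *p, const uint8_t *pkt, size_t n) {
    uint32_t a = 0;                                   /* accumulator */
    for (size_t pc = 0; pc < p->len; pc++) {
        const struct insn *i = &p->insns[pc];
        switch (i->code) {
        case LDB_ABS: if (i->k >= n) return 0; a = pkt[i->k]; break;
        case JEQ_K:   pc += (a == i->k) ? i->jt : i->jf; break;
        case RET_K:   return i->k;
        default:      return 0;                       /* unknown opcode: reject */
        }
    }
    return 0;
}

/* Hand-assembled "IPv4 protocol == K" filters, built once and never modified. */
#define PROTO_FILTER(K) { {LDB_ABS,0,0,9}, {JEQ_K,0,1,(K)}, {RET_K,0,0,65535}, {RET_K,0,0,0} }
static const struct insn tcp_insns[] = PROTO_FILTER(6);
static const struct insn udp_insns[] = PROTO_FILTER(17);
/* Constructed sample frames: bare IPv4 headers, only the protocol byte set. */
static const uint8_t frames[4][20] = { {0x45,[9]=6}, {0x45,[9]=17}, {0x45,[9]=6}, {0x45,[9]=1} };
struct job { struct prog prog; int matches; };        /* private to one thread */

static void *worker(void *arg) {
    struct job *j = arg;
    for (int round = 0; round < 1000; round++)
        for (size_t f = 0; f < 4; f++)
            if (run_filter(&j->prog, frames[f], sizeof frames[f])) j->matches++;
    return NULL;
}

/* One thread per filter over the same shared frames; returns 0 on success. */
int filter_in_threads(int *tcp, int *udp) {
    struct job jobs[2] = { { {4, tcp_insns}, 0 }, { {4, udp_insns}, 0 } };
    pthread_t t[2]; int n = 0;
    while (n < 2 && pthread_create(&t[n], NULL, worker, &jobs[n]) == 0) n++;
    for (int i = 0; i < n; i++) pthread_join(t[i], NULL);
    *tcp = jobs[0].matches; *udp = jobs[1].matches;
    return n == 2 ? 0 : -1;
}

int main(void) { int t, u; return filter_in_threads(&t, &u); }
```

The only per-thread writes go to each thread's own struct job; the programs and frames are const and shared, which is the arrangement the answer describes as safe.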

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow