Question

I am modifying tcpdump to dynamically change the filter that it uses to get the output from.

Currently tcpdump uses pcap_set_filter to actually prepare the filter for the incoming or outgoing packets that the user is interested in (or does pcap_compile do this? I am not so sure). Is it possible for tcpdump to dynamically change the filter? That is, I wanted to filter packets on my MAC address, and I dynamically change the MAC for some reasons; now that my MAC has changed, I should in turn inform tcpdump to change the filter to the new MAC. How can I do this?

Solution

> Is it possible for tcpdump to dynamically change the filter?

Yes, it can call pcap_setfilter(), with the new filter (as compiled from a filter expression by pcap_compile()), on the pcap_t that it has open, to set the filter to the new value.

However, that will cause traffic that's been captured but not read by tcpdump to be discarded. There is no mechanism in libpcap to prevent that from happening.

> That is, I wanted to filter packets on my MAC address, and I dynamically change the MAC for some reasons; now that my MAC has changed, I should in turn inform tcpdump to change the filter to the new MAC. How can I do this?

You would not only have to modify tcpdump to call pcap_compile() and pcap_setfilter() while it's capturing traffic, you would also have to modify it to receive messages from some source to tell it to change the filter and to specify what the new filter should be, and arrange to have that message be sent to it when the MAC address changes.
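
The call sequence described in the answer, shown as an added example that is not part of the original answer and is not tcpdump code: it drives libpcap through Python's ctypes so the pcap_compile() / pcap_setfilter() order is easy to try outside the tcpdump source. The names mac_filter_expr, load_libpcap and swap_filter are hypothetical, and the control message is assumed to carry only the new MAC address as text.

```python
import ctypes
import ctypes.util
import re

PCAP_NETMASK_UNKNOWN = 0xFFFFFFFF  # constant from pcap.h
_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")

class BpfProgram(ctypes.Structure):
    """Mirror of libpcap's struct bpf_program."""
    _fields_ = [("bf_len", ctypes.c_uint), ("bf_insns", ctypes.c_void_p)]

def mac_filter_expr(mac):
    """Build the filter from a control message (assumed format: a bare MAC)."""
    mac = mac.strip()
    if not _MAC_RE.fullmatch(mac):
        # Refuse anything else so the message cannot smuggle in filter syntax.
        raise ValueError("not a MAC address: %r" % mac)
    return "ether host " + mac.lower()

def load_libpcap():
    """Load libpcap and declare the prototypes used by swap_filter()."""
    name = ctypes.util.find_library("pcap")
    if not name:
        raise OSError("libpcap not found")
    lib = ctypes.CDLL(name)
    lib.pcap_open_live.restype = ctypes.c_void_p  # pcap_t * for swap_filter()
    lib.pcap_compile.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram),
                                 ctypes.c_char_p, ctypes.c_int, ctypes.c_uint32]
    lib.pcap_setfilter.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram)]
    lib.pcap_freecode.argtypes = [ctypes.POINTER(BpfProgram)]
    lib.pcap_geterr.argtypes = [ctypes.c_void_p]
    lib.pcap_geterr.restype = ctypes.c_char_p
    return lib

def swap_filter(lib, handle, new_mac):
    """Replace the filter on an open pcap_t; on any failure the old one stays."""
    expr = mac_filter_expr(new_mac)  # validate before touching the capture
    prog = BpfProgram()
    if lib.pcap_compile(handle, ctypes.byref(prog), expr.encode(), 1,
                        PCAP_NETMASK_UNKNOWN) != 0:
        raise RuntimeError(lib.pcap_geterr(handle).decode(errors="replace"))
    try:
        if lib.pcap_setfilter(handle, ctypes.byref(prog)) != 0:
            raise RuntimeError(lib.pcap_geterr(handle).decode(errors="replace"))
    finally:
        lib.pcap_freecode(ctypes.byref(prog))  # allowed once the filter is set
    return expr
```

swap_filter() would be called from the capture loop when the control message arrives, with handle being the value returned by pcap_open_live() (which needs capture privileges).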

Licensed under: CC-BY-SA with attribution