The rpcap protocol compiles filters into BPF programs and sends the bytecode to the remote device. This does not work properly if the filter requires knowledge of BPF extensions to compile correctly for the remote device (e.g., vlan on Linux and now Windows) because it does not set the pcap_t's bpf_codegen_flags, presumably because the protocol does not communicate the necessary information.
- Set up a vlan interface.
- Capture packets locally with and without a `vlan` filter. Note that there are VLAN tagged packets.
- Capture packets remotely with rpcap and no filter. Note that there are VLAN tagged packets.
- Capture packets remotely with rpcap and a `vlan` filter. Note zero packets captured.
Compiling the filter both locally and with the rpcap device shows that BPF extensions are not used with the rpcap device. (Same behavior from dumpcap.)
```
$ sudo ./tcpdump -d -i enp6s0 "vlan"
(000) ldb      [vlanp]
(001) jeq      #0x1             jt 6    jf 2
(002) ldh      [12]
(003) jeq      #0x8100          jt 6    jf 4
(004) jeq      #0x88a8          jt 6    jf 5
(005) jeq      #0x9100          jt 6    jf 7
(006) ret      #262144
(007) ret      #0
```

```
$ ./tcpdump -d -i "rpcap://127.0.0.1/enp6s0" "vlan"
(000) ldh      [12]
(001) jeq      #0x8100          jt 4    jf 2
(002) jeq      #0x88a8          jt 4    jf 3
(003) jeq      #0x9100          jt 4    jf 5
(004) ret      #262144
(005) ret      #0
```
- This is not a security issue (See first line).
```
$ pcap-config --version
1.11.0-PRE-GIT
```
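To make the difference between the two listings above mechanical, here is an added example (not libpcap's or the reporter's code) that encodes both programs as `struct bpf_insn` arrays and counts loads from the Linux ancillary-data area, which is what a `[vlanp]` load is. The struct layout and constants are taken from `<pcap/bpf.h>` and `<linux/filter.h>` but redefined locally (an assumption, so the file builds without libpcap); jump targets are written as relative offsets, as libpcap stores them.

```c
#include <stddef.h>
#include <stdint.h>
/* Classic BPF instruction as laid out in <pcap/bpf.h>; jt/jf are relative offsets. */
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
/* Opcode bits (same values as <pcap/bpf.h>). */
#define BPF_LD  0x00
#define BPF_ABS 0x20
#define BPF_H   0x08
#define BPF_B   0x10
#define BPF_JMP 0x05
#define BPF_JEQ 0x10
#define BPF_K   0x00
#define BPF_RET 0x06
/* Linux ancillary offsets (<linux/filter.h>): an absolute load with k in
 * [SKF_AD_OFF, SKF_AD_OFF + SKF_AD_MAX) reads kernel metadata, not packet bytes. */
#define SKF_AD_OFF              (-0x1000)
#define SKF_AD_MAX              64
#define SKF_AD_VLAN_TAG_PRESENT 48   /* tcpdump -d shows this load as [vlanp] */
/* The 8-instruction program the report shows for the local capture. */
const struct bpf_insn local_vlan_prog[] = {
    { BPF_LD|BPF_B|BPF_ABS, 0, 0, (uint32_t)(SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT) },
    { BPF_JMP|BPF_JEQ|BPF_K, 4, 0, 0x1 },     /* kernel says tagged -> ret #262144 */
    { BPF_LD|BPF_H|BPF_ABS, 0, 0, 12 },       /* otherwise inspect the EtherType */
    { BPF_JMP|BPF_JEQ|BPF_K, 2, 0, 0x8100 },
    { BPF_JMP|BPF_JEQ|BPF_K, 1, 0, 0x88a8 },
    { BPF_JMP|BPF_JEQ|BPF_K, 0, 1, 0x9100 },
    { BPF_RET|BPF_K, 0, 0, 262144 },
    { BPF_RET|BPF_K, 0, 0, 0 },
};
/* The 6-instruction program the report shows for rpcap://: no [vlanp] load. */
const struct bpf_insn remote_vlan_prog[] = {
    { BPF_LD|BPF_H|BPF_ABS, 0, 0, 12 },
    { BPF_JMP|BPF_JEQ|BPF_K, 2, 0, 0x8100 },
    { BPF_JMP|BPF_JEQ|BPF_K, 1, 0, 0x88a8 },
    { BPF_JMP|BPF_JEQ|BPF_K, 0, 1, 0x9100 },
    { BPF_RET|BPF_K, 0, 0, 262144 },
    { BPF_RET|BPF_K, 0, 0, 0 },
};
/* Count instructions that depend on Linux BPF extensions (ancillary loads). */
size_t count_extension_loads(const struct bpf_insn *p, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        int32_t k = (int32_t)p[i].k;   /* ancillary offsets are negative */
        if ((p[i].code & 0x07) == BPF_LD && (p[i].code & 0xe0) == BPF_ABS &&
            k >= SKF_AD_OFF && k < SKF_AD_OFF + SKF_AD_MAX)
            hits++;
    }
    return hits;
}
```

The same function can be pointed at the `bf_insns`/`bf_len` of a `struct bpf_program` returned by `pcap_compile()` to check, before handing a filter to an rpcap device, whether the client-side compile relied on extensions at all.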