tcpdump mailing list archives

Re: Signed/Unsigned Frag Offset Issue?

From: Guy Harris <guy () alum mit edu>
Date: Wed, 10 Dec 2003 13:15:43 -0800


On Dec 10, 2003, at 11:52 AM, Joshua Krage wrote:

On Wed, Dec 10, 2003 at 02:32:45AM -0800, Guy Harris wrote:

What does
        tcpdump -d 'ip[6:2] & 0x1fff > 0'
print?


$ tcpdump -d ip[6:2] & 0x1fff > 0
(000) ldh       [12]
(001) jeq       #0x800           jt 2    jf 5
(002) ldh       [20]
(003) jset      #0x1fff          jt 5    jf 4
(004) ret       #96
(005) ret       #0


That's interesting.  The libpcap 0.6 in Mac OS X 10.3.1 generates

        (000) ldh      [12]
        (001) jeq      #0x800           jt 2    jf 6
        (002) ldh      [20]
        (003) and      #0x1fff
        (004) jgt      #0x80000000      jt 6    jf 5
        (005) ret      #96
        (006) ret      #0

and the current CVS version of libpcap generates

        (000) ldh      [12]
        (001) jeq      #0x800           jt 2    jf 7
        (002) ldh      [20]
        (003) and      #0x1fff
        (004) ldx      #0x0
        (005) jgt      x                jt 6    jf 7
        (006) ret      #96
        (007) ret      #0

(I suspect the use of the X register is bogus and

        (000) ldh      [12]
        (001) jeq      #0x800           jt 2    jf 6
        (002) ldh      [20]
        (003) and      #0x1fff
        (004) jgt      #0x0             jt 5    jf 6
        (005) ret      #96
        (006) ret      #0

would have sufficed, unless "jgt x" does a different sort of comparisonthan does "jgt #0x0").


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

Current thread:

Signed/Unsigned Frag Offset Issue? Joshua Krage (Dec 09)
- Re: Signed/Unsigned Frag Offset Issue? Guy Harris (Dec 10)
  - Re: Signed/Unsigned Frag Offset Issue? Joshua Krage (Dec 10)
    - Re: Signed/Unsigned Frag Offset Issue? Guy Harris (Dec 10)