tcpdump mailing list archives

Re: pcap_compile() generates strange code with DLT_RAW


From: Anton Yuzhaninov <citrin () rambler-co ru>
Date: Thu, 31 May 2007 00:24:11 +0400

Hello, Guy.

You wrote on Wednesday, May 30, 2007, 10:14:07 PM:
Anton Yuzhaninov wrote:
Hello.

When libpcap is built with -DINET6, pcap_compile() generates strange BPF
code with DLT_RAW

pcap_compile_nopcap(65535, DLT_RAW, &bp, "udp", 1, 0)
generates this code:

# (000) ld       #0x0
{ code=0 jt=0 jf=0 k=0 }
# (001) ldb      [6]
{ code=48 jt=0 jf=0 k=6 }
# (002) jeq      #0x11            jt 5  jf 3
{ code=21 jt=2 jf=0 k=17 }
# (003) ldb      [9]
{ code=48 jt=0 jf=0 k=9 }
# (004) jeq      #0x11            jt 5  jf 6
{ code=21 jt=0 jf=1 k=17 }
# (005) ret      #65535
{ code=6 jt=0 jf=0 k=65535 }
# (006) ret      #0
{ code=6 jt=0 jf=0 k=0 }


(001), (002) - check that the byte at offset 6 (4 bits from the flags field
and 4 bits from the fragment offset) equals 17 (the protocol number for UDP).
It seems to be wrong.

...for IPv4, but not for IPv6 (if the next header is UDP).

Since both "is this IPv4?" and "is this IPv6?" were being answered as 
"yes", it was testing both the IPv6 "next header" field and the IPv4 
"protocol" field, regardless of whether the packet is IPv4 or IPv6.

But with the code generated by 0.9.4, IPv4 non-UDP packets can be matched
by the expression "udp".

I've checked in a change to, for DLT_RAW, check the version field of the
IPv4/IPv6 header; the generated code if INET6 is enabled is now:

(000) ldb      [0]
(001) and      #0xf0
(002) jeq      #0x60            jt 3    jf 5
(003) ldb      [6]
(004) jeq      #0x11            jt 10   jf 11
(005) ldb      [0]
(006) and      #0xf0
(007) jeq      #0x40            jt 8    jf 11
(008) ldb      [9]
(009) jeq      #0x11            jt 10   jf 11
(010) ret      #65535
(011) ret      #0

It seems better. Which libpcap version was used to produce this bpf
code?

This is checked into the main and x.9 branches.

main = CVS head?
Is this in the 0.9.5 release?

-- 
WBR,
 Anton Yuzhaninov

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
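
Added example, not part of the thread and not libpcap code: a small interpreter for the opcodes in the two listings above, run over constructed packets, showing that the first program accepts non-UDP traffic on DLT_RAW while the version-checking program does not. The names (`run_filter`, `old_udp`, `new_udp`) and packet bytes are assumptions for illustration; the relative jump offsets in `new_udp` are derived from the absolute targets in the second listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as the { code jt jf k } dump: jt/jf are relative to the next insn. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Minimal classic-BPF interpreter: only the opcodes used by the two listings. */
static uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case 0x00: a = p[pc].k; break;                       /* ld  #k */
        case 0x30: if (p[pc].k >= len) return 0;             /* ldb [k]; short packet rejects */
                   a = pkt[p[pc].k]; break;
        case 0x54: a &= p[pc].k; break;                      /* and #k */
        case 0x15: pc += (a == p[pc].k) ? p[pc].jt : p[pc].jf; break; /* jeq #k */
        case 0x06: return p[pc].k;                           /* ret #k */
        default:   return 0;                                 /* unsupported opcode */
        }
    }
    return 0;
}

/* First listing: tests byte 6 and byte 9 without checking the IP version. */
static const struct insn old_udp[] = {
    {0x00,0,0,0}, {0x30,0,0,6}, {0x15,2,0,0x11}, {0x30,0,0,9},
    {0x15,0,1,0x11}, {0x06,0,0,65535}, {0x06,0,0,0},
};
/* Second listing: checks the version nibble before picking the field. */
static const struct insn new_udp[] = {
    {0x30,0,0,0}, {0x54,0,0,0xf0}, {0x15,0,2,0x60}, {0x30,0,0,6},
    {0x15,5,6,0x11}, {0x30,0,0,0}, {0x54,0,0,0xf0}, {0x15,0,3,0x40},
    {0x30,0,0,9}, {0x15,0,1,0x11}, {0x06,0,0,65535}, {0x06,0,0,0},
};

/* Constructed packets: IPv4 TCP fragment whose byte 6 is 0x11, IPv4 UDP,
   and IPv6 TCP whose source address puts 0x11 at byte 9. */
static const uint8_t v4_tcp_frag[20] = {0x45,0,0,40, 0,1,0x11,0, 64,6,0,0, 192,0,2,1, 192,0,2,2};
static const uint8_t v4_udp[20]      = {0x45,0,0,28, 0,1,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2};
static const uint8_t v6_tcp[40]      = {0x60,0,0,0, 0,20,6,64, 0x20,0x11};

int main(void)
{
    printf("v4 tcp frag: old=%u new=%u\n", run_filter(old_udp, N(old_udp), v4_tcp_frag, 20),
           run_filter(new_udp, N(new_udp), v4_tcp_frag, 20));
    printf("v6 tcp:      old=%u new=%u\n", run_filter(old_udp, N(old_udp), v6_tcp, 40),
           run_filter(new_udp, N(new_udp), v6_tcp, 40));
    return 0;
}
```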