tcpdump mailing list archives
Re: tcpdump and BPF filters
From: Guy Harris <guy () alum mit edu>
Date: Sun, 10 Jul 2011 12:41:09 -0700
On Jul 10, 2011, at 12:11 PM, Geoffrey Sisson wrote:
> It's for walking through some variable-length fields, and involves iteratively using values in the packet as offsets for successive loads.

...

> I don't think the filter language supports it,

The filter language is generally fairly high-level, but it does have the <expr> <relop> <expr> expressions, and each <expr> is <proto>[<expr>:<size>], so you can use the result of an expression as the offset in another expression.

> and my initial sense is that it would be hard to extend it to do this.

There are definitely places where the code generated for expressions uses values in the packet as offsets; even if you ignore the variable-length IP header, there is, for example, the variable-length 802.11 header, as well as the variable-length radio metadata headers that can precede the 802.11 header. What sort of variable-length fields are you processing?
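
Added example, not part of the original message and not libpcap code: a small Python model of the `<proto>[<expr>:<size>]` accessor described above, evaluating the nested filter `tcp[((tcp[12] & 0xf0) >> 2):4] = 0x47455420` by hand so the inner load's result becomes the outer load's offset. The function names and the sample packets are constructed for illustration; the model assumes the buffer starts at the IPv4 header and omits the fragment check.

```python
class FilterReject(Exception):
    """A load ran past the captured bytes; classic BPF rejects the packet."""

def load(buf, offset, size=1):
    """Model of <proto>[<expr>:<size>]: unsigned big-endian load of 1, 2 or 4 bytes."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    if offset < 0 or offset + size > len(buf):
        raise FilterReject(f"{size}-byte load at offset {offset} is out of bounds")
    return int.from_bytes(buf[offset:offset + size], "big")

def matches_http_get(ip):
    """Hand evaluation of: tcp[((tcp[12] & 0xf0) >> 2):4] = 0x47455420
    `ip` starts at the IPv4 header (no link-layer header, no fragment check)."""
    try:
        if load(ip, 9) != 6:                         # ip[9] = 6, i.e. TCP
            return False
        tcp = ip[(load(ip, 0) & 0x0f) * 4:]          # skip variable-length IP header
        data_off = (load(tcp, 12) & 0xf0) >> 2       # inner <expr>: TCP header length
        return load(tcp, data_off, 4) == 0x47455420  # outer load at that offset ("GET ")
    except FilterReject:
        return False                                 # truncated capture: no match

def build_packet(ihl_words, tcp_words, payload):
    """Constructed sample: zeroed IPv4 + TCP headers of the given lengths."""
    ip = bytearray(ihl_words * 4)
    ip[0] = 0x40 | ihl_words      # version 4, header length in 32-bit words
    ip[9] = 6                     # protocol = TCP
    tcp = bytearray(tcp_words * 4)
    tcp[12] = tcp_words << 4      # data offset in the high nibble
    return bytes(ip) + bytes(tcp) + payload

if __name__ == "__main__":
    # Same filter, two different header layouts (with and without options).
    for ihl, doff in [(5, 5), (6, 8)]:
        pkt = build_packet(ihl, doff, b"GET / HTTP/1.1\r\n")
        print(ihl, doff, matches_http_get(pkt))
```
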