tcpdump mailing list archives
Re: tcpdump and BPF filters
From: "Geoffrey Sisson" <geoff () geoff co uk>
Date: Mon, 11 Jul 2011 13:28:23 -0700
Guy Harris <guy () alum mit edu> wrote:

> On Jul 10, 2011, at 6:57 PM, Geoffrey Sisson wrote:
>
>> The catch is that domain names comprise a variable number of variable-length fields
>
> ....and include pointers back to other labels, for compression.

It's unlikely this would be used for much besides filtering on QNAMEs, which are never compressed.

> If the queries you're can be expressed in a syntax that could be added to the libpcap filter syntax, libpcap could be extended to generate BPF programs to match DNS labels

The primary application would be for filtering based on QNAMEs ending in a particular pattern. For example, to match domain names ending in '.org', an expression like this would be useful:

    dst port 53 and
    namelen(udp[20]) >
    udp[(20 + namelen(udp[20])) - 5] == 3 and     # \003
    udp[(20 + namelen(udp[20])) - 4] == 0x6f and  # 'o'
    udp[(20 + namelen(udp[20])) - 3] == 0x72 and  # 'r'
    udp[(20 + namelen(udp[20])) - 2] == 0x67      # 'g'

or even:

    dst port 53 and
    udp[((20 + namelen(udp[20])) - 5):4] == 0x036f7267   # '\003org'

Obviously this would work only if the optimizer did the right thing.

> (although if those programs loop, they will have to be run in userland), which would allow all pcap-based programs, not just tcpdump, to use them.

I was disappointed that you can't loop, but I totally understand why they did that. A domain name can have at most 128 labels. At five instructions per iteration, that works out to 640 instructions to handle the iteration (plus a few extras, to provide intermediate long jumps), but that's more than BPF_MAXINSNS (512), on FreeBSD at least. It's rare for names to have more than 35 labels (the size of an IPv6 PTR RR owner name), so you could get by with 175 iteration instructions.

Geoff

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
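Worked example, added here; it is not code from the thread, nor libpcap's. The Python script below generates the kind of unrolled classic-BPF program Geoff's instruction count describes (five instructions per label: ldb/jeq/add/add/tax), then runs it through a small interpreter against constructed DNS queries. It assumes the filter sees a buffer that starts at the UDP header, so udp[20] is the first QNAME byte as in the sketch above; it inserts a "ja" trampoline every 40 unrolled iterations (the chunk size is an assumption of the example) because jt/jf are only 8-bit forward offsets; and the helper names build_program, run_bpf, dns_query and matches are mine.

```python
"""Unrolled classic-BPF program matching DNS queries whose QNAME ends in a given
suffix.  Added example for this thread, not libpcap code.  Offsets count from the
UDP header, so udp[20] is the first QNAME byte (8 UDP + 12 DNS header bytes)."""
import struct

# Classic BPF opcodes as in <pcap/bpf.h> (the numbers "tcpdump -dd" prints).
LDH_ABS, LD_IND, LDH_IND, LDB_IND = 0x28, 0x40, 0x48, 0x50
LDX_IMM, ADD_K, ADD_X, SUB_K = 0x01, 0x04, 0x0c, 0x14
JA, JEQ_K, RET_K, TAX, TXA = 0x05, 0x15, 0x06, 0x07, 0x87
BPF_MAXINSNS = 512   # the limit quoted in the message (FreeBSD)


def build_program(suffix, max_labels=35, qname_off=20, chunk=40):
    """Return [(code, jt, jf, k)] for 'dst port 53 and QNAME ends in suffix'.

    BPF cannot loop and jt/jf are 8-bit forward offsets, so the label walk is
    unrolled max_labels times (5 instructions each) in chunks; each chunk ends
    in a 'ja' trampoline (32-bit k) to the final comparison.  Chunk size 40 is
    an assumption of this example."""
    enc = b"".join(bytes([len(lab)]) + lab for lab in suffix.split(b"."))  # b"\x03org"
    prog = [(LDH_ABS, 0, 0, 2), (JEQ_K, 1, 0, 53), (RET_K, 0, 0, 0),  # dst port 53
            (LDX_IMM, 0, 0, qname_off)]                                 # X = QNAME
    tramps = []
    for c in range(0, max_labels, chunk):
        start = len(prog)
        for _ in range(min(chunk, max_labels - c)):
            prog += [(LDB_IND, 0, 0, 0),   # A = length byte of the label at X
                     (JEQ_K, 0, 0, 0),     # 0 = end of name; jt patched below
                     (ADD_K, 0, 0, 1),     # A = len + 1
                     (ADD_X, 0, 0, 0),     # A = X + len + 1
                     (TAX, 0, 0, 0)]       # X = start of the next label
        tramp = len(prog) + 1
        prog += [(JA, 0, 0, 1), (JA, 0, 0, 0)]   # fall-through skips the 'ja END'
        tramps.append(tramp)
        for j in range(start + 1, tramp - 1, 5):
            prog[j] = (JEQ_K, tramp - (j + 1), 0, 0)
    # A name with exactly max_labels labels still has to show its terminator.
    prog += [(LDB_IND, 0, 0, 0), (JEQ_K, 1, 0, 0), (RET_K, 0, 0, 0)]
    end = len(prog)
    for t in tramps:
        prog[t] = (JA, 0, 0, end - (t + 1))
    # END: X is the offset of the terminating zero; compare the bytes before it
    # 4/2/1 at a time.  Like the udp[...] filter above this trusts the length
    # bytes, so one label whose tail happens to be "\x03org" also matches.
    prog += [(TXA, 0, 0, 0), (SUB_K, 0, 0, len(enc)), (TAX, 0, 0, 0)]
    cmps, off = [], 0
    while off < len(enc):
        n = 2 if len(enc) - off == 3 else min(4, len(enc) - off)
        cmps.append(({4: LD_IND, 2: LDH_IND, 1: LDB_IND}[n], off,
                     int.from_bytes(enc[off:off + n], "big")))
        off += n
    reject = len(prog) + 2 * len(cmps) + 1
    for ld, off, val in cmps:
        prog.append((ld, 0, 0, off))
        prog.append((JEQ_K, 0, reject - (len(prog) + 1), val))
    prog += [(RET_K, 0, 0, 0xffff), (RET_K, 0, 0, 0)]   # accept / reject
    return prog


def run_bpf(prog, pkt):
    """Minimal classic-BPF interpreter for the opcodes used above (0 = drop)."""
    A = X = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (LDH_ABS, LD_IND, LDH_IND, LDB_IND):
            size = {LDH_ABS: 2, LD_IND: 4, LDH_IND: 2, LDB_IND: 1}[code]
            off = k if code == LDH_ABS else X + k
            if off + size > len(pkt):
                return 0                  # out-of-bounds load rejects the packet
            A = int.from_bytes(pkt[off:off + size], "big")
        elif code == LDX_IMM:
            X = k
        elif code in (ADD_K, ADD_X, SUB_K):
            A = (A + (X if code == ADD_X else k if code == ADD_K else -k)) & 0xffffffff
        elif code == TAX:
            X = A
        elif code == TXA:
            A = X
        elif code == JEQ_K:
            pc += jt if A == k else jf
        elif code == JA:
            pc += k
        elif code == RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)
    raise ValueError("program fell off the end")


def dns_query(name, dport=53):
    """Constructed test input: UDP header + DNS query for `name` (no IP header)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    dns = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + qname + b"\x00\x01\x00\x01"
    return struct.pack("!HHHH", 40000, dport, 8 + len(dns), 0) + dns


def matches(suffix, name, **kw):
    return run_bpf(build_program(suffix, **kw), dns_query(name)) != 0
```

With the defaults the generator emits 191 instructions for 35 labels and 662 for 128, which is the BPF_MAXINSNS overrun worked out above plus the port check, the trampolines and the extra terminator check a name of exactly max_labels labels needs. The final comparison, like the udp[...] expression, only looks at the raw bytes in front of the terminator, so a single label whose last bytes happen to be \003org would also pass; an exact match would have to compare at each label boundary the walk visits instead.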
Current thread:
- tcpdump and BPF filters Geoffrey Sisson (Jul 10)
- Re: tcpdump and BPF filters Guy Harris (Jul 10)
- Re: tcpdump and BPF filters Geoffrey Sisson (Jul 10)
- Re: tcpdump and BPF filters Guy Harris (Jul 10)
- Re: tcpdump and BPF filters Geoffrey Sisson (Jul 10)
- Re: tcpdump and BPF filters Guy Harris (Jul 11)
- Re: tcpdump and BPF filters Geoffrey Sisson (Jul 11)
- Re: tcpdump and BPF filters Darren Reed (Jul 12)
- Re: tcpdump and BPF filters Geoffrey Sisson (Jul 12)
- Re: tcpdump and BPF filters Sam Roberts (Jul 12)
- Re: tcpdump and BPF filters Geoffrey Sisson (Jul 12)
- Re: tcpdump and BPF filters Geoffrey Sisson (Jul 10)
- Re: tcpdump and BPF filters Guy Harris (Jul 10)