tcpdump mailing list archives

Re: tcpdump and BPF filters


From: Darren Reed <darren.reed () oracle com>
Date: Tue, 12 Jul 2011 10:36:09 +0200

Geoffrey Sisson wrote:
Guy Harris <guy () alum mit edu> wrote:

On Jul 10, 2011, at 6:57 PM, Geoffrey Sisson wrote:

The catch is that domain names comprise a variable number of
variable-length fields.
...and include pointers back to other labels, for compression.

It's unlikely this would be used for much besides filtering on QNAMEs,
which are never compressed.

If the queries you're can be expressed in a syntax that could be added
to the libpcap filter syntax, libpcap could be extended to generate BPF
programs to match DNS labels

The primary application would be for filtering based on QNAMEs
ending in a particular pattern.  For example, to match domain names
ending in '.org', an expression like this would be a useful one:

        dst port 53 and
        namelen(udp[20]) >
        udp[(20 + namelen(udp[20])) - 5] == 3 and       # '\003'
        udp[(20 + namelen(udp[20])) - 4] == 0x6f and    # 'o'
        udp[(20 + namelen(udp[20])) - 3] == 0x72 and    # 'r'
        udp[(20 + namelen(udp[20])) - 2] == 0x67        # 'g'

or even:

        dst port 53 and
        udp[((20 + namelen(udp[20])) - 5):4] == 0x036f7267      # '\003org'

Obviously this would work only if the optimizer did the right thing.

                             (although if those programs loop, they will
have to be run in userland), which would allow all pcap-based programs,
not just tcpdump, to use them.

I was disappointed that you can't loop, but I totally understand
why they did that.

A domain name can have at most 128 labels.  At five instructions per
iteration, that works out to 640 instructions to handle the iteration
(plus a few extras, to provide intermediate long jumps), but that's more
than BPF_MAXINSNS (512), on FreeBSD at least.

I think that you're going beyond what BPF was originally designed to do...
... and as such, performance is not going to be great.

Darren

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
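To make the instruction budget discussed in the thread concrete, here is a small Python model (added to this archive page; it is not libpcap, tcpdump or any poster's code) that unrolls the label walk into classic BPF the way Geoffrey describes: five instructions per label (ldb [x+0]; jeq #0; add #1; add x; tax), plus an unconditional long jump every 40 labels because the jt/jf fields of a cBPF conditional jump are only eight bits wide. Once the terminating zero is reached it compares the four bytes before it with '\003org', the same check as the udp[...:4] == 0x036f7267 form above, and a toy cBPF interpreter runs the program over a constructed query packet. Assumptions: Ethernet/IPv4 without options/UDP framing, so the QNAME starts at packet offset 54; BPF_MAXINSNS = 512 as quoted for FreeBSD; and, as noted in the thread, a QNAME is never compressed, so a length byte with its top two bits set is never seen. The names unrolled_suffix_filter, run_bpf, dns_query_packet and ends_with_org are the example's own.

```python
"""Unrolled classic-BPF (cBPF) walk over a DNS QNAME, for the thread above.
Added example, not libpcap/tcpdump code.  Assumes Ethernet/IPv4 (no options)/
UDP framing, so the QNAME starts at packet offset 54, and BPF_MAXINSNS = 512."""
import struct

QNAME_OFF = 14 + 20 + 8 + 12   # Ethernet + IPv4 + UDP + DNS header (assumption)
BPF_MAXINSNS = 512             # limit quoted in the thread (FreeBSD)
MAX_JUMP = 255                 # jt/jf are one byte in cBPF
GROUP = 40                     # 40 iterations * 5 insns = 200 < MAX_JUMP


def unrolled_suffix_filter(max_labels, suffix=b"\x03org"):
    """cBPF program, as (mnemonic, k, jt, jf) tuples with jumps resolved,
    accepting a query whose QNAME ends with the 4-byte `suffix`.
    One unrolled iteration is the five instructions the thread counts:
    ldb [x+0]; jeq #0; add #1; add x; tax.  A trampoline costs two more."""
    prog, labels = [], {}

    def emit(mn, k=0, jt=None, jf=None):
        prog.append((mn, k, jt, jf))

    emit("ldx", QNAME_OFF)                              # X = first label
    for i in range(max_labels):
        if i and i % GROUP == 0:
            emit("ja", 1)                               # fall-through skips it
            labels[f"tramp{i}"] = len(prog)
            emit("ja", "done")                          # 32-bit long jump
        nxt = (i // GROUP + 1) * GROUP                  # nearest trampoline
        target = f"tramp{nxt}" if nxt < max_labels else "done"
        emit("ldb_ind", 0)                              # A = label length
        emit("jeq", 0, target, None)                    # 0 => end of name
        emit("add", 1)                                  # A = len + 1
        emit("addx")                                    # A += X
        emit("tax")                                     # X = next label
    emit("ret", 0)                                      # too many labels
    labels["done"] = len(prog)
    emit("txa"); emit("sub", 4); emit("tax")            # X = zero byte - 4
    emit("ld_ind", 0)                                   # A = 4 bytes at X
    emit("jeq", int.from_bytes(suffix, "big"), "accept", "reject")
    labels["accept"] = len(prog); emit("ret", 0xFFFF)
    labels["reject"] = len(prog); emit("ret", 0)

    resolved = []
    for pc, (mn, k, jt, jf) in enumerate(prog):
        def off(lbl):
            if lbl is None:
                return 0
            d = labels[lbl] - (pc + 1)
            if not 0 <= d <= MAX_JUMP:
                raise ValueError(f"jump at {pc} to {lbl} needs {d} > 8 bits")
            return d
        if mn == "ja" and isinstance(k, str):
            k = labels[k] - (pc + 1)
        resolved.append((mn, k, off(jt), off(jf)))
    return resolved


def run_bpf(prog, pkt):
    """Interpret the cBPF subset emitted above; a load outside the packet
    aborts with 0, as the kernel's filter runner does."""
    A = X = pc = 0
    while True:
        mn, k, jt, jf = prog[pc]
        pc += 1
        if mn == "ret":
            return k
        elif mn in ("ldb_ind", "ld_ind"):
            width = 1 if mn == "ldb_ind" else 4
            if X + k + width > len(pkt):
                return 0
            A = int.from_bytes(pkt[X + k:X + k + width], "big")
        elif mn == "jeq":
            pc += jt if A == k else jf
        elif mn == "ja":
            pc += k
        elif mn in ("add", "sub", "addx"):
            A = (A + {"add": k, "sub": -k, "addx": X}[mn]) & 0xFFFFFFFF
        elif mn in ("ldx", "tax"):
            X = k if mn == "ldx" else A
        else:                                           # txa
            A = X


def dns_query_packet(qname):
    """Constructed Ethernet/IPv4/UDP frame carrying an A query for qname;
    addresses and checksums are placeholders, only the offsets matter."""
    labels = [lab.encode() for lab in qname.rstrip(".").split(".") if lab]
    question = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question + b"\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def ends_with_org(qname, max_labels=128):
    """True if the unrolled filter accepts a constructed query for qname."""
    return run_bpf(unrolled_suffix_filter(max_labels), dns_query_packet(qname)) != 0
```

With 128 labels the unrolled program comes to 655 instructions (640 for the walk, six for the three trampolines, nine for the setup and the suffix compare), well past BPF_MAXINSNS; 99 labels, at 508 instructions, is the most this layout fits. The length-byte check matters: xorg is rejected while org and example.org are accepted, and a name with more labels than the program unrolls for is rejected rather than matched, which is the fail-closed behaviour you want from a packet filter.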
