tcpdump mailing list archives
Re: Modular arithmetic
From: Guy Harris <guy () alum mit edu>
Date: Thu, 6 Sep 2012 01:02:32 -0700
On Sep 6, 2012, at 12:36 AM, George Bakos wrote:
$ tcpdump -nvr /tmp/DG2-test2 '(ip[2:2] - 20) % 5 != 0 && ip[6] & 0x20 = 0x20'
reading from file /tmp/DG2-test2, link-type EN10MB (Ethernet)
19:01:51.270202 IP (tos 0x0, ttl 64, id 1, offset 40, flags [+], proto ICMP (1), length 61)
    192.168.11.5 > 192.168.11.46: ip-proto-1

(000) ldh [12]
(001) jeq #0x800 jt 2 jf 10
(002) ldh [16]
(003) sub #20
(004) mod #5
(005) jeq #0x0 jt 10 jf 6
OK, so you presumably added a BPF_MOD instruction to the BPF interpreter as part of your changes, right? There's none in libpcap's bpf_filter.c nor in a fairly recent FreeBSD kernel's bpf_filter.c nor in Linux 3.0.4's net/core/filter.c, so that code won't work with at least those interpreters.
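The following is an added example, not part of the original message or of libpcap: a toy classic-BPF interpreter in Python showing that the length test from the quoted filter is rejected when the interpreter has no mod operation, and that the same test can be written as a - (a / 5) * 5 with div, mul, sub and scratch memory. The operation labels, the two short programs and the `frame` helper are constructed for illustration; they cover only the length test, not the full dump quoted above.

```python
import struct

# Operation labels are this example's own; "mod" is deliberately absent here.
BASE_OPS = {"ldh", "ld_mem", "st", "tax", "sub", "sub_x", "div", "mul", "jeq", "ret"}
U32 = 0xFFFFFFFF

def run(prog, pkt, ops=BASE_OPS):
    """Run (op, k, jt, jf) tuples; jt/jf are absolute indices as in the dump above."""
    a = x = pc = 0
    mem = [0] * 16                                  # scratch memory M[0..15]
    while True:
        op, k, jt, jf = prog[pc]
        if op not in ops:                           # modelled as a hard rejection
            raise ValueError(f"({pc:03d}) {op}: unsupported by this interpreter")
        pc += 1
        if op == "ldh":      a = struct.unpack_from("!H", pkt, k)[0]
        elif op == "ld_mem": a = mem[k]
        elif op == "st":     mem[k] = a
        elif op == "tax":    x = a
        elif op == "sub":    a = (a - k) & U32      # 32-bit unsigned wraparound
        elif op == "sub_x":  a = (a - x) & U32
        elif op == "div":    a = a // k
        elif op == "mul":    a = (a * k) & U32
        elif op == "mod":    a = a % k
        elif op == "jeq":    pc = jt if a == k else jf
        elif op == "ret":    return k

# Constructed programs for the length test only: (ip[2:2] - 20) % 5 != 0
WITH_MOD = [("ldh", 16, 0, 0), ("sub", 20, 0, 0), ("mod", 5, 0, 0),
            ("jeq", 0, 4, 5), ("ret", 0, 0, 0), ("ret", 65535, 0, 0)]
# Same test without mod: keep a in M[0], compute (a / 5) * 5, subtract it from a.
MOD_FREE = [("ldh", 16, 0, 0), ("sub", 20, 0, 0), ("st", 0, 0, 0),
            ("div", 5, 0, 0), ("mul", 5, 0, 0), ("tax", 0, 0, 0),
            ("ld_mem", 0, 0, 0), ("sub_x", 0, 0, 0),
            ("jeq", 0, 9, 10), ("ret", 0, 0, 0), ("ret", 65535, 0, 0)]

def frame(ip_total_len):
    """Constructed Ethernet + IPv4 prefix; only the total-length field is meaningful."""
    return bytes(12) + b"\x08\x00" + b"\x45\x00" + struct.pack("!H", ip_total_len)

if __name__ == "__main__":
    for length in (61, 60):                         # 61 is the length in the quoted output
        print(length, run(MOD_FREE, frame(length)),
              run(WITH_MOD, frame(length), BASE_OPS | {"mod"}))
    try:
        run(WITH_MOD, frame(61))                    # interpreter without a mod operation
    except ValueError as err:
        print("rejected:", err)
```

In filter-expression form the mod-free test is `(ip[2:2] - 20) - ((ip[2:2] - 20) / 5) * 5 != 0`.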