tcpdump mailing list archives
Re: Custom decoding offset? (for batman-adv)
From: Linus Lüssing via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Mon, 16 Nov 2020 23:59:21 +0100
--- Begin Message ---
From: Linus Lüssing <linus.luessing () c0d3 blue>
Date: Mon, 16 Nov 2020 23:59:21 +0100
On Fri, Nov 06, 2020 at 02:36:13PM +0000, Denis Ovsienko via tcpdump-workers wrote:
> Date: Fri, 6 Nov 2020 14:36:13 +0000
> From: Denis Ovsienko <denis () ovsienko info>
> To: Linus Lüssing via tcpdump-workers <tcpdump-workers () lists tcpdump org>
> Subject: Re: [tcpdump-workers] Custom decoding offset? (for batman-adv)
>
> [...]
> editcap would possibly do as a one-time hack given every packet is a
> batman-adv packet, but a clean solution would likely need to introduce a
> keyword into pcap filter language along the lines of "pppoed" and "pppoes":
>
>     pppoes [session_id]
> [...]

Thanks for the pointers!

I got a simple "batadv" like the "pppoed" working, which checks for the ethertype in the same way.

Next I would like to further extend it with checks for two fields in the batman-adv header, the version and the type field. From a user perspective I would find the following syntax the easiest:

    batadv [version UINT8] [type UINT8] ...

Ideally it would be possible to interchange the version and type attributes. And the type attribute should only be accepted if "version" is either 14 or 15 (these are the only two versions in use these days; 14 is further deprecated).

Later I would also like to add more pairs. For instance [ttl UINT8]. However this one is only available for some version/type combinations.

I couldn't find an example for this kind of syntax in the pcap-filter manpage. Or is the only way supported or preferred by libpcap to have separate rules for each field to test? Like for "wlan addr1", "wlan addr2" etc.?

Regards
--- End Message ---
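The qualifier rules asked for in the message above, as an added example that is not part of the original post and is not libpcap code: a stand-alone C checker for `batadv [version UINT8] [type UINT8]` that accepts the pairs in either order and rejects `type` unless version is 14 or 15. The names `batadv_parse` and `struct batadv_quals` are hypothetical, and rejecting a repeated keyword is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parse result; -1 means "qualifier not given". */
struct batadv_quals { int version; int type; };

/* Next whitespace-delimited token: 1 = token, 0 = end, -1 = too long. */
static int next_tok(const char **p, char *tok, size_t n)
{
    size_t len;
    *p += strspn(*p, " \t");
    len = strcspn(*p, " \t");
    if (len == 0) return 0;
    if (len >= n) return -1;
    memcpy(tok, *p, len);
    tok[len] = '\0';
    *p += len;
    return 1;
}

/* Strict UINT8: decimal digits only, range 0..255. */
static int parse_u8(const char *tok, int *out)
{
    char *end;
    long v;
    if (!isdigit((unsigned char)tok[0])) return -1;
    v = strtol(tok, &end, 10);
    if (*end != '\0' || v > 255) return -1;
    *out = (int)v;
    return 0;
}

/* Returns 0 if expr is a valid "batadv [version N] [type N]", else -1. */
int batadv_parse(const char *expr, struct batadv_quals *q)
{
    char kw[16], val[16];
    int *slot, r;
    q->version = q->type = -1;
    if (next_tok(&expr, kw, sizeof kw) != 1 || strcmp(kw, "batadv") != 0)
        return -1;
    while ((r = next_tok(&expr, kw, sizeof kw)) == 1) {
        if (strcmp(kw, "version") == 0) slot = &q->version;
        else if (strcmp(kw, "type") == 0) slot = &q->type;
        else return -1;
        /* Reject a repeated keyword, a missing value, or a non-UINT8. */
        if (*slot != -1 || next_tok(&expr, val, sizeof val) != 1 ||
            parse_u8(val, slot) != 0)
            return -1;
    }
    /* "type" is only accepted when version is 14 or 15. */
    if (r == -1 || (q->type != -1 && q->version != 14 && q->version != 15))
        return -1;
    return 0;
}
```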