Wireshark mailing list archives
Re: dumpcap and bpf assembler
From: Sake Blok <sake () euronet nl>
Date: Wed, 27 May 2015 15:39:47 +0200
Richard,

I have the same interest, different reason, and did not find anything on my last search (a couple of years ago). However, there is a lot you can do with using offsets and stuff yourself. For instance:

Multiple vlans:

    vlan and (ether[14:2]&0x0fff = 4092 or ether[14:2]&0x0fff = 4094)

SIP over IPoverIP:

    ip proto 4 and (ip[((ip[0]&0x0f)<<2)+9]=17 or ip[((ip[0]&0x0f)<<2)+9]=6) and (ip[((ip[0]&0x0f)<<2)+((ip[((ip[0]&0x0f)<<2)]&0x0f)<<2)+0:2]=5060 or ip[((ip[0]&0x0f)<<2)+((ip[((ip[0]&0x0f)<<2)]&0x0f)<<2)+2:2]=5060)

As you can see, you can just use the highest protocol that BPF does understand correctly and work with offsets from there.

Do you have an example capture file that you can share? Then I might be able to help you.

Cheers,
Sake

On 26 May 2015, at 22:21, Richard Stearn wrote:
> Is there a way of handing dumpcap a BPF assembler file rather than a libpcap expression? I have RTFM'd, googled and not found an answer. Of course my reading ability and googlefu could be well broken :-)
>
> Why? Because I wish to filter on the protocol the network interface currently believes the packet to be (skb->protocol), rather than what the interface says it is, and I have not found a libpcap expression that achieves that.
>
> --
> Regards
> Richard
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives: https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request () wireshark org?subject=unsubscribe
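The offset arithmetic in Sake's two filters, carried out in Python on constructed frames so the byte positions the expressions name can be checked without a capture. This is an added example, not code from the thread; the packets are built inline (no pcap needed) and the bytes are read from the start of the frame or datagram, without libpcap's own offset adjustment for the `vlan` keyword.

```python
import struct

def ipv4_header(proto, src, dst, payload_len, ihl=5):
    # Constructed IPv4 header; ihl is in 32-bit words (5 = no options), extra words are zero padding
    total = ihl * 4 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes(src), bytes(dst))
    return hdr + b"\x00" * ((ihl - 5) * 4)

def vlan_id_from_filter(frame):
    # Mirrors "ether[14:2] & 0x0fff": the 12-bit VID in the TCI right after the 0x8100 TPID,
    # with the priority/DEI bits masked off
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def sip_over_ipip_from_filter(ip):
    """Evaluates the 'ip proto 4' SIP filter on a raw IPv4 datagram (ip[0] is the first IP byte)."""
    if ip[9] != 4:                                  # ip proto 4: outer payload is IP-in-IP
        return False
    outer = (ip[0] & 0x0F) << 2                     # ((ip[0]&0x0f)<<2): outer header length in bytes
    if ip[outer + 9] not in (17, 6):                # ip[outer+9]: inner protocol, UDP or TCP
        return False
    inner = (ip[outer] & 0x0F) << 2                 # ((ip[outer]&0x0f)<<2): inner header length
    ports = outer + inner                           # UDP and TCP both start with src port, dst port
    sport = struct.unpack("!H", ip[ports:ports + 2])[0]        # ip[...+0:2]
    dport = struct.unpack("!H", ip[ports + 2:ports + 4])[0]    # ip[...+2:2]
    return sport == 5060 or dport == 5060

def build_sip_over_ipip(dport=5060, inner_ihl=5):
    # Constructed outer IPv4 (proto 4) carrying inner IPv4 carrying UDP with a SIP-looking payload
    payload = b"OPTIONS sip"
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    inner = ipv4_header(17, [10, 0, 0, 1], [10, 0, 0, 2], len(udp), inner_ihl) + udp
    return ipv4_header(4, [192, 0, 2, 1], [192, 0, 2, 2], len(inner)) + inner

def build_vlan_frame(tci):
    # Constructed Ethernet frame: dst, src, 802.1Q TPID 0x8100, TCI, then an IPv4 ethertype
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x81\x00" + struct.pack("!H", tci) + b"\x08\x00"
```

The `inner_ihl` argument shows why the filter reads the inner header length from `ip[outer]` instead of hard-coding 20: an inner header with options still lands on the port fields.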
Current thread:
- dumpcap and bpf assembler Richard Stearn (May 26)
- Re: dumpcap and bpf assembler Sake Blok (May 27)
- Re: dumpcap and bpf assembler Richard Stearn (May 27)
- Re: dumpcap and bpf assembler Sake Blok (May 27)
- Re: dumpcap and bpf assembler Richard Stearn (May 28)
- Re: dumpcap and bpf assembler Guy Harris (May 28)
- Re: dumpcap and bpf assembler Sake Blok (May 29)
- Re: dumpcap and bpf assembler Richard Stearn (May 27)
- Re: dumpcap and bpf assembler Sake Blok (May 27)