tcpdump mailing list archives

pcap_compile() errors in libpcap beta and CVS

From: George Bakos <gbakos () ists dartmouth edu>
Date: Wed, 10 Dec 2003 16:08:32 -0500

I've noticed some strange behavior with the latest pcap_compile(). When
building up complex filters, there is an error if multiple matches are
performed on the same data offset while using arithmetic operators to form the
match value. An example will explain better.

The following filter is a match for ACK FIN or ACK SYN tcp segments. This is
just a simple example to demonstrate the problem.

tcpdump -d '(tcp[13] = (0x10 + 0x01)) or (tcp[13] = (0x10 + 0x02))'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 12
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 12
(004) ldh      [20]
(005) jset     #0x1fff          jt 12   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 27]
(008) ldx      #0x11
(009) jeq      x                jt 11   jf 10
(010) jeq      x                jt 11   jf 12
(011) ret      #68
(012) ret      #0

The error is visible at (010) - there should be ldx #0x12 before the jeq.

If the same filter were built without the arithmetic operators, it compiles
properly and avoids the extra ld step(s).

tcpdump -d '(tcp[13] = 0x11) or (tcp[13] = 0x12)
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 11
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 11
(004) ldh      [20]
(005) jset     #0x1fff          jt 11   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 27]
(008) jeq      #0x11            jt 10   jf 9
(009) jeq      #0x12            jt 10   jf 11
(010) ret      #68
(011) ret      #0

Previous versions (0.7.2 here) of pcap_compile handled this correctly with or
without the addition operation:

tcpdump.oldpcap -d '(tcp[13] = (0x10 + 0x01)) or (tcp[13] = (0x10 + 0x02))'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 11
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 11
(004) ldh      [20]
(005) jset     #0x1fff          jt 11   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 27]
(008) jeq      #0x11            jt 10   jf 9
(009) jeq      #0x12            jt 10   jf 11
(010) ret      #68
(011) ret      #0

With IDABench I use include statements & variable substitution to facilitate easier complex filter generation & 
maintenance. The following composite filter now fails:

tcp and !src net 129.170.248.0/23 and
(
 (tcp[13] & 0x3f != 0x02)
 and
 (tcp[13] & 0x3f != (0x02 + 0x10))
 and
 (tcp[13] & 0x3f != (0x10 + 0x01))
 and
 (tcp[13] & 0x3f != (0x10 + 0x08 + 0x01))
 and
 (tcp[13] & 0x3f != (0x10 + 0x08 + 0x01 + 0x20))
 and
 (tcp[13] & 0x3f != (0x10 + 0x04))
 and
 (tcp[13] & 0x3f != 0x10)
 and
 (tcp[13] & 0x3f != (0x10 + 0x08))
 and
 (tcp[13] & 0x3f != 0x04)
 and
 (tcp[13] & 0x3f != (0x20 + 0x10 + 0x01))
 and
 (tcp[13] & 0x3f != (0x20 + 0x10 + 0x08))
 and
 (tcp[13] & 0x3f != (0x20 + 0x10 + 0x08 + 0x04))
 and
 (tcp[13] & 0x3f != (0x10 + 0x08 + 0x04))
)

It compiles into:
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 26
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 26
(004) ld       [26]
(005) and      #0xfffffe00
(006) jeq      #0x81aaf800      jt 26   jf 7
(007) ldh      [20]
(008) jset     #0x1fff          jt 26   jf 9
(009) ldxb     4*([14]&0xf)
(010) ldb      [x + 27]
(011) and      #0x3f
(012) jeq      #0x2             jt 26   jf 13
(013) jeq      x                jt 26   jf 14
(014) jeq      x                jt 26   jf 15
(015) jeq      x                jt 26   jf 16
(016) jeq      x                jt 26   jf 17
(017) jeq      x                jt 26   jf 18
(018) jeq      #0x10            jt 26   jf 19
(019) jeq      x                jt 26   jf 20
(020) jeq      #0x4             jt 26   jf 21
(021) jeq      x                jt 26   jf 22
(022) jeq      x                jt 26   jf 23
(023) jeq      x                jt 26   jf 24
(024) jeq      x                jt 26   jf 25
(025) ret      #68
(026) ret      #0

My size of my hourly reports (and number of false positives) skyrocketed as you
can imagine!

Cheers.

-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

Current thread:

pcap_compile() errors in libpcap beta and CVS George Bakos (Dec 10)
- Re: pcap_compile() errors in libpcap beta and CVS George Bakos (Dec 17)
  - Re: pcap_compile() errors in libpcap beta and CVS Guy Harris (Dec 17)
    - Re: pcap_compile() errors in libpcap beta and CVS George Bakos (Dec 21)
    - Re: pcap_compile() errors in libpcap beta and CVS Guy Harris (Dec 21)
    - Re: pcap_compile() errors in libpcap beta and CVS George Bakos (Dec 21)
    - Re: pcap_compile() errors in libpcap beta and CVS Guy Harris (Dec 21)