tcpdump mailing list archives

Re: Newbie user question: Getting packets from


From: Guy Harris <guy () alum mit edu>
Date: Mon, 27 Sep 2004 14:25:47 -0700


On Sep 27, 2004, at 12:37 PM, KEVIN ZEMBOWER wrote:

Output is:

kevinz@www:~$ su -
Password:
www:~# tcpdump -d src host centernet.jhuccp.org and \( ip proto \\tcp or \\udp \)
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 8
(002) ld       [26]
(003) jeq      #0xa281e1c0      jt 4    jf 8
(004) ldb      [23]
(005) jeq      #0x6             jt 7    jf 6
(006) jeq      #0x11            jt 7    jf 8
(007) ret      #96
(008) ret      #0

OK, that code:

loads the 2-byte big-endian quantity at an offset of 12 from the beginning of the packet - which, on an Ethernet packet, is the type/length field in the Ethernet header - and compares it with 0x0800 - which is the type code for IPv4 - and, if it's not equal, jumps to instruction 8, which returns 0, meaning "reject this packet" (i.e., it rejects all packets other than IPv4 packets);

loads the 4-byte big-endian quantity at an offset of 26 from the beginning of the packet - which, for an IPv4-over-Ethernet packet, is the source IP address in the IPv4 header - and compares it with 0xa281e1c0 - which is 162.129.225.192, or "centernet.jhuccp.org" - and, if it's not equal, jumps to instruction 8 (i.e., it rejects all packets that don't have a source IP address of 162.129.225.192);

loads the one-byte quantity at an offset of 23 from the beginning of the packet - which, for an IPv4-over-Ethernet packet, is the protocol type field in the IPv4 header - and, if it's equal to 6 - i.e., if it's a TCP packet - jumps to instruction 7, which returns 96, meaning "accept this packet and get its first 96 bytes", and, if it's not 6, jumps to instruction 6, which does the same check for 17, i.e. UDP.

So the code generated for "src host centernet.jhuccp.org and \( ip proto \\tcp or \\udp \)" is correct. Perhaps the BPF interpreter isn't working, or isn't being used correctly.

Try downloading the current versions of libpcap and tcpdump (0.8.3 and 3.8.3), unpacking them into subdirectories of the same directory, configuring and compiling libpcap, and configuring and compiling tcpdump, and try the resulting version of tcpdump. If that works, file a bug on this in the Debian bug system.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
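The walk-through above can be checked mechanically. The following is an added example, not code from the original message or from libpcap/tcpdump: a small Python interpreter for just the instruction subset that appears in the listing (absolute ldb/ldh/ld loads, jeq with the absolute jt/jf targets that "tcpdump -d" prints, and ret), run over a few constructed Ethernet/IPv4 frames. It assumes the frames are plain Ethernet II with a 20-byte IPv4 header, which is what makes offsets 12, 23 and 26 land on the type field, protocol byte and source address.

```python
import struct

# Copy of the "tcpdump -d" listing from the message above.
BPF_LISTING = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 8
(002) ld       [26]
(003) jeq      #0xa281e1c0      jt 4    jf 8
(004) ldb      [23]
(005) jeq      #0x6             jt 7    jf 6
(006) jeq      #0x11            jt 7    jf 8
(007) ret      #96
(008) ret      #0
"""

LOAD_SIZES = {"ldb": 1, "ldh": 2, "ld": 4}


def parse_listing(text):
    """Turn tcpdump -d text into a list of instruction tuples.

    Only the opcodes in this listing are handled: absolute loads
    (ldb/ldh/ld [k]), jeq with absolute jt/jf targets, and ret #k.
    """
    prog = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        op = parts[1]
        if op in LOAD_SIZES:
            prog.append((op, int(parts[2].strip("[]"))))
        elif op == "jeq":
            # parts: ['(001)', 'jeq', '#0x800', 'jt', '2', 'jf', '8']
            prog.append((op, int(parts[2].lstrip("#"), 16), int(parts[4]), int(parts[6])))
        elif op == "ret":
            prog.append((op, int(parts[2].lstrip("#"))))
        else:
            raise ValueError("unsupported opcode in listing: " + line)
    return prog


def run_filter(prog, pkt):
    """Execute the program over one frame; return the byte count to keep (0 = reject)."""
    acc = 0
    pc = 0
    while True:
        ins = prog[pc]
        op = ins[0]
        if op in LOAD_SIZES:
            off, size = ins[1], LOAD_SIZES[op]
            if off + size > len(pkt):
                # A load past the end of the packet rejects it, as BPF does.
                return 0
            acc = int.from_bytes(pkt[off:off + size], "big")
            pc += 1
        elif op == "jeq":
            _, k, jt, jf = ins
            pc = jt if acc == k else jf
        elif op == "ret":
            return ins[1]


def build_frame(ethertype, src_ip, proto):
    """Constructed Ethernet frame: 14-byte header plus a minimal 20-byte IPv4 header.

    The Ethernet type field sits at offset 12, the IPv4 protocol byte at
    14 + 9 = 23 and the source address at 14 + 12 = 26, as in the listing.
    """
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    src = bytes(int(octet) for octet in src_ip.split("."))
    dst = bytes([10, 0, 0, 1])  # constructed destination; the filter never looks at it
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, src, dst)
    return eth + ip + b"\x00" * 20  # padding standing in for the transport header


def evaluate_cases():
    """Run the listing over constructed frames; returns {case name: verdict}."""
    prog = parse_listing(BPF_LISTING)
    centernet = "162.129.225.192"  # 0xa281e1c0, the address compared at instruction 003
    cases = {
        "tcp from centernet": build_frame(0x0800, centernet, 6),
        "udp from centernet": build_frame(0x0800, centernet, 17),
        "icmp from centernet": build_frame(0x0800, centernet, 1),
        "tcp from other host": build_frame(0x0800, "192.0.2.10", 6),
        "arp frame": build_frame(0x0806, centernet, 6),
        "truncated ipv4 frame": build_frame(0x0800, centernet, 6)[:20],
    }
    return {name: run_filter(prog, frame) for name, frame in cases.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_cases().items():
        print(f"{name:24s} -> {verdict}")
```

Running it shows exactly the behaviour described in the reply: TCP and UDP frames from 162.129.225.192 return 96, everything else (other protocols, other source addresses, non-IPv4 frames, and a frame too short to contain the field being loaded) returns 0. If the real tcpdump disagrees with this on the same frames, the fault is in the interpreter or how it is invoked, not in the generated filter.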

