tcpdump mailing list archives

About pcap rules


From: "Alexander Dupuy" <alex.dupuy () mac com>
Date: Mon, 21 Aug 2006 15:47:18 +0000

> when given a rule consisting of a set of sub rules to pcap, if a packet
> matches the rule, how do I know which sub rule it matches?

libpcap will not tell you that.  As far as it's concerned - and as far
as the kernel is concerned, on those platforms where the packet
filtering is done in the kernel - there are no subrules, there's just 
one big program that either says "matches" or "doesn't match".

If you're willing to dive below the libpcap interface and generate a custom BPF program, you may be able to distinguish 
subrules, since the final result is actually not just "matches" or "doesn't match" but rather how many bytes to 
capture, from 0 to 64K.

If you know that all traffic of interest will be at least, say, 40 bytes, you can have a BPF program that captures 38 
bytes for one subrule and 39 bytes for another. This won't work, obviously, if you need to capture the entire packet, 
or if packet lengths shorter than your BPF program returns are observed. It's also a bit tricky to do this coding, and 
you may want to rely on the Linux "any" interface (if you are using Linux) so that a single BPF program would work 
regardless of the actual NIC interface type.

You can use tcpdump -d to see the BPF programs generated from pcap expressions, which helps, but this definitely 
qualifies as a very advanced libpcap hack, and unless the performance gains will be significant, this approach is 
probably unwise to use. I myself have considered this for a particular application, but have never actually implemented 
it.

@alex
-- 
mailto:alex.dupuy () mac com    -
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
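The length-encoding trick described in the message above, as an added example that is not part of the original post and not libpcap's or tcpdump's own code. It assumes a hand-written BPF program in the text format `tcpdump -d` prints (constructed for the example, not captured from a real run), with `ret #38` standing for one sub-rule and `ret #39` for another, a toy interpreter that covers only the mnemonics the program uses (`ld`/`ldh`/`ldb [k]`, `jeq #k jt/jf`, `ret #k`), and constructed Ethernet frames as input. It also models the caveat from the message: the kernel hands back min(result, packet length) bytes, so a packet shorter than the encoded length cannot be attributed to a sub-rule.

```python
import re

# Constructed BPF program in the format `tcpdump -d` prints (hand-written for this
# example, not captured from a real tcpdump run).
# Sub-rule A: EtherType IPv4 and IP protocol TCP -> ret #38
# Sub-rule B: EtherType IPv4 and IP protocol UDP -> ret #39
# Anything else                                  -> ret #0 (packet is not captured)
PROGRAM_TEXT = """
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 7
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 5
(004) ret      #38
(005) jeq      #0x11            jt 6    jf 7
(006) ret      #39
(007) ret      #0
"""

# Which sub-rule each distinct capture length encodes (the convention from the message).
SUBRULE_BY_LENGTH = {38: "ipv4-tcp", 39: "ipv4-udp"}

INSN_RE = re.compile(r"^\((\d+)\)\s+(\w+)\s+(.*)$")
NUM = r"(0x[0-9a-fA-F]+|\d+)"


def parse_program(text):
    """Parse the subset of `tcpdump -d` mnemonics used here into (op, k, jt, jf) tuples."""
    insns = []
    for line in text.strip().splitlines():
        m = INSN_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        idx, op, rest = int(m.group(1)), m.group(2), m.group(3)
        if idx != len(insns):
            raise ValueError(f"instruction numbering gap at {idx}")
        if op in ("ld", "ldh", "ldb"):
            lm = re.match(r"\[(\d+)\]", rest)       # absolute loads only, not [x + k]
            if not lm:
                raise ValueError(f"unsupported operand for {op}: {rest!r}")
            insns.append((op, int(lm.group(1)), None, None))
        elif op == "jeq":
            jm = re.match(rf"#{NUM}\s+jt\s+(\d+)\s+jf\s+(\d+)", rest)
            if not jm:
                raise ValueError(f"unsupported operand for jeq: {rest!r}")
            insns.append(("jeq", int(jm.group(1), 0), int(jm.group(2)), int(jm.group(3))))
        elif op == "ret":
            insns.append(("ret", int(re.match(rf"#{NUM}", rest).group(1), 0), None, None))
        else:
            raise ValueError(f"mnemonic {op!r} not supported by this toy interpreter")
    return insns


def run_filter(insns, pkt):
    """Run the program over one packet and return the BPF result: bytes to capture, 0 = drop.
    As in the real interpreter, an out-of-bounds load terminates the program with 0."""
    width = {"ld": 4, "ldh": 2, "ldb": 1}
    acc, pc = 0, 0
    while pc < len(insns):
        op, k, jt, jf = insns[pc]
        if op in width:
            if k + width[op] > len(pkt):
                return 0
            acc = int.from_bytes(pkt[k:k + width[op]], "big")
            pc += 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        else:  # ret
            return k
    return 0


def classify(insns, pkt):
    """Map the capture length the kernel would hand back to a sub-rule name.
    The kernel truncates to min(result, packet length), so a packet shorter than the
    encoded length loses the encoding: that is the caveat raised in the message."""
    result = run_filter(insns, pkt)
    if result == 0:
        return None
    return SUBRULE_BY_LENGTH.get(min(result, len(pkt)), "ambiguous")


def make_frame(ethertype, ip_proto, total_len=60):
    """Constructed Ethernet frame: zeroed MACs, the given EtherType, a minimal IPv4
    header whose protocol byte sits at offset 23, truncated or zero-padded to total_len."""
    eth = bytes(12) + ethertype.to_bytes(2, "big")
    ip = bytearray(20)
    ip[0] = 0x45        # version 4, IHL 5
    ip[9] = ip_proto    # protocol byte, offset 14 + 9 = 23
    frame = eth + bytes(ip)
    return frame[:total_len] + bytes(max(0, total_len - len(frame)))


PROGRAM = parse_program(PROGRAM_TEXT)

if __name__ == "__main__":
    samples = [("tcp", make_frame(0x0800, 6)),
               ("udp", make_frame(0x0800, 17)),
               ("arp", make_frame(0x0806, 0)),
               ("short tcp", make_frame(0x0800, 6, total_len=30))]
    for label, frame in samples:
        print(f"{label:10s} ret={run_filter(PROGRAM, frame):3d} subrule={classify(PROGRAM, frame)}")
```

The program text is what you would get by taking the output of `tcpdump -d` for each sub-expression, joining the two programs by hand, and replacing the `ret` constants with the chosen lengths; the interpreter deliberately supports only the handful of mnemonics in this program, so pasting arbitrary `tcpdump -d` output into it will raise rather than misbehave. The "short tcp" case is the failure mode from the message: the filter does return 38, but a 30-byte packet yields only 30 captured bytes, so the sub-rule is unrecoverable.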
