tcpdump mailing list archives
About pcap rules
From: "Alexander Dupuy" <alex.dupuy () mac com>
Date: Mon, 21 Aug 2006 15:47:18 +0000
> When given a rule consisting of a set of sub-rules to pcap, if a packet matches the rule, how do I know which sub-rule it matches?

> libpcap will not tell you that. As far as it's concerned - and as far as the kernel is concerned, on those platforms where the packet filtering is done in the kernel - there are no sub-rules, there's just one big program that either says "matches" or "doesn't match".
If you're willing to dive below the libpcap interface and generate a custom BPF program, you may be able to distinguish sub-rules, since the final result is actually not just "matches" or "doesn't match" but rather how many bytes to capture, from 0 to 64K. If you know that all traffic of interest will be at least, say, 40 bytes, you can have a BPF program that captures 38 bytes for one sub-rule and 39 bytes for another.

This won't work, obviously, if you need to capture the entire packet, or if packet lengths shorter than your BPF program returns are observed. It's also a bit tricky to do this coding, and you may want to rely on the Linux "any" interface (if you are using Linux) so that a single BPF program would work regardless of the actual NIC interface type.

You can use tcpdump -d to see the BPF programs generated from pcap expressions, which helps, but this definitely qualifies as a very advanced libpcap hack, and unless the performance gains will be significant, this approach is probably unwise to use. I myself have considered this for a particular application, but have never actually implemented it.

@alex
--
mailto:alex.dupuy () mac com
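The following is an added example, not code from the original post and not part of libpcap, showing the trick Alex describes: a hand-written classic BPF program whose return value (the snaplen) encodes which sub-rule matched. It assumes an Ethernet link header (DLT_EN10MB), two sub-rules "ip and tcp" and "ip and udp", and the illustrative return values 38 and 39. struct bpf_insn and the opcode macros copy the layout of the real <pcap/bpf.h>, so the `prog` array could be installed unchanged through pcap_setfilter() via a struct bpf_program; here it is run through a minimal interpreter on constructed frames so that it needs no libpcap and no network access. The `capture`/`decode` pair also models the caveat from the post: the kernel delivers min(return value, wire length) bytes, so a matching packet shorter than the larger return value loses the signal.

```c
/* Added example, not from the original post or libpcap: sub-rule id encoded
 * in the BPF return value (snaplen), run by a toy interpreter on constructed
 * Ethernet/IPv4 frames.  Offsets assume DLT_EN10MB; Linux "any" (DLT_LINUX_SLL)
 * would need a different link-header layout. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF opcode bits, values as in bpf.h. */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_H    0x08   /* half-word load */
#define BPF_B    0x10   /* byte load */
#define BPF_ABS  0x20   /* absolute packet offset */
#define BPF_K    0x00   /* immediate operand */
#define BPF_JEQ  0x10

struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (uint8_t)(jt), (uint8_t)(jf), (uint32_t)(k) }

/* Sub-rule 1 ("ip and tcp") returns 38, sub-rule 2 ("ip and udp") returns 39,
 * everything else returns 0 (packet dropped).  jt/jf are offsets relative to
 * the following instruction, as in the kernel encoding; absolute targets are
 * noted in the comments, the way tcpdump -d prints them. */
#define RET_TCP 38
#define RET_UDP 39
static const struct bpf_insn prog[] = {
    BPF_STMT(BPF_LD  | BPF_H | BPF_ABS, 12),           /* 0: A = ethertype        */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 5), /* 1: IPv4? -> 2 else -> 7 */
    BPF_STMT(BPF_LD  | BPF_B | BPF_ABS, 23),           /* 2: A = IP protocol      */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 6, 0, 1),      /* 3: TCP?  -> 4 else -> 5 */
    BPF_STMT(BPF_RET | BPF_K, RET_TCP),                /* 4: sub-rule 1 matched   */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 17, 0, 1),     /* 5: UDP?  -> 6 else -> 7 */
    BPF_STMT(BPF_RET | BPF_K, RET_UDP),                /* 6: sub-rule 2 matched   */
    BPF_STMT(BPF_RET | BPF_K, 0),                      /* 7: no sub-rule matched  */
};

/* Minimal classic-BPF interpreter covering only the opcodes used above.
 * An out-of-bounds load terminates the program with 0, as the kernel does. */
static uint32_t run_bpf(const struct bpf_insn *p, size_t n, const uint8_t *pkt, uint32_t len)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *i = &p[pc];
        switch (i->code) {
        case BPF_LD | BPF_H | BPF_ABS:
            if (i->k + 2 > len) return 0;
            A = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case BPF_LD | BPF_B | BPF_ABS:
            if (i->k + 1 > len) return 0;
            A = pkt[i->k];
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (A == i->k) ? i->jt : i->jf;   /* loop's pc++ adds the +1 */
            break;
        case BPF_RET | BPF_K:
            return i->k;
        default:
            return 0;                            /* unsupported in this toy */
        }
    }
    return 0;
}

enum subrule { NONE = 0, TCP_RULE = 1, UDP_RULE = 2, AMBIGUOUS = 3 };

/* What a live capture would hand back: caplen = min(filter return, wirelen).
 * 0 means the packet is not delivered at all. */
static uint32_t capture(const uint8_t *pkt, uint32_t wirelen)
{
    uint32_t ret = run_bpf(prog, sizeof prog / sizeof prog[0], pkt, wirelen);
    return ret < wirelen ? ret : wirelen;
}

/* Recover the sub-rule from caplen.  Only sound when every matching packet is
 * at least RET_UDP bytes long: a 38-byte UDP datagram arrives with caplen 38
 * and would be mistaken for the TCP sub-rule, so report it as ambiguous. */
static int decode(uint32_t caplen, uint32_t wirelen)
{
    if (caplen == 0) return NONE;
    if (wirelen < RET_UDP) return AMBIGUOUS;
    if (caplen == RET_TCP) return TCP_RULE;
    if (caplen == RET_UDP) return UDP_RULE;
    return NONE;
}

/* Constructed sample frame: Ethernet II + IPv4 (IHL 5) + 8 transport bytes.
 * Addresses are arbitrary; checksums stay zero, which BPF never checks. */
#define FRAME_LEN 42
static void build_frame(uint8_t buf[FRAME_LEN], uint16_t ethertype, uint8_t proto)
{
    static const uint8_t macs[12] = {0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb};
    memset(buf, 0, FRAME_LEN);
    memcpy(buf, macs, 12);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    buf[14] = 0x45;             /* version 4, IHL 5 */
    buf[17] = 28;               /* total length 20 + 8 */
    buf[22] = 64;               /* TTL */
    buf[23] = proto;            /* 6 = TCP, 17 = UDP */
    buf[26] = 10; buf[29] = 1;  /* src 10.0.0.1 */
    buf[30] = 10; buf[33] = 2;  /* dst 10.0.0.2 */
}

/* Build a frame, present it to the filter as a wirelen-byte packet, and
 * report the sub-rule the capture reveals. */
int classify_sample(uint16_t ethertype, uint8_t proto, uint32_t wirelen)
{
    uint8_t f[FRAME_LEN];
    build_frame(f, ethertype, proto);
    if (wirelen > FRAME_LEN) wirelen = FRAME_LEN;
    return decode(capture(f, wirelen), wirelen);
}

int main(void)
{
    printf("tcp=%d udp=%d icmp=%d ipv6=%d short-udp=%d\n",
           classify_sample(0x0800, 6, FRAME_LEN), classify_sample(0x0800, 17, FRAME_LEN),
           classify_sample(0x0800, 1, FRAME_LEN), classify_sample(0x86dd, 6, FRAME_LEN),
           classify_sample(0x0800, 17, 38));
    return 0;
}
```

To use the real thing, wrap `prog` in a `struct bpf_program { bf_len, bf_insns }` and pass it to pcap_setfilter() on a handle whose link type is DLT_EN10MB; then read `caplen` from the `struct pcap_pkthdr` of each delivered packet and feed it through the same decode step. Comparing the array against `tcpdump -d 'ip and tcp'` output is a quick way to check the offsets for a given link type before trusting the hand-written jumps.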
Current thread:
- about pcap rules Hui . Ning (Aug 17)
- Re: about pcap rules Guy Harris (Aug 17)
- <Possible follow-ups>
- About pcap rules Alexander Dupuy (Aug 21)
- Re: About pcap rules Gregor Maier (Aug 22)
- Re: About pcap rules Jefferson Ogata (Aug 24)