tcpdump mailing list archives

Re: does "port 25" work?


From: Stephen Donnelly <stephen () endace com>
Date: Fri, 01 Aug 2008 12:04:55 +1200

On Thu, 2008-07-31 at 14:29 -0400, U. George wrote:
> Guy Harris wrote:
> 
> > On Jul 31, 2008, at 10:48 AM, U. George wrote:
> > 
> > > why does adding the "PORT" conditional also modify the wild-card 
> > > aspects of "ethernet type"
> > 
> > To what "wild-card aspects of 'ethernet type'" are you referring?
> > 
> > If you say "port domain", that can only match TCP or UDP packets, which 
> > means it can only match IP packets, which means it *cannot* match 
> > arbitrary Ethernet types.
> > -
> > This is the tcpdump-workers list.
> > Visit https://cod.sandelman.ca/ to unsubscribe.
> 
> 
> If I say this:
>       tcpdump  -n -v -i eth1
> 
> I get a log of: ether type * and port *, i.e. the PPPoE data.
> 
> If I say
>       tcpdump  -n -v -i eth1 port domain
> 
> I get a filter of ether (type UDP or TCP) and port domain, and no PPPoE data.

The filter "port domain" on an Ethernet interface (on my box) generates
a BPF filter that looks for Ethertype 0x86dd for IPv6 OR 0x0800 for
IPv4. It doesn't look for PPPoE, VLANs, GRE or anything else, because
you didn't specify that in your filter.

# tcpdump  -d -n -v -i eth0 port domain
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 10
(002) ldb      [20]
(003) jeq      #0x84            jt 6    jf 4
(004) jeq      #0x6             jt 6    jf 5
(005) jeq      #0x11            jt 6    jf 23
(006) ldh      [54]
(007) jeq      #0x35            jt 22   jf 8
(008) ldh      [56]
(009) jeq      #0x35            jt 22   jf 23
(010) jeq      #0x800           jt 11   jf 23
(011) ldb      [23]
(012) jeq      #0x84            jt 15   jf 13
(013) jeq      #0x6             jt 15   jf 14
(014) jeq      #0x11            jt 15   jf 23
(015) ldh      [20]
(016) jset     #0x1fff          jt 23   jf 17
(017) ldxb     4*([14]&0xf)
(018) ldh      [x + 14]
(019) jeq      #0x35            jt 22   jf 20
(020) ldh      [x + 16]
(021) jeq      #0x35            jt 22   jf 23
(022) ret      #96
(023) ret      #0

The filter "pppoes and port domain" generates a BPF filter which looks
for Ethertype 0x8864 for PPPoE session traffic.

# tcpdump  -d -n -v -i eth0 pppoes and port domain
(000) ldh      [12]
(001) jeq      #0x8864          jt 2    jf 25
(002) ldh      [20]
(003) jeq      #0x57            jt 4    jf 12
(004) ldb      [28]
(005) jeq      #0x84            jt 8    jf 6
(006) jeq      #0x6             jt 8    jf 7
(007) jeq      #0x11            jt 8    jf 25
(008) ldh      [62]
(009) jeq      #0x35            jt 24   jf 10
(010) ldh      [64]
(011) jeq      #0x35            jt 24   jf 25
(012) jeq      #0x21            jt 13   jf 25
(013) ldb      [31]
(014) jeq      #0x84            jt 17   jf 15
(015) jeq      #0x6             jt 17   jf 16
(016) jeq      #0x11            jt 17   jf 25
(017) ldh      [28]
(018) jset     #0x1fff          jt 25   jf 19
(019) ldxb     4*([22]&0xf)
(020) ldh      [x + 22]
(021) jeq      #0x35            jt 24   jf 22
(022) ldh      [x + 24]
(023) jeq      #0x35            jt 24   jf 25
(024) ret      #96
(025) ret      #0

From the man page of a recent tcpdump version:

pppoes
    True if the packet is a PPP-over-Ethernet Session packet
    (Ethernet type 0x8864). Note that the first pppoes keyword
    encountered in expression changes the decoding offsets for the
    remainder of expression on the assumption that the packet is a PPPoE
    session packet.

# tcpdump --version
tcpdump version 3.9.8
libpcap version 0.9.8

Stephen
-- 
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
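
The effect of the two filters above can be reproduced offline by interpreting the BPF programs that `tcpdump -d` printed. The script below is an added example for this archive page, not code from the thread or from tcpdump/libpcap: it parses the two listings from the message (reflowed with several instructions per line), implements the classic-BPF opcodes those listings use (ldh, ldb, ldxb, jeq, jset, ret), and runs them over constructed Ethernet frames. The MAC addresses, IP addresses, ports and payloads are made up; the frame builders are assumptions written for this example. Return value 96 is the snaplen that tcpdump 3.9.x used by default, 0 means the packet is rejected, and a load past the end of the packet rejects it the way the real interpreter does.

```python
import re
import struct

# Both programs are the `tcpdump -d` listings from the message, reflowed with
# several instructions per line; the parser splits on ';' and newlines.
PORT_DOMAIN = """
(000) ldh [12]; (001) jeq #0x86dd jt 2 jf 10; (002) ldb [20]
(003) jeq #0x84 jt 6 jf 4; (004) jeq #0x6 jt 6 jf 5; (005) jeq #0x11 jt 6 jf 23
(006) ldh [54]; (007) jeq #0x35 jt 22 jf 8; (008) ldh [56]; (009) jeq #0x35 jt 22 jf 23
(010) jeq #0x800 jt 11 jf 23; (011) ldb [23]; (012) jeq #0x84 jt 15 jf 13
(013) jeq #0x6 jt 15 jf 14; (014) jeq #0x11 jt 15 jf 23; (015) ldh [20]
(016) jset #0x1fff jt 23 jf 17; (017) ldxb 4*([14]&0xf); (018) ldh [x + 14]
(019) jeq #0x35 jt 22 jf 20; (020) ldh [x + 16]; (021) jeq #0x35 jt 22 jf 23
(022) ret #96; (023) ret #0
"""

PPPOES_PORT_DOMAIN = """
(000) ldh [12]; (001) jeq #0x8864 jt 2 jf 25; (002) ldh [20]
(003) jeq #0x57 jt 4 jf 12; (004) ldb [28]; (005) jeq #0x84 jt 8 jf 6
(006) jeq #0x6 jt 8 jf 7; (007) jeq #0x11 jt 8 jf 25; (008) ldh [62]
(009) jeq #0x35 jt 24 jf 10; (010) ldh [64]; (011) jeq #0x35 jt 24 jf 25
(012) jeq #0x21 jt 13 jf 25; (013) ldb [31]; (014) jeq #0x84 jt 17 jf 15
(015) jeq #0x6 jt 17 jf 16; (016) jeq #0x11 jt 17 jf 25; (017) ldh [28]
(018) jset #0x1fff jt 25 jf 19; (019) ldxb 4*([22]&0xf); (020) ldh [x + 22]
(021) jeq #0x35 jt 24 jf 22; (022) ldh [x + 24]; (023) jeq #0x35 jt 24 jf 25
(024) ret #96; (025) ret #0
"""


def parse_program(text):
    """Turn a `tcpdump -d` listing into a list of (opcode, operand-text) tuples."""
    prog = []
    for chunk in re.split(r"[\n;]", text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = re.match(r"\((\d+)\)\s+(\w+)\s*(.*)", chunk)
        if not m or int(m.group(1)) != len(prog):
            raise ValueError("bad or out-of-order instruction: " + chunk)
        prog.append((m.group(2), m.group(3).strip()))
    return prog


def run_bpf(prog, pkt):
    """Interpret the classic-BPF subset the two listings use.

    Returns the accept length (96 here) or 0 for "drop". As in the kernel and
    libpcap interpreters, a load beyond the end of the packet rejects it.
    """
    a = x = pc = 0

    def load(off, size):
        if off < 0 or off + size > len(pkt):
            return None
        return int.from_bytes(pkt[off:off + size], "big")

    while True:
        op, arg = prog[pc]
        if op in ("ldh", "ldb"):                       # A = pkt[k] or pkt[x + k]
            m = re.match(r"\[(x \+ )?(\d+)\]", arg)
            v = load(int(m.group(2)) + (x if m.group(1) else 0), 2 if op == "ldh" else 1)
            if v is None:
                return 0
            a, pc = v, pc + 1
        elif op == "ldxb":                             # X = 4 * (pkt[k] & 0xf), the IPv4 IHL
            v = load(int(re.match(r"4\*\(\[(\d+)\]&0xf\)", arg).group(1)), 1)
            if v is None:
                return 0
            x, pc = 4 * (v & 0xf), pc + 1
        elif op in ("jeq", "jset"):                    # branch on A == k, or A & k != 0
            m = re.match(r"#(0x[0-9a-f]+|\d+)\s+jt\s+(\d+)\s+jf\s+(\d+)", arg)
            k = int(m.group(1), 0)
            taken = (a == k) if op == "jeq" else (a & k) != 0
            pc = int(m.group(2)) if taken else int(m.group(3))
        elif op == "ret":
            return int(arg.lstrip("#"), 0)
        else:
            raise ValueError("unsupported opcode " + op)


# Constructed sample frames: MACs, addresses, ports and payloads are made up.
DST_MAC, SRC_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")


def ipv4_udp(src_port, dst_port, payload):
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))  # checksums left 0
    return ip + udp


def ether(ethertype, payload):
    return DST_MAC + SRC_MAC + struct.pack("!H", ethertype) + payload


def pppoe_session(ppp_proto, payload, session_id=1):
    # PPPoE session header (ver/type 0x11, code 0x00, session id, length), then PPP protocol.
    hdr = struct.pack("!BBHH", 0x11, 0x00, session_id, len(payload) + 2)
    return hdr + struct.pack("!H", ppp_proto) + payload


PLAIN_DNS = ether(0x0800, ipv4_udp(40000, 53, b"dns query"))
PLAIN_HTTP = ether(0x0800, ipv4_udp(40000, 80, b"GET / HTTP/1.0"))
PPPOE_DNS = ether(0x8864, pppoe_session(0x0021, ipv4_udp(40000, 53, b"dns query")))


def matches(program_text, pkt):
    return run_bpf(parse_program(program_text), pkt)


if __name__ == "__main__":
    for name, pkt in [("plain DNS", PLAIN_DNS), ("plain HTTP", PLAIN_HTTP), ("PPPoE DNS", PPPOE_DNS)]:
        print(f"{name:10s} port domain -> {matches(PORT_DOMAIN, pkt):3d}   "
              f"pppoes and port domain -> {matches(PPPOES_PORT_DOMAIN, pkt):3d}")
```

Running it shows exactly what Stephen describes: the plain frame carrying DNS is accepted by "port domain" and rejected by "pppoes and port domain", while the PPPoE-wrapped DNS frame is the other way round, because the first program only ever compares the Ethertype at offset 12 against 0x86dd and 0x0800, and the second starts by requiring 0x8864 and then reads the PPP protocol id at offset 20 and the IPv4 header at offset 22, the shifted offsets the man page excerpt refers to.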
