Re: BPF questions...

[Guy Harris <guy () alum mit edu>]

On May 21, 2011, at 9:09 AM, barcaroller wrote:

> This may not be the right group, but I have a few BPF questions that I hope you can answer:
>
> * What is the maximum size of a BPF expression that can be passed to tcpdump and pcap_compile()?

pcap_compile() has no inherent limit; the only limit in tcpdump would be a limit on the number of bytes of command-line 
argument that could be passed to a program.

The OS might impose a limit on the size of a BPF *program* generated from an expression.

> * What is the maximum level of nesting for BPF expressions for tcpdump and pcap_compile()?  Currently, I'm observing 
> nesting levels of 10 or more.

There's no explicit limit.

> * Are there BPF expressions for "nested" vlans?

I.e., to match packets with two or more VLAN headers?  You could do "vlan and vlan and tcp", or "vlan 2 and vlan 17 and 
tcp", or something such as that.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.