tcpdump mailing list archives
Re: tcpdump and BPF filters
From: "Geoffrey Sisson" <geoff () geoff co uk>
Date: Sun, 10 Jul 2011 12:11:43 -0700
Guy Harris <guy () alum mit edu> wrote:
> What are you trying to do? If it's a type of test that the filter language
> doesn't support, the filter language should perhaps be extended to support it.
It's for walking through some variable-length fields, and involves
iteratively using values in the packet as offsets for successive loads.

    . . .
    BPF_STMT(BPF_LD + BPF_B + BPF_IND, 0),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, 34, 0),
    BPF_STMT(BPF_ALU + BPF_ADD + BPF_X, 0),
    BPF_STMT(BPF_ALU + BPF_ADD + BPF_K, 1),
    BPF_STMT(BPF_MISC + BPF_TAX, 0),
    BPF_STMT(BPF_LD + BPF_B + BPF_IND, 0),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, 20, 0),
    BPF_STMT(BPF_ALU + BPF_ADD + BPF_X, 0),
    BPF_STMT(BPF_ALU + BPF_ADD + BPF_K, 1),
    BPF_STMT(BPF_MISC + BPF_TAX, 0),
    BPF_STMT(BPF_LD + BPF_B + BPF_IND, 0),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, 15, 0),
    . . .

I don't think the filter language supports it, and my initial sense is
that it would be hard to extend it to do this.

Geoff
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
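
The unrolled walk described in the message above, as an added example that is not part of the original post: it emits the quoted five-instruction step once per field (classic BPF jumps only go forward, so the loop has to be unrolled) and runs the result in a small interpreter, where an out-of-bounds load rejects the packet as it does in real BPF. The names build_walk, run and walk, the sample buffer, the leading load of X and the ret 0 / ret 0xffff tail are assumptions made for the example; the opcode values are the standard classic BPF encodings.

```c
#include <stddef.h>
#include <stdint.h>
/* Combined classic BPF opcodes (class | size/op | mode/source). */
enum { LDX_IMM = 0x01, LDB_IND = 0x50, JEQ_K = 0x15, ADD_X = 0x0c,
       ADD_K = 0x04, TAX = 0x07, RET_K = 0x06 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define MAX_FIELDS 51  /* (51-1)*5+4 = 254 still fits the 8-bit jt field */
const uint8_t sample[] = { 3, 'a', 'b', 'c', 2, 'd', 'e', 0 }; /* constructed */
/* X = start; max_fields copies of the 5-instruction step; ret 0; ret 0xffff. */
size_t build_walk(struct insn *p, uint32_t start, unsigned max_fields) {
    size_t n = 0;
    if (max_fields == 0 || max_fields > MAX_FIELDS) return 0;
    p[n++] = (struct insn){ LDX_IMM, 0, 0, start };
    for (unsigned i = 0; i < max_fields; i++) {
        uint8_t acc = (uint8_t)((max_fields - 1 - i) * 5 + 4); /* to accept */
        p[n++] = (struct insn){ LDB_IND, 0, 0, 0 };  /* A = pkt[X]         */
        p[n++] = (struct insn){ JEQ_K, acc, 0, 0 };  /* A == 0: to accept  */
        p[n++] = (struct insn){ ADD_X, 0, 0, 0 };    /* A += X             */
        p[n++] = (struct insn){ ADD_K, 0, 0, 1 };    /* A += 1             */
        p[n++] = (struct insn){ TAX, 0, 0, 0 };      /* X = A (next field) */
    }
    p[n++] = (struct insn){ RET_K, 0, 0, 0 };       /* out of steps: reject */
    p[n++] = (struct insn){ RET_K, 0, 0, 0xffff };  /* terminator: accept   */
    return n;
}

/* Interpreter for just these opcodes; an out-of-bounds load returns 0. */
uint32_t run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case LDX_IMM: X = p[pc].k; break;
        case LDB_IND:
            if ((uint64_t)X + p[pc].k >= len) return 0;
            A = pkt[(size_t)X + p[pc].k]; break;
        case JEQ_K:   pc += (A == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case ADD_X:   A += X; break;
        case ADD_K:   A += p[pc].k; break;
        case TAX:     X = A; break;
        case RET_K:   return p[pc].k;
        default:      return 0;
        }
    }
    return 0;
}
uint32_t walk(const uint8_t *pkt, size_t len, uint32_t start, unsigned max) {
    struct insn prog[MAX_FIELDS * 5 + 3];
    return run(prog, build_walk(prog, start, max), pkt, len);
}
```

walk(sample, sizeof sample, 0, 4) accepts, while the same buffer with only 2 unrolled steps is rejected because the zero length byte is reached on the third load; the unroll depth is a hard bound on how many fields the filter can follow.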