tcpdump mailing list archives

Re: tcpdump and BPF filters


From: "Geoffrey Sisson" <geoff () geoff co uk>
Date: Sun, 10 Jul 2011 18:57:16 -0700

Guy Harris <guy () alum mit edu> wrote:

> What sort of variable-length fields are you processing?

Labels in the wire representation of a domain name.

From RFC 1035:

   Domain names in messages are expressed in terms of a sequence
   of labels.  Each label is represented as a one octet length field
   followed by that number of octets.  Since every domain name ends with
   the null label of the root, a domain name is terminated by a length
   byte of zero.

> The filter language is generally fairly high-level, but it does
> have the <expr> <relop> <expr> expressions, and each <expr> is
> <proto>[<expr>:<size>], so you can use the result of an expression as
> the offset in another expression.
>
> There are definitely places where the code generated for expressions
> uses values in the packet as offsets; even if you ignore the
> variable-length IP header, there is, for example, the variable-length
> 802.11 header, as well as the variable-length radio metadata headers
> that can precede the 802.11 header.

The catch is that domain names comprise a variable number of
variable-length fields.  Examples of valid sequences:

   +---+---+---+---+---+---+---+---+---+---+---+---+---+
   |007| t | c | p | d | u | m | p |003| o | r | g |000|
   +---+---+---+---+---+---+---+---+---+---+---+---+---+

   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
   |003| w | w | w |003| f | o | o |002| c | o |002| u | k |000|
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

   +---+---+---+---+---+
   |003| e | d | u |000|
   +---+---+---+---+---+

   +---+
   |000|
   +---+

   (XXX = numeric field length, X = ASCII data)

It's not as simple as finding the first octet with a value of zero,
as this is a valid sequence:

   +---+---+---+---+---+---+---+---+---+
   |003| f |000| o |003| b |000| r |000|        = f\000o.b\000r.
   +---+---+---+---+---+---+---+---+---+

Geoff

This is the tcpdump-workers list.
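An added example (not code from the post or from tcpdump) showing why the "first zero octet" shortcut fails on the f\000o.b\000r. name above, beside a label walker that does it properly. It goes a little beyond the post by also following RFC 1035 section 4.1.4 compression pointers, with a hop limit so a malformed pointer chain cannot loop forever; the sample names are constructed from the diagrams in the message.

```python
import struct

# Constructed wire-format names, taken from the diagrams in the post.
NAME_TCPDUMP_ORG = b"\x07tcpdump\x03org\x00"
NAME_WWW_FOO_CO_UK = b"\x03www\x03foo\x02co\x02uk\x00"
NAME_WITH_NUL = b"\x03f\x00o\x03b\x00r\x00"   # f\000o.b\000r. is a legal name


def naive_name_end(buf, offset=0):
    """The tempting shortcut: first zero octet ends the name. Wrong for NAME_WITH_NUL."""
    return buf.index(b"\x00", offset) + 1


def parse_name(buf, offset=0):
    """Walk length-prefixed labels from `offset`; return (labels, offset after name)."""
    labels = []
    end = None          # where the caller resumes once a compression pointer is taken
    hops = 0
    while True:
        if offset >= len(buf):
            raise ValueError("name runs past end of buffer")
        length = buf[offset]
        if length & 0xC0 == 0xC0:           # RFC 1035 4.1.4 compression pointer
            if offset + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = offset + 2            # the name occupies two octets here
            offset = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > len(buf):             # more hops than octets: a pointer loop
                raise ValueError("compression pointer loop")
            continue
        if length & 0xC0:                   # 0x40 / 0x80 label types are reserved
            raise ValueError("reserved label type 0x%02x" % (length >> 6))
        offset += 1
        if length == 0:                     # the root label terminates the name
            return labels, (end if end is not None else offset)
        if offset + length > len(buf):
            raise ValueError("label runs past end of buffer")
        labels.append(buf[offset:offset + length])   # raw octets; a 0x00 inside is fine
        offset += length


def to_text(labels):
    """Render labels as dotted text, escaping odd octets as \\DDD like the post does."""
    def esc(b):
        return chr(b) if 0x21 <= b <= 0x7E and b != 0x2E else "\\%03o" % b
    return ".".join("".join(esc(b) for b in label) for label in labels) + "."
```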
