Custom decoding offset? (for batman-adv)

[Linus Lüssing via tcpdump-workers <tcpdump-workers () lists tcpdump org>]

> --- Begin Message ---
>
>
> From: Linus Lüssing <linus.luessing () c0d3 blue>
>
> Date: Fri, 6 Nov 2020 14:34:12 +0100
>
> Hi!
>
> I would like to use tcpdump and libpcap to filter and examine
> batman-adv packets. batman-adv is a mesh routing protocol which
> encapsulates layer 2 ethernet frames.
>
> I know my way to identify batman-adv packets via raw ether filters.
> What I would like to additionally do is filtering by fields of the
> inner ethernet header.
>
> I saw in the manpage that for various keys the decoding offset is
> modified for the remainder of the expression.
>
> My question is, is there a way to specify a custom decoding offset
> for an encapsulating protocol that is not known by libpcap yet,
> like batman-adv?
>
> Or would I need to add batman-adv support to libpcap?
>
> Regards, Linus
>
>
> PS: The closest I found online so far is this:
>
> https://serverfault.com/questions/617066/tcpdump-decode-packet-starting-at-non-zero-offset
>
> Which suggests something like:
>
> $ tcpdump -i eth0 -w - | editcap -C 82 - - | tcpdump -r -
>
> However, ideally I would like to use a custom offset in a project
> based on libpcap:
>
> https://github.com/lemoer/bpfcountd
>
> Where the tcpdump/editcap approach would currently not work.
>
> So some native, custom decoding offset support for a filter
> expression would be great.
>
> --- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers