tcpdump mailing list archives
Re: Custom decoding offset? (for batman-adv)
From: Denis Ovsienko via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Fri, 6 Nov 2020 14:36:13 +0000
--- Begin Message ---
From: Denis Ovsienko <denis () ovsienko info>

On Fri, 6 Nov 2020 14:34:12 +0100
Linus Lüssing via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:

[...]
> Which suggests something like:
>
> $ tcpdump -i eth0 -w - | editcap -C 82 - - | tcpdump -r -
>
> However, ideally I would like to use a custom offset in a project
> based on libpcap: https://github.com/lemoer/bpfcountd
> Where the tcpdump/editcap approach would currently not work.
>
> So some native, custom decoding offset support for a filter
> expression would be great.

editcap would possibly do as a one-time hack given every packet is a
batman-adv packet, but a clean solution would likely need to introduce
a keyword into pcap filter language along the lines of "pppoed" and
"pppoes":

    pppoes [session_id]
           True if the packet is a PPP-over-Ethernet Session packet
           (Ethernet type 0x8864). If [session_id] is specified, only
           true if the packet has the specified session_id. Note that
           the first pppoes keyword encountered in expression changes
           the decoding offsets for the remainder of expression on the
           assumption that the packet is a PPPoE session packet.

           For example:
                pppoes 0x27 && ip
           filters IPv4 protocols encapsulated in PPPoE session id 0x27.

See libpcap commit 7fb15ab for some implementation details. Could you
figure out which keywords and which parameters this problem seems to
need and post that to the list first?

-- 
    Denis Ovsienko
--- End Message ---
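The chopping step in the quoted `editcap -C 82` pipeline, as an added example that is not part of the original message and not editcap's own code: it removes a fixed number of leading bytes from every record of a classic pcap stream so that a decoder sees the inner frame at offset 0. The function names, the constructed sample capture, and the handling of too-short records and of the reported length are assumptions made here.

```python
import struct

def chop_pcap(data: bytes, chop: int) -> bytes:
    """Drop the first `chop` bytes of every record in a classic pcap stream."""
    if chop < 0 or len(data) < 24:
        raise ValueError("negative chop or truncated pcap global header")
    magic = struct.unpack_from("<I", data)[0]
    if magic == 0xA1B2C3D4:
        end = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"          # file written big-endian
    else:
        raise ValueError("not a classic microsecond pcap stream")
    out = bytearray(data[:24])  # global header kept as-is, link type included
    pos = 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, caplen, origlen = struct.unpack_from(end + "4I", data, pos)
        pos += 16
        if pos + caplen > len(data):
            raise ValueError("truncated packet data")
        inner = data[pos + chop:pos + caplen]
        pos += caplen
        if not inner:
            continue  # choice made here: nothing left after the chop, skip it
        # Choice made here: shrink the reported length too, never below caplen.
        new_orig = max(origlen - chop, len(inner))
        out += struct.pack(end + "4I", sec, usec, len(inner), new_orig)
        out += inner
    return bytes(out)

def build_sample() -> bytes:
    """Constructed input: 82 filler bytes + a marker, then a 60-byte runt."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type 1 (Ethernet)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [b"\x00" * 82 + b"INNER-FRAME", b"\x11" * 60]
    body = b"".join(
        struct.pack("<4I", 1604673373 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(pkts)
    )
    return hdr + body

if __name__ == "__main__":
    chopped = chop_pcap(build_sample(), 82)
    print(len(chopped), chopped[40:])
```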