Wireshark mailing list archives

Re: dumpcap and bpf assembler


From: Sake Blok <sake () euronet nl>
Date: Fri, 29 May 2015 22:59:17 +0200

On 28 May 2015, at 23:52, Guy Harris wrote:

> On May 27, 2015, at 4:26 PM, Sake Blok <sake () euronet nl> wrote:
>
>> I believe that anything the BPF engine can do can be accomplished by using a capture filter expression
>
> No.

Oops, misformulated what I wanted to say. I meant to say that I believed that any data in the packet that BPF can look 
at, can be looked at by using specific filter expressions.

> For one thing, a BPF program can return different non-zero values based on the packet contents, so that, for example, 
> somebody could have a bigger snapshot length for some packet types than others (somebody asked about that somewhere - 
> they wanted a bigger snapshot length for DNS packets).  That's not supported in capture filter expressions - those 
> expressions evaluate to a Boolean value, so they either match (returning a single snapshot length) or fail to match.

That is exactly the use case I had for a BPF compiler when I discussed this with Steve McCanne at Sharkfest a couple of 
years ago.

> For another thing, as Richard noted, there are some special tests in the Linux BPF engine that aren't currently 
> supported by capture filter expressions.

I was not aware of that. Thanks for the insight! :-)

Cheers,
Sake
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
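The per-packet snapshot length Guy describes above (full capture for DNS, a short snaplen for everything else), shown as an added example that is not part of this thread and not libpcap or Wireshark code: a hand-assembled classic BPF program whose `ret` value depends on the packet, run by a toy interpreter that implements only the instructions the program uses. The opcode encoding is the classic BPF one (code, jt, jf, k), so the program itself is the kind of thing a BPF assembler would emit; the packet builder, the 65535/96/0 policy and the assumption of an Ethernet link layer with option-less IPv4 headers (IHL == 5, so the UDP ports sit at fixed offsets 34 and 36) are mine, not from the page.

```c
/*
 * Added example: a classic BPF program whose return value (the per-packet
 * snapshot length) depends on the packet, run by a toy interpreter.
 * This is not libpcap or Wireshark code.  Opcode values follow the classic
 * BPF encoding (struct bpf_insn: code, jt, jf, k) so the program could be
 * handed to a real engine, but the interpreter below only implements the
 * instructions this program needs.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Classic BPF opcode fields (same numeric values as libpcap/Linux). */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_ABS  0x20
#define BPF_K    0x00
#define BPF_JEQ  0x10
#define BPF_JSET 0x40

#define STMT(code, k)         { (code), 0, 0, (k) }
#define JUMP(code, k, jt, jf) { (code), (jt), (jf), (k) }

/*
 * Snaplen policy: DNS over UDP keeps the whole packet, other IPv4 keeps
 * 96 bytes, non-IPv4 is dropped.  Jump offsets are relative to the next
 * instruction, as in real BPF.  Assumption (mine): Ethernet link layer and
 * IPv4 without options, so the UDP ports sit at fixed offsets 34 and 36.
 */
static const struct insn dns_prog[] = {
    /*  0 */ STMT(BPF_LD | BPF_H | BPF_ABS, 12),               /* A = ethertype          */
    /*  1 */ JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 12),   /* not IPv4   -> 14 drop  */
    /*  2 */ STMT(BPF_LD | BPF_B | BPF_ABS, 14),               /* A = version/IHL        */
    /*  3 */ JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x45, 0, 10),     /* IP options -> 14 drop  */
    /*  4 */ STMT(BPF_LD | BPF_H | BPF_ABS, 20),               /* A = flags/frag offset  */
    /*  5 */ JUMP(BPF_JMP | BPF_JSET | BPF_K, 0x1fff, 7, 0),   /* later frag -> 13 other */
    /*  6 */ STMT(BPF_LD | BPF_B | BPF_ABS, 23),               /* A = protocol           */
    /*  7 */ JUMP(BPF_JMP | BPF_JEQ | BPF_K, 17, 0, 5),        /* not UDP    -> 13 other */
    /*  8 */ STMT(BPF_LD | BPF_H | BPF_ABS, 34),               /* A = src port           */
    /*  9 */ JUMP(BPF_JMP | BPF_JEQ | BPF_K, 53, 2, 0),        /* == 53      -> 12 dns   */
    /* 10 */ STMT(BPF_LD | BPF_H | BPF_ABS, 36),               /* A = dst port           */
    /* 11 */ JUMP(BPF_JMP | BPF_JEQ | BPF_K, 53, 0, 1),        /* == 53 -> 12, else 13   */
    /* 12 */ STMT(BPF_RET | BPF_K, 65535),                     /* DNS: keep full packet  */
    /* 13 */ STMT(BPF_RET | BPF_K, 96),                        /* other IPv4: 96 bytes   */
    /* 14 */ STMT(BPF_RET | BPF_K, 0),                         /* drop                   */
};

/* Evaluate prog over pkt.  Returns the program's return value: 0 means
 * drop, anything else is the number of bytes to keep.  Out-of-bounds
 * loads and unsupported opcodes return 0, as a real engine would reject. */
uint32_t bpf_run(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                              /* accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case BPF_LD | BPF_B | BPF_ABS:
            if ((size_t)i->k + 1 > len) return 0;
            a = pkt[i->k];
            break;
        case BPF_LD | BPF_H | BPF_ABS:
            if ((size_t)i->k + 2 > len) return 0;
            a = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:          /* target = pc + 1 + jt/jf */
            pc += (a == i->k) ? i->jt : i->jf;
            break;
        case BPF_JMP | BPF_JSET | BPF_K:
            pc += (a & i->k) ? i->jt : i->jf;
            break;
        case BPF_RET | BPF_K:
            return i->k;
        default:
            return 0;
        }
    }
    return 0;
}

/* Build a constructed 64-byte Ethernet/IPv4 frame (zeroed addresses, no
 * checksums; test data only) and run the program over it.  Returns the
 * snaplen the engine would apply to that packet. */
uint32_t snaplen_of(uint16_t ethertype, uint8_t proto, uint16_t sport, uint16_t dport, uint16_t frag)
{
    uint8_t f[64];
    memset(f, 0, sizeof f);
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff;
    f[14] = 0x45;                                /* IPv4, IHL = 5 */
    f[20] = frag >> 8;      f[21] = frag & 0xff; /* flags + fragment offset */
    f[23] = proto;
    f[34] = sport >> 8;     f[35] = sport & 0xff;
    f[36] = dport >> 8;     f[37] = dport & 0xff;
    return bpf_run(dns_prog, sizeof dns_prog / sizeof dns_prog[0], f, sizeof f);
}

int main(void)
{
    printf("DNS query   (udp 40000 -> 53):  %u\n", snaplen_of(0x0800, 17, 40000, 53, 0));
    printf("DNS reply   (udp 53 -> 40000):  %u\n", snaplen_of(0x0800, 17, 53, 40000, 0));
    printf("other UDP   (udp 1234 -> 5678): %u\n", snaplen_of(0x0800, 17, 1234, 5678, 0));
    printf("TCP port 53 (not DNS-over-UDP): %u\n", snaplen_of(0x0800, 6, 1234, 53, 0));
    printf("UDP fragment, offset 16:        %u\n", snaplen_of(0x0800, 17, 40000, 53, 0x0010));
    printf("ARP frame:                      %u\n", snaplen_of(0x0806, 0, 0, 0, 0));
    return 0;
}
```

The contrast with a capture filter expression is visible with `tcpdump -d 'udp port 53'`: every accepting path of the compiled program ends in the same `ret #N` (the single snaplen) and every rejecting path in `ret #0`, which is the Boolean behaviour Guy describes. The program above is the thing a filter expression cannot express: three distinct return values chosen per packet. Note that it only matches DNS over UDP; TCP port 53 and non-first IP fragments (where the ports are not present) fall through to the 96-byte default rather than being dropped.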

