Wireshark mailing list archives

Re: dumpcap and bpf assembler


From: Richard Stearn <richard () rns-stearn demon co uk>
Date: Wed, 27 May 2015 15:47:36 +0100

Hi Sake

Thank you for the response.  Unfortunately the information I am after
filtering on is not in a capture file, it only exists in the kernel at
run time, skb->protocol.  Hence linking this to dumpcap.

As a packet is processed through the network stack the value of
skb->protocol changes to reflect the next protocol to be inspected.

For example, an AX25 packet is handed to the network interface by the
mkiss driver and skb->protocol == ETH_P_AX25.  The packet is then
processed by the AX25 protocol driver and in the case of the payload
being an IP packet skb->protocol is then changed to ETH_P_IP and the
packet handed back to the network interface.  So now we have apparently
the same packet appearing on the network interface for a second time;
libpcap cannot distinguish between the two, as the only difference is
the value of skb->protocol, and there appears to be no way of
filtering on skb->protocol without resorting to BPF assembler.

I hope I am making sense.

--
Regards
        Richard

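The program Richard is describing can be written as a few lines of classic BPF: the kernel's "ancillary load" at offset SKF_AD_OFF + SKF_AD_PROTOCOL (what bpf_asm spells `ld #proto`) reads skb->protocol, a field that is not part of the packet bytes and so cannot be reached by any libpcap filter expression. The Python below is an added illustration, not part of this message or of dumpcap/libpcap: it encodes that program as an array of struct sock_filter, runs it through a minimal interpreter over two constructed skb records that share identical bytes but differ only in skb->protocol (the AX.25 pass and the re-injected IP pass), and contrasts it with a byte-offset filter that accepts both. The sample bytes, the interpreter and the `attach_filter` helper (which assumes a Linux AF_PACKET socket the caller has already opened) are all assumptions of this example.

```python
import ctypes
import socket
import struct

# Classic BPF opcode fields, values as defined in <linux/bpf_common.h>.
BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06
BPF_W, BPF_ABS, BPF_K = 0x00, 0x20, 0x00
BPF_JEQ = 0x10

# Ancillary-load offsets from <linux/filter.h>.  A BPF_LD|BPF_W|BPF_ABS whose
# k equals SKF_AD_OFF + SKF_AD_PROTOCOL yields ntohs(skb->protocol) instead of
# packet bytes; this is the instruction bpf_asm emits for "ld #proto".
SKF_AD_OFF = -0x1000
SKF_AD_PROTOCOL = 0
PROTO_LOAD_K = (SKF_AD_OFF + SKF_AD_PROTOCOL) & 0xFFFFFFFF  # 0xfffff000

ETH_P_AX25 = 0x0002  # <linux/if_ether.h>
ETH_P_IP = 0x0800

# Linux asm-generic value; Python's socket module may not export it.
SO_ATTACH_FILTER = getattr(socket, "SO_ATTACH_FILTER", 26)


def skb_protocol_filter(proto):
    """Classic BPF equivalent of the bpf_asm listing:
           ld #proto
           jeq #<proto>, keep, drop
       keep: ret #-1
       drop: ret #0
    Returned as (code, jt, jf, k) tuples, i.e. struct sock_filter fields."""
    return [
        (BPF_LD | BPF_W | BPF_ABS, 0, 0, PROTO_LOAD_K),
        (BPF_JMP | BPF_JEQ | BPF_K, 0, 1, proto),
        (BPF_RET | BPF_K, 0, 0, 0xFFFFFFFF),
        (BPF_RET | BPF_K, 0, 0, 0),
    ]


def first_word_filter(word):
    """A libpcap-style filter over packet bytes only: accept if the first
    32-bit word of the packet equals `word`.  Used to show that packet
    content alone cannot separate the two passes."""
    return [
        (BPF_LD | BPF_W | BPF_ABS, 0, 0, 0),
        (BPF_JMP | BPF_JEQ | BPF_K, 0, 1, word),
        (BPF_RET | BPF_K, 0, 0, 0xFFFFFFFF),
        (BPF_RET | BPF_K, 0, 0, 0),
    ]


def encode(program):
    """Pack as consecutive struct sock_filter {u16 code; u8 jt; u8 jf; u32 k}
    records in host byte order, the layout SO_ATTACH_FILTER expects."""
    return b"".join(struct.pack("=HBBI", *insn) for insn in program)


def run_filter(program, skb_bytes, skb_protocol):
    """Minimal classic-BPF interpreter covering only the opcodes used above.
    Models the kernel's special case: a word load at PROTO_LOAD_K returns
    skb->protocol (host order) rather than bytes from the packet."""
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = program[pc]
        if code == BPF_LD | BPF_W | BPF_ABS:
            acc = skb_protocol if k == PROTO_LOAD_K else struct.unpack_from("!I", skb_bytes, k)[0]
            pc += 1
        elif code == BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (jt if acc == k else jf)  # jump targets are relative to pc + 1
        elif code == BPF_RET | BPF_K:
            return k  # number of bytes to accept; 0 means drop
        else:
            raise ValueError("opcode 0x%02x not modelled" % code)


# Constructed sample: the same frame as the mkiss driver hands it up
# (skb->protocol == ETH_P_AX25) and again after the AX.25 layer re-injects the
# IP payload (skb->protocol == ETH_P_IP).  Bytes are filler; only the metadata
# differs between the two passes.
SAMPLE = bytes(range(32))
PASSES = [(SAMPLE, ETH_P_AX25), (SAMPLE, ETH_P_IP)]


def accepted_passes(program, passes=PASSES):
    """Return the skb->protocol values of the passes the filter accepts."""
    return [proto for pkt, proto in passes if run_filter(program, pkt, proto) != 0]


def attach_filter(sock, program):
    """Attach `program` to an already-open Linux AF_PACKET socket via
    SO_ATTACH_FILTER (struct sock_fprog = {u16 len; struct sock_filter *filter}).
    Requires CAP_NET_RAW; not exercised here."""
    buf = ctypes.create_string_buffer(encode(program))
    fprog = struct.pack("HL", len(program), ctypes.addressof(buf))  # native padding
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)


if __name__ == "__main__":
    print("ld #proto filter accepts:", [hex(p) for p in accepted_passes(skb_protocol_filter(ETH_P_IP))])
    print("byte-offset filter accepts:", [hex(p) for p in accepted_passes(first_word_filter(0x00010203))])
```

Running it shows the protocol filter keeping only the ETH_P_IP pass while the byte-offset filter keeps both, which is exactly the gap between what libpcap's language can express and what the kernel's BPF interpreter can see. To compile the same listing with the kernel tree's bpf_asm and feed the opcodes to a socket, the encoded array is what `attach_filter` passes in.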
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe