tcpdump mailing list archives
Re: question
From: Guy Harris <guy () netapp com>
Date: Wed, 16 Oct 2002 12:50:07 -0700
On Wed, Oct 16, 2002 at 12:44:07AM -0400, subramoni padmanabhan wrote:
I know DLT_LINUX_SLL header's first two bytes have an option 4 which indicates "packets sent by me". I want to get at these first two bytes in the form of a tcpdump filter expression.
The tcpdump man page says in the "expression" section (which is what documents libpcap's capture filter syntax):

    expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

    The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:

    ...

    Allowable primitives are:

    ...

    expr relop expr
        True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:

            proto [ expr : size ]

        Proto is one of ether, fddi, tr, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp or ip6, and indicates the protocol layer for the index operation. (ether, fddi, tr, ppp, slip and link all refer to the link layer.) Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.

That's the way you can test parts of the headers, for the protocols in question, for which there's no explicit expression in the syntax. To test the first two bytes of the link-layer header, *if they're big-endian*, use "link[0:2]".
However, I'm not sure it's big-endian in the kernel, so link[0:2] != 4 might not correctly test for non-outgoing packets on little-endian machines such as x86's - on live captures, you might have to do link[0:2] != 0x0400 on little-endian machines (but compare with 4 on big-endian machines).

Furthermore, the DLT_LINUX_SLL pseudo-header is synthesized from stuff in the "address" from which the packet has been received, and the Linux libpcap code only special-cases the protocol field, so that expression can't be tested in the kernel in any case; libpcap will not install any capture filter in the kernel, and will capture all packets and do filtering in userland.

That filtering can also be done by your application, as I believe you have been told in at least one reply to your question in the past - just have the "pcap_dispatch()" or "pcap_loop()" callback routine check that field in the header and ignore the packet if its value is 4 (it will have to load it with "htons()", as it's in network byte order in the header).

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
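An added illustration of the userland check the reply describes; this is not code from the message, from tcpdump or from libpcap. It reads the packet-type field of the DLT_LINUX_SLL ("Linux cooked") pseudo-header and discards packets whose type is 4, which is what the capture filter link[0:2] != 4 would do if it could run in the kernel. It assumes the field is in network byte order (as the last paragraph of the reply states) and the 16-byte cooked-header layout; sll_filter_packet() is the body a pcap_loop()/pcap_dispatch() callback would run, written without pcap.h so it compiles stand-alone, and the sample frames are constructed, not captured. It also handles the case the filter expression cannot: a capture whose snaplen cut off the pseudo-header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* DLT_LINUX_SLL ("Linux cooked") pseudo-header, 16 bytes, all fields in
 * network byte order (assumed layout, from the libcap link-type docs):
 *   [0:2]   packet type   (4 = packet sent by us)
 *   [2:4]   ARPHRD_ type of the interface
 *   [4:6]   link-layer address length
 *   [6:14]  link-layer address, zero padded
 *   [14:16] protocol type
 */
#define SLL_HDR_LEN          16
#define SLL_PKTTYPE_OUTGOING 4

/* Packet-type field of the SLL header, or -1 if the captured bytes are too
 * short to hold the whole pseudo-header. memcpy() avoids an unaligned
 * 16-bit load on strict-alignment architectures. */
int sll_packet_type(const unsigned char *pkt, size_t caplen)
{
    uint16_t raw;
    if (pkt == NULL || caplen < SLL_HDR_LEN)
        return -1;
    memcpy(&raw, pkt, sizeof raw);
    return ntohs(raw);          /* network byte order -> host order */
}

/* Userland equivalent of the filter "link[0:2] != 4":
 * 1 = keep (not sent by us), 0 = drop (outgoing), -1 = header truncated. */
int sll_keep_non_outgoing(const unsigned char *pkt, size_t caplen)
{
    int type = sll_packet_type(pkt, caplen);
    if (type < 0)
        return -1;
    return type != SLL_PKTTYPE_OUTGOING;
}

struct sll_stats {
    unsigned long seen, kept, outgoing, truncated;
};

/* What a pcap_loop()/pcap_dispatch() callback would do per packet; the real
 * callback gets caplen from the struct pcap_pkthdr it is handed. */
void sll_filter_packet(struct sll_stats *st, const unsigned char *pkt, size_t caplen)
{
    st->seen++;
    switch (sll_keep_non_outgoing(pkt, caplen)) {
    case 1:  st->kept++;      break;   /* hand to the application */
    case 0:  st->outgoing++;  break;   /* our own transmission: ignore */
    default: st->truncated++; break;   /* snaplen cut the header short */
    }
}

/* Constructed sample frames (not real captures): SLL header plus a stub
 * payload. Bytes 0-1 hold the packet type. */
const unsigned char sample_incoming[] = {
    0x00, 0x00, 0x00, 0x01, 0x00, 0x06,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00,
    0x08, 0x00, 0x45, 0x00 };
const unsigned char sample_broadcast[] = {
    0x00, 0x01, 0x00, 0x01, 0x00, 0x06,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
    0x08, 0x06, 0x00, 0x01 };
const unsigned char sample_outgoing[] = {
    0x00, 0x04, 0x00, 0x01, 0x00, 0x06,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00,
    0x08, 0x00, 0x45, 0x00 };
const unsigned char sample_truncated[] = {   /* only 10 of the 16 header bytes */
    0x00, 0x04, 0x00, 0x01, 0x00, 0x06, 0x00, 0x11, 0x22, 0x33 };

/* Runs the userland filter over the samples; the caller inspects the counts. */
struct sll_stats sll_run_samples(void)
{
    struct sll_stats st = {0, 0, 0, 0};
    sll_filter_packet(&st, sample_incoming,  sizeof sample_incoming);
    sll_filter_packet(&st, sample_broadcast, sizeof sample_broadcast);
    sll_filter_packet(&st, sample_outgoing,  sizeof sample_outgoing);
    sll_filter_packet(&st, sample_truncated, sizeof sample_truncated);
    return st;
}
```

Because the check runs in the application, it is independent of whether the kernel-side filter sees the field big- or little-endian; the cost is that every packet still crosses into userland, as the reply notes. Counting truncated headers separately is worth keeping in real code, since a short snaplen silently turns "not outgoing" into "unknown".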
Current thread:
- question subramoni padmanabhan (Oct 08)
- Re: question Vishal Malhan (Oct 09)
- Re: question Guy Harris (Oct 09)
- <Possible follow-ups>
- Re: question subramoni padmanabhan (Oct 09)
- question subramoni padmanabhan (Oct 10)
- question subramoni padmanabhan (Oct 14)
- question subramoni padmanabhan (Oct 15)
- Re: question Guy Harris (Oct 16)