tcpdump mailing list archives

Re: question


From: Guy Harris <guy () netapp com>
Date: Wed, 16 Oct 2002 12:50:07 -0700

On Wed, Oct 16, 2002 at 12:44:07AM -0400, subramoni padmanabhan wrote:
I know DLT_LINUX_SLL header's first two bytes have an
option 4 which indicates "packets sent by me". I want to get at these first
two bytes in the form of a tcpdump filter expression

The tcpdump man page says in the "expression" section (which is what
documents libpcap's capture filter syntax):

      expression
          selects which packets will be dumped.  If no expression
          is  given, all packets on the net will be dumped.  Oth-
          erwise, only packets for  which  expression  is  `true'
          will be dumped.

          The expression consists  of  one  or  more  primitives.
          Primitives  usually  consist  of an id (name or number)
          preceded by one or more qualifiers.   There  are  three
          different kinds of qualifier:

                        ...

          Allowable primitives are:

                        ...

          expr relop expr
               True if the relation holds, where relop is one  of
               >,  <,  >=,  <=,  =, !=, and expr is an arithmetic
               expression   composed   of    integer    constants
               (expressed  in  standard  C  syntax),  the  normal
               binary operators [+, -, *,  /,  &,  |],  a  length
               operator,  and  special packet data accessors.  To
               access data inside the packet, use  the  following
               syntax:
                    proto [ expr : size ]
               Proto is one of ether, fddi, tr, ppp, slip,  link,
               ip,  arp,  rarp,  tcp, udp, icmp or ip6, and indi-
               cates the protocol layer for the index  operation.
               (ether,  fddi, tr, ppp, slip and link all refer to
               the link layer.)  Note that  tcp,  udp  and  other
               upper-layer protocol types only apply to IPv4, not
               IPv6 (this will be fixed in the future).  The byte
               offset,  relative to the indicated protocol layer,
               is given by expr.  Size is optional and  indicates
               the  number  of bytes in the field of interest; it
               can be either one, two, or four, and  defaults  to
               one.   The  length operator, indicated by the key-
               word len, gives the length of the packet.

That's the way you can test parts of the headers, for the protocols in
question, for which there's no explicit expression in the syntax.
To test the first two bytes of the link-layer header, *if they're
big-endian*, use "link[0:2]".

However, I'm not sure it's big-endian in the kernel, so

        link[0:2] != 4

might not correctly test for non-outgoing packets on little-endian
machines such as x86's - on live captures, you might have to do

        link[0:2] != 0x0400

on little-endian machines (but compare with 4 on big-endian machines).

Furthermore, the DLT_LINUX_SLL pseudo-header is synthesized from stuff
in the "address" from which the packet has been received, and the Linux
libpcap code only special-cases the protocol field, so that expression
can't be tested in the kernel in any case; libpcap will not install any
capture filter in the kernel, and will capture all packets and do
filtering in userland.

That filtering can also be done by your application, as I believe you
have been told in at least one reply to your question in the past - just
have the "pcap_dispatch()" or "pcap_loop()" callback routine check that
field in the header and ignore the packet if its value is 4 (it will
have to load it with "htons()", as it's in network byte order in the
header).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
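Added example (not from the list or libpcap itself): the check the reply suggests doing in the pcap_dispatch()/pcap_loop() callback, written against the 16-byte DLT_LINUX_SLL pseudo-header layout (2-byte packet type, 2-byte ARPHRD type, 2-byte address length, 8-byte address, 2-byte protocol, all big-endian). The sample headers are constructed; the function names are this example's own. Reading the two bytes individually is equivalent to ntohs() on the raw field and avoids the host-endianness trap the reply describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLL_HDR_LEN 16
#define SLL_PKTTYPE_OUTGOING 4   /* "packet sent by us" */

struct sll_fields {
    uint16_t pkttype;  /* 0 host, 1 broadcast, 2 multicast, 3 other host, 4 outgoing */
    uint16_t hatype;   /* ARPHRD_* link-layer type */
    uint16_t halen;    /* number of valid bytes in addr[] */
    uint8_t  addr[8];
    uint16_t protocol; /* Ethernet protocol type, e.g. 0x0800 for IPv4 */
};

/* Read a big-endian 16-bit field byte by byte: same result as ntohs() on any host. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Naive read through a host-order uint16_t: yields 4 on big-endian hosts but
 * 0x0400 on little-endian ones, which is the mistake to avoid in a callback. */
uint16_t sll_pkttype_raw_host(const uint8_t *pkt) {
    uint16_t v; memcpy(&v, pkt, sizeof v); return v;
}

/* Parse the pseudo-header; returns 0 when caplen is too short to hold it. */
int sll_parse(const uint8_t *pkt, size_t caplen, struct sll_fields *out) {
    if (caplen < SLL_HDR_LEN) return 0;
    out->pkttype  = be16(pkt);
    out->hatype   = be16(pkt + 2);
    out->halen    = be16(pkt + 4);
    memcpy(out->addr, pkt + 6, sizeof out->addr);
    out->protocol = be16(pkt + 14);
    return 1;
}

/* Decision for the pcap callback: 1 = keep, 0 = ignore. Truncated captures
 * that cannot contain a full header are ignored rather than misparsed. */
int sll_keep_packet(const uint8_t *pkt, size_t caplen) {
    struct sll_fields h;
    if (!sll_parse(pkt, caplen, &h)) return 0;
    return h.pkttype != SLL_PKTTYPE_OUTGOING;
}

/* Constructed samples: Ethernet (ARPHRD 1), 6-byte address, IPv4 payload. */
const uint8_t SAMPLE_OUTGOING[SLL_HDR_LEN] = {0x00,0x04, 0x00,0x01, 0x00,0x06,
    0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x00, 0x08,0x00};
const uint8_t SAMPLE_INCOMING[SLL_HDR_LEN] = {0x00,0x00, 0x00,0x01, 0x00,0x06,
    0x66,0x77,0x88,0x99,0xaa,0xbb,0x00,0x00, 0x08,0x00};
```

In a real capture loop, pass `pkt` and `hdr->caplen` from the pcap_pkthdr to sll_keep_packet() and return early from the callback when it yields 0.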