tcpdump mailing list archives
pcap_compile() errors in libpcap beta and CVS
From: George Bakos <gbakos () ists dartmouth edu>
Date: Wed, 10 Dec 2003 16:08:32 -0500
I've noticed some strange behavior with the latest pcap_compile(). When building up complex filters, there is an error if multiple matches are performed on the same data offset while using arithmetic operators to form the match value. An example will explain better. The following filter is a match for ACK FIN or ACK SYN tcp segments. This is just a simple example to demonstrate the problem.

tcpdump -d '(tcp[13] = (0x10 + 0x01)) or (tcp[13] = (0x10 + 0x02))'

(000) ldh [12]
(001) jeq #0x800 jt 2 jf 12
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 12
(004) ldh [20]
(005) jset #0x1fff jt 12 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldb [x + 27]
(008) ldx #0x11
(009) jeq x jt 11 jf 10
(010) jeq x jt 11 jf 12
(011) ret #68
(012) ret #0

The error is visible at (010) - there should be ldx #0x12 before the jeq. If the same filter were built without the arithmetic operators, it compiles properly and avoids the extra ld step(s).

tcpdump -d '(tcp[13] = 0x11) or (tcp[13] = 0x12)'

(000) ldh [12]
(001) jeq #0x800 jt 2 jf 11
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 11
(004) ldh [20]
(005) jset #0x1fff jt 11 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldb [x + 27]
(008) jeq #0x11 jt 10 jf 9
(009) jeq #0x12 jt 10 jf 11
(010) ret #68
(011) ret #0

Previous versions (0.7.2 here) of pcap_compile handled this correctly with or without the addition operation:

tcpdump.oldpcap -d '(tcp[13] = (0x10 + 0x01)) or (tcp[13] = (0x10 + 0x02))'

(000) ldh [12]
(001) jeq #0x800 jt 2 jf 11
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 11
(004) ldh [20]
(005) jset #0x1fff jt 11 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldb [x + 27]
(008) jeq #0x11 jt 10 jf 9
(009) jeq #0x12 jt 10 jf 11
(010) ret #68
(011) ret #0

With IDABench I use include statements & variable substitution to facilitate easier complex filter generation & maintenance.
The following composite filter now fails:

tcp and !src net 129.170.248.0/23 and (
  (tcp[13] & 0x3f != 0x02) and
  (tcp[13] & 0x3f != (0x02 + 0x10)) and
  (tcp[13] & 0x3f != (0x10 + 0x01)) and
  (tcp[13] & 0x3f != (0x10 + 0x08 + 0x01)) and
  (tcp[13] & 0x3f != (0x10 + 0x08 + 0x01 + 0x20)) and
  (tcp[13] & 0x3f != (0x10 + 0x04)) and
  (tcp[13] & 0x3f != 0x10) and
  (tcp[13] & 0x3f != (0x10 + 0x08)) and
  (tcp[13] & 0x3f != 0x04) and
  (tcp[13] & 0x3f != (0x20 + 0x10 + 0x01)) and
  (tcp[13] & 0x3f != (0x20 + 0x10 + 0x08)) and
  (tcp[13] & 0x3f != (0x20 + 0x10 + 0x08 + 0x04)) and
  (tcp[13] & 0x3f != (0x10 + 0x08 + 0x04))
)

It compiles into:

(000) ldh [12]
(001) jeq #0x800 jt 2 jf 26
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 26
(004) ld [26]
(005) and #0xfffffe00
(006) jeq #0x81aaf800 jt 26 jf 7
(007) ldh [20]
(008) jset #0x1fff jt 26 jf 9
(009) ldxb 4*([14]&0xf)
(010) ldb [x + 27]
(011) and #0x3f
(012) jeq #0x2 jt 26 jf 13
(013) jeq x jt 26 jf 14
(014) jeq x jt 26 jf 15
(015) jeq x jt 26 jf 16
(016) jeq x jt 26 jf 17
(017) jeq x jt 26 jf 18
(018) jeq #0x10 jt 26 jf 19
(019) jeq x jt 26 jf 20
(020) jeq #0x4 jt 26 jf 21
(021) jeq x jt 26 jf 22
(022) jeq x jt 26 jf 23
(023) jeq x jt 26 jf 24
(024) jeq x jt 26 jf 25
(025) ret #68
(026) ret #0

The size of my hourly reports (and number of false positives) skyrocketed as you can imagine!

Cheers.

--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
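An added example, not part of George's post or of libpcap: a small Python interpreter for the tcpdump -d listing format, loaded with the first two listings from the post (the miscompiled one and the correct one) and run over constructed Ethernet/IPv4/TCP frames. Executing the programs turns the miscompilation into an observable behavioural difference (SYN+ACK segments silently rejected) instead of something that has to be spotted by reading the instruction dump, and the last function is the regression check a practitioner would want: run both programs over every possible TCP flag byte and report where they disagree. The interpreter only implements the opcodes that appear in the post's listings, and the frames are sample data, not a capture.

```python
import re
import struct

# The two tcpdump -d listings from the post: the miscompiled program (x is loaded
# once with 0x11 and reused for the second compare) and the correct program.
BUGGY = """\
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 12
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 12
(004) ldh [20]
(005) jset #0x1fff jt 12 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldb [x + 27]
(008) ldx #0x11
(009) jeq x jt 11 jf 10
(010) jeq x jt 11 jf 12
(011) ret #68
(012) ret #0
"""

CORRECT = """\
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 11
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 11
(004) ldh [20]
(005) jset #0x1fff jt 11 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldb [x + 27]
(008) jeq #0x11 jt 10 jf 9
(009) jeq #0x12 jt 10 jf 11
(010) ret #68
(011) ret #0
"""


def parse_listing(listing):
    """Turn '(nnn) op operands' lines into a list of (op, operand-string)."""
    prog = []
    for line in listing.strip().splitlines():
        m = re.match(r"\(\d+\)\s+(\w+)\s*(.*)$", line)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        prog.append((m.group(1), m.group(2).strip()))
    return prog


def _operand(tok):
    """Classify one operand: '[k]' (packet memory), '[x + k]', '#k' (immediate) or 'x'."""
    m = re.match(r"\[(x\s*\+\s*)?(0x[0-9a-fA-F]+|\d+)\]$", tok)
    if m:
        return ("mem_x" if m.group(1) else "mem", int(m.group(2), 0))
    m = re.match(r"#(0x[0-9a-fA-F]+|\d+)$", tok)
    if m:
        return ("imm", int(m.group(1), 0))
    if tok == "x":
        return ("x", 0)
    raise ValueError("unknown operand: %r" % tok)


_LOAD = {"ld": (4, ">I"), "ldh": (2, ">H"), "ldb": (1, ">B")}   # width and big-endian format


def run_bpf(prog, pkt):
    """Execute a parsed program over a raw frame; return the ret value (0 = reject)."""
    acc = idx = pc = 0
    while True:
        op, arg = prog[pc]
        pc += 1
        if op in _LOAD:
            size, fmt = _LOAD[op]
            kind, k = _operand(arg)
            off = k + (idx if kind == "mem_x" else 0)
            if off + size > len(pkt):        # out-of-range load rejects the packet, as classic BPF does
                return 0
            acc = struct.unpack(fmt, pkt[off:off + size])[0]
        elif op == "ldxb":                   # the IP header length idiom: 4*([14]&0xf)
            k = int(re.match(r"4\*\(\[(\d+)\]&0xf\)$", arg).group(1))
            idx = 4 * (pkt[k] & 0x0F)
        elif op == "ldx":
            idx = _operand(arg)[1]
        elif op == "and":
            acc &= _operand(arg)[1]
        elif op in ("jeq", "jset"):
            src, _, jt, _, jf = arg.split()  # e.g. '#0x800 jt 2 jf 12' or 'x jt 11 jf 10'
            kind, k = _operand(src)
            rhs = idx if kind == "x" else k
            taken = (acc == rhs) if op == "jeq" else bool(acc & rhs)
            pc = int(jt) if taken else int(jf)
        elif op == "ret":
            return _operand(arg)[1]
        else:
            raise NotImplementedError(op)


def tcp_frame(flags):
    """Constructed Ethernet/IPv4/TCP frame carrying the given TCP flag byte (sample data)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType 0x0800 at offset 12
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # IHL=5, proto 6, not fragmented
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 8192, 0, 0)  # flags at tcp[13]
    return eth + ip + tcp


def matches(listing, flags):
    """True if the compiled program accepts a TCP segment with this flag byte."""
    return run_bpf(parse_listing(listing), tcp_frame(flags)) != 0


def differing_flag_values(listing_a, listing_b):
    """Flag bytes on which two compiled programs disagree; an empty list means equivalent."""
    return [f for f in range(256) if matches(listing_a, f) != matches(listing_b, f)]


if __name__ == "__main__":
    for name, fl in (("ACK FIN", 0x11), ("ACK SYN", 0x12), ("ACK", 0x10)):
        print("%-8s buggy=%-5s correct=%s" % (name, matches(BUGGY, fl), matches(CORRECT, fl)))
    print("programs disagree on:", [hex(f) for f in differing_flag_values(BUGGY, CORRECT)])
```

Running it shows the buggy program accepting ACK FIN but rejecting ACK SYN, and `differing_flag_values` reporting exactly the flag value 0x12: the second `jeq x` still compares against the 0x11 left in the index register. The same differential check works for any pair of listings (for instance the composite filter compiled by the old and new libpcap), which is a cheaper way to catch a compiler regression than auditing 27 instructions by eye.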
Current thread:
- pcap_compile() errors in libpcap beta and CVS George Bakos (Dec 10)
- Re: pcap_compile() errors in libpcap beta and CVS George Bakos (Dec 17)
- Re: pcap_compile() errors in libpcap beta and CVS Guy Harris (Dec 17)
- Re: pcap_compile() errors in libpcap beta and CVS George Bakos (Dec 21)
- Re: pcap_compile() errors in libpcap beta and CVS Guy Harris (Dec 21)
- Re: pcap_compile() errors in libpcap beta and CVS George Bakos (Dec 21)
- Re: pcap_compile() errors in libpcap beta and CVS Guy Harris (Dec 21)
- Re: pcap_compile() errors in libpcap beta and CVS Guy Harris (Dec 17)
- Re: pcap_compile() errors in libpcap beta and CVS George Bakos (Dec 17)