Re: interpreting the output of tcpdump -d option

[Matthew Luckie <mjl () luckie org nz>]

Latha G wrote:
> Hi all,
>
> I have a question on interpreting the output of -d option..
> I used tcpdump -d option
> o/p: (000) ret #96
> I interpreted it as returning 96 bytes of the data.

yes

> and i used tcpdump -dd option
> o/p:  { 0x6, 0, 0, 0x00000060 },
> I interpreted, 0x6 refers to the opcode of ret instruction... 0x00000060
> refers to the 96 bytes.....the remaing 0'es stands for what ?

#define         BPF_RET         0x06

All BPF instructions are of a fixed size.  The other two bytes (set to 
zero) are not used in a return instruction.  In a jump statement they 
are used to index the true / false targets.

> and tcpdump -ddd
> o/p: 1
>       6 0 0 96
>
> this is the decimal representation to the above -dd option right?
> is that 1 refers to the the number of instructions??

according to my copy of bpf_dump.c, yes.

> And where can i get these instructions and their corresponding opcodes.....

on BSD systems the header is in /usr/include/net/bpf.h

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/bpf.h
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.