tcpdump mailing list archives
Re: interpreting the output of tcpdump -d option
From: Matthew Luckie <mjl () luckie org nz>
Date: Sat, 25 Feb 2006 23:27:57 +1300
Latha G wrote:
> Hi all, I have a question on interpreting the output of the -d option. I used the tcpdump -d option; output: (000) ret #96. I interpreted it as returning 96 bytes of the data.
yes
> And I used the tcpdump -dd option; output: { 0x6, 0, 0, 0x00000060 }. I interpreted 0x6 as the opcode of the ret instruction and 0x00000060 as the 96 bytes. What do the remaining 0s stand for?
#define BPF_RET 0x06

All BPF instructions are of a fixed size. The other two bytes (set to zero) are not used in a return instruction. In a jump statement they are used to index the true / false targets.
> And the tcpdump -ddd output: 1 6 0 0 96. This is the decimal representation of the above -dd option, right? Does that 1 refer to the number of instructions?
according to my copy of bpf_dump.c, yes.
> And where can I get these instructions and their corresponding opcodes?
on BSD systems the header is in /usr/include/net/bpf.h
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/bpf.h
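The following is an added worked example, not code from this thread or from tcpdump/libpcap. It reproduces the struct bpf_insn layout and the opcode macros from BSD <net/bpf.h> for the subset ordinary filters use, renders each instruction the way tcpdump -d does (including the pc + 1 + jt/jf target arithmetic that is what the two otherwise unused bytes are for), and executes a program over a constructed Ethernet frame. The four-instruction program for the filter "ip" is reproduced from memory of tcpdump's usual output and is an assumption, as are the helper names disasm_str, bpf_run and demo_ip_frame; the frame bytes are constructed.

```c
/* Added example (not from the thread or from tcpdump): decode and execute classic
 * BPF as tcpdump -dd prints it.  Layout and opcodes follow BSD <net/bpf.h>. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; }; /* always 8 bytes */

#define BPF_CLASS(c) ((c) & 0x07)   /* low three bits select the class */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_SIZE(c) ((c) & 0x18)    /* 0x00 word, 0x08 half, 0x10 byte */
#define BPF_MODE(c) ((c) & 0xe0)
#define BPF_ABS  0x20               /* operand k is an offset into the packet */
#define BPF_OP(c) ((c) & 0xf0)
#define BPF_JEQ  0x10
#define BPF_JGT  0x20
#define BPF_JGE  0x30
#define BPF_JSET 0x40

/* The poster's program, and what tcpdump -dd prints for "ip" on Ethernet
 * (reproduced from memory of tcpdump's usual output; an assumption). */
const struct bpf_insn prog_ret96[] = { { 0x6, 0, 0, 0x00000060 } };
const struct bpf_insn prog_ip[] = {
    { 0x28, 0, 0, 0x0000000c },   /* ldh [12]    : A = EtherType          */
    { 0x15, 0, 1, 0x00000800 },   /* jeq #0x800  : jt -> pc 2, jf -> pc 3 */
    { 0x6,  0, 0, 0x00040000 },   /* ret #262144 : accept up to snaplen   */
    { 0x6,  0, 0, 0x00000000 },   /* ret #0      : drop                   */
};
#define PROG_IP_LEN 4

/* Render one instruction as tcpdump -d prints it.  jt/jf are offsets from
 * the next instruction, so the printed targets are pc + 1 + jt/jf. */
const char *disasm_str(const struct bpf_insn *in, unsigned pc)
{
    static char buf[64];
    static const char *jname[] = { "jeq", "jgt", "jge", "jset" };
    unsigned cls = BPF_CLASS(in->code), sz = BPF_SIZE(in->code), op = BPF_OP(in->code) >> 4;
    if (cls == BPF_RET && !(in->code & 0x18))                /* ret #k (not "ret a") */
        snprintf(buf, sizeof buf, "ret #%u", in->k);
    else if (cls == BPF_LD && BPF_MODE(in->code) == BPF_ABS && sz != 0x18)
        snprintf(buf, sizeof buf, "ld%s [%u]", sz == 0x08 ? "h" : sz == 0x10 ? "b" : "", in->k);
    else if (cls == BPF_JMP && op >= 1 && op <= 4 && !(in->code & 0x08)) /* 0x08: compare with X */
        snprintf(buf, sizeof buf, "%s #0x%x jt %u jf %u", jname[op - 1], in->k,
                 pc + 1 + in->jt, pc + 1 + in->jf);
    else
        snprintf(buf, sizeof buf, "unknown 0x%x", in->code);
    return buf;
}

/* Execute prog over a packet of len bytes.  Returns the accept length
 * (0 = drop); a load past the end drops the packet, as the kernel does,
 * and -1 flags an opcode outside the subset handled here. */
long bpf_run(const struct bpf_insn *prog, unsigned n, const uint8_t *pkt, unsigned len)
{
    uint32_t a = 0;                                           /* accumulator */
    for (unsigned pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &prog[pc]; uint32_t k = in->k;
        unsigned w = 4u >> (BPF_SIZE(in->code) >> 3), op = BPF_OP(in->code); /* w: 4/2/1, 0 = invalid */
        int taken;
        switch (BPF_CLASS(in->code)) {
        case BPF_RET:
            return (in->code & 0x18) ? -1 : (long)k;          /* "ret a" not handled */
        case BPF_LD:
            if (BPF_MODE(in->code) != BPF_ABS || w == 0) return -1;
            if (k > len || len - k < w) return 0;             /* bounds check before reading */
            for (a = 0; w--; k++) a = a << 8 | pkt[k];        /* network byte order */
            break;
        case BPF_JMP:
            if ((in->code & 0x08) || op < BPF_JEQ || op > BPF_JSET) return -1;
            taken = op == BPF_JEQ ? a == k : op == BPF_JGT ? a > k : op == BPF_JGE ? a >= k : (a & k) != 0;
            pc += taken ? in->jt : in->jf;                    /* loop's pc++ adds the 1 */
            break;
        default:
            return -1;
        }
    }
    return -1;                                                /* ran off the end */
}

/* Run the "ip" program over a constructed Ethernet frame (zero MACs, the
 * EtherType at offset 12) of which only caplen bytes were captured. */
long demo_ip_frame(uint16_t ethertype, unsigned caplen)
{
    uint8_t frame[60] = { 0 };
    frame[12] = ethertype >> 8; frame[13] = ethertype & 0xff;
    return bpf_run(prog_ip, PROG_IP_LEN, frame, caplen < sizeof frame ? caplen : sizeof frame);
}

int main(void)
{
    for (unsigned i = 0; i < PROG_IP_LEN; i++)                /* the -d view of prog_ip */
        printf("(%03u) %s\n", i, disasm_str(&prog_ip[i], i));
    printf("ret #96 -> %ld; ip on IPv4 -> %ld, on ARP -> %ld, truncated -> %ld\n",
           bpf_run(prog_ret96, 1, NULL, 0), demo_ip_frame(0x0800, 60),
           demo_ip_frame(0x0806, 60), demo_ip_frame(0x0800, 10));
    return 0;
}
```

Build with cc -std=c99 -Wall and run. The -ddd form in the question is the same struct printed in decimal, one instruction per line after the count, so 1 6 0 0 96 is one instruction with code 6, jt 0, jf 0, k 96. The truncated-frame call shows why the bounds check on every load matters: ldh [12] against a 10-byte capture returns 0 (drop) instead of reading past the buffer.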
Current thread:
- interpreting the output of tcpdump -d option Latha G (Feb 25)
- Re: interpreting the output of tcpdump -d option Matthew Luckie (Feb 25)
- Re: interpreting the output of tcpdump -d option Gregor Maier (Feb 25)
- Re: interpreting the output of tcpdump -d option Matthew Luckie (Feb 25)