tcpdump mailing list archives
Re: BPF questions...
From: Guy Harris <guy () alum mit edu>
Date: Sat, 21 May 2011 12:57:58 -0700
On May 21, 2011, at 9:09 AM, barcaroller wrote:
This may not be the right group, but I have a few BPF questions that I hope you can answer:
* What is the maximum size of a BPF expression that can be passed to tcpdump and pcap_compile()?
pcap_compile() has no inherent limit; the only limit in tcpdump would be a limit on the number of bytes of command-line argument that could be passed to a program. The OS might impose a limit on the size of a BPF *program* generated from an expression.
* What is the maximum level of nesting for BPF expressions for tcpdump and pcap_compile()? Currently, I'm observing nesting levels of 10 or more.
There's no explicit limit.
* Are there BPF expressions for "nested" vlans?
I.e., to match packets with two or more VLAN headers? You could do "vlan and vlan and tcp", or "vlan 2 and vlan 17 and tcp", or something such as that.
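An added example, not part of the original message and not libpcap code: a small Python model of which frames "vlan and vlan and tcp" and "vlan 2 and vlan 17 and tcp" select, treating each `vlan` term as consuming one 4-byte tag and shifting the offsets used by the terms after it. The function names, the constructed frames, the set of tag protocol IDs and the IPv4-only `tcp` check are assumptions of this sketch.

```python
import struct

# Assumption of this sketch: tag protocol IDs treated as VLAN tags.
TPIDS = {0x8100, 0x88A8, 0x9100}
ETH_IPV4, IPPROTO_TCP = 0x0800, 6

def build_frame(vlan_ids, proto=IPPROTO_TCP):
    """Constructed test frame: Ethernet + stacked 802.1Q tags + IPv4."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vlan_ids)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return macs + tags + struct.pack("!H", ETH_IPV4) + ip + bytes(20)

def matches(frame, vlan_terms):
    """Model "vlan [id] and ... and tcp"; None means a bare "vlan"."""
    off = 12  # EtherType position in an untagged frame
    for want in vlan_terms:
        if len(frame) < off + 4:
            return False
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            return False
        if want is not None and (tci & 0x0FFF) != want:
            return False
        off += 4  # every later term is decoded 4 bytes further in
    if len(frame) < off + 2 + 20:
        return False
    (etype,) = struct.unpack_from("!H", frame, off)
    # "tcp" is modelled for IPv4 only: protocol byte at IP header offset 9
    return etype == ETH_IPV4 and frame[off + 2 + 9] == IPPROTO_TCP

if __name__ == "__main__":
    qinq = build_frame([2, 17])  # outer VLAN 2, inner VLAN 17
    for terms in ([None, None], [2, 17], [17, 2], [2]):
        print(terms, matches(qinq, terms))
```

In this model the order of the `vlan` terms is the order of the tags from outermost to innermost, and the number of terms must equal the number of tags for the trailing `tcp` test to line up with the IP header.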