tcpdump mailing list archives
Re: only outbound traffic
From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Fri, 29 Apr 2011 16:34:42 +0900
Hi,
> Why would an "offset" keyword be better in the filtering language than, say, the "vlan" keyword it already has? You'd still have to do the same sort of special stuff, but it'd be a more manual operation. (I.e., why would saying "offset {length of VLAN tag}" be better than "vlan"?)

It's more explicit to me. It is not really intuitive that "port 80 and vlan" and "vlan and port 80" give different results, until you realize that vlan increases the ether type offset.

> The ideal would be a filtering language wherein having the filter code in the kernel skip past VLAN tags automatically was cheap. Perhaps a language (not a language for users to express filters, but a language into which to compile the filters the user expresses) that makes it impossible to specify infinite loops, combined with a JIT to make loops reasonably efficient (there already exist JITs for x86-32 and x86-64 on some platforms, e.g. Windows and FreeBSD), would be the right way to handle VLANs and IPv6 protocol chains and perhaps even filters at higher protocol levels.

If you say so ;) Aren't there any special port mirroring NICs out there that remove those VLAN tags?

Cheers,
Andrej
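Added example, not part of the original message and not libpcap's code: a simplified Python model of the ordering effect discussed above, where each "vlan" primitive shifts the offsets used by the primitives that follow it. The helper names `eth_frame` and `matches` and the sample frames are constructed for illustration.

```python
import struct

def eth_frame(dport, vlan_id=None):
    """Build a constructed Ethernet/IPv4/TCP frame, optionally 802.1Q-tagged."""
    tcp = struct.pack("!HH", 40000, dport) + bytes(16)   # src port, dst port, rest zeroed
    ip = (bytes([0x45, 0]) + struct.pack("!H", 20 + len(tcp))
          + bytes(5) + bytes([6]) + bytes(10))           # protocol byte (offset 9) = TCP
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ip + tcp

def matches(filter_expr, frame):
    """Evaluate 'and'-joined primitives left to right (simplified model).

    Only 'vlan' and 'port N' are modelled. 'shift' is the number of extra
    bytes that earlier 'vlan' primitives added to every later offset.
    """
    shift = 0
    for prim in filter_expr.split(" and "):
        ethertype = struct.unpack_from("!H", frame, 12 + shift)[0]
        if prim == "vlan":
            if ethertype != 0x8100:        # no 802.1Q tag at the current offset
                return False
            shift += 4                     # later primitives look past the tag
        elif prim.startswith("port "):
            port = int(prim.split()[1])
            ip = 14 + shift
            if ethertype != 0x0800 or frame[ip + 9] not in (6, 17):
                return False               # not IPv4 carrying TCP/UDP at this offset
            l4 = ip + (frame[ip] & 0x0F) * 4
            if port not in struct.unpack_from("!HH", frame, l4):
                return False
        else:
            raise ValueError("primitive not modelled: " + prim)
    return True

def demo():
    """Run both orderings against a tagged and an untagged frame to port 80."""
    frames = {"tagged": eth_frame(80, vlan_id=10), "untagged": eth_frame(80)}
    exprs = ("port 80", "vlan and port 80", "port 80 and vlan")
    return {(e, name): matches(e, f) for e in exprs for name, f in frames.items()}

if __name__ == "__main__":
    for key, hit in demo().items():
        print(key, hit)
```

In this model "port 80 and vlan" matches neither frame: "port 80" is checked at the untagged offsets, so it can only pass on a frame that the following "vlan" test then rejects.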