tcpdump mailing list archives
Re: tcpdump and BPF filters
From: "Geoffrey Sisson" <geoff () geoff co uk>
Date: Sun, 10 Jul 2011 18:57:16 -0700
Guy Harris <guy () alum mit edu> wrote:
> What sort of variable-length fields are you processing?
Labels in the wire representation of a domain name.
From RFC 1035:
Domain names in messages are expressed in terms of a sequence of labels. Each label is represented as a one octet length field followed by that number of octets. Since every domain name ends with the null label of the root, a domain name is terminated by a length byte of zero.
> The filter language is generally fairly high-level, but it does have the <expr> <relop> <expr> expressions, and each <expr> is <proto>[<expr>:<size>], so you can use the result of an expression as the offset in another expression. There are definitely places where the code generated for expressions uses values in the packet as offsets; even if you ignore the variable-length IP header, there is, for example, the variable-length 802.11 header, as well as the variable-length radio metadata headers that can precede the 802.11 header.
The catch is that domain names comprise a variable number of variable-length fields. Examples of valid sequences:

    +---+---+---+---+---+---+---+---+---+---+---+---+---+
    |007| t | c | p | d | u | m | p |003| o | r | g |000|
    +---+---+---+---+---+---+---+---+---+---+---+---+---+

    +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    |003| w | w | w |003| f | o | o |002| c | o |002| u | k |000|
    +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

    +---+---+---+---+---+
    |003| e | d | u |000|
    +---+---+---+---+---+

    +---+
    |000|
    +---+

(XXX = numeric field length, X = ASCII data)

It's not as simple as finding the first octet with a value of zero, as this is a valid sequence:

    +---+---+---+---+---+---+---+---+---+
    |003| f |000| o |003| b |000| r |000|   = f\000o.b\000r.
    +---+---+---+---+---+---+---+---+---+

Geoff
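As an added illustration, not part of the thread, here is a C routine that walks a wire-format name the way Geoff describes, using each length octet as the offset of the next one rather than scanning for a zero byte, plus a decoder to RFC 1035 presentation form so that embedded zero octets come out as \000. The sample byte arrays are constructed from the diagrams above, the function names are my own, and compression pointers are rejected rather than followed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: the wire bytes from the diagrams in the message above. */
static const uint8_t wire_tcpdump_org[] = {7,'t','c','p','d','u','m','p',3,'o','r','g',0};
static const uint8_t wire_tricky[]      = {3,'f',0,'o',3,'b',0,'r',0};   /* f\000o.b\000r. */
static const uint8_t wire_truncated[]   = {5,'a','b'};                   /* length says 5 */

/* Walk the name at buf[off] label by label, using each length octet as the
 * offset of the next, and return the bytes it occupies including the final
 * zero length byte; 0 if truncated or a label is invalid. Compression
 * pointers (top two bits set, so l > 63) are rejected, not followed. */
size_t dns_name_len(const uint8_t *buf, size_t len, size_t off)
{
    size_t start = off;
    while (off < len) {
        uint8_t l = buf[off++];
        if (l == 0) return off - start;        /* null label of the root: done */
        if (l > 63 || off + l > len) return 0; /* pointer, oversize or truncated */
        off += l;                              /* skip data octets, zeros included */
    }
    return 0;                                  /* ran off the end without a root label */
}

/* Render the name in presentation form, escaping bytes that are not printable
 * ASCII (or that are '.' or '\') as \DDD, so f\000o.b\000r. survives intact. */
size_t dns_name_to_text(const uint8_t *buf, size_t len, size_t off,
                        char *out, size_t outlen)
{
    size_t n = dns_name_len(buf, len, off), o = 0, p = off;
    if (n == 0 || outlen < 2) return 0;
    if (buf[p] == 0) { strcpy(out, "."); return n; } /* root alone prints as "." */
    while (buf[p] != 0) {
        uint8_t l = buf[p++];
        for (uint8_t i = 0; i < l; i++, p++) {
            uint8_t c = buf[p];
            int w = (c < 0x21 || c > 0x7E || c == '.' || c == '\\')
                  ? snprintf(out + o, outlen - o, "\\%03u", (unsigned)c)
                  : snprintf(out + o, outlen - o, "%c", c);
            if (w < 0 || (size_t)w >= outlen - o) return 0; /* out too small */
            o += (size_t)w;
        }
        if (o + 1 >= outlen) return 0;
        out[o++] = '.';
        out[o] = '\0';
    }
    return n;
}
```

Note that memchr-style scanning for the first zero stops after 3 bytes on the tricky sample, while the label walk correctly consumes all 9.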