tcpdump mailing list archives

Re: tcpdump and BPF filters


From: "Geoffrey Sisson" <geoff () geoff co uk>
Date: Tue, 12 Jul 2011 13:57:28 -0700

Darren Reed <darren.reed () oracle com> wrote:

Geoffrey Sisson wrote:

I was disappointed that you can't loop, but I totally understand
why they did that.

A domain name can have at most 128 labels.  At five instructions per
iteration, that works out to 640 instructions to handle the iteration
(plus a few extras, to provide intermediate long jumps), but that's more
than BPF_MAXINSNS (512), on FreeBSD at least.

I think that you're going beyond what BPF was originally designed to do...
... and as such, performance is not going to be great.

I agree it pushes the boundaries of the original intent of the BPF,
but it does work.  Performance is linear to the number of labels, which
is rarely more than four or five in typical DNS traffic.  The exception
is for PTR RRs in ipv6.arpa, and these are still comparatively infrequent.

I do question whether there's a case for incorporating it as an
extension to libpcap's filter language, though.  My initial query was
whether there's a way to supply tcpdump with a BPF filter expression,
bypassing the libpcap filter language altogether.  This is useful for
cases where a filter can be constructed for the BPF that cannot be
expressed as a libpcap filter expression.

Geoff

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
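The following is an added worked example, not code from this thread or from tcpdump/libpcap. It takes the label-walking idea discussed above (five classic-BPF instructions per unrolled iteration: load the length byte, test for zero, add it and one to X, and put the result back in X) and shows the arithmetic behind the "640 instructions plus a few extras" figure: a generator emits the unrolled program with trampolines for the intermediate long jumps, counts it against BPF_MAXINSNS, and a small interpreter runs it over a constructed DNS query. The filter it builds is one that the libpcap language cannot express on its own: match UDP/53 queries whose QTYPE (which sits after the variable-length QNAME) is a given value. The opcode values are those of `<pcap/bpf.h>`; the trampoline scheme, the `assemble()` helper, the sample packet and the 40-iteration block size are my assumptions for the example.

```python
import struct

BPF_MAXINSNS = 512   # program-size limit quoted in the thread (FreeBSD)

# Classic BPF opcode fields, with the values from <pcap/bpf.h>.
LD, LDX, ALU, JMP, RET, MISC = 0x00, 0x01, 0x04, 0x05, 0x06, 0x07   # instruction class
W, H, B = 0x00, 0x08, 0x10                                           # load size
ABS, IND, MSH = 0x20, 0x40, 0xA0                                     # load mode
K, X = 0x00, 0x08                                                    # operand source
ADD, JA, JEQ, TAX, TXA = 0x00, 0x00, 0x10, 0x00, 0x80                # ALU / jump / misc ops

def assemble(items):
    """items: (code, jt, jf, k) tuples whose jt/jf/k may be label names, or a bare
    string that defines a label at the next instruction.  Conditional jumps have
    8-bit forward offsets, JA a 32-bit one, all relative to the next instruction."""
    labels, insns = {}, []
    for it in items:
        if isinstance(it, str): labels[it] = len(insns)
        else: insns.append(it)
    def off(t, here, limit):
        d = labels[t] - here if isinstance(t, str) else t
        if not 0 <= d <= limit: raise ValueError(f"jump to {t} out of range ({d})")
        return d
    return [(c, off(jt, i + 1, 255), off(jf, i + 1, 255), off(k, i + 1, 0xFFFFFFFF))
            for i, (c, jt, jf, k) in enumerate(insns)]

def build_program(iterations, qtype, block=40):
    """IPv4, UDP, dst port 53 and QTYPE == qtype.  QTYPE follows the variable-length
    QNAME, so the name is walked one label per unrolled iteration of 5 instructions
    (the count given in the thread); the terminating zero byte costs an iteration
    too, so `iterations` must exceed the label count.  Every `block` iterations a
    trampoline keeps the conditional jumps to "done" within their 8-bit range."""
    items = [
        (LD | H | ABS, 0, 0, 12), (JMP | JEQ | K, 0, "early", 0x0800),   # EtherType IPv4?
        (LD | B | ABS, 0, 0, 23), (JMP | JEQ | K, 0, "early", 17),       # IP protocol UDP?
        (LDX | B | MSH, 0, 0, 14),                                       # X = IP header length
        (LD | H | IND, 0, 0, 16), (JMP | JEQ | K, 0, "early", 53),       # UDP dst port 53?
        (MISC | TXA, 0, 0, 0), (ALU | ADD | K, 0, 0, 14 + 8 + 12), (MISC | TAX, 0, 0, 0),  # X = QNAME
        (JMP | JA, 0, 0, 1), "early", (RET | K, 0, 0, 0),                # local reject for the prologue
    ]
    last_block = (iterations - 1) // block
    for i in range(iterations):
        end = "done" if i // block == last_block else f"tramp{i // block}"
        items += [
            (LD | B | IND, 0, 0, 0),       # A = length byte of the label at X
            (JMP | JEQ | K, end, 0, 0),    # zero length: end of QNAME
            (ALU | ADD | X, 0, 0, 0),      # A = X + len   (no compression-pointer check:
            (ALU | ADD | K, 0, 0, 1),      #  a 0xC0.. byte reads as a long label and the
            (MISC | TAX, 0, 0, 0),         #  out-of-bounds load then rejects the packet)
        ]
        if (i + 1) % block == 0 and i != iterations - 1:      # intermediate long jump
            items += [(JMP | JA, 0, 0, 1), f"tramp{i // block}", (JMP | JA, 0, 0, "done")]
    items += [
        (JMP | JA, 0, 0, "reject"),                          # more labels than unrolled
        "done", (LD | H | IND, 0, 0, 1),                     # QTYPE starts right after the 0
        (JMP | JEQ | K, 0, "reject", qtype), (RET | K, 0, 0, 0xFFFF),
        "reject", (RET | K, 0, 0, 0),
    ]
    return assemble(items)

def run(prog, pkt):
    """Interpreter for the classic-BPF subset used above.  Like the kernel's, an
    out-of-bounds load rejects the packet (returns 0)."""
    a = x = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        cls, size, mode, op = code & 0x07, code & 0x18, code & 0xE0, code & 0xF0
        if cls in (LD, LDX):
            off = k + (x if mode == IND else 0)
            n = 1 if mode == MSH else {W: 4, H: 2, B: 1}[size]
            if off + n > len(pkt): return 0
            val = (pkt[off] & 0xF) * 4 if mode == MSH else int.from_bytes(pkt[off:off + n], "big")
            if cls == LD: a = val
            else: x = val
        elif cls == ALU and op == ADD:
            a = (a + (x if code & X else k)) & 0xFFFFFFFF
        elif cls == JMP and op == JA:
            pc += k
        elif cls == JMP and op == JEQ:
            pc += jt if a == (x if code & X else k) else jf
        elif cls == RET:
            return a if code & 0x18 == 0x10 else k        # BPF_A vs BPF_K
        elif cls == MISC:
            if code & 0xF8 == TAX: x = a
            else: a = x
        else:
            raise NotImplementedError(f"opcode {code:#04x}")
    raise RuntimeError("program fell off the end")

def dns_query(name, qtype):
    """Constructed Ethernet/IPv4/UDP/DNS query (sample input, not a real capture)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip        # Ethernet header, EtherType IPv4

def matches(prog, pkt):
    return run(prog, pkt) != 0

def dump_dd(prog):
    """tcpdump -dd style initialiser for a C `struct bpf_insn[]`."""
    return "\n".join(f"{{ 0x{c:02x}, {jt}, {jf}, 0x{k:08x} }}," for c, jt, jf, k in prog)

if __name__ == "__main__":
    prog = build_program(16, 28)                   # up to 15 labels, QTYPE AAAA
    print(dump_dd(prog))
    print(len(prog), "instructions; match:", matches(prog, dns_query("www.example.com", 28)))
    print("128 iterations ->", len(build_program(128, 28)), "instructions, limit", BPF_MAXINSNS)
```

`dump_dd()` emits the same `{ code, jt, jf, k },` lines that `tcpdump -dd` prints, which is the form a C program can drop into a `struct bpf_insn[]` and hand to libpcap's `pcap_setfilter()` inside a `struct bpf_program`; that is the practical route around the filter language, since tcpdump itself takes only expressions. With 128 iterations the generator produces 12 prologue instructions, 640 for the loop, 6 for three trampolines and 5 for the tail, which is the 640-plus-extras figure and well over 512; the interpreter is a model for checking the program's logic offline and is not a substitute for the kernel's own verifier.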

