Re: Hex Offset Needed

[Guy Harris <guy () alum mit edu>]

On Mar 3, 2010, at 6:37 PM, Martin Visser wrote:

> On a serious note, is libpcap able to process that filter efficiently ( I am sure it is much better than using a 
> display filter)

Code generated for Ethernet:

(000) ldh      [16]
(001) jeq      #0x800           jt 2    jf 16
(002) ldb      [27]
(003) jeq      #0x6             jt 4    jf 16
(004) ldh      [24]
(005) jset     #0x1fff          jt 16   jf 6
(006) ldxb     4*([18]&0xf)
(007) ldb      [x + 30]
(008) and      #0xf0
(009) rsh      #2
(010) add      #8
(011) add      x
(012) tax      
(013) ldh      [x + 18]
(014) jeq      #0x2030          jt 15   jf 16
(015) ret      #65535
(016) ret      #0

It's not that bad.  Note, though, that it doesn't handle IPv6.

The IPv4-only code for "tcp port 80" is

(000) ldh      [16]
(001) jeq      #0x800           jt 2    jf 12
(002) ldb      [27]
(003) jeq      #0x6             jt 4    jf 12
(004) ldh      [24]
(005) jset     #0x1fff          jt 12   jf 6
(006) ldxb     4*([18]&0xf)
(007) ldh      [x + 18]
(008) jeq      #0x50            jt 11   jf 9
(009) ldh      [x + 20]
(010) jeq      #0x50            jt 11   jf 12
(011) ret      #65535
(012) ret      #0

so it's only 4 more BPF instructions.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe