Wireshark mailing list archives

Re: dumpcap and bpf assembler


From: Sake Blok <sake () euronet nl>
Date: Wed, 27 May 2015 15:39:47 +0200

Richard,

I have the same interest, different reason and did not find anything on my last search (a couple of years ago). 
However, there is a lot you can do by using offsets and stuff yourself. For instance:

Multiple vlans:
vlan and (ether[14:2]&0x0fff = 4092 or ether[14:2]&0x0fff = 4094)

SIP over IPoverIP:
ip proto 4 and (ip[((ip[0]&0x0f)<<2)+9]=17 or ip[((ip[0]&0x0f)<<2)+9]=6) and 
(ip[((ip[0]&0x0f)<<2)+((ip[((ip[0]&0x0f)<<2)]&0x0f)<<2)+0:2]=5060 or 
ip[((ip[0]&0x0f)<<2)+((ip[((ip[0]&0x0f)<<2)]&0x0f)<<2)+2:2]=5060)


As you can see, you can just use the highest protocol that BPF does understand correctly and work with offsets from 
there. Do you have an example capture file that you can share? Then I might be able to help you.

Cheers,
Sake
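The offset arithmetic behind the two filters above, replayed in Python on constructed frames so the `(ip[0]&0x0f)<<2` steps can be checked byte by byte. This is an added example and not code from the thread, from Wireshark or from libpcap; the frame builders, the MAC addresses and the 10.0.0.x addresses are made up, and it assumes untagged Ethernet (a 14-byte link header) in front of the outer IP header, which is what the second filter is written for.

```python
"""Replay of the 'multiple vlans' and 'SIP over IPoverIP' filter arithmetic
on constructed frames (added example; not Wireshark/libpcap code)."""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q TPID, what the 'vlan' keyword checks at ether[12:2]
ETH_P_IP = 0x0800
IPPROTO_IPIP = 4       # 'ip proto 4'
IPPROTO_TCP = 6
IPPROTO_UDP = 17
SIP_PORT = 5060
ETH_HLEN = 14          # assumption: no VLAN tag in front of the outer IP header
MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # constructed dst/src


def ether_at(frame, off, size=1):
    """ether[off:size] as a big-endian unsigned int; None if the load runs off
    the end of the packet (BPF rejects the packet on an out-of-range load)."""
    chunk = frame[off:off + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None


def ip_at(frame, off, size=1):
    """ip[off:size]: the same load, relative to the start of the outer IPv4 header."""
    return ether_at(frame, ETH_HLEN + off, size)


def matches_vlan_filter(frame):
    """vlan and (ether[14:2]&0x0fff = 4092 or ether[14:2]&0x0fff = 4094)"""
    if ether_at(frame, 12, 2) != ETH_P_8021Q:          # the 'vlan' keyword
        return False
    tci = ether_at(frame, 14, 2)                        # PCP(3) | DEI(1) | VID(12)
    return tci is not None and (tci & 0x0FFF) in (4092, 4094)


def matches_sip_over_ipip(frame):
    """ip proto 4, inner protocol UDP or TCP, inner src or dst port 5060,
    using the filter's offsets: outer IHL*4 -> inner IP header,
    then inner IHL*4 -> inner transport header."""
    if ether_at(frame, 12, 2) != ETH_P_IP:
        return False
    if ip_at(frame, 9) != IPPROTO_IPIP:                 # 'ip proto 4' (None also fails)
        return False
    outer_ihl = (ip_at(frame, 0) & 0x0F) << 2           # ((ip[0]&0x0f)<<2); ip[0] is in range since ip[9] was
    if ip_at(frame, outer_ihl + 9) not in (IPPROTO_UDP, IPPROTO_TCP):   # ip[outer+9]
        return False
    inner_ihl = (ip_at(frame, outer_ihl) & 0x0F) << 2   # ((ip[outer]&0x0f)<<2); in range since ip[outer+9] was
    sport = ip_at(frame, outer_ihl + inner_ihl + 0, 2)  # ip[outer+inner+0:2]
    dport = ip_at(frame, outer_ihl + inner_ihl + 2, 2)  # ip[outer+inner+2:2]
    return SIP_PORT in (sport, dport)


def ipv4_header(proto, payload_len, ihl_words=5):
    """Minimal constructed IPv4 header (checksum left 0) of ihl_words*4 bytes;
    ihl_words > 5 adds NOP options so the IHL arithmetic is really exercised."""
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                        ihl_words * 4 + payload_len, 0, 0, 64, proto, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + b"\x01" * ((ihl_words - 5) * 4)


def vlan_frame(vid, pcp=0):
    """Constructed 802.1Q-tagged frame (priority bits optional, no payload)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return MACS + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP)


def sip_over_ipip_frame(sport, dport, outer_ihl=5, inner_ihl=5):
    """Constructed Ethernet / IPv4(proto 4) / IPv4(UDP) / UDP frame."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    inner = ipv4_header(IPPROTO_UDP, len(udp), inner_ihl) + udp
    outer = ipv4_header(IPPROTO_IPIP, len(inner), outer_ihl) + inner
    return MACS + struct.pack("!H", ETH_P_IP) + outer


if __name__ == "__main__":
    for vid in (100, 4092, 4093, 4094):
        print(f"vlan {vid}: {matches_vlan_filter(vlan_frame(vid))}")
    print("SIP over IPIP, inner header with options:",
          matches_sip_over_ipip(sip_over_ipip_frame(5060, 40000, inner_ihl=6)))
```

The `None` return from an out-of-range load is the part worth keeping in mind when writing such filters by hand: a truncated or shorter-than-expected packet simply fails the comparison rather than matching, which is also why the inner header's protocol byte is tested before its IHL is read.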


On 26 mei 2015, at 22:21, Richard Stearn wrote:

Is there a way of handing dumpcap a BPF assembler file rather than a
libpcap expression?

I have RTFM'd, googled and not found an answer.

Of course my reading ability and googlefu could be well broken :-)

Why, because I wish to filter on the protocol the network interface
currently believes the packet to be (skb->protocol), rather than what
the interface says it is and I have not found a libpcap expression that
achieves that.

-- 
Regards
      Richard

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
           mailto:wireshark-users-request () wireshark org?subject=unsubscribe
