Re: [tcpdump-workers] Warning on enabling ip6 protochain 6

2011-08-06 Thread Guy Harris 

On Aug 5, 2011, at 6:59 AM, Darren Reed wrote:

> On  5/08/11 01:46 AM, Guy Harris wrote:
>> ...
>> That could, in theory, be fixed - for example, BSD/OS's BPF interpreter had 
>> an instruction that would do IPv6 extension header parsing
>>   
> 
> How much interest is there in that?
> And what would the functional requirements be?
> 
> I've written a prototype BPF instruction that is a "search for header X" that 
> seems to work. This takes the loop out of BPF and puts it into the driver, 
> which has is a positive for both performance and validation.

(Presumably by "in the driver" you mean "in the kernel BPF interpreter".)

For "ip6 protochain", it needs to look at the next header field and:

if it's "hop-by-hop options", "destination options", "routing", 
"fragment", or AH, skip to the next header, and loop back to check its type 
(according to RFC 2402, there can be "destination options" headers after the AH 
header);

otherwise, stop.

It should leave the final header type in the A register, so you could, for 
example, do "ip6 protochain tcp or ip", with the protochain instruction 
followed by compare-and-branch for both 6 and 17.  It should leave in the X 
register the offset of the first byte after the IPv6 header if it didn't skip 
any headers and the first byte after the last extension header if it skipped 
any headers (i.e., skip past even the matching header), so it points to the 
payload of the protocol in question.

The operand should be the address of the beginning of the IPv6 header.  There 
should be versions of the instruction where the effective address is just the 
constant field and where it's the constant field plus the X register (ABS vs. 
IND).

(This is similar to, but, not as I read it, identical to the BSD/OS 
instruction; the BSD/OS instruction appeared to set X to the offset of the 
payload past the beginning of the IPv6 header, which works fine if the offset 
of the beginning of the IPv6 header from the beginning of the packet is a 
constant, but not quite so well if it's a variable, as it is in a number of 
cases, e.g. 802.11 and 802.11+radio information.)

For "ip4 protochain", the only protocol type that needs special treatment is 
AH; can there be AH-within-AH?  If so, that'd need a different instruction, 
otherwise, unless I'm missing something, there's no need for a loop.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] rpcap support?

2011-08-06 Thread Joerg Mayer 
I've now created an account on github and cloned mcr's repo over there.
That way it should be easier to talk about the code. It can be found at:
git://github.com/jmayer/libpcap.git

Ciao
Joerg
-- 
Joerg Mayer   
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.