[tcpdump-workers] Libpcap-1.4.0 BPF_AND not filtering as expected

Hi All,

I am trying to add some BPF code for capture filters.

I am basically trying to load data into the accumulator from some offset,
mask it and then match it with some value.

Here is the opcode:

{ 0x20, 0, 0, 0x0013 }, { 0x54, 0, 0, 0x0ffc }, { 0x15, 0, 1, 0x0100 }, { 0x6, 0, 0, 0x }, { 0x6, 0, 0, 0x },

The packets are not only matching 0x100 but also 0xf00.
The other way round is not happening.

Here are the two example packets:

0 0 0 0 0 bc 6b 6b 6b 6b 6b 6b fc fc 80 8 0 46 fe 71 0 1 0 0 c9 ef 0 0
1e e7 2 ff ff fd 0 ff ff fd 22 38 0 0 6c 0 0 0 51 13 ff ff 0 0 0 0 14
0 0 0 2 0 0 0 0 0 0 c8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14 0 0 0 50 0 0 0
d0 0 1 4 2f 3 0 0 0 57 d5

and

0 0 0 0 ee 0 0 0 0 0 0 a fc fc 91 6 0 e2 ff 7f 0 40 0 1 0 0 0 10 1 0
20 ff fa 4 0 ff fa 4 1 0 0 2 0 0 0 0 ff ff ff ff 0 0 0 0 0 0 0 0 0 0 0
13 0 0 0 5 9 5c 84 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ff fa 4 0 ff
fa 4 0 0 c 37 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 6 8 20 0 6 8 20 0 0 7a
49 0 8 b9 52 7c 74 d3 2b 7f 2b d6 6e 8f bd 17 a4 9a 1c 76 dd 84 3b 39
d4 9f 2b ba 6c 88 db 67 aa e3 21 fd 60 95 d0 8b 14 fb 61 83 8b 1f 9a
2f b9 b6 a5 96 3a e0 cf e 7f fa c8 ec 83 a3 53 2d 86 74 2a e6 a fa 71
1e f6 d3 a1 81 f2 3b b0 ab f1 56 41 2b 36 10 39 b6 a 1 a2 8d a4 f5 bb
2b 6a e5 11 74

Hope you can give me some solution to this.

Thanks and Regards,
Aparna N
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] Libpcap-1.4.0 BPF_AND not filtering as expected

Hi Guy Harris,

Here is the translated code.

/* initialization */
static u_int off_didx = 5;
bpf_u_int32 didx_mask = 0x0ffc;
didx = didx<<18;
b0 = gen_ncmp(OR_MACPL, off_didx, BPF_W, didx_mask, BPF_JEQ, 0, (bpf_int32)didx);

The i/p value of didx is 0x40.

Here is what 'gen_ncmp' generates:

gen_load_a(offrel, offset, size);   ==>  { 0x20, 0, 0, 0x0013 }
    load one word at offset 0x13 into the accumulator (A)
new_stmt(BPF_ALU|BPF_AND|BPF_K);    ===> { 0x54, 0, 0, 0x0ffc }
    AND the mask entered with the value in A.
new_block(JMP(jtype));              ===> { 0x15, 0, 1, 0x0100 }
    a jump statement to compare the value in didx with the value in A.

Thanks and Regards,
Aparna

On 6 November 2014 13:04, Guy Harris wrote:
>
> On Nov 5, 2014, at 10:41 PM, Aparna Nagarajan wrote:
>
>>> Hi All,
>>>
>>> I am trying to add some BPF code for capture filters.
>>>
>>> I am basically trying to load data into the accumulator from some offset,
>>> mask it and then match it with some value.
>>>
>>> Here is the opcode:
>>>
>>> { 0x20, 0, 0, 0x0013 }, { 0x54, 0, 0, 0x0ffc }, { 0x15, 0, 1, 0x0100 }, { 0x6, 0, 0, 0x }, { 0x6, 0, 0, 0x },
>
> Please translate that to BPF assembler language; I'm too busy to translate it
> myself.
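To make the expected behaviour of the three-instruction program concrete (the opcodes posted in the first message and the gen_ncmp translation above), here is a small classic-BPF interpreter written for this thread. It is an added example, not libpcap code and not the poster's code: it executes `ld [0x13]; and #0xffc; jeq #0x100` over the leading bytes of the two packets quoted in the first message and reports what a correct engine must return. The two `ret` constants were elided in the original post, so the accept/reject values used here are an assumption; `run_bpf`, `parse_dump` and `masked_word` are names chosen for this example.

```python
# Added example (not libpcap code): a tiny classic-BPF interpreter for the
# filter discussed in the thread, so the expected verdict per packet can be
# checked independently of any libpcap version.
import struct

# Classic BPF opcode values as used in the thread's instruction tuples.
BPF_LD_W_ABS = 0x20   # A = ntohl(*(u32 *)(pkt + k))
BPF_AND_K    = 0x54   # A &= k
BPF_JEQ_K    = 0x15   # pc += (A == k) ? jt : jf
BPF_RET_K    = 0x06   # return k

# The program from the thread as (code, jt, jf, k). The return constants
# were elided in the original post ("0x"); the values below are assumed.
PROGRAM = [
    (BPF_LD_W_ABS, 0, 0, 0x0013),
    (BPF_AND_K,    0, 0, 0x0ffc),
    (BPF_JEQ_K,    0, 1, 0x0100),
    (BPF_RET_K,    0, 0, 0xffffffff),  # assumed: accept (return whole packet)
    (BPF_RET_K,    0, 0, 0x00000000),  # assumed: reject
]


def run_bpf(program, pkt):
    """Execute a classic BPF program over pkt and return its ret value.

    Only the four opcodes the thread's program uses are implemented.
    A load that reaches past the end of the packet rejects it, which is
    the classic BPF rule for out-of-bounds packet access.
    """
    acc = 0
    pc = 0
    while pc < len(program):
        code, jt, jf, k = program[pc]
        pc += 1                      # jt/jf are relative to the next insn
        if code == BPF_LD_W_ABS:
            if k + 4 > len(pkt):
                return 0
            acc = struct.unpack_from("!I", pkt, k)[0]   # network byte order
        elif code == BPF_AND_K:
            acc &= k
        elif code == BPF_JEQ_K:
            pc += jt if acc == k else jf
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode 0x{code:02x}")
    raise ValueError("program fell off the end without a BPF_RET")


def parse_dump(text):
    """Turn the space-separated hex bytes quoted in the thread into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


# Leading bytes of the two packets from the thread (constructed copies of
# the start of each dump; enough to cover the 4-byte load at offset 0x13).
PKT_1 = parse_dump("0 0 0 0 0 bc 6b 6b 6b 6b 6b 6b fc fc 80 8 0 46 fe 71 0 1 0 0 c9 ef 0 0")
PKT_2 = parse_dump("0 0 0 0 ee 0 0 0 0 0 0 a fc fc 91 6 0 e2 ff 7f 0 40 0 1 0 0 0 10 1 0")


def masked_word(pkt, offset=0x13, mask=0x0ffc):
    """The intermediate value A holds after ld+and, for inspection."""
    return struct.unpack_from("!I", pkt, offset)[0] & mask


if __name__ == "__main__":
    for name, pkt in (("packet 1", PKT_1), ("packet 2", PKT_2)):
        print(f"{name}: A after mask = {masked_word(pkt):#06x}, "
              f"ret = {run_bpf(PROGRAM, pkt):#x}")
```

For the first packet the word at offset 0x13 is 0x71000100, which masks to 0x100 and takes the accept branch; for the second it is 0x7f004000, which masks to 0 and must be rejected. That is the verdict the poster expects from the filter; the behaviour observed with libpcap 1.4.0 in the thread is not reproduced by this reference interpreter, which is the point of having one to compare against.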
Re: [tcpdump-workers] Libpcap-1.4.0 BPF_AND not filtering as expected

There seems to be a bug in libpcap version 1.4.0. The same code works good in 1.6.2 :)

Thanks a lot.
Aparna N

On 6 November 2014 13:56, Aparna Nagarajan wrote:
> Hi Guy Harris,
>
> Here is the translated code.
>
> /* initialization */
> static u_int off_didx = 5;
> bpf_u_int32 didx_mask = 0x0ffc;
> didx = didx<<18;
> b0 = gen_ncmp(OR_MACPL, off_didx, BPF_W, didx_mask, BPF_JEQ, 0, (bpf_int32)didx);
>
> The i/p value of didx is 0x40.
>
> Here is what 'gen_ncmp' generates:
> gen_load_a(offrel, offset, size);   ==>  { 0x20, 0, 0, 0x0013 }
>     load one word at offset 0x13 into the accumulator (A)
> new_stmt(BPF_ALU|BPF_AND|BPF_K);    ===> { 0x54, 0, 0, 0x0ffc }
>     AND the mask entered with the value in A.
> new_block(JMP(jtype));              ===> { 0x15, 0, 1, 0x0100 }
>     a jump statement to compare the value in didx with the value in A.
>
> Thanks and Regards,
> Aparna
>
> On 6 November 2014 13:04, Guy Harris wrote:
>>
>> On Nov 5, 2014, at 10:41 PM, Aparna Nagarajan wrote:
>>
>>>> Hi All,
>>>>
>>>> I am trying to add some BPF code for capture filters.
>>>>
>>>> I am basically trying to load data into the accumulator from some offset,
>>>> mask it and then match it with some value.
>>>>
>>>> Here is the opcode:
>>>>
>>>> { 0x20, 0, 0, 0x0013 }, { 0x54, 0, 0, 0x0ffc }, { 0x15, 0, 1, 0x0100 }, { 0x6, 0, 0, 0x }, { 0x6, 0, 0, 0x },
>>
>> Please translate that to BPF assembler language; I'm too busy to translate
>> it myself.