It occurs to me that BPF needs a similar "special" instruction to chase
down a particular header. At present, BPF filters will fail to match any
TCP packet that has any extension header present. Thus a "chase" or
"find" instruction is needed.
An example of such an instruction might be:
ldxbf [8
On May 10, 2011, at 1:40 PM, Darren Reed wrote:
> To pursue this a little further, experimenting has
> determined that the best layout thus far would be
> something similar to this:
>
> bits field
> 00-07 version (1)
> 08-15 pad (0)
> 16-31 pre-mac payload length
> 32-63 dlt (DLT_*)
> 64-79 eth
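The extension-header problem raised at the top of this message, as an added example that is not part of the original thread: a user-space C sketch of what a "chase" operation has to do, next to a test of the fixed Next Header byte. It assumes the extension headers meant are IPv6 ones and that the buffer starts at the IPv6 header; the function names and `SAMPLE` packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { HOPOPTS = 0, TCP = 6, ROUTING = 43, FRAGMENT = 44, AH = 51, DSTOPTS = 60 };

/* Constructed sample: IPv6 header, 8-byte hop-by-hop header, TCP to port 443. */
static const uint8_t SAMPLE[68] = {
    [0] = 0x60, [5] = 28, [6] = HOPOPTS, [7] = 64,  /* payload 28, next = hop-by-hop */
    [40] = TCP, [41] = 0, [42] = 1, [43] = 4,       /* next = TCP, len 0, PadN(4) */
    [50] = 0x01, [51] = 0xbb, [60] = 0x50,          /* dst port 443, data offset 5 */
};

/* Models a filter that tests only the fixed Next Header byte at offset 6. */
int fixed_offset_match(const uint8_t *p, size_t len, uint8_t want)
{
    return len >= 40 && p[6] == want;
}

/* Walk the chain: offset of header `want`, or -1 if absent, malformed or cut off. */
long find_header(const uint8_t *p, size_t len, uint8_t want)
{
    size_t off = 40, hlen = 0;
    uint8_t next;

    if (len < 40 || (p[0] >> 4) != 6)
        return -1;
    for (next = p[6]; off < len; off += hlen) {
        if (next == want)
            return (long)off;
        if (len - off < 8)
            return -1;                      /* truncated extension header */
        switch (next) {
        case HOPOPTS: case ROUTING: case DSTOPTS:
            hlen = ((size_t)p[off + 1] + 1) * 8; break;  /* 8-byte units, first excluded */
        case AH:
            hlen = ((size_t)p[off + 1] + 2) * 4; break;  /* 4-byte units, minus 2 */
        case FRAGMENT:
            if (((p[off + 2] << 8 | p[off + 3]) & 0xfff8) != 0)
                return -1;                  /* later fragment: no L4 header here */
            hlen = 8; break;
        default:
            return -1;                      /* a different upper-layer protocol */
        }
        if (hlen > len - off)
            return -1;
        next = p[off];
    }
    return -1;
}
```

On `SAMPLE` the fixed-offset test reports no TCP, while the walker finds the TCP header at offset 48; the data-dependent loop is the part a fixed-offset load cannot express.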
To follow this on, looking at the output of "tcpdump -d",
it became obvious that the opcodes could be optimised.
The optimiser would need to be seriously smarter than
it currently is to detect that it has a repeating group of
six statements, of which the second can be eliminated.
That's completely