"Geoffrey Sisson" wrote:
> N.B. the last
> change in the change log is 2002, so there's a possibility of bit rot.
Actually the SourceForge repository has more recent activity:
http://sourceforge.net/projects/ssldump/d
Aaron Turner wrote:
> Last I checked, tcpdump supports decrypting IPSec, but not SSL.
> However, Wireshark decrypts SSL. You'll need the SSL private key of
> the webserver to do it.
There's also ssldump, written by Eric Rescorla (RFC 5246 co-author):
http://www.rtfm.com/ssldump/
I used ss
Sam Roberts wrote:
> Since you are contemplating writing BPF filters by hand, you probably
> already have considered this,
> but I think you could modify tcpdump to create a bpf_program from your
> input, bypassing its call to pcap_compile(). Maybe use -F to provide
> the raw instructions.
That
Darren Reed wrote:
> Geoffrey Sisson wrote:
>
> > I was disappointed that you can't loop, but I totally understand
> > why they did that.
> >
> > A domain name can have at most 128 labels. At five instructions per
> > iteration, that works out to
Guy Harris wrote:
>
> On Jul 10, 2011, at 6:57 PM, Geoffrey Sisson wrote:
>
> > The catch is that domain names comprise a variable number of
> > variable-length fields.
>
> ...and include pointers back to other labels, for compression.
It's unlikely this would be
Guy Harris wrote:
> What sort of variable-length fields are you processing?-
Labels in the wire representation of a domain name.
From RFC 1035:
Domain names in messages are expressed in terms of a sequence
of labels. Each label is represented as a one octet length field
followed by
Guy Harris wrote:
> What are you trying to do? If it's a type of test that the filter
> language doesn't support, the filter language should perhaps be extended
> to support it.
It's for walking through some variable-length fields, and involves
iteratively using values in the packet as offsets
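The walk described in this thread (one label-length read per iteration, the value used as the next offset, unrolled because the BPF pseudo-machine has no loops) as an added example; this is not code from the list, from tcpdump or from libpcap. It assumes a fixed QNAME offset of 54 (Ethernet + IPv4 without options + UDP + 12-byte DNS header), treats every label octet as a plain length (a compression pointer, 0xC0 or above, would be misread), and bundles a tiny interpreter for the handful of opcodes it emits so that it runs without libpcap. The opcode values are the ones from pcap/bpf.h and the struct matches libpcap's struct bpf_insn layout; the sample packet is constructed, with the headers zero-filled because the filter never looks at them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic-BPF opcode encodings; same values as <pcap/bpf.h>. */
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ALU = 0x04, BPF_JMP = 0x05, BPF_RET = 0x06,
       BPF_MISC = 0x07, BPF_W = 0x00, BPF_H = 0x08, BPF_B = 0x10, BPF_IMM = 0x00,
       BPF_IND = 0x40, BPF_ADD = 0x00, BPF_JEQ = 0x10, BPF_K = 0x00, BPF_X = 0x08,
       BPF_TAX = 0x00 };

/* Same layout as libpcap's struct bpf_insn: jt/jf are 8-bit forward offsets. */
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Assumed QNAME offset: Ethernet 14 + IPv4 (no options) 20 + UDP 8 + DNS header 12. */
#define QNAME_OFF 54
#define PROG_MAX  (1 + 5 * 51 + 5)   /* largest program build_qtype_filter can emit */

/* Emit an unrolled filter: walk QNAME label by label (at most max_labels reads,
 * counting the terminating root label), then accept if QTYPE == qtype.
 * Returns the instruction count, or -1 if a jump offset would not fit in 8 bits. */
int build_qtype_filter(struct bpf_insn *p, uint32_t qtype, int max_labels) {
    int n = 0, i, done = 1 + 5 * max_labels + 1;   /* index of the post-walk code */
    p[n++] = (struct bpf_insn){BPF_LDX|BPF_W|BPF_IMM, 0, 0, QNAME_OFF};     /* X = &QNAME */
    for (i = 0; i < max_labels; i++) {
        int jt = done - (n + 2);   /* jeq sits at n+1; offsets are relative to n+2 */
        if (jt > 255) return -1;
        p[n++] = (struct bpf_insn){BPF_LD|BPF_B|BPF_IND, 0, 0, 0};           /* A = P[X]: label length */
        p[n++] = (struct bpf_insn){BPF_JMP|BPF_JEQ|BPF_K, (uint8_t)jt, 0, 0}; /* 0 => end of name */
        p[n++] = (struct bpf_insn){BPF_ALU|BPF_ADD|BPF_X, 0, 0, 0};           /* A = length + X */
        p[n++] = (struct bpf_insn){BPF_ALU|BPF_ADD|BPF_K, 0, 0, 1};           /* A += 1: skip length octet */
        p[n++] = (struct bpf_insn){BPF_MISC|BPF_TAX, 0, 0, 0};                /* X = start of next label */
    }
    p[n++] = (struct bpf_insn){BPF_RET|BPF_K, 0, 0, 0};          /* more than max_labels labels: reject */
    p[n++] = (struct bpf_insn){BPF_LD|BPF_H|BPF_IND, 0, 0, 1};   /* done: A = QTYPE, just past the root label */
    p[n++] = (struct bpf_insn){BPF_JMP|BPF_JEQ|BPF_K, 0, 1, qtype};
    p[n++] = (struct bpf_insn){BPF_RET|BPF_K, 0, 0, 65535};      /* accept (whole packet) */
    p[n++] = (struct bpf_insn){BPF_RET|BPF_K, 0, 0, 0};          /* reject */
    return n;
}

/* Minimal interpreter for just the opcodes emitted above; for real use the program
 * goes to pcap_setfilter() or bpf_filter(). Out-of-bounds loads reject the packet. */
uint32_t run_filter(const struct bpf_insn *p, int len, const uint8_t *pkt, uint32_t plen) {
    uint32_t A = 0, X = 0;
    int pc = 0;
    while (pc < len) {
        const struct bpf_insn *in = &p[pc++];
        uint64_t off = (uint64_t)X + in->k;
        switch (in->code) {
        case BPF_LDX|BPF_W|BPF_IMM: X = in->k; break;
        case BPF_LD|BPF_B|BPF_IND:  if (off >= plen) return 0; A = pkt[off]; break;
        case BPF_LD|BPF_H|BPF_IND:  if (off + 1 >= plen) return 0;
                                    A = (uint32_t)pkt[off] << 8 | pkt[off + 1]; break;
        case BPF_ALU|BPF_ADD|BPF_X: A += X; break;
        case BPF_ALU|BPF_ADD|BPF_K: A += in->k; break;
        case BPF_MISC|BPF_TAX:      X = A; break;
        case BPF_JMP|BPF_JEQ|BPF_K: pc += (A == in->k) ? in->jt : in->jf; break;
        case BPF_RET|BPF_K:         return in->k;
        default:                    return 0;   /* opcode not modelled here */
        }
    }
    return 0;   /* fell off the end: reject */
}

/* Constructed sample packet: zero-filled headers, then a DNS question with the
 * dotted name encoded as RFC 1035 length-prefixed labels. Returns the length. */
int make_query(uint8_t *buf, const char *name, uint16_t qtype) {
    int n = QNAME_OFF, i;
    memset(buf, 0, QNAME_OFF);
    while (*name) {
        const char *dot = strchr(name, '.');
        int l = dot ? (int)(dot - name) : (int)strlen(name);
        buf[n++] = (uint8_t)l;
        for (i = 0; i < l; i++) buf[n++] = (uint8_t)name[i];
        name += l + (dot ? 1 : 0);
    }
    buf[n++] = 0;                                   /* root label terminates the name */
    buf[n++] = (uint8_t)(qtype >> 8); buf[n++] = (uint8_t)(qtype & 0xff);
    buf[n++] = 0; buf[n++] = 1;                     /* QCLASS IN */
    return n;
}

/* Build a query for name/qtype_in_pkt and run the filter for qtype_wanted.
 * Returns -1 if the filter cannot be built, else the filter's return value. */
int demo(const char *name, uint16_t qtype_in_pkt, uint32_t qtype_wanted, int max_labels) {
    struct bpf_insn prog[PROG_MAX];
    uint8_t pkt[512];
    int n = build_qtype_filter(prog, qtype_wanted, max_labels);
    if (n < 0) return -1;
    return (int)run_filter(prog, n, pkt, (uint32_t)make_query(pkt, name, qtype_in_pkt));
}

int main(void) {
    printf("AAAA query for www.example.com -> %d\n", demo("www.example.com", 28, 28, 32));
    printf("A query, same filter          -> %d\n", demo("www.example.com", 1, 28, 32));
    printf("52-label unroll               -> %d\n", demo("www.example.com", 28, 28, 52));
    return 0;
}
```

Two practical limits show up as soon as the unroll is written out. Because jt/jf are single bytes, the direct jump from the first iteration to the post-walk code caps the unroll at 51 iterations at five instructions each; covering 128 labels needs intermediate jumps (or a different layout), and the builder returns -1 rather than wrapping the offset. And a label octet of 0xC0 or above is a compression pointer, not a length, so a production filter should add a jge #0xc0 check to each iteration (six instructions per label instead of five) and should prefix the whole thing with the usual udp port 53 tests.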
Is there any way to use BPF filters directly from tcpdump, i.e., supply
tcpdump with a filter in BPF pseudo-machine format? I had a cursory
look at the code and couldn't find any obvious way to do this. What I'd
like to be able to do is supply a BPF filter in bpf_insn struct format, e.g.: