On Sep 10, 2012, at 10:50 AM, Guy Harris wrote:
>
> On Sep 10, 2012, at 3:41 AM, "David Laight" wrote:
>
What about the other OS - eg all the BSDs?
I had a vague idea that BPF was supposed to be reasonable portable.
>>>
>>> Yes, does it mean BPF is frozen ?
>>>
>>> Or is BSD so ha
On Sep 10, 2012, at 3:41 AM, "David Laight" wrote:
>>> What about the other OS - eg all the BSDs?
>>> I had a vague idea that BPF was supposed to be reasonable portable.
>>
>> Yes, does it mean BPF is frozen ?
>>
>> Or is BSD so hard to update these days ?
>
> Not really - but it some other p
> > What about the other OS - eg all the BSDs?
> > I had a vague idea that BPF was supposed to be reasonable portable.
>
> Yes, does it mean BPF is frozen ?
>
> Or is BSD so hard to update these days ?
Not really - but it some other places that need updating in order
to make this useful for cros
> On Fri, Sep 07, 2012 at 07:49:10AM +, George Bakos wrote:
> > Gents,
> > Any fundamental reason why the following (, etc.) shouldn't be
> > included in net/core/filter.c?
> >
> > case BPF_S_ALU_MOD_X:
> > if (X == 0)
> >
On Sep 6, 2012, at 12:36 AM, George Bakos wrote:
> $ tcpdump -nvr /tmp/DG2-test2 '(ip[2:2] - 20) % 5 != 0 && ip[6] &
> 0x20 = 0x20'
>
> reading from file /tmp/DG2-test2, link-type EN10MB (Ethernet)
> 19:01:51.270202 IP (tos 0x0, ttl 64, id 1, offset 40, flags [+],
> proto ICMP (1), length 61)
Your recommended approach certainly works:
$ tcpdump -nvr /tmp/DG2-test2 '((ip[2:2] - 20) - (((ip[2:2] - 20) /
5) * 5)) != 0 && ip[6] & 0x20 = 0x20'
reading from file /tmp/DG2-test2, link-type EN10MB (Ethernet)
19:01:51.270202 IP (tos 0x0, ttl 64, id 1, offset 40, flags [+],
proto ICMP (1), leng
On Sep 5, 2012, at 2:39 PM, George Bakos wrote:
> I don't see any discussion regarding adding modular operations to
> pcap, i.e. "header[offset:width] % 4 != 0". I've put together a patch
> that compiles & honors that (at least on the few systems I've tried),
Does it work if the right-hand side
I don't see any discussion regarding adding modular operations to
pcap, i.e. "header[offset:width] % 4 != 0". I've put together a patch
that compiles & honors that (at least on the few systems I've tried),
but was wondering if there were any fundamental reason to avoid it?
Thanks.
g
__
