Hi, I am using a pcap filter to catch 90 bytes long packets on port 123 (NTP packets). I am only interested in the packets to and from the computer I am running pcap on. It is usually not a problem because I am running PCAP in non-promiscuous mode. However, when I run for example tcpdump I get all NTP packets on the hub. I understand why, but not how to get rid of the problem with a generic solution, so I don't need to change my filter for all different computer names the program is run on.
* What should a simple "string" filter look like to filter for packets to and from the local host? (tcpdump "port 123 and host localhost" doesn't work)
* Does anyone know what I should add to the filter below in order to make it do what I want?

Regards,
Erik Corell

/* #include and wrapper function added for context; bpf_filter_program is
   assumed to be a struct bpf_program declared elsewhere in the caller's code. */
#include <pcap.h>

static struct bpf_program bpf_filter_program;

struct bpf_program get_filter(void)
{
    /* bpf filter code for 'port 123' with a snap size of 90 bytes */
    static struct bpf_insn bpf_filter[] = {
        { 0x28, 0, 0, 0x0000000c },  /* ldh [12] */
        { 0x15, 0, 10, 0x00000800 }, /* jeq #0x800 jt 2 jf 12 */
        { 0x30, 0, 0, 0x00000017 },  /* ldb [23] */
        { 0x15, 0, 8, 0x00000011 },  /* jeq #0x11 jt 4 jf 12 */
        { 0x28, 0, 0, 0x00000014 },  /* ldh [20] */
        { 0x45, 6, 0, 0x00001fff },  /* jset #0x1fff jt 12 jf 6 */
        { 0xb1, 0, 0, 0x0000000e },  /* ldxb 4*([14]&0xf) */
        { 0x48, 0, 0, 0x0000000e },  /* ldh [x + 14] */
        { 0x15, 2, 0, 0x0000007b },  /* jeq #0x7b jt 11 jf 9 */
        { 0x48, 0, 0, 0x00000010 },  /* ldh [x + 16] */
        { 0x15, 0, 1, 0x0000007b },  /* jeq #0x7b jt 11 jf 12 */
        { 0x6, 0, 0, 0x0000005a },   /* ret #90 */
        { 0x6, 0, 0, 0x00000000 }    /* ret #0 */
    };
    bpf_filter_program.bf_insns = bpf_filter;
    bpf_filter_program.bf_len = sizeof(bpf_filter) / sizeof(struct bpf_insn);
    return bpf_filter_program;
}

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
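An added example, not from the post or from tcpdump/libpcap: it runs the poster's 'port 123' bytecode through a small Python interpreter of the classic-BPF opcodes it uses, on a constructed 90-byte Ethernet/IPv4/UDP NTP frame, and shows the same program hand-extended with a source/destination IPv4 check, which is what 'port 123 and host <addr>' compiles to on an Ethernet link. The interpreter, the packet builder and the 192.0.2.x addresses are constructed assumptions for illustration.

```python
import socket
import struct
# The poster's 'port 123' filter, transcribed as (code, jt, jf, k) tuples.
PORT_123 = [
    (0x28, 0, 0, 12), (0x15, 0, 10, 0x0800), (0x30, 0, 0, 23), (0x15, 0, 8, 17),
    (0x28, 0, 0, 20), (0x45, 6, 0, 0x1fff), (0xb1, 0, 0, 14), (0x48, 0, 0, 14),
    (0x15, 2, 0, 123), (0x48, 0, 0, 16), (0x15, 0, 1, 123), (0x06, 0, 0, 90), (0x06, 0, 0, 0),
]

def port123_and_host(host):
    """Same checks, then accept only if IPv4 src or dst is `host` ('port 123 and host X')."""
    h = struct.unpack("!I", socket.inet_aton(host))[0]
    return [
        (0x28, 0, 0, 12), (0x15, 0, 14, 0x0800), (0x30, 0, 0, 23), (0x15, 0, 12, 17),
        (0x28, 0, 0, 20), (0x45, 10, 0, 0x1fff), (0xb1, 0, 0, 14), (0x48, 0, 0, 14),
        (0x15, 2, 0, 123), (0x48, 0, 0, 16), (0x15, 0, 5, 123),  # reject jumps now target 16
        (0x20, 0, 0, 26), (0x15, 2, 0, h),   # ld [26] (src IP); jeq host -> ret #90
        (0x20, 0, 0, 30), (0x15, 0, 1, h),   # ld [30] (dst IP); jeq host -> ret #90
        (0x06, 0, 0, 90), (0x06, 0, 0, 0),
    ]
LOADS = {0x28: "!H", 0x30: "!B", 0x20: "!I"}   # ldh / ldb / ld [k]
def run_bpf(prog, pkt):
    """Interpret the classic-BPF opcodes used above; out-of-bounds loads reject (return 0)."""
    a = x = pc = 0
    try:
        while True:
            code, jt, jf, k = prog[pc]
            pc += 1
            if code in LOADS:            # ldh/ldb/ld [k]: absolute load into A
                a = struct.unpack_from(LOADS[code], pkt, k)[0]
            elif code == 0xb1:           # ldxb 4*([k]&0xf): IPv4 header length into X
                x = 4 * (pkt[k] & 0xf)
            elif code == 0x48:           # ldh [x+k]: indexed load (UDP ports)
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif code == 0x15:           # jeq #k
                pc += jt if a == k else jf
            elif code == 0x45:           # jset #k
                pc += jt if a & k else jf
            elif code == 0x06:           # ret #k (bytes to keep, 0 = drop)
                return k
    except (struct.error, IndexError):
        return 0

def ntp_packet(src, dst, sport=123, dport=123):
    """Constructed 90-byte Ethernet/IPv4/UDP frame with a 48-byte NTP payload."""
    payload = b"\x23" + b"\x00" * 47     # LI=0, VN=4, mode=3 (client); rest zero
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp + payload
```

The same host-aware program can be produced with `tcpdump -dd 'port 123 and host <addr>'` instead of hand-assembling it, and at run time pcap_compile() builds it from the filter string, so the local address need not be hard-coded into the array.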