Latha G wrote:
> Hi all,
> I have a question on interpreting the output of the -d option.
> I used the tcpdump -d option
> o/p: (000) ret #96
> I interpreted it as returning 96 bytes of the data.
Yes.
> and I used the tcpdump -dd option
> o/p: { 0x6, 0, 0, 0x00000060 },
> I interpreted it as: 0x6 refers to the opcode of the ret instruction, and
> 0x00000060 refers to the 96 bytes. What do the remaining 0s stand for?
#define BPF_RET 0x06
All BPF instructions are of a fixed size. The other two bytes (set to
zero) are not used in a return instruction. In a jump statement they
are used to index the true / false targets.
> and tcpdump -ddd
> o/p: 1
> 6 0 0 96
> This is the decimal representation of the above -dd output, right?
> Does that 1 refer to the number of instructions?
According to my copy of bpf_dump.c, yes.
> And where can I get these instructions and their corresponding opcodes?
On BSD systems the header is in /usr/include/net/bpf.h:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/bpf.h
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
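To make the three output forms discussed in the thread concrete, here is an added decoder (not from tcpdump or the list posters) that parses `-dd` tuples back into `struct bpf_insn` fields, prints them in `-d` mnemonic form and in `-ddd` decimal form, and shows how `jt`/`jf` are used as jump targets. The opcode constants follow `<net/bpf.h>`; the four-instruction sample program is constructed here (it is the shape tcpdump emits for the filter "ip" on Ethernet) and the `<HBBI` layout assumes a little-endian host.

```python
"""Decode `tcpdump -dd` tuples into `struct bpf_insn` fields and render them
in `-d` (mnemonic) and `-ddd` (decimal) form.  Constants per <net/bpf.h>."""
import re
import struct

# The low three bits of `code` select the instruction class.
BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06
BPF_H, BPF_ABS = 0x08, 0x20   # ld class: halfword width, absolute packet offset
BPF_JEQ, BPF_K = 0x10, 0x00   # jmp class: jump-if-equal, compare against immediate k
BPF_A = 0x10                  # ret class: return the accumulator instead of k

# Constructed sample: what tcpdump -dd prints for "ip" on an Ethernet link.
SAMPLE_DD = """
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 1, 0x00000800 },
{ 0x6, 0, 0, 0x00000060 },
{ 0x6, 0, 0, 0x00000000 },
"""

DD_LINE = re.compile(r"\{\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\}")

def parse_dd(text):
    """Return a list of (code, jt, jf, k) tuples from -dd output."""
    return [tuple(int(f, 0) for f in m.groups()) for m in DD_LINE.finditer(text)]

def pack(code, jt, jf, k):
    """struct bpf_insn is 8 bytes: u_short code; u_char jt; u_char jf; u_int32 k.
    Little-endian host assumed; jt/jf are the two bytes that are 0 in a ret."""
    return struct.pack("<HBBI", code, jt, jf, k)

def disasm(pc, code, jt, jf, k):
    """Render one instruction the way tcpdump -d prints it."""
    cls = code & 0x07
    if cls == BPF_RET:
        return f"({pc:03d}) ret      " + ("a" if code & 0x18 == BPF_A else f"#{k}")
    if cls == BPF_JMP and code & 0xf0 == BPF_JEQ and code & 0x08 == BPF_K:
        # jt/jf are offsets relative to the *next* instruction (pc + 1).
        return f"({pc:03d}) jeq      #{k:#x}  jt {pc + 1 + jt}  jf {pc + 1 + jf}"
    if cls == BPF_LD and code & 0x18 == BPF_H and code & 0xe0 == BPF_ABS:
        return f"({pc:03d}) ldh      [{k}]"
    raise ValueError(f"opcode {code:#x} at {pc} not handled by this decoder")

def disasm_program(text):
    return [disasm(pc, *insn) for pc, insn in enumerate(parse_dd(text))]

def to_ddd(insns):
    """-ddd form: instruction count, then one decimal 'code jt jf k' line each."""
    return "\n".join([str(len(insns))] + [f"{c} {jt} {jf} {k}" for c, jt, jf, k in insns])

if __name__ == "__main__":
    print("\n".join(disasm_program(SAMPLE_DD)))
    print(to_ddd(parse_dd(SAMPLE_DD)))
```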