Your recommended approach certainly works:

$ tcpdump -nvr /tmp/DG2-test2 '((ip[2:2] - 20) - (((ip[2:2] - 20) / 5) * 5)) != 0 && ip[6] & 0x20 = 0x20'
reading from file /tmp/DG2-test2, link-type EN10MB (Ethernet)
19:01:51.270202 IP (tos 0x0, ttl 64, id 1, offset 40, flags [+], proto ICMP (1), length 61)
    192.168.11.5 > 192.168.11.46: ip-proto-1

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 16
(002) ldh      [16]
(003) sub      #20
(004) st       M[2]
(005) ldh      [16]
(006) sub      #20
(007) div      #5
(008) mul      #5
(009) tax
(010) ld       M[2]
(011) jeq      x                jt 16   jf 12
(012) ldb      [20]
(013) and      #0x20
(014) jeq      #0x20            jt 15   jf 16
(015) ret      #65535
(016) ret      #0

(obviously optimized) vs:

$ tcpdump -nvr /tmp/DG2-test2 '(ip[2:2] - 20) % 5 != 0 && ip[6] & 0x20 = 0x20'
reading from file /tmp/DG2-test2, link-type EN10MB (Ethernet)
19:01:51.270202 IP (tos 0x0, ttl 64, id 1, offset 40, flags [+], proto ICMP (1), length 61)
    192.168.11.5 > 192.168.11.46: ip-proto-1

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldh      [16]
(003) sub      #20
(004) mod      #5
(005) jeq      #0x0             jt 10   jf 6
(006) ldb      [20]
(007) and      #0x20
(008) jeq      #0x20            jt 9    jf 10
(009) ret      #65535
(010) ret      #0

On Wed, 5 Sep 2012 16:19:11 -0700
Guy Harris <g...@alum.mit.edu> wrote:

>
> On Sep 5, 2012, at 2:39 PM, George Bakos wrote:
>
> > I don't see any discussion regarding adding modular operations to
> > pcap, i.e. "header[offset:width] % 4 != 0". I've put together a patch
> > that compiles & honors that (at least on the few systems I've tried),
>
> Does it work if the right-hand side of the % operator isn't a constant power
> of 2 (e.g., by dividing the LHS by the RHS, multiplying the result by the
> RHS, and subtracting the result from the LHS)?
> _______________________________________________
> tcpdump-workers mailing list
> tcpdump-workers@lists.tcpdump.org
> https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
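To check that the sub/div/mul filter and the mod filter accept exactly the same packets, here is an added example (not from the thread and not libpcap code) that interprets both disassembled BPF programs over a constructed Ethernet/IPv4 header and compares them. The small interpreter, the packet builder and the helper names are assumptions written for this illustration.

```python
import struct

# Both programs exactly as tcpdump -d printed them in the post above (instructions
# separated by ";"). ldh [16] is ip[2:2] (total length) behind the 14-byte Ethernet
# header; ldb [20] is ip[6], whose 0x20 bit is the MF (more fragments) flag.
PROG_SUB_DIV_MUL = ("ldh [12]; jeq #0x800 jt 2 jf 16; ldh [16]; sub #20; st M[2]; "
                    "ldh [16]; sub #20; div #5; mul #5; tax; ld M[2]; jeq x jt 16 jf 12; "
                    "ldb [20]; and #0x20; jeq #0x20 jt 15 jf 16; ret #65535; ret #0")
PROG_MOD = ("ldh [12]; jeq #0x800 jt 2 jf 10; ldh [16]; sub #20; mod #5; "
            "jeq #0x0 jt 10 jf 6; ldb [20]; and #0x20; jeq #0x20 jt 9 jf 10; "
            "ret #65535; ret #0")

def run_bpf(prog, pkt):
    """Interpret the BPF subset these two programs use; returns the ret value."""
    code = [ins.split() for ins in prog.split(";")]
    a = x = pc = 0                      # accumulator, index register, program counter
    mem = {}                            # scratch memory M[]
    while True:
        op, *args = code[pc]
        pc += 1
        if op == "ret":
            return int(args[0][1:])
        if op in ("ldh", "ldb"):        # load 16-bit / 8-bit field at packet offset
            a = struct.unpack_from(">H" if op == "ldh" else "B", pkt, int(args[0][1:-1]))[0]
        elif op == "ld":                # ld M[n]
            a = mem[int(args[0][2:-1])]
        elif op == "st":                # st M[n]
            mem[int(args[0][2:-1])] = a
        elif op == "tax":
            x = a
        elif op == "jeq":               # jeq #k or jeq x, with jt / jf targets
            k = x if args[0] == "x" else int(args[0][1:], 0)
            pc = int(args[2]) if a == k else int(args[4])
        else:                           # sub / div / mul / mod / and with immediate k
            k = int(args[0][1:], 0)
            a = {"sub": a - k, "div": a // k, "mul": a * k,
                 "mod": a % k, "and": a & k}[op] & 0xFFFFFFFF

def make_packet(total_length, more_fragments, frag_offset=0):
    # Constructed Ethernet + IPv4 header; only the fields the filter reads matter.
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_length, 1, flags_frag, 64, 1, 0,
                     bytes([192, 168, 11, 5]), bytes([192, 168, 11, 46]))
    return b"\x00" * 12 + b"\x08\x00" + ip

def matches(prog, total_length, more_fragments, frag_offset=0):
    return run_bpf(prog, make_packet(total_length, more_fragments, frag_offset)) != 0

def programs_agree(lengths=range(20, 1501)):
    """True if both programs accept and reject exactly the same packets."""
    return all(matches(PROG_SUB_DIV_MUL, n, mf) == matches(PROG_MOD, n, mf)
               for n in lengths for mf in (False, True))
```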