On Sep 6, 2012, at 12:36 AM, George Bakos wrote:

> $ tcpdump -nvr /tmp/DG2-test2 '(ip[2:2] - 20) % 5 != 0 && ip[6] & 0x20 = 0x20'
>
> reading from file /tmp/DG2-test2, link-type EN10MB (Ethernet)
> 19:01:51.270202 IP (tos 0x0, ttl 64, id 1, offset 40, flags [+], proto ICMP (1), length 61) 192.168.11.5 > 192.168.11.46: ip-proto-1
>
> (000) ldh [12]
> (001) jeq #0x800 jt 2 jf 10
> (002) ldh [16]
> (003) sub #20
> (004) mod #5
> (005) jeq #0x0 jt 10 jf 6
OK, so you presumably added a BPF_MOD instruction to the BPF interpreter as part of your changes, right? There's none in libpcap's bpf_filter.c nor in a fairly recent FreeBSD kernel's bpf_filter.c nor in Linux 3.0.4's net/core/filter.c, so that code won't work with at least those interpreters.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
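An added example, not from the thread or from libpcap: a minimal classic-BPF interpreter in C that runs a constructed program built from the six instructions tcpdump printed above (plus two hypothetical ret instructions, so it covers only the modulo clause) over a constructed Ethernet/IPv4 frame. The mod_ok switch models an interpreter with no BPF_MOD, the situation the reply describes; the opcode values are assumed to match <pcap/bpf.h>.

```c
#include <stdint.h>
#include <stddef.h>
/* Classic BPF opcode values, as in <pcap/bpf.h> and <linux/filter.h>. */
#define OP_LDH_ABS 0x28 /* BPF_LD|BPF_H|BPF_ABS */
#define OP_SUB_K   0x14 /* BPF_ALU|BPF_SUB|BPF_K */
#define OP_MOD_K   0x94 /* BPF_ALU|BPF_MOD|BPF_K: the opcode the reply says is missing */
#define OP_JEQ_K   0x15 /* BPF_JMP|BPF_JEQ|BPF_K */
#define OP_RET_K   0x06 /* BPF_RET|BPF_K */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Constructed program: the six instructions tcpdump printed for the modulo clause, plus two
 * hypothetical ret instructions. jt/jf are relative here, as in struct bpf_insn. */
static const struct insn prog[] = {
    { OP_LDH_ABS, 0, 0, 12     }, /* (000) ldh [12]: EtherType               */
    { OP_JEQ_K,   0, 5, 0x0800 }, /* (001) not IPv4 -> insn 7 (ret #0)      */
    { OP_LDH_ABS, 0, 0, 16     }, /* (002) ldh [16]: ip[2:2], total length   */
    { OP_SUB_K,   0, 0, 20     }, /* (003) sub #20                           */
    { OP_MOD_K,   0, 0, 5      }, /* (004) mod #5                            */
    { OP_JEQ_K,   1, 0, 0      }, /* (005) A == 0 -> insn 7, else insn 6     */
    { OP_RET_K,   0, 0, 65535  }, /* (006) accept                            */
    { OP_RET_K,   0, 0, 0      }, /* (007) reject                            */
};
#define PROG_LEN (sizeof prog / sizeof prog[0])

/* Minimal interpreter for the opcodes above: returns the ret value, or -1 for an opcode it
 * lacks. mod_ok=0 models the interpreters the reply names (a real one refuses at load time). */
long run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len, int mod_ok) {
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *in = &p[pc];
        switch (in->code) {
        case OP_LDH_ABS: if (in->k + 2 > len) return 0;   /* out of bounds: no match */
                         A = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1]; break;
        case OP_SUB_K:   A -= in->k; break;
        case OP_MOD_K:   if (!mod_ok || in->k == 0) return -1; A %= in->k; break;
        case OP_JEQ_K:   pc += (A == in->k) ? in->jt : in->jf; break;
        case OP_RET_K:   return in->k;
        default:         return -1;
        }
    }
    return -1; /* ran off the end: malformed program */
}
/* Constructed 34-byte frame: Ethernet + bare IPv4 header, only EtherType and total length set. */
long filter_frame(uint16_t ethertype, uint16_t ip_total_len, int mod_ok) {
    uint8_t f[34] = {0};
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff;
    f[16] = ip_total_len >> 8; f[17] = ip_total_len & 0xff;
    return run(prog, PROG_LEN, f, sizeof f, mod_ok);
}
```

With the 61-byte total length from the capture above, (61 - 20) % 5 is 1, so the frame matches; with mod_ok=0 the same program fails at the mod instruction instead.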