--- Begin Message ---
Hi!
I would like to use tcpdump and libpcap to filter and examine
batman-adv packets. batman-adv is a mesh routing protocol which
encapsulates layer 2 Ethernet frames.
I know how to identify batman-adv packets via raw ether filters.
What I would additionally like to do is filter by fields of the
inner Ethernet header.
I saw in the manpage that for various keys the decoding offset is
modified for the remainder of the expression.
My question is, is there a way to specify a custom decoding offset
for an encapsulating protocol that is not known by libpcap yet,
like batman-adv?
Or would I need to add batman-adv support to libpcap?
Regards, Linus
PS: The closest I found online so far is this:
https://serverfault.com/questions/617066/tcpdump-decode-packet-starting-at-non-zero-offset
Which suggests something like:
$ tcpdump -i eth0 -w - | editcap -C 82 - - | tcpdump -r -
However, ideally I would like to use a custom offset in a project
based on libpcap:
https://github.com/lemoer/bpfcountd
Where the tcpdump/editcap approach would currently not work.
So some native, custom decoding offset support for a filter
expression would be great.
--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
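
An added example, not part of the original message and not code from libpcap or bpfcountd: with a fixed-length encapsulation header, inner Ethernet fields can be addressed with raw ether[offset:size] accessors, which any libpcap-based program can pass to pcap_compile(). The function names, the EtherType 0x4305, the 10-byte header length and the sample frame are assumptions made for illustration, and the outer frame is assumed to be untagged.

```python
import struct

OUTER_ETH_LEN = 14  # untagged outer Ethernet header: dst(6) + src(6) + type(2)

def _mac_terms(offset, mac):
    # pcap-filter accessors read 1, 2 or 4 bytes, so a 6-byte MAC needs two terms
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    hi, lo = struct.unpack("!IH", raw)
    return [(offset, 4, hi), (offset + 4, 2, lo)]

def inner_eth_terms(encap_len, dst=None, src=None, ethertype=None):
    """(offset, size, value) comparisons against the inner Ethernet header."""
    base = OUTER_ETH_LEN + encap_len  # first byte of the inner frame
    terms = []
    if dst is not None:
        terms += _mac_terms(base, dst)
    if src is not None:
        terms += _mac_terms(base + 6, src)
    if ethertype is not None:
        terms.append((base + 12, 2, ethertype))
    return terms

def to_filter(outer_ethertype, terms):
    """Render the terms as a filter expression for pcap_compile() or tcpdump."""
    parts = [f"ether proto 0x{outer_ethertype:04x}"]
    parts += [f"ether[{o}:{s}] = 0x{v:0{s * 2}x}" for o, s, v in terms]
    return " and ".join(parts)

def matches(frame, outer_ethertype, terms):
    """Evaluate the same comparisons in Python, to check offsets without libpcap."""
    if len(frame) < OUTER_ETH_LEN:
        return False
    if int.from_bytes(frame[12:14], "big") != outer_ethertype:
        return False
    return all(o + s <= len(frame) and int.from_bytes(frame[o:o + s], "big") == v
               for o, s, v in terms)

# Constructed sample values (assumptions, not taken from the message above)
OUTER_TYPE = 0x4305  # assumed EtherType of the encapsulating protocol
ENCAP_LEN = 10       # placeholder length of the encapsulation header
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff" "020000000aaa") + struct.pack("!H", OUTER_TYPE)
                + bytes(ENCAP_LEN)
                + bytes.fromhex("020000000001" "020000000002" "0800") + b"payload")

if __name__ == "__main__":
    terms = inner_eth_terms(ENCAP_LEN, dst="02:00:00:00:00:01", ethertype=0x0800)
    print(to_filter(OUTER_TYPE, terms))
    print(matches(SAMPLE_FRAME, OUTER_TYPE, terms))
```

The expression is only valid for packets whose encapsulation header has the length passed in; a protocol with several header layouts needs one expression per layout, each guarded by a test on the field that selects the layout.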