[tcpdump-workers] Libpcap-1.4.0 BPF_AND not filtering as expected

Aparna Nagarajan aparna.nagarajan26 at gmail.com
Thu Nov 6 01:41:05 EST 2014


>
> Hi All,
>
> I am trying to add some BPF code for capture filters.
>
> I am basically trying to load data into the accumulator from some offset,
> mask it and then match it with some value.
>
> Here is the OPcode:
>
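> { 0x20, 0, 0, 0x00000013 },  /* ld  [0x13]: load 32-bit word at offset 0x13 */
> { 0x54, 0, 0, 0x0ffc0000 },  /* and #0x0ffc0000 */
> { 0x15, 0, 1, 0x01000000 },  /* jeq #0x01000000, jt 0, jf 1 */
> { 0x6, 0, 0, 0x0000ffff },   /* ret #0xffff */
> { 0x6, 0, 0, 0x00000000 },   /* ret #0 */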
>
> The packets are not only matching 0x1000000 but also 0xf000000.
> The other way round is not happening.
>
> Here are the two example packets:
>
> 0 0 0 0 0 bc 6b 6b 6b 6b 6b 6b fc fc 80 8 0 46 fe 71 0 1 0 0 c9 ef 0 0
> 1e e7 2 ff ff fd 0 ff ff fd 22 38 0 0 6c 0 0 0 51 13 ff ff 0 0 0 0 14
> 0 0 0 2 0 0 0 0 0 0 c8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14 0 0 0 50 0 0 0
> d0 0 1 4 2f 3 0 0 0 57 d5
>
> and
>
> 0 0 0 0 ee 0 0 0 0 0 0 a fc fc 91 6 0 e2 ff 7f 0 40 0 1 0 0 0 10 1 0
> 20 ff fa 4 0 ff fa 4 1 0 0 2 0 0 0 0 ff ff ff ff 0 0 0 0 0 0 0 0 0 0 0
> 13 0 0 0 5 9 5c 84 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ff fa 4 0 ff
> fa 4 0 0 c 37 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 6 8 20 0 6 8 20 0 0 7a
> 49 0 8 b9 52 7c 74 d3 2b 7f 2b d6 6e 8f bd 17 a4 9a 1c 76 dd 84 3b 39
> d4 9f 2b ba 6c 88 db 67 aa e3 21 fd 60 95 d0 8b 14 fb 61 83 8b 1f 9a
> 2f b9 b6 a5 96 3a e0 cf e 7f fa c8 ec 83 a3 53 2d 86 74 2a e6 a fa 71
> 1e f6 d3 a1 81 f2 3b b0 ab f1 56 41 2b 36 10 39 b6 a 1 a2 8d a4 f5 bb
> 2b 6a e5 11 74
>
> Hope you can give me some solution to this.
>
> Thanks and Regards,
> Aparna N
>
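
Added example, not part of the original post: a minimal classic-BPF interpreter for the four opcodes in the posted program, run over the first 24 bytes of each posted dump, so the filter logic can be checked independently of the capture stack. It assumes the dumps begin at the offset the filter sees as 0; `struct insn`, `run_filter`, `prog`, `pkt1` and `pkt2` are names introduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Same field layout as libpcap's struct bpf_insn; renamed so no header is needed. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* The five instructions from the post. */
static const struct insn prog[] = {
    { 0x20, 0, 0, 0x00000013 },  /* ld  [0x13] */
    { 0x54, 0, 0, 0x0ffc0000 },  /* and #0x0ffc0000 */
    { 0x15, 0, 1, 0x01000000 },  /* jeq #0x01000000, jt 0, jf 1 */
    { 0x06, 0, 0, 0x0000ffff },  /* ret #0xffff (accept) */
    { 0x06, 0, 0, 0x00000000 },  /* ret #0 (drop) */
};

/* First 24 bytes of each dump in the post (assumed to start at offset 0). */
static const uint8_t pkt1[] = { 0,0,0,0,0,0xbc,0x6b,0x6b,0x6b,0x6b,0x6b,0x6b,
    0xfc,0xfc,0x80,0x08,0,0x46,0xfe,0x71,0,0x01,0,0 };
static const uint8_t pkt2[] = { 0,0,0,0,0xee,0,0,0,0,0,0,0x0a,
    0xfc,0xfc,0x91,0x06,0,0xe2,0xff,0x7f,0,0x40,0,0x01 };

/* Runs the program; returns the ret value (0 = drop) and stores the final accumulator. */
uint32_t run_filter(const struct insn *pc, size_t n, const uint8_t *p, size_t len, uint32_t *acc)
{
    uint32_t A = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t k = pc[i].k;
        switch (pc[i].code) {
        case 0x20:                                   /* BPF_LD|BPF_W|BPF_ABS */
            if (k > len || len - k < 4) return 0;    /* out-of-bounds load drops the packet */
            A = (uint32_t)p[k] << 24 | (uint32_t)p[k+1] << 16 | (uint32_t)p[k+2] << 8 | p[k+3];
            break;
        case 0x54: A &= k; break;                    /* BPF_ALU|BPF_AND|BPF_K */
        case 0x15: i += (A == k) ? pc[i].jt : pc[i].jf; break;  /* BPF_JMP|BPF_JEQ|BPF_K */
        case 0x06: if (acc) *acc = A; return k;      /* BPF_RET|BPF_K */
        default: return 0;                           /* opcode not handled in this sketch */
        }
    }
    return 0;
}

int main(void)
{
    uint32_t a1 = 0, a2 = 0;
    uint32_t r1 = run_filter(prog, 5, pkt1, sizeof pkt1, &a1);
    uint32_t r2 = run_filter(prog, 5, pkt2, sizeof pkt2, &a2);
    printf("pkt1: A=0x%08x ret=%u\npkt2: A=0x%08x ret=%u\n", a1, r1, a2, r2);
    return 0;
}
```

Under these assumptions the word at offset 0x13 is 0x71000100 in the first dump and 0x7f004000 in the second, so the masked accumulator is 0x01000000 and 0x0f000000 respectively. The interpreter therefore returns 0xffff for the first dump and 0 for the second.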

