[tcpdump-workers] Libpcap-1.4.0 BPF_AND not filtering as expected

Aparna Nagarajan aparna.nagarajan26 at gmail.com
Thu Nov 6 03:26:03 EST 2014


Hi Guy Harris,

Here is the translated code.

    /* initialization */
    static u_int off_didx = 5;
    bpf_u_int32 didx_mask = 0x0ffc0000;
    didx = didx << 18;
    b0 = gen_ncmp(OR_MACPL, off_didx, BPF_W, didx_mask, BPF_JEQ, 0,
                  (bpf_int32)didx);

The input value of didx is 0x40.

Here is what 'gen_ncmp' generates:

    gen_load_a(offrel, offset, size);   ==>  { 0x20, 0, 0, 0x00000013 }
        Load one word at offset 0x13 into the accumulator (A).
    new_stmt(BPF_ALU|BPF_AND|BPF_K);    ==>  { 0x54, 0, 0, 0x0ffc0000 }
        AND the mask entered with the value in A.
    new_block(JMP(jtype));              ==>  { 0x15, 0, 1, 0x01000000 }
        A jump statement to compare the value in didx with the value in A.

Thanks and Regards,
Aparna


On 6 November 2014 13:04, Guy Harris <guy at alum.mit.edu> wrote:
>
> On Nov 5, 2014, at 10:41 PM, Aparna Nagarajan <aparna.nagarajan26 at gmail.com> wrote:
>
>>>
>>> Hi All,
>>>
>>> I am trying to add some BPF code for capture filters.
>>>
>>> I am basically trying to load data into the accumulator from some offset,
>>> mask it and then match it with some value.
>>>
>>> Here is the OPcode:
>>>
>>> { 0x20, 0, 0, 0x00000013 }, { 0x54, 0, 0, 0x0ffc0000 }, { 0x15, 0, 1,
>>> 0x01000000 }, { 0x6, 0, 0, 0x0000ffff }, { 0x6, 0, 0, 0x00000000 },
>
> Please translate that to BPF assembler language; I'm too busy to translate it myself.
>
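
An added example, not part of the thread and not libpcap code: a minimal interpreter for the four classic BPF opcodes in the quoted program, run over a constructed packet so the load, mask and compare can be checked by hand. The names `run_filter`, `test_packet` and the 64-byte sample packet are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same {code, jt, jf, k} layout as the tuples quoted in the thread. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

static const struct insn didx_prog[] = {
    { 0x20, 0, 0, 0x00000013 },  /* ld  [19]         A = 32-bit word at offset 0x13 */
    { 0x54, 0, 0, 0x0ffc0000 },  /* and #0x0ffc0000  keep bits 18..27 of A */
    { 0x15, 0, 1, 0x01000000 },  /* jeq #0x1000000   0x40 << 18; jt 0, jf 1 */
    { 0x06, 0, 0, 0x0000ffff },  /* ret #65535       accept */
    { 0x06, 0, 0, 0x00000000 },  /* ret #0           reject */
};
#define DIDX_PROG_LEN (sizeof didx_prog / sizeof didx_prog[0])

/* Interprets only the opcodes used above and returns the snap length
 * (0 = drop). Out-of-bounds loads and unknown opcodes reject the packet. */
static uint32_t run_filter(const struct insn *p, size_t n,
                           const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        switch (i->code) {
        case 0x20: {                       /* BPF_LD|BPF_W|BPF_ABS */
            if (i->k > len || len - i->k < 4) return 0;
            const uint8_t *b = pkt + i->k; /* word is read in network byte order */
            A = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
            break;
        }
        case 0x54: A &= i->k; break;                        /* BPF_ALU|BPF_AND|BPF_K */
        case 0x15: pc += (A == i->k) ? i->jt : i->jf; break; /* BPF_JMP|BPF_JEQ|BPF_K */
        case 0x06: return i->k;                             /* BPF_RET|BPF_K */
        default:   return 0;
        }
    }
    return 0;
}

/* Constructed sample: 64 zero bytes with the 10-bit field at offset 19 set to didx. */
static uint32_t test_packet(uint32_t didx)
{
    uint8_t pkt[64] = {0};
    uint32_t w = (didx << 18) & 0x0ffc0000;
    pkt[19] = (uint8_t)(w >> 24); pkt[20] = (uint8_t)(w >> 16);
    pkt[21] = (uint8_t)(w >> 8);  pkt[22] = (uint8_t)w;
    return run_filter(didx_prog, DIDX_PROG_LEN, pkt, sizeof pkt);
}

int main(void) {
    printf("0x40 -> %u, 0x41 -> %u\n", (unsigned)test_packet(0x40), (unsigned)test_packet(0x41));
    return 0;
}
```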

