[tcpdump-workers] Libpcap-1.4.0 BPF_AND not filtering as exected

Aparna Nagarajan aparna.nagarajan26 at gmail.com
Mon Nov 10 04:32:19 EST 2014


There seems to be a bug in libpcap version 1.4.0 . The same code works
good in 1.6.2 :)

Thanks a lot.

Aparna N

On 6 November 2014 13:56, Aparna Nagarajan <aparna.nagarajan26 at gmail.com> wrote:
> Hi Guy Harris,
>
> Here is the translated code.
>
>     /*initialization*/
>     static u_int off_didx = 5;
>     bpf_u_int32 didx_mask = 0x0ffc0000;
>     didx = didx<<18;
>      b0 =  gen_ncmp(OR_MACPL, off_didx, BPF_W, didx_mask, BPF_JEQ, 0,
> (bpf_int32)didx);
>
> the i/p value of didx is 0x40.
>
> here is what  'gen_ncmp' generates:
>     gen_load_a(offrel, offset, size); ==>  { 0x20, 0, 0, 0x00000013 }
> load one word at offset 0x13 into accumulator(A)
>     new_stmt(BPF_ALU|BPF_AND|BPF_K);  ===>  { 0x54, 0, 0, 0x0ffc0000 }
> AND the mask entered with the value in A.
>     new_block(JMP(jtype)); ===>  { 0x15, 0, 1,0x01000000 } a jump
> statement to compare value in didx with value in A.
>
> Thanks and Regards,
> Aparna
>
>
> On 6 November 2014 13:04, Guy Harris <guy at alum.mit.edu> wrote:
>>
>> On Nov 5, 2014, at 10:41 PM, Aparna Nagarajan <aparna.nagarajan26 at gmail.com> wrote:
>>
>>>>
>>>> Hi All,
>>>>
>>>> I am trying to add some BPF code for capture filters.
>>>>
>>>> I am basically trying to load data into accumilator from some offset,
>>>> Mask it and them match it with some value.
>>>>
>>>> Here is the OPcode:
>>>>
>>>> { 0x20, 0, 0, 0x00000013 }, { 0x54, 0, 0, 0x0ffc0000 }, { 0x15, 0, 1,
>>>> 0x01000000 }, { 0x6, 0, 0, 0x0000ffff }, { 0x6, 0, 0, 0x00000000 },
>>
>> Please translate that to BPF assembler language; I'm too busy to translate it myself.
>>


More information about the tcpdump-workers mailing list