[tcpdump-workers] Libpcap-1.4.0 BPF_AND not filtering as expected
Aparna Nagarajan
aparna.nagarajan26 at gmail.com
Mon Nov 10 04:32:19 EST 2014
There seems to be a bug in libpcap version 1.4.0. The same code works
well in 1.6.2 :)
Thanks a lot.
Aparna N
On 6 November 2014 13:56, Aparna Nagarajan <aparna.nagarajan26 at gmail.com> wrote:
> Hi Guy Harris,
>
> Here is the translated code.
>
> /*initialization*/
> static u_int off_didx = 5;
> bpf_u_int32 didx_mask = 0x0ffc0000;
> didx = didx<<18;
> b0 = gen_ncmp(OR_MACPL, off_didx, BPF_W, didx_mask, BPF_JEQ, 0,
> (bpf_int32)didx);
>
> the i/p value of didx is 0x40.
>
> here is what 'gen_ncmp' generates:
> gen_load_a(offrel, offset, size); ==> { 0x20, 0, 0, 0x00000013 }
> load one word at offset 0x13 into accumulator(A)
> new_stmt(BPF_ALU|BPF_AND|BPF_K); ===> { 0x54, 0, 0, 0x0ffc0000 }
> AND the mask entered with the value in A.
> new_block(JMP(jtype)); ===> { 0x15, 0, 1,0x01000000 } a jump
> statement to compare value in didx with value in A.
>
> Thanks and Regards,
> Aparna
>
>
> On 6 November 2014 13:04, Guy Harris <guy at alum.mit.edu> wrote:
>>
>> On Nov 5, 2014, at 10:41 PM, Aparna Nagarajan <aparna.nagarajan26 at gmail.com> wrote:
>>
>>>>
>>>> Hi All,
>>>>
>>>> I am trying to add some BPF code for capture filters.
>>>>
>>>> I am basically trying to load data into accumulator from some offset,
>>>> Mask it and then match it with some value.
>>>>
>>>> Here is the OPcode:
>>>>
>>>> { 0x20, 0, 0, 0x00000013 }, { 0x54, 0, 0, 0x0ffc0000 }, { 0x15, 0, 1,
>>>> 0x01000000 }, { 0x6, 0, 0, 0x0000ffff }, { 0x6, 0, 0, 0x00000000 },
>>
>> Please translate that to BPF assembler language; I'm too busy to translate it myself.
>>
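Added example, not part of the original thread and not libpcap code: a minimal interpreter for the four opcodes in the quoted program, run over a constructed packet, to check what the load / AND / JEQ sequence should return independently of any libpcap version. The names `struct insn`, `didx_filter`, `run_filter` and `match_word` are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Same field layout as libpcap's struct bpf_insn; this name is local to the example. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* The five instructions quoted in the thread. */
static const struct insn didx_filter[] = {
    { 0x20, 0, 0, 0x00000013 },  /* ld  [19]          BPF_LD|BPF_W|BPF_ABS   */
    { 0x54, 0, 0, 0x0ffc0000 },  /* and #0x0ffc0000   BPF_ALU|BPF_AND|BPF_K  */
    { 0x15, 0, 1, 0x01000000 },  /* jeq #0x01000000   jt -> insn 3, jf -> 4  */
    { 0x06, 0, 0, 0x0000ffff },  /* ret #65535        accept                 */
    { 0x06, 0, 0, 0x00000000 },  /* ret #0            reject                 */
};

/* Interprets only the four opcodes above. Returns the snap length,
 * 0 meaning the packet is rejected, as bpf_filter() does. */
static uint32_t run_filter(const struct insn *pc, size_t n,
                           const uint8_t *p, size_t len)
{
    uint32_t a = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t k = pc[i].k;
        switch (pc[i].code) {
        case 0x20:
            if (k > len || len - k < 4) return 0;   /* out-of-bounds load rejects */
            a = (uint32_t)p[k] << 24 | (uint32_t)p[k + 1] << 16 |
                (uint32_t)p[k + 2] << 8 | p[k + 3]; /* network byte order */
            break;
        case 0x54: a &= k; break;
        case 0x15: i += (a == k) ? pc[i].jt : pc[i].jf; break;
        case 0x06: return k;
        default:   return 0;  /* opcode not covered by this example */
        }
    }
    return 0;
}

/* Constructed packet: 23 bytes, all zero except a big-endian word at offset 0x13. */
static uint32_t match_word(uint32_t word)
{
    uint8_t pkt[23] = {0};
    pkt[19] = (uint8_t)(word >> 24); pkt[20] = (uint8_t)(word >> 16);
    pkt[21] = (uint8_t)(word >> 8);  pkt[22] = (uint8_t)word;
    return run_filter(didx_filter, 5, pkt, sizeof pkt);
}
```

Bits outside the mask 0x0ffc0000 do not affect the result, so a word of 0xf103ffff is accepted just like 0x01000000 (0x40 << 18), while 0x01040000 is rejected.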