[tcpdump-workers] BPF Extended: addressing BPF's shortcomings

Paul "LeoNerd" Evans leonerd at leonerd.org.uk
Thu Jun 11 09:33:52 EDT 2015


On Thu, 11 Jun 2015 20:12:00 +1000
Darren Reed <darrenr at netbsd.org> wrote:

> >   2) A few more AD constants added to the Linux "auxdata" area,
> > giving information about the transport layer.
> 
> Can you please expand on this?

See the SKF_NET_OFF and SKF_LL_OFF constants.
I wanted to simply add another, SKF_TRANS_OFF

This would give an offset into a virtual view of the "transport" layer;
i.e. the start of the TCP/UDP/whatever header, regardless where it
starts in the packet.

Now, filtering for a given TCP port only needs to compare the value of
SKF_AD_TRANSPORT (which we'd also have to add), and then look at
certain indexes into SKF_TRANS_OFF; it doesn't have to *find* the TCP
header at all, doesn't care if it's IPv4 or IPv6 or whatever...

-- 
Paul "LeoNerd" Evans

leonerd at leonerd.org.uk
http://www.leonerd.org.uk/  |  https://metacpan.org/author/PEVANS


More information about the tcpdump-workers mailing list