[tcpdump-workers] BPF Extended: addressing BPF's shortcomings
mcr at sandelman.ca
Thu Jun 11 09:50:20 EDT 2015
"Paul \"LeoNerd\" Evans" <leonerd at leonerd.org.uk> wrote:
>> > 2) A few more AD constants added to the Linux "auxdata" area,
>> > giving information about the transport layer.
>> Can you please expand on this?
> See the SKF_NET_OFF and SKF_LL_OFF constants.
> I wanted to simply add another, SKF_TRANS_OFF
> This would give an offset into a virtual view of the "transport" layer;
> i.e. the start of the TCP/UDP/whatever header, regardless where it
> starts in the packet.
> Now, filtering for a given TCP port only needs to compare the value of
> SKF_AD_TRANSPORT (which we'd also have to add), and then look at
> certain indexes into SKF_TRANS_OFF; it doesn't have to *find* the TCP
> header at all, doesn't care if it's IPv4 or IPv6 or whatever...
Is Linux even going to set that if it's for a VLAN or an IP address that
is not recognized as local?
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
More information about the tcpdump-workers