[tcpdump-workers] BPF Extended: addressing BPF's shortcomings

Michael Richardson mcr at sandelman.ca
Thu Jun 11 09:50:20 EDT 2015


"Paul \"LeoNerd\" Evans" <leonerd at leonerd.org.uk> wrote:
    >> >   2) A few more AD constants added to the Linux "auxdata" area,
    >> > giving information about the transport layer.
    >>
    >> Can you please expand on this?

    > See the SKF_NET_OFF and SKF_LL_OFF constants.
    > I wanted to simply add another, SKF_TRANS_OFF

    > This would give an offset into a virtual view of the "transport" layer;
    > i.e. the start of the TCP/UDP/whatever header, regardless where it
    > starts in the packet.

    > Now, filtering for a given TCP port only needs to compare the value of
    > SKF_AD_TRANSPORT (which we'd also have to add), and then look at
    > certain indexes into SKF_TRANS_OFF; it doesn't have to *find* the TCP
    > header at all, doesn't care if it's IPv4 or IPv6 or whatever...

Is Linux even going to set that if it's for a VLAN or an IP address that
is not recognized as local?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [





More information about the tcpdump-workers mailing list