BPF Exam

Denis Ovsienko denis at ovsienko.info
Sun Jun 5 13:11:19 EDT 2022

Hello list.

A while ago I tried to comprehend a few BPF-related bug reports in
libpcap and found it difficult to follow the logic of filter
compilation and optimization.  On one hand, there is the universally
available, but basic "tcpdump -d" pseudocode listing.  On the other,
there is the off-by-default optimizer debug mode in libpcap and the
associated visopts.py script (and the C source code, of course).  But it
seemed as if something in between these levels of detail would be
more convenient in some cases.

One of the bug reports (798) contained a block of BPF bytecode
disassembly with visualized conditional jump instructions, which seemed
useful and led me to discover Radare2.  After some experimentation and
integration it became possible to produce several different types of
debugging information easily on one page (called "BPF Exam"):


As usual, there is some space for future improvements, but this revision
looks ready for general use.  Currently the page allows at most 1 form
submission per second to limit the impact on the server resources,
other than that everything should be self-explanatory.  Feedback is
welcome on the list.


    Denis Ovsienko
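To make the "in between" level of detail concrete, here is an added example (not code from the post, from BPF Exam, or from libpcap) that takes the `{ code, jt, jf, k }` array form printed by `tcpdump -dd`, renders it the way `tcpdump -d` does with absolute jump targets, runs the same kind of static checks `bpf_validate()` performs (targets in range, no division by a constant zero, scratch-memory index in bounds, no unreachable instructions) and counts the accept/reject paths through the conditional jumps. It assumes the classic opcode field layout from `<pcap/bpf.h>`; the embedded sample program is constructed to match the conventional `tcp port 80` filter on Ethernet, and the function names are the example's own.

```python
"""Classic BPF disassembler and checker fed from 'tcpdump -dd' output.

Added example, not part of libpcap or BPF Exam.  Assumes the { code, jt, jf, k }
array form of 'tcpdump -dd' and the classic opcode field layout from <pcap/bpf.h>.
"""
import re
from collections import deque

# Instruction classes (code & 0x07).
BPF_LD, BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_RET, BPF_MISC = range(8)
SIZE = {0x00: "", 0x08: "h", 0x10: "b"}          # code & 0x18, spelled as 'tcpdump -d' does
ALU_OPS = {0x00: "add", 0x10: "sub", 0x20: "mul", 0x30: "div", 0x40: "or", 0x50: "and",
           0x60: "lsh", 0x70: "rsh", 0x80: "neg", 0x90: "mod", 0xa0: "xor"}
JMP_OPS = {0x00: "ja", 0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset"}
BPF_MEMWORDS = 16                                # size of the M[] scratch memory

DD_LINE = re.compile(r"\{\s*(0x[0-9a-fA-F]+|\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(0x[0-9a-fA-F]+|\d+)\s*\}")

def parse_dd(text):
    """Parse 'tcpdump -dd' lines into (code, jt, jf, k) tuples."""
    num = lambda v: int(v, 16) if v.lower().startswith("0x") else int(v)
    return [tuple(num(v) for v in m.groups()) for m in DD_LINE.finditer(text)]

def decode(pc, insn):
    """Return (mnemonic, operand, successors) for the instruction at pc.
    successors are the pcs control can flow to; [] means the instruction returns."""
    code, jt, jf, k = insn
    cls, size, mode = code & 0x07, code & 0x18, code & 0xe0
    if cls in (BPF_LD, BPF_LDX):
        if mode == 0xa0:                         # BPF_MSH: X = 4 * (P[k] & 0xf), the IPv4 IHL trick
            return "ldxb", f"4*([{k}]&0xf)", [pc + 1]
        operand = {0x00: f"#{k:#x}", 0x20: f"[{k}]", 0x40: f"[x + {k}]",
                   0x60: f"M[{k}]", 0x80: "#pktlen"}[mode]
        reg = "ld" if cls == BPF_LD else "ldx"
        return reg + (SIZE[size] if mode in (0x20, 0x40) else ""), operand, [pc + 1]
    if cls in (BPF_ST, BPF_STX):
        return ("st" if cls == BPF_ST else "stx"), f"M[{k}]", [pc + 1]
    if cls == BPF_ALU:
        op = ALU_OPS[code & 0xf0]
        return op, ("" if op == "neg" else "x" if code & 0x08 else f"#{k}"), [pc + 1]
    if cls == BPF_JMP:
        op = JMP_OPS[code & 0xf0]
        if op == "ja":
            return op, str(pc + 1 + k), [pc + 1 + k]
        src = "x" if code & 0x08 else f"#{k:#x}"
        return op, src, [pc + 1 + jt, pc + 1 + jf]   # jt/jf are offsets relative to pc + 1
    if cls == BPF_RET:
        rval = code & 0x18
        return "ret", ("" if rval == 0x10 else "x" if rval == 0x08 else f"#{k}"), []
    return ("tax" if (code & 0xf8) == 0 else "txa"), "", [pc + 1]   # BPF_MISC

def listing(prog):
    """Render the program like 'tcpdump -d', with absolute jump targets."""
    lines = []
    for pc, insn in enumerate(prog):
        op, operand, succ = decode(pc, insn)
        if len(succ) == 2:
            lines.append(f"({pc:03d}) {op:<8} {operand:<16} jt {succ[0]}\tjf {succ[1]}")
        else:
            lines.append(f"({pc:03d}) {op:<8} {operand}".rstrip())
    return lines

def reachable(prog):
    """Instruction indices control can reach from instruction 0."""
    seen, todo = set(), deque([0])
    while todo:
        pc = todo.popleft()
        if pc in seen or pc >= len(prog):
            continue
        seen.add(pc)
        try:
            todo.extend(decode(pc, prog[pc])[2])
        except KeyError:                          # undecodable opcode: treat as a dead end
            pass
    return seen

def validate(prog):
    """Static checks in the spirit of bpf_validate(); returns every problem found."""
    n, problems = len(prog), []
    if n == 0:
        return ["empty program"]
    for pc, (code, jt, jf, k) in enumerate(prog):
        cls, mode = code & 0x07, code & 0xe0
        try:
            op, _, succ = decode(pc, (code, jt, jf, k))
        except KeyError:
            problems.append(f"{pc}: undecodable opcode {code:#x}")
            continue
        problems += [f"{pc}: control flows to {t}, past the end" for t in succ if t >= n]
        if cls == BPF_ALU and op in ("div", "mod") and not code & 0x08 and k == 0:
            problems.append(f"{pc}: division by constant zero")
        if (cls in (BPF_ST, BPF_STX) or (cls in (BPF_LD, BPF_LDX) and mode == 0x60)) and k >= BPF_MEMWORDS:
            problems.append(f"{pc}: scratch memory index {k} out of range")
    problems += [f"{pc}: unreachable instruction" for pc in sorted(set(range(n)) - reachable(prog))]
    return problems

def count_paths(prog):
    """Count execution paths ending in accept (ret #nonzero), reject (ret #0) or a
    register-dependent 'ret a'/'ret x'.  Classic BPF jumps only forward, so the walk
    terminates; the path count is exponential in the worst case, fine for filters."""
    counts = {"accept": 0, "reject": 0, "dynamic": 0}
    def walk(pc):
        code, _, _, k = prog[pc]
        succ = decode(pc, prog[pc])[2]
        if not succ:
            counts["dynamic" if code & 0x18 else ("accept" if k else "reject")] += 1
        for nxt in succ:
            walk(nxt)
    walk(0)
    return counts

# Constructed sample in 'tcpdump -dd' form: the conventional program for
# "tcp port 80" on Ethernet (IPv6 branch first, then IPv4 with the fragment check).
TCP_PORT_80_DD = """
{ 0x28, 0, 0, 0x0000000c }, { 0x15, 0, 6, 0x000086dd }, { 0x30, 0, 0, 0x00000014 },
{ 0x15, 0, 15, 0x00000006 }, { 0x28, 0, 0, 0x00000036 }, { 0x15, 12, 0, 0x00000050 },
{ 0x28, 0, 0, 0x00000038 }, { 0x15, 10, 11, 0x00000050 }, { 0x15, 0, 10, 0x00000800 },
{ 0x30, 0, 0, 0x00000017 }, { 0x15, 0, 8, 0x00000006 }, { 0x28, 0, 0, 0x00000014 },
{ 0x45, 6, 0, 0x00001fff }, { 0xb1, 0, 0, 0x0000000e }, { 0x48, 0, 0, 0x0000000e },
{ 0x15, 2, 0, 0x00000050 }, { 0x48, 0, 0, 0x00000010 }, { 0x15, 0, 1, 0x00000050 },
{ 0x6, 0, 0, 0x00040000 }, { 0x6, 0, 0, 0x00000000 },
"""
PROG = parse_dd(TCP_PORT_80_DD)

if __name__ == "__main__":
    print("\n".join(listing(PROG)))
    print("problems:", validate(PROG) or "none")
    print("paths:", count_paths(PROG))
```

Running it prints the familiar 20-line `-d` style listing, reports no problems, and shows that the filter has four accepting paths (IPv6 source port, IPv6 destination port, IPv4 source port, IPv4 destination port) and six rejecting ones; feeding it a program with a jump past the end, or an instruction the optimizer left unreachable, lists those as problems.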

More information about the tcpdump-workers mailing list