Deconstructing BPF filter in TCPdump
networking,tcp,filter,tcpdump,bpf
tcp[12:1] is the byte at an offset of 12 bytes from the beginning of the TCP header; the 12 is not the offset from the beginning of the packet, it's the offset from the beginning of the TCP header (it's tcp[12:1], not ether[12:1] or something such as that). The "1"...
How to build Linux kernel to support SO_ATTACH_BPF socket option?
c,linux,sockets,linux-kernel,bpf
In my setup, which is based on Fedora 21, I use very similar steps to those you linked to compile and install the latest kernel. As an additional step, I will do the following from the kernel build tree to install the kernel header files into /usr/local/include: sudo make INSTALL_HDR_PATH=/usr/local...
Libpcap filter strings using “vlan” are behaving weirdly
pcap,libpcap,tcpdump,packet-capture,bpf
vlan is weird. To quote the pcap-filter man page: vlan [vlan_id] True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id] is specified, only true if the packet has the specified vlan_id. Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder...
Using libpcap to library sample dump files
If you want to dump only a fraction of the packets, the way you'd do that is, indeed, to have the callback ignore some packets and write out others. Pcap filters are stateless and thus can't support "only match every fifth frame" or anything such as that.
Correct filter expression in libpcap for outgoing packets
The syntax is incorrect because tcp-psh is not a valid syntax. The correct one is tcp-push. So the correct filter expression will be: char filter_exp[] = "src host 172.16.0.1 and tcp[tcpflags] & (tcp-syn | tcp-fin | tcp-rst | tcp-push) == 0"; ...
Are Berkeley Packet Filter opcode values implementation defined?
No, other than instructions that some BPF interpreters/JITs support but others don't, they have the same binary values. Compare, for example, the current libpcap pcap/bpf.h with, at least, the Linux linux/bpf_common.h and linux/filter.h in the 3.19 kernel, and note the comment in linux/filter.h that reads: /* * Try and keep...