pcap,libpcap,tcpdump,packet-capture,bpf
vlan is weird. To quote the pcap-filter man page: vlan [vlan_id] True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id] is specified, only true if the packet has the specified vlan_id. Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder...
networking,tcp,filter,tcpdump,bpf
tcp[12:1] is the byte at an offset of 12 bytes from the beginning of the TCP header; the 12 is not the offset from the beginning of the packet, it's the offset from the beginning of the TCP header (it's tcp[12:1], not ether[12:1] or something such as that). The "1"...
No, other than instructions that some BPF interpreters/JITs support but others don't, they have the same binary values. Compare, for example, the current libpcap pcap/bpf.h with, at least, the Linux linux/bpf_common.h and linux/filter.h in the 3.19 kernel, and note the comment in linux/filter.h that reads: /* * Try and keep...
c,linux,sockets,linux-kernel,bpf
In my setup, which is based on Fedora 21, I use very similar steps to those you linked to compile and install the latest kernel. As an additional step, I will do the following from the kernel build tree to install the kernel header files into /usr/local/include: sudo make INSTALL_HDR_PATH=/usr/local...
The syntax is incorrect because tcp-psh is not valid syntax. The correct one is tcp-push. So the correct filter expression will be: char filter_exp[] = "src host 172.16.0.1 and tcp[tcpflags] & (tcp-syn | tcp-fin | tcp-rst | tcp-push) == 0"; ...
If you want to dump only a fraction of the packets, the way you'd do that is, indeed, to have the callback ignore some packets and write out others. Pcap filters are stateless and thus can't support "only match every fifth frame" or anything such as that.