Grabbed the latest:

Building netsniff-ng toolkit (0.5.8-rc0) for x86_64-linux-gnu:
Building netsniff-ng:
-e   CC bpf.c
bpf.c: In function ‘bpf_parse_rules’:
bpf.c:780:21: error: storage size of ‘bpfp’ isn’t known
bpf.c:780:21: warning: unused variable ‘bpfp’ [-Wunused-variable]
make: *** [netsniff-ng/bpf.o] Error 1
On Fri, Jan 25, 2013 at 9:53 AM, Daniel Borkmann <[email protected]> wrote:
> On Fri, Jan 25, 2013 at 4:27 AM, Jon Schipp <[email protected]> wrote:
>
>> I'm confused about the terminology here too. I imagine that
>> "-L|--lla Compile low-level BPF" means compile to
>> low-level BPF rather than _output_ a low-level
>> filter. I think it's just the ambiguous wording because mnemonics like
>> ld, jeq look higher level than 0x20, 0x28.
>
> Right, I've just removed that in upstream.
>
> Also, for a better user experience, I've decided to add support for
> tcpdump-like filtering syntax.
>
> For netsniff-ng this means, e.g.:
>
> - netsniff-ng -i eth0 udp or tcp
> - netsniff-ng -i eth0 -f "udp or tcp" -V -o out.pcap --silent
> - netsniff-ng -i eth0 -f filter.bpfo -V -o out.pcap --silent
>
> Where ``cat filter.bpfo'' contains sth. like these opcodes ...
>
> { 0x20, 0, 0, 0x00000008 },
> { 0x15, 0, 3, 0xccddeeff },
> { 0x28, 0, 0, 0x00000006 },
> { 0x15, 0, 1, 0x0000aabb },
> { 0x6, 0, 0, 0xffffffff },
> { 0x6, 0, 0, 0x00000000 },
>
> .... that were produced by bpfc. This means, now you have the full
> program. ;-) For low-level debugging or advanced filtering (i.e. Linux
> socket filter extensions), you can use bpfc, compile it into a file,
> pass it to netsniff-ng, for high-level filtering everyone knows
> tcpdump-like syntax, so you can pass this as well via -f. Internally,
> it's checked if the parameter you've passed is a file or not.

--
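The quoted `.bpfo` listing is raw classic-BPF opcodes, which is exactly why the thread found the low-level form hard to read next to `ld`/`jeq` mnemonics. The following is an added example (not code from netsniff-ng or bpfc) that parses that `{ code, jt, jf, k },` text, disassembles the opcodes back into mnemonics, applies the same sanity checks the kernel applies before attaching a filter (jump targets inside the program, program ends in `ret`), and runs the program over two constructed Ethernet frames. The frame layout and the helper names (`parse_bpfo`, `disasm`, `validate`, `run`, `eth_frame`, `demo`) are assumptions for the demo; only the six opcodes come from the mail.

```python
import re
from dataclasses import dataclass

# Classic BPF encoding constants (values as in linux/filter.h).
BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06          # instruction classes
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10               # load sizes
BPF_ABS = 0x20                                       # addressing mode: packet[k]
BPF_JEQ, BPF_JGT, BPF_JGE, BPF_JSET = 0x10, 0x20, 0x30, 0x40
BPF_K, BPF_X, BPF_A = 0x00, 0x08, 0x10               # operand: immediate / X / accumulator

# Constructed sample: the bpfc output quoted in the thread, as `cat filter.bpfo` shows it.
BPFO_TEXT = """
{ 0x20, 0, 0, 0x00000008 },
{ 0x15, 0, 3, 0xccddeeff },
{ 0x28, 0, 0, 0x00000006 },
{ 0x15, 0, 1, 0x0000aabb },
{ 0x6, 0, 0, 0xffffffff },
{ 0x6, 0, 0, 0x00000000 },
"""

@dataclass
class Insn:
    code: int
    jt: int
    jf: int
    k: int

INSN_RE = re.compile(
    r"\{\s*(0x[0-9a-fA-F]+|\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(0x[0-9a-fA-F]+|\d+)\s*\}")

def parse_bpfo(text):
    """Parse '{ code, jt, jf, k },' lines (hypothetical reader for the bpfc text form)."""
    return [Insn(int(c, 0), int(jt), int(jf), int(k, 0))
            for c, jt, jf, k in INSN_RE.findall(text)]

def validate(prog):
    """Refuse what the kernel's filter checker refuses: empty program, a jump that
    leaves the program, or a program that does not end in a return."""
    if not prog:
        raise ValueError("empty program")
    for i, ins in enumerate(prog):
        if (ins.code & 0x07) != BPF_JMP:
            continue
        targets = [i + 1 + ins.k] if (ins.code & 0xf0) == 0 else [i + 1 + ins.jt, i + 1 + ins.jf]
        if any(t >= len(prog) for t in targets):
            raise ValueError(f"insn {i}: jump target out of range")
    if (prog[-1].code & 0x07) != BPF_RET:
        raise ValueError("program does not end in ret")
    return True

def disasm(ins):
    """Render one instruction in bpf_asm-style mnemonics (the subset bpfc emitted above)."""
    cls = ins.code & 0x07
    if cls == BPF_LD and (ins.code & 0xe0) == BPF_ABS:
        return f"{ {BPF_W: 'ld', BPF_H: 'ldh', BPF_B: 'ldb'}[ins.code & 0x18] } [{ins.k}]".replace("  ", " ").strip()
    if cls == BPF_JMP:
        op = ins.code & 0xf0
        if op == 0:
            return f"ja +{ins.k}"
        mnem = {BPF_JEQ: "jeq", BPF_JGT: "jgt", BPF_JGE: "jge", BPF_JSET: "jset"}[op]
        src = "x" if ins.code & BPF_X else f"#{ins.k:#x}"
        return f"{mnem} {src}, jt +{ins.jt}, jf +{ins.jf}"
    if cls == BPF_RET:
        return "ret a" if ins.code & BPF_A else f"ret #{ins.k:#x}"
    raise NotImplementedError(f"opcode {ins.code:#x} not handled in this demo")

def run(prog, pkt):
    """Interpret the filter over a packet; returns the accept length (0 = drop)."""
    validate(prog)
    acc, x, pc = 0, 0, 0
    while True:
        ins = prog[pc]
        cls = ins.code & 0x07
        if cls == BPF_LD and (ins.code & 0xe0) == BPF_ABS:
            size = {BPF_W: 4, BPF_H: 2, BPF_B: 1}[ins.code & 0x18]
            if ins.k + size > len(pkt):
                return 0                      # out-of-bounds load drops the packet, as in the kernel
            acc = int.from_bytes(pkt[ins.k:ins.k + size], "big")
            pc += 1
        elif cls == BPF_JMP:
            op = ins.code & 0xf0
            if op == 0:
                pc += 1 + ins.k
                continue
            rhs = x if ins.code & BPF_X else ins.k
            cond = {BPF_JEQ: acc == rhs, BPF_JGT: acc > rhs,
                    BPF_JGE: acc >= rhs, BPF_JSET: (acc & rhs) != 0}[op]
            pc += 1 + (ins.jt if cond else ins.jf)
        elif cls == BPF_RET:
            return acc if ins.code & BPF_A else ins.k
        else:
            raise NotImplementedError(f"opcode {ins.code:#x} not handled in this demo")

def eth_frame(src_mac_hex):
    """Constructed Ethernet frame: dst 00:11:22:33:44:55, given src MAC, EtherType 0x0800, zero payload."""
    return bytes.fromhex("001122334455") + bytes.fromhex(src_mac_hex) + bytes.fromhex("0800") + b"\x00" * 20

def demo():
    prog = parse_bpfo(BPFO_TEXT)
    listing = [disasm(i) for i in prog]
    matched = run(prog, eth_frame("aabbccddeeff"))   # src MAC aa:bb:cc:dd:ee:ff -> accept
    missed = run(prog, eth_frame("aabbccddee00"))    # different src MAC -> drop
    short = run(prog, b"\x00" * 8)                   # too short for 'ld [8]' -> drop
    return listing, matched, missed, short

if __name__ == "__main__":
    listing, matched, missed, short = demo()
    print("\n".join(listing))
    print(f"match={matched:#x} miss={missed} short={short}")
```

Reading the disassembly shows what the six opcodes do: `ld [8]` and `ldh [6]` pull the source MAC out of the Ethernet header, the two `jeq` instructions compare it against `aa:bb:cc:dd:ee:ff`, and the program returns `0xffffffff` (whole packet) or `0` (drop). The `validate` step is worth keeping in any tool that accepts an opcode file from the user, since a jump past the end of the program is the classic way a hand-edited `.bpfo` goes wrong.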
