Hello, Guy.

You wrote on Wednesday, May 30, 2007, 10:14:07 PM:
> Anton Yuzhaninov wrote:
>> Hello.
>> 
>> When libpcap is built with -DINET6, pcap_compile() generates strange bpf
>> code with DLT_RAW
>> 
>> pcap_compile_nopcap(65535, DLT_RAW, &bp, "udp", 1, 0)
>> generates this code:
>> 
>> # (000) ld       #0x0
>> { code=0 jt=0 jf=0 k=0 }
>> # (001) ldb      [6]
>> { code=48 jt=0 jf=0 k=6 }
>> # (002) jeq      #0x11            jt 5  jf 3
>> { code=21 jt=2 jf=0 k=17 }
>> # (003) ldb      [9]
>> { code=48 jt=0 jf=0 k=9 }
>> # (004) jeq      #0x11            jt 5  jf 6
>> { code=21 jt=0 jf=1 k=17 }
>> # (005) ret      #65535
>> { code=6 jt=0 jf=0 k=65535 }
>> # (006) ret      #0
>> { code=6 jt=0 jf=0 k=0 }
>> 

>> (001), (002) - check that the byte at offset 6 (4 bits from the flags field
>> and 4 bits from the fragment offset) equals 17 (protocol number for udp).
>> It seems to be wrong.

> ...for IPv4, but not for IPv6 (if the next header is UDP).

> Since both "is this IPv4?" and "is this IPv6?" were being answered as 
> "yes", it was testing both the IPv6 "next header" field and the IPv4 
> "protocol" field, regardless of whether the packet is IPv4 or IPv6.

But with the code generated by 0.9.4, IPv4 non-UDP packets can be matched
by the expression "udp".

> I've checked in a change to, for DLT_RAW, check the version field of the
> IPv4/IPv6 header; the generated code if INET6 is enabled is now:

> (000) ldb      [0]
> (001) and      #0xf0
> (002) jeq      #0x60            jt 3    jf 5
> (003) ldb      [6]
> (004) jeq      #0x11            jt 10   jf 11
> (005) ldb      [0]
> (006) and      #0xf0
> (007) jeq      #0x40            jt 8    jf 11
> (008) ldb      [9]
> (009) jeq      #0x11            jt 10   jf 11
> (010) ret      #65535
> (011) ret      #0

It seems better. Which libpcap version was used to produce this bpf
code?

> This is checked into the main and x.9 branches.

main = CVS head?
Is this in the 0.9.5 release?

-- 
WBR,
 Anton Yuzhaninov

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
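
Added example (not part of the original message or of libpcap): the two BPF programs quoted in this thread, run through a minimal interpreter over constructed packet headers, to show which non-UDP packets the 0.9.4 program accepts and the fixed program rejects. The interpreter, the helper names and the sample bytes are assumptions made for illustration; the instruction tables are transcribed from the dumps above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same fields as the { code jt jf k } dump in the thread; jt/jf are relative. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* 0x00/0x30/0x15/0x06 are codes 0/48/21/6 from the dump; 0x54 is the standard
   BPF_ALU|BPF_AND|BPF_K encoding (assumed, the thread shows only "and"). */
enum { LD_IMM = 0x00, LDB_ABS = 0x30, AND_K = 0x54, JEQ_K = 0x15, RET_K = 0x06 };

static const struct insn old_udp[] = {   /* 0.9.4 output, as posted */
    {LD_IMM,0,0,0}, {LDB_ABS,0,0,6}, {JEQ_K,2,0,0x11}, {LDB_ABS,0,0,9},
    {JEQ_K,0,1,0x11}, {RET_K,0,0,65535}, {RET_K,0,0,0} };
static const struct insn new_udp[] = {   /* output after the fix, as posted */
    {LDB_ABS,0,0,0}, {AND_K,0,0,0xf0}, {JEQ_K,0,2,0x60}, {LDB_ABS,0,0,6},
    {JEQ_K,5,6,0x11}, {LDB_ABS,0,0,0}, {AND_K,0,0,0xf0}, {JEQ_K,0,3,0x40},
    {LDB_ABS,0,0,9}, {JEQ_K,0,1,0x11}, {RET_K,0,0,65535}, {RET_K,0,0,0} };

/* Constructed sample headers (not captured traffic); unlisted bytes are zero. */
static const uint8_t v4_tcp_frag[20] = {0x45,0,0,0x28, 0,1,0x11,0, 64,6};  /* byte 6 = 0x11 */
static const uint8_t v4_udp[20]      = {0x45,0,0,0x1c, 0,1,0,0, 64,17};
static const uint8_t v6_udp[40]      = {0x60,0,0,0, 0,8,17,64};
static const uint8_t v6_tcp[40]      = {0x60,0,0,0, 0,20,6,64, 0x20,0x11}; /* byte 9 = 0x11 */

/* Minimal interpreter for the five opcodes these two programs use. */
static uint32_t run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case LD_IMM:  a = p[pc].k; break;
        case LDB_ABS: if (p[pc].k >= len) return 0; a = pkt[p[pc].k]; break;
        case AND_K:   a &= p[pc].k; break;
        case JEQ_K:   pc += (a == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case RET_K:   return p[pc].k;
        default:      return 0;          /* unknown opcode: reject */
        }
    }
    return 0;
}
static uint32_t old_match(const uint8_t *pkt, size_t len) {
    return run(old_udp, sizeof old_udp / sizeof old_udp[0], pkt, len);
}
static uint32_t new_match(const uint8_t *pkt, size_t len) {
    return run(new_udp, sizeof new_udp / sizeof new_udp[0], pkt, len);
}

int main(void) {
    printf("IPv4 TCP fragment: old=%u new=%u\n", old_match(v4_tcp_frag, 20), new_match(v4_tcp_frag, 20));
    printf("IPv6 TCP:          old=%u new=%u\n", old_match(v6_tcp, 40), new_match(v6_tcp, 40));
    printf("IPv4 UDP:          old=%u new=%u\n", old_match(v4_udp, 20), new_match(v4_udp, 20));
    printf("IPv6 UDP:          old=%u new=%u\n", old_match(v6_udp, 40), new_match(v6_udp, 40));
    return 0;
}
```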