On Nov 30, 2011, at 2:40 AM, Fernando Gont wrote:
> Could you suggest a good reference for BPF syntax? -- So far I've only
> used pcap_compile() and hence didn't really get into BPF.
Well, for reference purposes, there's the original BPF paper:
http://www.tcpdump.org/papers/bpf-usenix93.pdf
and the bpf.h header file.
However, pcap-linux.c in libpcap already has a filter with just "ret 0" that it
uses while flushing packets that matched the old filter when changing to a new
filter:
static struct sock_filter total_insn
= BPF_STMT(BPF_RET | BPF_K, 0);
static struct sock_fprog total_fcode
= { 1, &total_insn };
It's using Linux-specific data structures (for use when making Linux calls),
but the equivalent using BPF data structures would be
static struct bpf_insn total_insn
= BPF_STMT(BPF_RET | BPF_K, 0);
static struct bpf_program total_fcode
= { 1, &total_insn };
> In any case, I guess one could achieve the same sort of result (albeit
> with a sloppy filter that rejects e.g., everything that's Ethernet when
> one is capturing on ethernet).
Unfortunately, there's no way to "reject everything that's Ethernet" - the
filter can only look at the packet data, and there's no "this is Ethernet" bit
in Ethernet packets (and it'd always be set in any case :-)).
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
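As an added illustration of the two points made above (the "ret 0" program, and the fact that a filter can only look at packet bytes), here is a tiny interpreter for just the classic BPF instructions it needs; this is not code from the mail or from libpcap, the opcode encoding is re-stated locally so it builds without bpf.h, and the sample frames and helper names are constructed.

```c
#include <stdint.h>
#include <stddef.h>
/* Subset of the classic BPF encoding from bpf.h, re-stated locally so this
 * compiles without libpcap; the opcode values match the header. */
enum { BPF_LD = 0x00, BPF_JMP = 0x05, BPF_RET = 0x06,
       BPF_H = 0x08, BPF_ABS = 0x20, BPF_K = 0x00, BPF_JEQ = 0x10 };
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define BPF_STMT(code, k)         { (code), 0, 0, (k) }
#define BPF_JUMP(code, k, jt, jf) { (code), (jt), (jf), (k) }

/* Tiny interpreter for the three instruction kinds used below. Like
 * libpcap's bpf_filter(), it returns the accept length, 0 meaning reject. */
static uint32_t run_filter(const struct bpf_insn *pc, size_t n,
                           const uint8_t *pkt, size_t plen)
{
    uint32_t A = 0;                              /* accumulator */
    for (size_t i = 0; i < n; i++) {
        const struct bpf_insn *in = &pc[i];
        switch (in->code) {
        case BPF_RET | BPF_K:
            return in->k;
        case BPF_LD | BPF_H | BPF_ABS:           /* A = big-endian u16 at pkt[k] */
            if ((size_t)in->k + 2 > plen) return 0;  /* short packet: reject */
            A = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:          /* offsets count from the next insn */
            i += (A == in->k) ? in->jt : in->jf;
            break;
        default:
            return 0;                            /* unsupported opcode */
        }
    }
    return 0;                                    /* fell off the end */
}

/* The "ret 0" program quoted above: every packet is rejected, whatever its
 * contents, because the filter never looks at the packet at all. */
static const struct bpf_insn total_insn[] = { BPF_STMT(BPF_RET | BPF_K, 0) };

/* A filter that does look at the data: accept only if the EtherType field
 * (bytes 12-13 of the Ethernet header) is 0x0800 (IPv4). */
static const struct bpf_insn ipv4_insn[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, 0xffffffffu),
    BPF_STMT(BPF_RET | BPF_K, 0),
};

/* Constructed sample frames (Ethernet headers only): IPv4 and ARP. */
const uint8_t frame_ipv4[14] = { [12] = 0x08, [13] = 0x00 };
const uint8_t frame_arp[14]  = { [12] = 0x08, [13] = 0x06 };
uint32_t filter_total(const uint8_t *p, size_t n) { return run_filter(total_insn, 1, p, n); }
uint32_t filter_ipv4(const uint8_t *p, size_t n)  { return run_filter(ipv4_insn, 4, p, n); }
```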