--- Begin Message ---
On Fri, 6 Nov 2020 14:34:12 +0100
Linus Lüssing via tcpdump-workers <tcpdump-workers@lists.tcpdump.org>
wrote:
[...]
> Which suggests something like:
>
> $ tcpdump -i eth0 -w - | editcap -C 82 - - | tcpdump -r -
>
> However, ideally I would like to use a custom offset in a project
> based on libpcap:
>
> https://github.com/lemoer/bpfcountd
>
> Where the tcpdump/editcap approach would currently not work.
>
> So some native, custom decoding offset support for a filter
> expression would be great.

editcap would possibly do as a one-time hack given every packet is a
batman-adv packet, but a clean solution would likely need to introduce a
keyword into pcap filter language along the lines of "pppoed" and
"pppoes":

       pppoes [session_id]
              True if the packet is a PPP-over-Ethernet Session
              packet (Ethernet type 0x8864). If [session_id] is
              specified, only true if the packet has the specified
              session_id. Note that the first pppoes keyword
              encountered in expression changes the decoding offsets
              for the remainder of expression on the assumption that
              the packet is a PPPoE session packet.
              For example:
                   pppoes 0x27 && ip
              filters IPv4 protocols encapsulated in PPPoE
              session id 0x27.

See libpcap commit 7fb15ab for some implementation details. Could you
figure out which keywords and which parameters this problem seems to
need and post that to the list first?

--
Denis Ovsienko
--- End Message ---
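
The offset shift that the quoted "pppoes" man page text describes, as an added example that is not part of the message and not libpcap code: a simplified model that evaluates "pppoes 0x27 && ip" directly on a constructed frame instead of compiling to BPF. The struct, the function names and the sample bytes are hypothetical; the 6-byte PPPoE header and PPP protocol 0x0021 for IPv4 are the standard values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical offset state kept while walking an expression left to right. */
struct offsets {
    size_t type; /* offset of the 2-byte protocol type field */
    size_t net;  /* offset of the network-layer header */
    int ppp;     /* 1: type field holds a PPP protocol, not an Ethertype */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* "pppoes [session_id]": require Ethertype 0x8864 (and the session id when
 * sid >= 0), then move the offsets past the 6-byte PPPoE header. */
static int match_pppoes(const uint8_t *pkt, size_t len, struct offsets *o, long sid)
{
    if (len < o->type + 2 + 6 + 2 || be16(pkt + o->type) != 0x8864)
        return 0;
    if (sid >= 0 && be16(pkt + o->type + 4) != (uint16_t)sid)
        return 0;
    o->type += 2 + 6;      /* now points at the PPP protocol field */
    o->net = o->type + 2;  /* encapsulated IP header follows it */
    o->ppp = 1;
    return 1;
}

/* "ip": checks the type field at whatever offsets are current. */
static int match_ip(const uint8_t *pkt, size_t len, const struct offsets *o)
{
    if (len < o->net + 1)
        return 0;
    return be16(pkt + o->type) == (o->ppp ? 0x0021 : 0x0800)
        && (pkt[o->net] >> 4) == 4;
}

/* use_pppoes != 0: "pppoes [sid] && ip"; otherwise plain "ip". */
int filter(const uint8_t *pkt, size_t len, int use_pppoes, long sid)
{
    struct offsets o = { 12, 14, 0 }; /* plain Ethernet defaults */
    if (use_pppoes && !match_pppoes(pkt, len, &o, sid))
        return 0;
    return match_ip(pkt, len, &o);
}

/* Constructed frame: Ethernet, PPPoE session 0x0027, PPP IPv4, first IP byte. */
const uint8_t sample[] = { 0,0,0,0,0,1, 0,0,0,0,0,2, 0x88,0x64,
    0x11,0x00, 0x00,0x27, 0x00,0x03, 0x00,0x21, 0x45 };

int main(void)
{
    printf("pppoes 0x27 && ip: %d, ip: %d\n",
           filter(sample, sizeof sample, 1, 0x27), filter(sample, sizeof sample, 0, -1));
    return 0;
}
```

A keyword for another encapsulation would follow the same pattern: match the outer header, then shift the offsets by that header's length.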
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers