Re: pcap icmptype support

Claudio Jeker Mon, 21 Mar 2011 06:28:59 -0700

On Wed, Feb 02, 2011 at 06:49:26PM +0100, Giovanni Bechis wrote:
> This diff adds support to icmptype grammar to libpcap.
> With this diff we can do:
> $ sudo tcpdump -netttv -i nfe0 icmp[icmptype] = 8
> and capture only echo requests.
> This diff is needed for an upcoming nmap update.
>  Comments ? ok ?


Looks good to me. Would be good to update the tcpdump manpage to show how
these keywords are used.

OK claudio@

>   Cheers
>    Giovanni
> Index: scanner.l
> ===================================================================
> RCS file: /cvs/src/lib/libpcap/scanner.l,v
> retrieving revision 1.21
> diff -u -p -r1.21 scanner.l
> --- scanner.l 27 Oct 2009 23:59:30 -0000      1.21
> +++ scanner.l 2 Feb 2011 17:39:32 -0000
> @@ -270,6 +270,30 @@ address4|addr4   return ADDR4;
>  #endif /*INET6*/
>                       }
>  {B}:+({B}:+)+                { bpf_error("bogus ethernet address %s", 
> yytext); }
> +icmptype             { yylval.i = 0; return NUM; }
> +icmpcode             { yylval.i = 1; return NUM; }
> +icmp-echoreply               { yylval.i = 0; return NUM; }
> +icmp-unreach         { yylval.i = 3; return NUM; }
> +icmp-sourcequench    { yylval.i = 4; return NUM; }
> +icmp-redirect                { yylval.i = 5; return NUM; }
> +icmp-echo            { yylval.i = 8; return NUM; }
> +icmp-routeradvert    { yylval.i = 9; return NUM; }
> +icmp-routersolicit   { yylval.i = 10; return NUM; }
> +icmp-timxceed                { yylval.i = 11; return NUM; }
> +icmp-paramprob               { yylval.i = 12; return NUM; }
> +icmp-tstamp          { yylval.i = 13; return NUM; }
> +icmp-tstampreply     { yylval.i = 14; return NUM; }
> +icmp-ireq            { yylval.i = 15; return NUM; }
> +icmp-ireqreply               { yylval.i = 16; return NUM; }
> +icmp-maskreq         { yylval.i = 17; return NUM; }
> +icmp-maskreply               { yylval.i = 18; return NUM; }
> +tcpflags             { yylval.i = 13; return NUM; }
> +tcp-fin                      { yylval.i = 0x01; return NUM; }
> +tcp-syn                      { yylval.i = 0x02; return NUM; }
> +tcp-rst                      { yylval.i = 0x04; return NUM; }
> +tcp-push             { yylval.i = 0x08; return NUM; }
> +tcp-ack                      { yylval.i = 0x10; return NUM; }
> +tcp-urg                      { yylval.i = 0x20; return NUM; }
>  [A-Za-z0-9][-_.A-Za-z0-9]*[.A-Za-z0-9] {
>                        yylval.s = sdup((char *)yytext); return ID; }
>  [A-Za-z] {            yylval.s = sdup((char *)yytext); return ID; }
> 

-- 
:wq Claudio

Re: pcap icmptype support

Reply via email to