Revision 1 (initial version)
What's needed is support for pppoes src and pppoes dst or some other workaround.
The work-around (and as far as I'm aware the only way to handle this) is to avoid using pppoes, at least in the first expression. What we need to be able to do is to construct the equivalent BPF without using pppoes. First, what does the BPF look like if we do use pppoes? Well, it looks like this:
dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01"
(000) ld [2]
(001) jeq #0x1 jt 2 jf 12
(002) ldh [0]
(003) jeq #0x0 jt 4 jf 12
(004) ldh [12]
(005) jeq #0x8864 jt 6 jf 12
(006) ldh [20]
(007) jeq #0x21 jt 8 jf 12
(008) ldb [41]
(009) and #0xf
(010) jeq #0x1 jt 11 jf 12
(011) ret #262144
(012) ret #0
What is this doing? It's checking that the Ethernet destination address is 00:00:00:00:00:01. It's doing this in 2 parts: (1) the last 4 bytes are 00:00:00:01 and (2) the first 2 bytes are 00:00. These are instructions 000-003. (The breakdown of the other expression is quite similar, except for the changes to the offsets for comparing the Ethernet source address and the last octet of the IPv4 source address. That breakdown and analysis is left as an exercise for the reader.)
To reproduce this same BPF without using the pppoes keyword then, we simply need to manually specify all the offsets. Here is such a filter that accomplishes that, with BPF included for comparison:
dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01"
(000) ld [2]
(001) jeq #0x1 jt 2 jf 12
(002) ldh [0]
(003) jeq #0x0 jt 4 jf 12
(004) ldh [12]
(005) jeq #0x8864 jt 6 jf 12
(006) ldh [20]
(007) jeq #0x21 jt 8 jf 12
(008) ldb [41]
(009) and #0xf
(010) jeq #0x1 jt 11 jf 12
(011) ret #262144
(012) ret #0
Now all that's needed is to or the two expressions together. This can be done in 1 of 2 ways, the first being a bit easier because now we can use the pppoes keyword:
dumpcap.exe -d -f "(ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01) or (ether src 00:00:00:00:00:01 and pppoes and ip[15:1] & 0x0f =0x01)"
(000) ld [2]
(001) jeq #0x1 jt 2 jf 11
(002) ldh [0]
(003) jeq #0x0 jt 4 jf 11
(004) ldh [12]
(005) jeq #0x8864 jt 6 jf 11
(006) ldh [20]
(007) jeq #0x21 jt 8 jf 11
(008) ldb [41]
(009) and #0xf
(010) jeq #0x1 jt 22 jf 11
(011) ld [8]
(012) jeq #0x1 jt 13 jf 23
(013) ldh [6]
(014) jeq #0x0 jt 15 jf 23
(015) ldh [12]
(016) jeq #0x8864 jt 17 jf 23
(017) ldh [20]
(018) jeq #0x21 jt 19 jf 23
(019) ldb [37]
(020) and #0xf
(021) jeq #0x1 jt 22 jf 23
(022) ret #262144
(023) ret #0
And the second way, without using the pppoes keyword at all:
dumpcap.exe -d -f "(ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01) or (ether src 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[37:1] & 0x0f = 0x01)"
(000) ld [2]
(001) jeq #0x1 jt 2 jf 11
(002) ldh [0]
(003) jeq #0x0 jt 4 jf 11
(004) ldh [12]
(005) jeq #0x8864 jt 6 jf 11
(006) ldh [20]
(007) jeq #0x21 jt 8 jf 11
(008) ldb [41]
(009) and #0xf
(010) jeq #0x1 jt 22 jf 11
(011) ld [8]
(012) jeq #0x1 jt 13 jf 23
(013) ldh [6]
(014) jeq #0x0 jt 15 jf 23
(015) ldh [12]
(016) jeq #0x8864 jt 17 jf 23
(017) ldh [20]
(018) jeq #0x21 jt 19 jf 23
(019) ldb [37]
(020) and #0xf
(021) jeq #0x1 jt 22 jf 23
(022) ret #262144
(023) ret #0
Revision 2 (No.2 Revision)
What's needed is support for pppoes src and pppoes dst or some other workaround.
The work-around (and as far as I'm aware the only way to handle this) is to avoid using pppoes, at least in the first expression. What we need to be able to do is to construct the equivalent BPF without using pppoes. First, what does the BPF look like if we do use pppoes? Well, it looks like this:
dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01"
(000) ld [2]
(001) jeq #0x1 jt 2 jf 12
(002) ldh [0]
(003) jeq #0x0 jt 4 jf 12
(004) ldh [12]
(005) jeq #0x8864 jt 6 jf 12
(006) ldh [20]
(007) jeq #0x21 jt 8 jf 12
(008) ldb [41]
(009) and #0xf
(010) jeq #0x1 jt 11 jf 12
(011) ret #262144
(012) ret #0
What is this doing? It's checking that the Ethernet destination address is 00:00:00:00:00:01. It's doing this in 2 parts: (1) the last 4 bytes are 00:00:00:01 and (2) the first 2 bytes are 00:00. These are instructions 000-003. (The breakdown of the other expression is quite similar, except for the changes to the offsets for comparing the Ethernet source address and the lower nibble of the last octet of the IPv4 source address. That breakdown and analysis is left as an exercise for the reader.)
To reproduce this same BPF without using the pppoes keyword then, we simply need to manually specify all the offsets. Here is such a filter that accomplishes that, with BPF included for comparison:
dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01"
(000) ld [2]
(001) jeq #0x1 jt 2 jf 12
(002) ldh [0]
(003) jeq #0x0 jt 4 jf 12
(004) ldh [12]
(005) jeq #0x8864 jt 6 jf 12
(006) ldh [20]
(007) jeq #0x21 jt 8 jf 12
(008) ldb [41]
(009) and #0xf
(010) jeq #0x1 jt 11 jf 12
(011) ret #262144
(012) ret #0
Now all that's needed is to or the two expressions together. This can be done in 1 of 2 ways, the first being a bit easier because now we can use the pppoes keyword:
dumpcap.exe -d -f "(ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01) or (ether src 00:00:00:00:00:01 and pppoes and ip[15:1] & 0x0f =0x01)"
(000) ld [2]
(001) jeq #0x1 jt 2 jf 11
(002) ldh [0]
(003) jeq #0x0 jt 4 jf 11
(004) ldh [12]
(005) jeq #0x8864 jt 6 jf 11
(006) ldh [20]
(007) jeq #0x21 jt 8 jf 11
(008) ldb [41]
(009) and #0xf
(010) jeq #0x1 jt 22 jf 11
(011) ld [8]
(012) jeq #0x1 jt 13 jf 23
(013) ldh [6]
(014) jeq #0x0 jt 15 jf 23
(015) ldh [12]
(016) jeq #0x8864 jt 17 jf 23
(017) ldh [20]
(018) jeq #0x21 jt 19 jf 23
(019) ldb [37]
(020) and #0xf
(021) jeq #0x1 jt 22 jf 23
(022) ret #262144
(023) ret #0
And the second way, without using the pppoes keyword at all:
dumpcap.exe -d -f "(ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01) or (ether src 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[37:1] & 0x0f = 0x01)"
(000) ld [2]
(001) jeq #0x1 jt 2 jf 11
(002) ldh [0]
(003) jeq #0x0 jt 4 jf 11
(004) ldh [12]
(005) jeq #0x8864 jt 6 jf 11
(006) ldh [20]
(007) jeq #0x21 jt 8 jf 11
(008) ldb [41]
(009) and #0xf
(010) jeq #0x1 jt 22 jf 11
(011) ld [8]
(012) jeq #0x1 jt 13 jf 23
(013) ldh [6]
(014) jeq #0x0 jt 15 jf 23
(015) ldh [12]
(016) jeq #0x8864 jt 17 jf 23
(017) ldh [20]
(018) jeq #0x21 jt 19 jf 23
(019) ldb [37]
(020) and #0xf
(021) jeq #0x1 jt 22 jf 23
(022) ret #262144
(023) ret #0
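As an added example (not part of the answer above, in either revision), the following Python parses the dumpcap -d listing for the pppoes-free filter exactly as printed and runs it over constructed Ethernet/PPPoE-session/PPP/IPv4 frames, which shows why ether[41:1] is the same byte as ip[19:1]: 14 bytes of Ethernet header, 6 of PPPoE and 2 of PPP put the IPv4 header at offset 22. The interpreter, the frame builder, the function names and the sample addresses are my own assumptions, and the builder emits untagged frames (a VLAN tag would shift every manual offset by 4).

```python
import re
import struct

# dumpcap -d output for the pppoes-free filter from the answer above (copied verbatim).
BPF_TEXT = ("(000) ld [2] (001) jeq #0x1 jt 2 jf 12 (002) ldh [0] (003) jeq #0x0 jt 4 jf 12 "
            "(004) ldh [12] (005) jeq #0x8864 jt 6 jf 12 (006) ldh [20] (007) jeq #0x21 jt 8 jf 12 "
            "(008) ldb [41] (009) and #0xf (010) jeq #0x1 jt 11 jf 12 (011) ret #262144 (012) ret #0")

INSN = re.compile(r"\((\d+)\)\s+(\w+)\s+(\S+)(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?")

def parse_bpf(text):
    """Turn dumpcap's '(nnn) op operand [jt n jf m]' listing into (op, k, jt, jf) tuples."""
    prog = []
    for _, op, k, jt, jf in INSN.findall(text):
        k = int(k.strip("[]#"), 0)          # '[41]' -> 41, '#0x8864' -> 0x8864
        prog.append((op, k, int(jt) if jt else None, int(jf) if jf else None))
    return prog

def run_bpf(prog, pkt):
    """Interpret the ld/ldh/ldb/and/jeq/ret subset that these filters use."""
    a, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op == "ret":
            return k                        # 262144 = accept (snaplen), 0 = reject
        if op in ("ld", "ldh", "ldb"):
            width = {"ld": 4, "ldh": 2, "ldb": 1}[op]
            if k + width > len(pkt):        # a load past the end of the packet rejects it
                return 0
            a = int.from_bytes(pkt[k:k + width], "big")
            pc += 1
        elif op == "and":
            a &= k
            pc += 1
        else:                               # jeq
            pc = jt if a == k else jf

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def pppoe_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, ethertype=0x8864):
    """Constructed Ethernet / PPPoE session / PPP / IPv4 frame (no IP payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = mac(dst_mac) + mac(src_mac) + ethertype.to_bytes(2, "big")   # bytes 0-13
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ip) + 2)      # bytes 14-19
    ppp = b"\x00\x21"                                                  # bytes 20-21: IPv4
    return eth + pppoe + ppp + ip                                      # IPv4 header at 22

def filter_accepts(frame, text=BPF_TEXT):
    return run_bpf(parse_bpf(text), frame) != 0
```

Pasting the 24-instruction listing of the or'ed filter into BPF_TEXT runs it the same way, so both directions can be checked against one constructed pair of frames.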