Revision history [back]

initial version

If you want to see the BPF compiled code for that expression FOR A PARTICULAR LINK-LAYER TYPE, do:

tcpdump -d -i {interface} 'ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))'

or, in Wireshark, select Capture > Options from the menu bar, select the interface in question, type

ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))

into the capture filter box, and click "Compile BPFs". The first of those will display the compiled capture filter on the terminal; the second of those will pop up a window that displays the compiled capture filter. For the interface, you'd have to pick an interface that has the link-layer type you want; BPF filters are NOT independent of the link-layer type of the header - for example:

$ tcpdump -d -i en0 'ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 21
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 14
(004) ldh      [20]
(005) jset     #0x1fff          jt 21   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 26]
(008) and      #0xf0
(009) rsh      #2
(010) add      x
(011) tax      
(012) ld       [x + 14]
(013) jeq      #0x47455420      jt 20   jf 21
(014) jeq      #0x11            jt 15   jf 21
(015) ldh      [20]
(016) jset     #0x1fff          jt 21   jf 17
(017) ldxb     4*([14]&0xf)
(018) ldh      [x + 16]
(019) jeq      #0x35            jt 20   jf 21
(020) ret      #262144
(021) ret      #0

but:

$ tcpdump -d -i lo0 'ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))'
(000) ld       [0]
(001) jeq      #0x2000000       jt 2    jf 21
(002) ldb      [13]
(003) jeq      #0x6             jt 4    jf 14
(004) ldh      [10]
(005) jset     #0x1fff          jt 21   jf 6
(006) ldxb     4*([4]&0xf)
(007) ldb      [x + 16]
(008) and      #0xf0
(009) rsh      #2
(010) add      x
(011) tax      
(012) ld       [x + 4]
(013) jeq      #0x47455420      jt 20   jf 21
(014) jeq      #0x11            jt 15   jf 21
(015) ldh      [10]
(016) jset     #0x1fff          jt 21   jf 17
(017) ldxb     4*([4]&0xf)
(018) ldh      [x + 6]
(019) jeq      #0x35            jt 20   jf 21
(020) ret      #262144
(021) ret      #0

To convert that to code you can directly put into a C/C++/etc. program, you'd have to read the bpf.h header and translate it yourself.

Or you could put the filter expression into a C string and pass it to pcap_compile(), which is the routine in libpcap that does that translation in tcpdump and dumpcap and TShark and Wireshark and..., letting pcap_compile() do the work for you.
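The en0 program above, run by a small classic-BPF interpreter over constructed packets, as an added example that is not part of this answer or of libpcap. The listing is transcribed into the {code, jt, jf, k} form that `tcpdump -dd` prints (opcode values from bpf.h, relative jump offsets), and is executed against a constructed HTTP GET (plain, with IP and TCP options, and as a non-first fragment), a DNS query, and the same GET bytes in DLT_NULL framing. It shows how the compiled filter walks variable-length headers and why a program compiled for one link-layer type rejects frames from another. Packet builders, addresses and payloads are constructed sample data; the interpreter covers only the opcodes this program uses.

```python
import struct

# Classic BPF program for DLT_EN10MB, transcribed from the `tcpdump -d -i en0`
# listing above into the {code, jt, jf, k} form that `tcpdump -dd` prints.
# Opcodes are the BPF_* values from libpcap's bpf.h; jt/jf are relative
# (target = pc + 1 + offset), which is why they differ from the -d numbers.
EN0_PROGRAM = [
    (0x28, 0, 0, 12),          # ldh [12]           A = ethertype
    (0x15, 0, 19, 0x0800),     # jeq #0x800         IPv4, else ret #0
    (0x30, 0, 0, 23),          # ldb [23]           A = IP protocol
    (0x15, 0, 10, 0x06),       # jeq #0x6           TCP, else try UDP
    (0x28, 0, 0, 20),          # ldh [20]           A = IP flags + fragment offset
    (0x45, 15, 0, 0x1fff),     # jset #0x1fff       non-first fragment: ret #0
    (0xb1, 0, 0, 14),          # ldxb 4*([14]&0xf)  X = IP header length
    (0x50, 0, 0, 26),          # ldb [x + 26]       A = tcp[12], data offset byte
    (0x54, 0, 0, 0xf0),        # and #0xf0
    (0x74, 0, 0, 2),           # rsh #2             A = TCP header length
    (0x0c, 0, 0, 0),           # add x
    (0x07, 0, 0, 0),           # tax                X = IP + TCP header length
    (0x40, 0, 0, 14),          # ld [x + 14]        A = first 4 payload bytes
    (0x15, 6, 7, 0x47455420),  # jeq "GET "         accept, else ret #0
    (0x15, 0, 6, 0x11),        # jeq #0x11          UDP, else ret #0
    (0x28, 0, 0, 20),          # ldh [20]
    (0x45, 4, 0, 0x1fff),      # jset #0x1fff       non-first fragment: ret #0
    (0xb1, 0, 0, 14),          # ldxb 4*([14]&0xf)
    (0x48, 0, 0, 16),          # ldh [x + 16]       A = UDP destination port
    (0x15, 0, 1, 0x35),        # jeq #0x35          port 53?
    (0x06, 0, 0, 262144),      # ret #262144        accept (snapshot length)
    (0x06, 0, 0, 0),           # ret #0             drop
]

def run_bpf(program, pkt):
    """Interpret the classic-BPF subset used above; returns the accept length (0 = drop)."""
    def load(off, width):
        if off < 0 or off + width > len(pkt):
            raise IndexError          # bpf_filter() drops the packet on an out-of-range load
        return int.from_bytes(pkt[off:off + width], "big")
    a = x = pc = 0
    try:
        while True:
            code, jt, jf, k = program[pc]
            cls, size, mode, op = code & 0x07, code & 0x18, code & 0xE0, code & 0xF0
            if cls == 0x00 and mode in (0x20, 0x40):        # BPF_LD, BPF_ABS / BPF_IND
                a = load(k if mode == 0x20 else x + k, {0x00: 4, 0x08: 2, 0x10: 1}[size])
            elif cls == 0x01 and mode == 0xA0:              # BPF_LDX|BPF_MSH: X = 4*(P[k]&0xf)
                x = 4 * (load(k, 1) & 0x0F)
            elif cls == 0x04:                               # BPF_ALU: add / and / rsh
                src = x if code & 0x08 else k               # BPF_X / BPF_K
                a = {0x00: a + src, 0x50: a & src, 0x70: a >> src}[op] & 0xFFFFFFFF
            elif cls == 0x05:                               # BPF_JMP: jeq / jset against k
                pc += jt if ((a == k) if op == 0x10 else bool(a & k)) else jf
            elif cls == 0x06:                               # BPF_RET|BPF_K
                return k
            elif cls == 0x07 and (code & 0xF8) == 0x00:     # BPF_MISC|BPF_TAX
                x = a
            else:
                raise ValueError(f"unsupported opcode {code:#04x} at {pc}")
            pc += 1
    except IndexError:
        return 0

# Constructed sample packets: zero MACs, private addresses, no checksums (never read by the filter).
def ipv4(proto, payload, options=b"", frag_offset=0):
    ihl = 5 + len(options) // 4
    flags_frag = 0x4000 if frag_offset == 0 else frag_offset   # DF set, or a later fragment
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload

def tcp(sport, dport, payload, options=b""):
    doff = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, doff << 4, 0x18, 65535, 0, 0) + options + payload

def ethernet(payload, ethertype=0x0800):
    return bytes(12) + struct.pack("!H", ethertype) + payload

def dlt_null(payload, af=2):
    # DLT_NULL (lo0) framing: a 4-byte address family in host byte order. On a little-endian
    # host AF_INET=2 is 02 00 00 00, which a big-endian `ld [0]` reads as 0x2000000, the
    # constant in the lo0 listing above.
    return struct.pack("<I", af) + payload

def http_request(method=b"GET", ip_options=b"", tcp_options=b"", frag_offset=0):
    seg = tcp(40000, 80, method + b" / HTTP/1.1\r\n\r\n", tcp_options)
    return ethernet(ipv4(6, seg, ip_options, frag_offset))

def filter_results():
    """Accept length per constructed packet: 262144 = matched, 0 = dropped."""
    dns = ethernet(ipv4(17, struct.pack("!HHHH", 40000, 53, 20, 0) + b"\x12\x34\x01\x00" + bytes(8)))
    cases = {
        "GET, plain headers": http_request(),
        "GET, with IP and TCP options": http_request(ip_options=b"\x01" * 4, tcp_options=b"\x01" * 4),
        "GET, non-first fragment": http_request(frag_offset=185),
        "POST": http_request(method=b"POST"),
        "DNS query to udp/53": dns,
        "GET in DLT_NULL framing": dlt_null(http_request()[14:]),
    }
    return {name: run_bpf(EN0_PROGRAM, pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, accepted in filter_results().items():
        print(f"{accepted:>6}  {name}")
```

The fragment cases are the reason for the `jset #0x1fff` instructions: a non-first fragment carries no TCP or UDP header, so the generated code refuses to read "port" or "payload" bytes from it, and an attacker who fragments a request gets past a filter like this one rather than matched by it. The DLT_NULL case fails at the very first instruction, which is the link-layer dependence the answer describes. To get the real program rather than a hand transcription, open a dead handle with pcap_open_dead(DLT_EN10MB, 65535) and pass the expression to pcap_compile(); no live interface is needed.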
