1 | initial version |
If you want to see the BPF compiled code for that expression FOR A PARTICULAR LINK-LAYER TYPE, do:
tcpdump -i {interface} 'ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))'
or, in Wireshark, select Capture > Options from the menu bar, select the interface in question, type
ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))
into the capture filter box, and click "Compile BPFs". The first of those will display the compiled capture filter on the terminal; the second of those will pop up a window that displays the compiled capture filter. For the interface, you'd have to pick an interface that has the link-layer type you want; BPF filters are NOT independent of the link-layer type of the header - for example:
$ tcpdump -d -i en0 'ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))'
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 21
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 14
(004) ldh [20]
(005) jset #0x1fff jt 21 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldb [x + 26]
(008) and #0xf0
(009) rsh #2
(010) add x
(011) tax
(012) ld [x + 14]
(013) jeq #0x47455420 jt 20 jf 21
(014) jeq #0x11 jt 15 jf 21
(015) ldh [20]
(016) jset #0x1fff jt 21 jf 17
(017) ldxb 4*([14]&0xf)
(018) ldh [x + 16]
(019) jeq #0x35 jt 20 jf 21
(020) ret #262144
(021) ret #0
but:
$ tcpdump -d -i lo0 'ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))'
(000) ld [0]
(001) jeq #0x2000000 jt 2 jf 21
(002) ldb [13]
(003) jeq #0x6 jt 4 jf 14
(004) ldh [10]
(005) jset #0x1fff jt 21 jf 6
(006) ldxb 4*([4]&0xf)
(007) ldb [x + 16]
(008) and #0xf0
(009) rsh #2
(010) add x
(011) tax
(012) ld [x + 4]
(013) jeq #0x47455420 jt 20 jf 21
(014) jeq #0x11 jt 15 jf 21
(015) ldh [10]
(016) jset #0x1fff jt 21 jf 17
(017) ldxb 4*([4]&0xf)
(018) ldh [x + 6]
(019) jeq #0x35 jt 20 jf 21
(020) ret #262144
(021) ret #0
To convert that to code you can directly put into a C/C++/etc. program, you'd have to read the bpf.h header and translate it yourself.
Or you could put the filter expression into a C string and pass it to pcap_compile(), which is the routine in libpcap that does that translation in tcpdump and dumpcap and TShark and Wireshark and..., letting pcap_compile() do the work for you.
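As an added example (not part of the answer above), here is what the "read bpf.h and translate it yourself" route looks like for the en0 listing: the 22 instructions are transcribed into a table and run by a small interpreter over a constructed Ethernet/IPv4/TCP frame carrying "GET " (0x47455420). The opcode enum, the interpreter, the sample packet and the names are all constructed here; jump targets are kept absolute as tcpdump -d prints them, whereas bpf.h's struct bpf_insn stores them relative to the next instruction.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed opcode subset for the instructions in the listing (real code would use
   the BPF_LD|BPF_H|BPF_ABS style macros and struct bpf_insn from bpf.h). */
enum { LDW, LDH, LDB, LDWX, LDHX, LDBX, LDXMSH, ANDK, RSHK, ADDX, TAX, JEQK, JSETK, RETK };
struct insn { uint8_t op, jt, jf; uint32_t k; }; /* jt/jf: absolute targets as printed by -d */
/* The en0 (Ethernet, 14-byte link header) program, transcribed line for line. */
static const struct insn en0_prog[] = {
    {LDH, 0, 0, 12},    {JEQK, 2, 21, 0x800},       {LDB, 0, 0, 23},      {JEQK, 4, 14, 6},
    {LDH, 0, 0, 20},    {JSETK, 21, 6, 0x1fff},     {LDXMSH, 0, 0, 14},   {LDBX, 0, 0, 26},
    {ANDK, 0, 0, 0xf0}, {RSHK, 0, 0, 2},            {ADDX, 0, 0, 0},      {TAX, 0, 0, 0},
    {LDWX, 0, 0, 14},   {JEQK, 20, 21, 0x47455420}, {JEQK, 15, 21, 0x11}, {LDH, 0, 0, 20},
    {JSETK, 21, 17, 0x1fff}, {LDXMSH, 0, 0, 14},    {LDHX, 0, 0, 16},     {JEQK, 20, 21, 0x35},
    {RETK, 0, 0, 262144}, {RETK, 0, 0, 0}};
/* Big-endian load of n bytes at off; reading past the end of the packet rejects it. */
static int load(const uint8_t *p, size_t len, size_t off, int n, uint32_t *out) {
    if (off + n > len) return 0;
    for (*out = 0; n-- > 0; off++) *out = (*out << 8) | p[off];
    return 1;
}
/* Interpret prog over pkt: returns the accept length (262144 here) or 0 to reject. */
uint32_t bpf_run(const struct insn *prog, const uint8_t *pkt, size_t len) {
    uint32_t A = 0, X = 0, v;
    for (size_t pc = 0;;) {
        const struct insn *i = &prog[pc++];
        switch (i->op) {
        case LDW: case LDH: case LDB:    /* 4-, 2-, 1-byte loads at a fixed offset */
            if (!load(pkt, len, i->k, 4 >> i->op, &A)) return 0; break;
        case LDWX: case LDHX: case LDBX: /* same, at offset X + k (X = IP header length) */
            if (!load(pkt, len, X + i->k, 4 >> (i->op - LDWX), &A)) return 0; break;
        case LDXMSH: if (!load(pkt, len, i->k, 1, &v)) return 0; X = 4 * (v & 0xf); break;
        case ANDK:   A &= i->k; break;
        case RSHK:   A >>= i->k; break;
        case ADDX:   A += X; break;
        case TAX:    X = A; break;
        case JEQK:   pc = (A == i->k) ? i->jt : i->jf; break;
        case JSETK:  pc = (A & i->k) ? i->jt : i->jf; break;
        default:     return i->k; /* RETK */
        }
    }
}
/* Constructed sample: Ethernet/IPv4/TCP with 20-byte headers, payload "GET " = 0x47455420. */
static const uint8_t http_get[] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,                   /* Ethernet, EtherType IPv4 */
    0x45,0,0,44, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2, /* IPv4: IHL 5, proto 6, DF, offset 0 */
    0,80,0,80, 0,0,0,0, 0,0,0,0, 0x50,0x18,0,0, 0,0,0,0,    /* TCP: data offset 5 */
    'G','E','T',' '};
uint32_t match_http_get(void) { return bpf_run(en0_prog, http_get, sizeof http_get); }
```

The lo0 listing would transcribe the same way except for its first two instructions and every IP/TCP/UDP offset being 10 smaller, since that link header is 4 bytes instead of 14; the interpreter does not change, which is exactly why the program must be compiled for the link-layer type of the interface it runs on.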