
Help me convert a "capture filter" to "bpf"

asked 2017-12-04 08:23:46 +0000 by anonymous user

updated 2017-12-07 06:04:27 +0000 by Guy Harris

I solved capturing only the "ipv4" version. Just add "ip".

ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))

How do I change this filter to BPF_STMT, BPF_JUMP?

example:

BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 11),
BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 14),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x4500, 0, 9),

Comments

What are you trying to capture with this filter?

masonke (2017-12-06 23:31:43 +0000)

1 Answer


answered 2017-12-07 06:15:04 +0000 by Guy Harris

updated 2017-12-07 06:15:31 +0000

If you want to see the BPF compiled code for that expression FOR A PARTICULAR LINK-LAYER TYPE, do:

tcpdump -d -i {interface} 'ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))'

or, in Wireshark, select Capture > Options from the menu bar, select the interface in question, type

ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))

into the capture filter box, and click "Compile BPFs". The first of those will display the compiled capture filter on the terminal; the second of those will pop up a window that displays the compiled capture filter. For the interface, you'd have to pick an interface that has the link-layer type you want; BPF filters are NOT independent of the link-layer type of the header - for example:

$ tcpdump -d -i en0 'ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 21
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 14
(004) ldh      [20]
(005) jset     #0x1fff          jt 21   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 26]
(008) and      #0xf0
(009) rsh      #2
(010) add      x
(011) tax      
(012) ld       [x + 14]
(013) jeq      #0x47455420      jt 20   jf 21
(014) jeq      #0x11            jt 15   jf 21
(015) ldh      [20]
(016) jset     #0x1fff          jt 21   jf 17
(017) ldxb     4*([14]&0xf)
(018) ldh      [x + 16]
(019) jeq      #0x35            jt 20   jf 21
(020) ret      #262144
(021) ret      #0

but:

$ tcpdump -d -i lo0 'ip and ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) or (udp dst port 53))'
(000) ld       [0]
(001) jeq      #0x2000000       jt 2    jf 21
(002) ldb      [13]
(003) jeq      #0x6             jt 4    jf 14
(004) ldh      [10]
(005) jset     #0x1fff          jt 21   jf 6
(006) ldxb     4*([4]&0xf)
(007) ldb      [x + 16]
(008) and      #0xf0
(009) rsh      #2
(010) add      x
(011) tax      
(012) ld       [x + 4]
(013) jeq      #0x47455420      jt 20   jf 21
(014) jeq      #0x11            jt 15   jf 21
(015) ldh      [10]
(016) jset     #0x1fff          jt 21   jf 17
(017) ldxb     4*([4]&0xf)
(018) ldh      [x + 6]
(019) jeq      #0x35            jt 20   jf 21
(020) ret      #262144
(021) ret      #0

To convert that to code you can directly put into a C/C++/etc. program, you'd have to read the bpf.h header and translate it yourself.

Or you could put the filter expression into a C string and pass it to pcap_compile(), which is the routine in libpcap that does that translation in tcpdump and dumpcap and TShark and Wireshark and..., letting pcap_compile() do the work for you.


Comments

Or use the tcpdump -dd option to get C code?

Jaap (2017-12-07 19:31:44 +0000)
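To make the `tcpdump -d` listing above concrete, here is an added example (not part of the answer, libpcap or tcpdump) that parses the `en0` listing from the answer into instructions, executes them with a small BPF interpreter, and runs them over constructed Ethernet/IPv4 frames. It shows how the `ldxb 4*([14]&0xf)` / `tax` index arithmetic steps past the IPv4 and TCP headers to compare the first four payload bytes with `0x47455420` ("GET "), why a fragment (non-zero fragment offset) or a packet too short for a load is rejected, and why the `lo0` listing differs only in its offsets (a 4-byte loopback header instead of a 14-byte Ethernet header; it would run through the same interpreter if pasted in with such a frame). The interpreter, packet builders and sample packets are all constructed for this illustration; the `ret #262144` value is whatever snapshot length pcap_compile() was given and only needs to be non-zero to accept the packet.

```python
import re
import struct

# Copied from the answer's "tcpdump -d -i en0" output (Ethernet link layer).
# The interpreter and packets below are illustrative additions, not libpcap code.
EN0_PROGRAM = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 21
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 14
(004) ldh      [20]
(005) jset     #0x1fff          jt 21   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 26]
(008) and      #0xf0
(009) rsh      #2
(010) add      x
(011) tax
(012) ld       [x + 14]
(013) jeq      #0x47455420      jt 20   jf 21
(014) jeq      #0x11            jt 15   jf 21
(015) ldh      [20]
(016) jset     #0x1fff          jt 21   jf 17
(017) ldxb     4*([14]&0xf)
(018) ldh      [x + 16]
(019) jeq      #0x35            jt 20   jf 21
(020) ret      #262144
(021) ret      #0
"""


def parse_program(listing):
    """Turn tcpdump -d text into a list of (opcode, operand-string) tuples."""
    prog = []
    for line in listing.strip().splitlines():
        m = re.match(r"\(\d+\)\s+(\S+)\s*(.*)", line)
        prog.append((m.group(1), m.group(2).strip()))
    return prog


def run(prog, pkt):
    """Execute a parsed program on raw packet bytes; return the 'ret' value (0 = drop)."""
    a = x = pc = 0                      # accumulator, index register, program counter
    sizes = {"ld": 4, "ldh": 2, "ldb": 1}

    def load(off, size):                # BPF loads are big-endian; out of bounds = reject
        if off + size > len(pkt):
            raise IndexError
        return int.from_bytes(pkt[off:off + size], "big")

    try:
        while True:
            op, arg = prog[pc]
            pc += 1
            if op == "ret":
                return int(arg.lstrip("#"), 0)
            if op in sizes:             # ld/ldh/ldb [k] or [x + k]
                m = re.fullmatch(r"\[(x \+ )?(\d+)\]", arg)
                a = load(int(m.group(2)) + (x if m.group(1) else 0), sizes[op])
            elif op == "ldxb":          # x = 4 * (P[k] & 0xf): IPv4 header length in bytes
                m = re.fullmatch(r"4\*\(\[(\d+)\]&0xf\)", arg)
                x = 4 * (load(int(m.group(1)), 1) & 0xf)
            elif op in ("jeq", "jset"):
                m = re.fullmatch(r"#(\S+)\s+jt (\d+)\s+jf (\d+)", arg)
                k = int(m.group(1), 0)
                taken = (a == k) if op == "jeq" else (a & k) != 0
                pc = int(m.group(2)) if taken else int(m.group(3))
            elif op == "and":
                a &= int(arg.lstrip("#"), 0)
            elif op == "rsh":
                a >>= int(arg.lstrip("#"), 0)
            elif op == "add":           # only "add x" occurs in this listing
                a = (a + x) & 0xFFFFFFFF
            elif op == "tax":
                x = a
            else:
                raise ValueError("unsupported opcode %r" % op)
    except IndexError:
        return 0


def ethernet_ipv4(proto, l4, frag=0, ethertype=0x0800):
    """Constructed frame: Ethernet II + 20-byte IPv4 header (no options) + transport bytes."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, frag,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


def tcp_segment(payload, dport=80):
    """Constructed 20-byte TCP header (data offset 5) followed by payload."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload


def udp_datagram(dport, payload=bytes(12)):
    """Constructed 8-byte UDP header followed by payload."""
    return struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload


def matches(listing, pkt):
    """True when the compiled filter accepts the packet (non-zero return value)."""
    return run(parse_program(listing), pkt) != 0


if __name__ == "__main__":
    prog = parse_program(EN0_PROGRAM)
    for name, pkt in [("TCP GET", ethernet_ipv4(6, tcp_segment(b"GET / HTTP/1.1\r\n"))),
                      ("TCP POST", ethernet_ipv4(6, tcp_segment(b"POST / HTTP/1.1\r\n"))),
                      ("UDP to 53", ethernet_ipv4(17, udp_datagram(53))),
                      ("UDP to 5353", ethernet_ipv4(17, udp_datagram(5353)))]:
        print("%-12s -> ret #%d" % (name, run(prog, pkt)))
```

Tracing the accepted TCP case by hand matches the listing: `ldxb` sets `x` to 20 (the IPv4 header length), `ldb [x + 26]` reads the TCP data-offset byte at frame offset 46, the `and`/`rsh` turn `0x50` into 20, `add x` and `tax` make `x` 40, and `ld [x + 14]` reads frame offset 54, the first four payload bytes. Every offset in the `lo0` listing is exactly 10 smaller, which is the difference between a 14-byte Ethernet header and a 4-byte loopback header, and is the reason the answer insists on compiling for the link-layer type you will actually capture on.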
