
Srivats's profile - activity

2024-04-07 21:49:12 +0000 received badge  Famous Question
2023-07-24 18:18:43 +0000 received badge  Notable Question
2023-03-02 05:11:31 +0000 commented answer Capture Filter not working due to incorrect BPF?

Thanks Chris! This is great. Two curiosity questions - 1. is there a "runtime" way to tell libpcap NOT to use bpf extens

2023-03-02 05:08:09 +0000 commented answer Capture Filter not working due to incorrect BPF?

Yup, the trouble starts only when you open an interface and discover that the socket supports BPF extensions - I think b

2023-03-01 19:52:42 +0000 received badge  Popular Question
2023-02-22 05:31:49 +0000 commented answer Capture Filter not working due to incorrect BPF?

@Chuckc - thanks for updating the link to the libpcap issue here - I forgot to do that. I've seen that FAQ entry, but I

2023-02-22 05:28:34 +0000 commented answer Capture Filter not working due to incorrect BPF?

@cmaynard - yes, the Wireshark generated BPF instructions were taken on the same system as dumpcap - an Ubuntu 22.04. Th

2023-02-21 08:55:57 +0000 marked best answer Capture Filter not working due to incorrect BPF?

Hi,

Wireshark 3.6.2 (Ubuntu 22.04.1 LTS) is not able to capture packets with the below filter -

(ether[len - 4:4] == 0x1d10c0da) and not (icmp or (vlan and icmp))

The packets are UDP with VLAN and have the pattern 0x1d10c0da at the end which should match the above capture filter, but they don't.

To investigate, I used dumpcap -d with the above filter

$ dumpcap -c 5 -i enp0s9 -f "(ether[len - 4:4] == 0x1d10c0da) and not (icmp or (vlan and icmp))" -d
Capturing on 'enp0s9'
(000) ld       #0x0
(001) st       M[4]
(002) ld       #pktlen
(003) sub      #4
(004) tax
(005) ld       [x + 0]
(006) st       M[2]
(007) ld       #0x1d10c0da
(008) st       M[3]
(009) ld       M[2]
(010) jeq      #0x1d10c0da      jt 11   jf 32
(011) ldh      [12]
(012) jeq      #0x800           jt 13   jf 15
(013) ldb      [23]
(014) jeq      #0x1             jt 32   jf 15
(015) ldb      [vlanp]
(016) jeq      #0x1             jt 25   jf 17
(017) ld       #0x1d10c0de
(018) st       M[3]
(019) ld       #0x4
(020) st       M[4]
(021) ldh      [12]
(022) jeq      #0x8100          jt 25   jf 23
(023) jeq      #0x88a8          jt 25   jf 24
(024) jeq      #0x9100          jt 25   jf 31
(025) ldx      M[4]
(026) ldh      [x + 12]
(027) jeq      #0x800           jt 28   jf 31
(028) ldx      M[3]
(029) ldb      [x + 23]
(030) jeq      #0x1             jt 32   jf 31
(031) ret      #262144
(032) ret      #0

All seems ok until we get past the vlanp (vlan present) check.

If I'm reading the instructions correctly, I think the problem is (017), (018) which stores 0x1d10c0de into M[3] which is accessed by (028), (029).

Instruction (028) seems incorrect to me as (029) expects x to be 4 similar to (026).

tcpdump -d also generates the same bpf instructions. Trying --no-optimize with tcpdump has a similar error in the unoptimized code.

However, the Wireshark Capture Options | Compile BPFs seems to generate the correct BPF instructions -

(000) ld       #pktlen
(001) sub      #4
(002) tax      
(003) ld       [x + 0]
(004) jeq      #0x1d10c0da      jt 5    jf 17
(005) ldh      [12]
(006) jeq      #0x800           jt 7    jf 9
(007) ldb      [23]
(008) jeq      #0x1             jt 17   jf 16
(009) jeq      #0x8100          jt 12   jf 10
(010) jeq      #0x88a8          jt 12   jf 11
(011) jeq      #0x9100          jt 12   jf 16
(012) ldh      [16]
(013) jeq      #0x800           jt 14   jf 16
(014) ldb      [27]
(015) jeq      #0x1             jt 17   jf 16
(016) ret      #262144
(017) ret      #0

Does Wireshark Compile BPFs use a different BPF compiler than dumpcap? Since the instructions generated by dumpcap are the same as tcpdump's, I assume both of them use the libpcap pcap_compile()?

dumpcap version

$ dumpcap --version
Dumpcap (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or ...
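As an added illustration (not part of the question above, and not code from Wireshark or libpcap), here is a small classic-BPF interpreter in Python that runs both listings from the question over a constructed 802.1Q-tagged UDP packet whose last four bytes are 0x1d10c0da. The packet bytes, the modelling of the ldb [vlanp] extension as a vlan_present flag, and the "tag stripped by kernel" scenario are assumptions made for the example; the instruction text is the question's own. The run shows the Wireshark listing accepting the packet while the dumpcap listing rejects it on both paths: (028) loads M[3] (0x1d10c0de, or 0x1d10c0da on the vlanp path) into X and (029) then reads past the end of the packet, which classic BPF treats as "drop".

```python
# Added example (not from the question or from Wireshark/libpcap): a minimal classic-BPF interpreter.
import re
import struct

ACCEPT = 262144   # "ret #262144" (the snaplen) accepts a packet; "ret #0" drops it

# The question's two listings, instructions separated by ";"; jumps are absolute instruction numbers.
DUMPCAP_BPF = """
ld #0x0; st M[4]; ld #pktlen; sub #4; tax; ld [x + 0]; st M[2];
ld #0x1d10c0da; st M[3]; ld M[2]; jeq #0x1d10c0da jt 11 jf 32;
ldh [12]; jeq #0x800 jt 13 jf 15; ldb [23]; jeq #0x1 jt 32 jf 15;
ldb [vlanp]; jeq #0x1 jt 25 jf 17; ld #0x1d10c0de; st M[3]; ld #0x4; st M[4];
ldh [12]; jeq #0x8100 jt 25 jf 23; jeq #0x88a8 jt 25 jf 24; jeq #0x9100 jt 25 jf 31;
ldx M[4]; ldh [x + 12]; jeq #0x800 jt 28 jf 31;
ldx M[3]; ldb [x + 23]; jeq #0x1 jt 32 jf 31; ret #262144; ret #0
"""
WIRESHARK_BPF = """
ld #pktlen; sub #4; tax; ld [x + 0]; jeq #0x1d10c0da jt 5 jf 17;
ldh [12]; jeq #0x800 jt 7 jf 9; ldb [23]; jeq #0x1 jt 17 jf 16;
jeq #0x8100 jt 12 jf 10; jeq #0x88a8 jt 12 jf 11; jeq #0x9100 jt 12 jf 16;
ldh [16]; jeq #0x800 jt 14 jf 16; ldb [27]; jeq #0x1 jt 17 jf 16;
ret #262144; ret #0
"""

def parse(listing):
    """Turn 'ldh [x + 12]' / 'jeq #0x800 jt 13 jf 15' text into (op, arg, jt, jf) tuples."""
    prog = []
    for ins in (s.strip() for s in listing.split(";")):
        if not ins:
            continue
        op, arg = re.match(r"^(?:\(\d+\)\s*)?(\w+)\s*(.*)$", ins).groups()
        arg, jt, jf = arg.replace(" ", ""), None, None
        jm = re.search(r"jt(\d+)jf(\d+)$", arg)
        if jm:
            jt, jf, arg = int(jm.group(1)), int(jm.group(2)), arg[:jm.start()]
        prog.append((op, arg, jt, jf))
    return prog

def run(prog, pkt, vlan_present=False):
    """Execute a classic-BPF program over pkt; returns the ret value (0 = drop)."""
    A = X = pc = 0
    M = [0] * 16                       # the 16 scratch memory slots
    while True:
        op, arg, jt, jf = prog[pc]
        if op == "ret":
            return int(arg[1:], 0)
        if op == "jeq":
            pc = jt if A == int(arg[1:], 0) else jf
            continue
        if op == "tax":
            X = A
        elif op == "ldx":
            X = M[int(arg[2:-1])]
        elif op == "st":
            M[int(arg[2:-1])] = A
        elif op == "sub":
            A = (A - int(arg[1:], 0)) & 0xFFFFFFFF
        elif op in ("ld", "ldh", "ldb"):
            size = {"ld": 4, "ldh": 2, "ldb": 1}[op]
            if arg == "#pktlen":
                A = len(pkt)
            elif arg.startswith("#"):
                A = int(arg[1:], 0)
            elif arg.startswith("M["):
                A = M[int(arg[2:-1])]
            elif arg == "[vlanp]":
                # Linux SKF_AD_VLAN_TAG_PRESENT, modelled (assumption) as a flag: 1 when the kernel moved the tag into skb metadata
                A = 1 if vlan_present else 0
            else:
                inner = arg[1:-1]
                off = X + int(inner[2:], 0) if inner.startswith("x+") else int(inner, 0)
                if off + size > len(pkt):
                    return 0           # classic BPF: an out-of-range load rejects the packet
                A = int.from_bytes(pkt[off:off + size], "big")
        pc += 1

def build_tagged_udp():
    """Constructed sample: Ethernet + 802.1Q (VID 100) + IPv4/UDP whose payload ends in 1d10c0da."""
    payload = b"hello" + bytes.fromhex("1d10c0da")
    udp = struct.pack("!HHHH", 1234, 5678, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0,
                     64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes.fromhex("001122334455" "66778899aabb" "8100" "0064" "0800")
    return eth + ip + udp + payload

def compare():
    pkt = build_tagged_udp()
    stripped = pkt[:12] + pkt[16:]     # assumed: the kernel stripped the 802.1Q tag into metadata
    return {
        "wireshark, tag in packet data": run(parse(WIRESHARK_BPF), pkt),
        "dumpcap, tag in packet data": run(parse(DUMPCAP_BPF), pkt),
        "dumpcap, tag stripped by kernel": run(parse(DUMPCAP_BPF), stripped, True),
    }

if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:32s} -> {'accept' if verdict == ACCEPT else 'drop'}")
```

Running it prints one verdict per scenario. The interpreter implements only the opcodes the two listings use, and it treats an out-of-range packet load the way both the Linux kernel filter and libpcap's userland bpf_filter() do, by returning 0 for the packet; that is why every IPv4 packet hits the broken (029) load and is dropped, not just ICMP.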
2023-02-21 08:55:57 +0000 received badge  Scholar
2023-02-21 08:55:27 +0000 commented answer Capture Filter not working due to incorrect BPF?

Yes, reversing the filter works. The filter is actually part of an application and was written in the form it was to be

2023-02-20 15:50:21 +0000 commented question Capture Filter not working due to incorrect BPF?

@Chuckc I've updated dumpcap and tcpdump versions. However, I'm not sure if it's related to the issue you mentioned.

2023-02-20 15:48:37 +0000 received badge  Editor
2023-02-20 15:48:37 +0000 edited question Capture Filter not working due to incorrect BPF?

Capture Filter not working due to incorrect BPF? Hi, Wireshark 3.6.2 (Ubuntu 22.04.1 LTS) is not able to capture packet

2023-02-20 12:39:26 +0000 commented question Capture Filter not working due to incorrect BPF?

@jaap - yes, same interface enp0s9 on Wireshark as well. If I remove the or (vlan and icmp) from the filter, packets sta

2023-02-20 10:26:23 +0000 asked a question Capture Filter not working due to incorrect BPF?

Capture Filter not working due to incorrect BPF? Hi, Wireshark 3.6.2 (Ubuntu 22.04.1 LTS) is not able to capture packet