Home page logo

tcpdump mailing list archives

Re: bpf filtering for new DLT type
From: Guy Harris <guy () alum mit edu>
Date: Fri, 15 Jan 2010 10:41:15 -0800

On Jan 15, 2010, at 8:31 AM, Lidwa, Eric (GSFC-582.0)[SGT INC] wrote:

I am trying to find information on what is needed to implement bpf filtering for a new DLT type (in my case DLT_AOS).

Initially I added to gencode.c in libpcap the following:

              case DLT_AOS:
               * Currently, only raw "link[N:M]" filtering is supported.
              off_linktype = -1;
              off_macpl = -1;
              off_nl = -1;
              off_nl_nosnap = -1;

Now I would like to implement bpf filtering for AOS protocol. Could somebody please point me to info on the steps to 
take? Would this require rebuilding of the kernel (I am on linux)?

Do I need to modify grammar.y and scanner.l ? If yes, what else needs to be done?

The first thing you need to do is decide what filtering primitives you need.

If it's sufficient to have primitives such as "link[0:4] = 0x40" (that particular example tests whether bytes 0-3 of 
the packet, interpreted as a big-endian integer, have the value 0x40), there's nothing you need to do, as per the 

If an IP datagram can be encapsulated in a single Space Data Protocol packet, and you want to filter on IP addresses, 
TCP and UDP port numbers, and the like, you would only have to change gencode.c.  You'd add a DLT_AOS case to 
gen_linktype() and generate the appropriate BPF code to check whether there's an IP datagram in the packet, and would 
have to make other changes as well.

If you want to add filters for fields in the packet that you can put in a tcpdump/Wireshark capture filter expression, 
so that you don't have to use expressions such as "link[0:4] = 0x40", you would, in fact, have to modify grammar.y and 
scanner.l, and might have to modify gencode.c as well.

You would *NOT* have to rebuild the kernel.  The way that filtering works is that libpcap, and the kernels of various 
UN*Xes (*BSD, Mac OS X, Linux, Tru64 UNIX) and the WinPcap driver, have an interpreter for a pseudo-machine-language, 
and a filter is translated into a program in that pseudo-machine-language and loaded into the kernel (or interpreted by 
libpcap on platforms that don't have an in-kernel interpreter).  Most of the instructions are generic; there are some 
that perform IP-specific operations, but that's just to let some very common operations be done in one instruction.  
See, for example:

This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]