tcpdump mailing list archives
Re: [libpcap] OR'ing vlans impossible in tcpdump filter (#158)
From: Michael Richardson <mcr () sandelman ca>
Date: Fri, 11 Oct 2013 21:20:54 -0400
Please take this discussion to the tcpdump-workers list.
shohamp writes:
> This commit by @yuguy explains this issue very well. yacc parses the
> bpf from left to right without saving the state, and doesn't provide a
> tree of some kind, which would allow an easy solution. @yuguy says that
> OR'ing vlans in the current parsing methodology is impossible.
> But there might be a solution, if GCC used yacc in a previous version to
> parse C code, a state can be saved. We simply want yacc to parse
> parentheses, and using them to increment the offset, and with each 'OR'
> it encounters, resetting the offset to its last state. Let me explain:
> tcpdump -d 'vlan and (vlan or arp) or ip' means:
> 1. filter vlan with the current offset (0) and increment offset ( = 4)
> 2. open parenthesis. push the offset in a stack
> 3. filter vlan with the current offset (0) and increment offset ( = 8)
> 4. or. reset the offset to its state in the last parenthesis from the
>    offset stack ( = 4)
> 5. filter arp with the current offset (4)
> 6. close parenthesis. pop the offset's state
> 7. or. reset the offset to its state in the last parenthesis from the
>    offset stack ( = 0)
> 8. filter ip with the current offset (0)
> As it seems to me, this will solve the issue, and would allow OR'ing
> vlans.
> What do you say?
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
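
The offset-stack walk proposed in the quoted message, simulated as an added example (not part of the original thread and not libpcap code); it records the offset at which each primitive would be tested, with the second `vlan` landing at 4, the value the increment to 8 implies. Assumptions: `walk_offsets` and `struct match` are hypothetical names, only `vlan` moves the offset, and the offset after a closing parenthesis is left as the last branch set it, since the post does not specify that case.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 16
#define VLAN_TAG_LEN 4              /* bytes added by one 802.1Q tag */

struct match { char name[16]; int offset; };  /* primitive and the offset it is tested at */

/* Walk the filter left to right as the quoted steps describe. Returns the
 * number of primitives recorded, or -1 on bad nesting or overflow. */
int walk_offsets(const char *expr, struct match *out, int max_out)
{
    int stack[MAX_DEPTH], depth = 0, off = 0, n = 0;

    stack[depth++] = 0;             /* state outside any parentheses */
    for (const char *p = expr; *p; ) {
        if (*p == ' ') { p++; continue; }
        if (*p == '(') {            /* push the current offset */
            if (depth == MAX_DEPTH) return -1;
            stack[depth++] = off;
            p++; continue;
        }
        if (*p == ')') {            /* pop; assumption: offset stays as the last branch left it */
            if (depth == 1) return -1;
            depth--;
            p++; continue;
        }
        size_t len = strcspn(p, " ()");
        if (len == 2 && !strncmp(p, "or", 2)) {
            off = stack[depth - 1]; /* reset to the enclosing saved state */
        } else if (!(len == 3 && !strncmp(p, "and", 3))) {
            if (n == max_out || len >= sizeof out[n].name) return -1;
            memcpy(out[n].name, p, len);
            out[n].name[len] = '\0';
            out[n++].offset = off;  /* primitive is tested at the current offset */
            if (!strcmp(out[n - 1].name, "vlan")) off += VLAN_TAG_LEN;
        }
        p += len;
    }
    return depth == 1 ? n : -1;     /* unclosed parenthesis is an error */
}

int main(void)
{
    struct match m[8];
    int n = walk_offsets("vlan and (vlan or arp) or ip", m, 8);  /* filter from the post */
    for (int i = 0; i < n; i++)
        printf("%-4s tested at offset %d\n", m[i].name, m[i].offset);
    return n < 0;
}
```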
