--- Begin Message ---
On Fri, Nov 06, 2020 at 02:36:13PM +0000, Denis Ovsienko via tcpdump-workers 
wrote:
> Date: Fri, 6 Nov 2020 14:36:13 +0000
> From: Denis Ovsienko <de...@ovsienko.info>
> To: Linus Lüssing via tcpdump-workers <tcpdump-workers@lists.tcpdump.org>
> Subject: Re: [tcpdump-workers] Custom decoding offset? (for batman-adv)
> [...]
> editcap would possibly do as a one-time hack given every packet is a
> batman-adv packet, but a clean solution would likely need to introduce a
> keyword into pcap filter language along the lines of "pppoed" and
> "pppoes":
> 
>        pppoes [session_id]
>               [...]

Thanks for the pointers! I got a simple "batadv" like the "pppoed"
working, which checks for the ethertype in the same way.

Next I would like to further extend it with checks for two fields
in the batman-adv header, the version and the type field. From a
user perspective I would find the following syntax the easiest:

  batadv [version UINT8] [type UINT8] ...

Ideally it would be possible to interchange the version and type
attributes. And the type attribute should only be accepted if
"version" is either 14 or 15 (these are the only two versions in
use these days; 14 is further deprecated).

Later I would also like to add more pairs. For instance [ttl
UINT8]. However this one is only available for some version/type
combinations.


I couldn't find an example for this kind of syntax in the pcap-filter
manpage. Or is the only way supported or preferred by libpcap to have
separate rules for each field to test? Like for "wlan addr1",
"wlan addr2" etc.?

Regards

--- End Message ---
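
The syntax proposed in the message above, as an added example in stand-alone C (not code from the post, and not libpcap's own grammar or API): it accepts "version" and "type" in either order and rejects "type" unless "version" is 14 or 15. The names struct batadv_match, next_tok and batadv_parse are hypothetical, and reading the constraint as "type requires an explicit version 14 or 15" is an assumption.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical result type; -1 means the attribute was not given. */
struct batadv_match { int version; int type; };

/* Copy the next blank-delimited token into tok.
 * Returns 1 on a token, 0 at end of input, -1 if the token is too long. */
static int next_tok(const char **p, char *tok, size_t cap)
{
    size_t n;

    *p += strspn(*p, " \t");
    n = strcspn(*p, " \t");
    if (n == 0 || n >= cap)
        return n == 0 ? 0 : -1;
    memcpy(tok, *p, n);
    tok[n] = '\0';
    *p += n;
    return 1;
}

/* Parse "batadv [version UINT8] [type UINT8]", attributes in either order.
 * Returns 0 on success, -1 on a syntax or constraint error. */
int batadv_parse(const char *expr, struct batadv_match *m)
{
    char tok[16], *end;
    unsigned long v;
    int r, *slot;

    m->version = m->type = -1;
    if (next_tok(&expr, tok, sizeof(tok)) != 1 || strcmp(tok, "batadv") != 0)
        return -1;
    while ((r = next_tok(&expr, tok, sizeof(tok))) == 1) {
        slot = strcmp(tok, "version") == 0 ? &m->version :
               strcmp(tok, "type") == 0 ? &m->type : NULL;
        if (slot == NULL || *slot != -1 || next_tok(&expr, tok, sizeof(tok)) != 1)
            return -1;   /* unknown or duplicate attribute, or missing value */
        v = strtoul(tok, &end, 10);
        if (tok[0] < '0' || tok[0] > '9' || *end != '\0' || v > 255)
            return -1;   /* not a decimal UINT8 */
        *slot = (int)v;
    }
    /* Constraint from the message: "type" only with version 14 or 15. */
    if (m->type != -1 && m->version != 14 && m->version != 15)
        return -1;
    return r;   /* 0 at clean end of input, -1 on an over-long token */
}
```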
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
