On Tue, Oct 16, 2012 at 2:58 PM, Jon Schipp <[email protected]> wrote:
> I'm having a little trouble understanding how to use bpfc. Using: bpfc 0.5.8
> I've read the man page, this, and grepped through the Documentation
> directory for "bpfc":
> https://github.com/gnumaniacs/netsniff-ng/blob/master/Documentation/Bpfc
>
> It seems that bpfc only reads from a file. I tried putting a normal
> BPF into a file
> e.g. echo "arp" > test.bpf ; bpfc -i test.bpf
> Syntax error at line 2: ! syntax error, unexpected $end, expecting ':'!
>
> I also tried using tcpdump to create a filter and then pass the file
> to bpfc to see what would happen
> e.g. tcpdump -dd arp >test.bpf ; bpfc -i test.bpf
> Syntax error at line 1: {! lex Unknown character!
>
> If bpfc takes a file, what goes into it? How do I create filters?

Have a look at src/examples/bpfc. If you would like to build a filter
for arp, create a file 'foo' and fill it with:

ldh [12]                        ; Load Ethernet type field
jeq #0x806, Keep, Drop          ; Check ethertype against 0x806
Keep: ret #0xffffffff           ; Return full packet
Drop: ret #0                    ; Discard packet

The comments behind each instruction explain it; the documentation
you mentioned covers it in more depth.

You can give this to bpfc with "bpfc foo" and it will compile this
into opcodes the kernel/netsniff-ng understands, e.g.:

{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 1, 0x00000806 },
{ 0x6, 0, 0, 0xffffffff },
{ 0x6, 0, 0, 0x00000000 },

So you can push this into a file like "bpfc foo > bar" and give
netsniff-ng this via --filter, i.e. netsniff-ng --filter bar.

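To show what the four "{ code, jt, jf, k }" lines above actually do once the kernel or netsniff-ng runs them, here is an added example that is not part of this thread and not netsniff-ng or bpfc code. It is a minimal classic-BPF interpreter covering only the three opcodes the compiled filter uses (ldh [k], jeq #k and ret #k, with jump offsets taken relative to the following instruction as the kernel does), run over constructed Ethernet frames: an untagged ARP frame, an IPv4 frame, an 802.1Q-tagged ARP frame and a runt frame. The function and frame names (bpf_run, filter_arp_frame and friends) are hypothetical, chosen for this example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One classic-BPF instruction, laid out like the kernel's struct sock_filter
 * and like each "{ code, jt, jf, k }" line that bpfc prints. */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* The four opcodes bpfc emits for the 'foo' filter in the reply above. */
static const struct bpf_insn arp_prog[] = {
    { 0x28, 0, 0, 0x0000000c },   /* ldh [12]                */
    { 0x15, 0, 1, 0x00000806 },   /* jeq #0x806, +0, +1      */
    { 0x6,  0, 0, 0xffffffff },   /* ret #0xffffffff (keep)  */
    { 0x6,  0, 0, 0x00000000 },   /* ret #0 (drop)           */
};
#define ARP_PROG_LEN (sizeof(arp_prog) / sizeof(arp_prog[0]))

/* Opcode values as defined in <linux/filter.h>:
 * BPF_LD|BPF_H|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K */
enum { OP_LDH_ABS = 0x28, OP_JEQ_K = 0x15, OP_RET_K = 0x06 };

/* Hypothetical interpreter for just the opcodes above (not netsniff-ng code).
 * Returns the number of bytes to keep; 0 means drop, as in the kernel. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n,
                 const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                /* accumulator */
    size_t pc = 0;

    while (pc < n) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LDH_ABS:
            /* A = 16-bit big-endian half-word at absolute offset k.
             * An out-of-bounds load makes the kernel drop the packet. */
            if ((size_t)in->k + 2 > len)
                return 0;
            a = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            pc++;
            break;
        case OP_JEQ_K:
            /* jt/jf are offsets relative to the *next* instruction */
            pc += 1 + ((a == in->k) ? in->jt : in->jf);
            break;
        case OP_RET_K:
            return in->k;
        default:
            return 0;              /* opcode not modelled here: reject */
        }
    }
    return 0;                      /* ran off the end: reject */
}

static uint32_t run_arp_prog_on(const uint8_t *frame, size_t len)
{
    return bpf_run(arp_prog, ARP_PROG_LEN, frame, len);
}

/* Constructed sample frames: 14-byte Ethernet header plus a few payload bytes. */
uint32_t filter_arp_frame(void)
{
    static const uint8_t f[] = {
        0xff,0xff,0xff,0xff,0xff,0xff,  0x00,0x11,0x22,0x33,0x44,0x55,
        0x08,0x06,                      /* EtherType 0x0806 = ARP */
        0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01 };
    return run_arp_prog_on(f, sizeof f);
}

uint32_t filter_ipv4_frame(void)
{
    static const uint8_t f[] = {
        0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xaa,0xbb,
        0x08,0x00,                      /* EtherType 0x0800 = IPv4 */
        0x45,0x00,0x00,0x14 };
    return run_arp_prog_on(f, sizeof f);
}

/* 802.1Q-tagged ARP: offset 12 holds the TPID 0x8100, so this filter misses it. */
uint32_t filter_vlan_arp_frame(void)
{
    static const uint8_t f[] = {
        0xff,0xff,0xff,0xff,0xff,0xff,  0x00,0x11,0x22,0x33,0x44,0x55,
        0x81,0x00, 0x00,0x0a,           /* TPID 0x8100, VLAN ID 10 */
        0x08,0x06,                      /* real EtherType sits at offset 16 */
        0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01 };
    return run_arp_prog_on(f, sizeof f);
}

/* Runt frame shorter than the 14-byte header: the ldh [12] is out of bounds. */
uint32_t filter_runt_frame(void)
{
    static const uint8_t f[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11 };
    return run_arp_prog_on(f, sizeof f);
}

int main(void)
{
    printf("untagged ARP frame -> %" PRIu32 "\n", filter_arp_frame());
    printf("IPv4 frame         -> %" PRIu32 "\n", filter_ipv4_frame());
    printf("VLAN-tagged ARP    -> %" PRIu32 "\n", filter_vlan_arp_frame());
    printf("runt frame         -> %" PRIu32 "\n", filter_runt_frame());
    return 0;
}
```

The tagged-frame case is the caveat worth remembering when writing filters by hand: "ldh [12]" reads whatever is at byte 12, so an 802.1Q header shifts the real EtherType to offset 16 and the filter drops tagged ARP, just as a plain tcpdump "arp" expression would. If you need both, branch on 0x8100 at offset 12 first and re-check at offset 16.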