Ah, I understand now. I keep thinking high-level filters. I'll write this up. Thanks!
On Tue, Oct 16, 2012 at 9:03 AM, Daniel Borkmann <[email protected]> wrote:
> On Tue, Oct 16, 2012 at 2:58 PM, Jon Schipp <[email protected]> wrote:
>> I'm having a little trouble understanding how to use bpfc. Using: bpfc 0.5.8
>> I've read the man page, this, and grepp'd through the Documentation
>> directory for "bpfc":
>> https://github.com/gnumaniacs/netsniff-ng/blob/master/Documentation/Bpfc
>>
>> It seems that bpfc only reads from a file. I tried putting a normal
>> BPF into a file
>> e.g. echo "arp" > test.bpf ; bpfc -i test.bpf
>> Syntax error at line 2: ! syntax error, unexpected $end, expecting ':'!
>>
>> I also tried using tcpdump to create a filter and then pass the file
>> to bpfc to see what would happen
>> e.g. tcpdump -dd arp >test.bpf ; bpfc -i test.bpf
>> Syntax error at line 1: {! lex Unknown character!
>>
>> If bpfc takes a file, what goes into it? How do I create filters?
>
> Have a look at src/examples/bpfc. If you would like to build a filter
> for arp, create a file 'foo' and fill it with:
>
> ldh [12] ; Load Ethernet type field
> jeq #0x806, Keep, Drop ; Check ethertype against 0x806
> Keep: ret #0xffffffff ; Return full packet
> Drop: ret #0 ; Discard packet
>
> The comments behind each instruction explain it, but more in-depth in
> the documentation that you've mentioned.
>
> You can give this to bpfc with "bpfc foo" and it will compile this
> into opcodes the kernel/netsniff-ng understands, e.g.:
>
> { 0x28, 0, 0, 0x0000000c },
> { 0x15, 0, 1, 0x00000806 },
> { 0x6, 0, 0, 0xffffffff },
> { 0x6, 0, 0, 0x00000000 },
>
> So you can push this into a file like "bpfc foo > bar" and give
> netsniff-ng this via --filter, i.e. netsniff-ng --filter bar.
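The four opcodes Daniel shows are what the kernel's classic BPF machine actually executes; the program below, an added example and not code from netsniff-ng or the thread, is a minimal interpreter for just the three opcodes that arp program uses (ldh [k], jeq #k, ret #k) and runs the emitted table over two constructed 14-byte Ethernet headers to show why one is kept and the other dropped.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One classic BPF instruction, laid out like struct sock_filter:
 * opcode, jump-if-true offset, jump-if-false offset, constant k. */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define OP_LDH_ABS 0x28 /* ldh [k]: A = big-endian 16-bit word at packet offset k */
#define OP_JEQ_K   0x15 /* jeq #k, jt, jf: pc += (A == k) ? jt : jf */
#define OP_RET_K   0x06 /* ret #k: accept k bytes of the packet, 0 means drop */

/* The opcode table bpfc produced for the arp filter, copied from the mail. */
static const struct bpf_insn arp_prog[] = {
    { 0x28, 0, 0, 0x0000000c },
    { 0x15, 0, 1, 0x00000806 },
    { 0x6,  0, 0, 0xffffffff },
    { 0x6,  0, 0, 0x00000000 },
};

/* Returns the ret value; 0 (drop) on an out-of-bounds load, an unsupported
 * opcode, or falling off the end of the program. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LDH_ABS:
            if (len < 2 || in->k > len - 2) return 0; /* load past the packet: reject */
            acc = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            break;
        case OP_JEQ_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case OP_RET_K: return in->k;
        default:       return 0;
        }
    }
    return 0;
}

/* Constructed Ethernet headers: only the ethertype at offset 12 is filled in. */
static const uint8_t arp_frame[14]  = { [12] = 0x08, [13] = 0x06 };
static const uint8_t ipv4_frame[14] = { [12] = 0x08, [13] = 0x00 };

uint32_t run_arp_prog(const uint8_t *pkt, size_t len)
{
    return bpf_run(arp_prog, sizeof arp_prog / sizeof arp_prog[0], pkt, len);
}

int main(void)
{
    printf("arp frame  -> %#x\n", run_arp_prog(arp_frame, sizeof arp_frame));   /* 0xffffffff */
    printf("ipv4 frame -> %#x\n", run_arp_prog(ipv4_frame, sizeof ipv4_frame)); /* 0 */
    return 0;
}
```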
