On Tue, Oct 16, 2012 at 3:30 PM, Jon Schipp <[email protected]> wrote:
> Ah, I understand now. I keep thinking high-level filters.
> I'll write this up.
> Thanks!

Indeed, this is rather low-level, assembler-like and originally developed
like this by McCanne and Van Jacobson. We're working on our own high-level
implementation. For a quick hack, use tcpdump -dd <filter>.

> On Tue, Oct 16, 2012 at 9:03 AM, Daniel Borkmann <[email protected]>
> wrote:
>> On Tue, Oct 16, 2012 at 2:58 PM, Jon Schipp <[email protected]> wrote:
>>> I'm having a little trouble understanding how to use bpfc. Using: bpfc 0.5.8
>>> I've read the man page, this, and grepp'd through the Documentation
>>> directory for "bpfc":
>>> https://github.com/gnumaniacs/netsniff-ng/blob/master/Documentation/Bpfc
>>>
>>> It seems that bpfc only reads from a file. I tried putting a normal
>>> BPF into a file
>>> e.g. echo "arp" > test.bpf ; bpfc -i test.bpf
>>> Syntax error at line 2: ! syntax error, unexpected $end, expecting ':'!
>>>
>>> I also tried using tcpdump to create a filter and then pass the file
>>> to bpfc to see what would happen
>>> e.g. tcpdump -dd arp >test.bpf ; bpfc -i test.bpf
>>> Syntax error at line 1: {! lex Unknown character!
>>>
>>> If bpfc takes a file, what goes into it? How do I create filters?
>>
>> Have a look at src/examples/bpfc. If you would like to build a filter
>> for arp, create a file 'foo' and fill it with:
>>
>> ldh [12]                 ; Load Ethernet type field
>> jeq #0x806, Keep, Drop   ; Check ethertype against 0x806
>> Keep: ret #0xffffffff    ; Return full packet
>> Drop: ret #0             ; Discard packet
>>
>> The comments behind each instruction explain it, but more in-depth in
>> the documentation that you've mentioned.
>>
>> You can give this to bpfc with "bpfc foo" and it will compile this
>> into opcodes the kernel/netsniff-ng understands, e.g.:
>>
>> { 0x28, 0, 0, 0x0000000c },
>> { 0x15, 0, 1, 0x00000806 },
>> { 0x6, 0, 0, 0xffffffff },
>> { 0x6, 0, 0, 0x00000000 },
>>
>> So you can push this into a file like "bpfc foo > bar" and give
>> netsniff-ng this via --filter, i.e. netsniff-ng --filter bar.
--
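To make the four compiled opcodes above concrete, here is a tiny classic-BPF interpreter that executes exactly the program bpfc emits for the 'foo' file and shows why { 0x15, 0, 1, 0x806 } keeps ARP and drops everything else. This is an added example for this thread, not code from netsniff-ng or the kernel; the struct layout (code, jt, jf, k) and the opcode values 0x28 (BPF_LD|BPF_H|BPF_ABS), 0x15 (BPF_JMP|BPF_JEQ|BPF_K) and 0x06 (BPF_RET|BPF_K) are the real ones, while the frames, the function names and the out-of-bounds handling are constructed for illustration. Only the three opcodes the example program uses are implemented.

```c
/* Minimal classic-BPF interpreter for the ARP filter from the thread.
 * Added example, not netsniff-ng or kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same four fields as the kernel's struct sock_filter: opcode, jt, jf, k. */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* Opcodes exactly as they appear in the bpfc output quoted above. */
#define OP_LDH_ABS 0x28   /* BPF_LD | BPF_H | BPF_ABS  : A = halfword at [k] */
#define OP_JEQ_K   0x15   /* BPF_JMP | BPF_JEQ | BPF_K : pc += (A == k) ? jt : jf */
#define OP_RET_K   0x06   /* BPF_RET | BPF_K           : accept k bytes */

/* The program bpfc compiles from the 'foo' file in the thread. */
static const struct bpf_insn arp_filter[] = {
    { 0x28, 0, 0, 0x0000000c },   /* ldh [12]            : A = ethertype        */
    { 0x15, 0, 1, 0x00000806 },   /* jeq #0x806, Keep, Drop: jt=0 falls through */
    { 0x6,  0, 0, 0xffffffff },   /* Keep: ret #0xffffffff                       */
    { 0x6,  0, 0, 0x00000000 },   /* Drop: ret #0                                */
};
#define ARP_FILTER_LEN (sizeof arp_filter / sizeof arp_filter[0])

/* Execute a cBPF program over one packet. Returns the accept length
 * (0 means drop). A load past the end of the packet, an unknown opcode
 * or running off the end of the program all yield 0, the conservative
 * choice a packet filter should make on malformed input. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t ninsn,
                 const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    size_t pc = 0;

    while (pc < ninsn) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LDH_ABS:
            if ((size_t)in->k + 2 > len)
                return 0;                      /* bounds check: truncated frame */
            acc = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            pc++;
            break;
        case OP_JEQ_K:
            /* jt/jf are offsets relative to the instruction after this one */
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case OP_RET_K:
            return in->k;
        default:
            return 0;                          /* opcode not implemented here */
        }
    }
    return 0;
}

/* Constructed 60-byte Ethernet frame with zeroed MACs and the given ethertype. */
uint32_t verdict_for_ethertype(uint16_t ethertype)
{
    uint8_t frame[60] = {0};
    frame[12] = (uint8_t)(ethertype >> 8);
    frame[13] = (uint8_t)(ethertype & 0xff);
    return bpf_run(arp_filter, ARP_FILTER_LEN, frame, sizeof frame);
}

/* A frame cut off before the ethertype field: the ldh [12] cannot complete. */
uint32_t verdict_for_truncated_frame(void)
{
    uint8_t frame[13] = {0};
    return bpf_run(arp_filter, ARP_FILTER_LEN, frame, sizeof frame);
}

/* Print the program in the same "{ code, jt, jf, k }," form as bpfc/tcpdump -dd. */
void dump_program(const struct bpf_insn *prog, size_t ninsn)
{
    for (size_t i = 0; i < ninsn; i++)
        printf("{ 0x%x, %u, %u, 0x%08x },\n",
               prog[i].code, prog[i].jt, prog[i].jf, prog[i].k);
}

int main(void)
{
    dump_program(arp_filter, ARP_FILTER_LEN);
    printf("ARP  (0x0806): accept %u bytes\n", verdict_for_ethertype(0x0806));
    printf("IPv4 (0x0800): accept %u bytes\n", verdict_for_ethertype(0x0800));
    printf("13-byte frame: accept %u bytes\n", verdict_for_truncated_frame());
    return 0;
}
```

The jeq line is the one worth staring at: jt=0 means "fall through to the very next instruction" (Keep), and jf=1 means "skip one instruction" (landing on Drop), which is how bpfc resolves the two labels into the relative offsets the kernel expects.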
