On Fri, Jan 25, 2013 at 4:27 AM, Jon Schipp <[email protected]> wrote:

> I'm confused about the terminology here too.  I imagine that
> "-L|--lla               Compile low-level BPF"  means compile to
> low-level BPF rather than _output_ a low-level
> filter. I think it's just the ambiguous wording because mnemonics like
> ld, jeq look higher level than 0x20, 0x28.

Right, I've just removed that in upstream.

Also, for a better user experience, I've decided to add support for
tcpdump-like filtering syntax.

For netsniff-ng this means, e.g.:

 - netsniff-ng -i eth0 udp or tcp
 - netsniff-ng -i eth0 -f "udp or tcp" -V -o out.pcap --silent
 - netsniff-ng -i eth0 -f filter.bpfo -V -o out.pcap --silent

Where ``cat filter.bpfo'' contains something like these opcodes ...

{ 0x20, 0, 0, 0x00000008 },
{ 0x15, 0, 3, 0xccddeeff },
{ 0x28, 0, 0, 0x00000006 },
{ 0x15, 0, 1, 0x0000aabb },
{ 0x6, 0, 0, 0xffffffff },
{ 0x6, 0, 0, 0x00000000 },

.... that were produced by bpfc. This means you now have the full
program. ;-) For low-level debugging or advanced filtering (i.e. Linux
socket filter extensions), you can use bpfc, compile the filter into a
file and pass it to netsniff-ng; for high-level filtering, everyone knows
the tcpdump-like syntax, so you can pass this as well via -f. Internally,
it's checked whether the parameter you've passed is a file or not.
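As an added illustration (this is not netsniff-ng's or bpfc's code), the C program below reads the six opcodes from the mail in bpfc's "{ code, jt, jf, k }" text form, applies the structural checks the kernel performs before it will attach a classic BPF program (every conditional jump lands inside the program, the last instruction is a RET), and then interprets the four instruction types the program uses over two constructed Ethernet frames. The frames, the string constant and the function names are all made up for the example. It shows what this particular filter does: ld [8] and ldh [6] read the source MAC, so only frames whose source address is aa:bb:cc:dd:ee:ff are accepted, which is the check tcpdump generates for ether src aa:bb:cc:dd:ee:ff.

```c
/* Added example, not netsniff-ng or bpfc code: parse bpfc's text form,
 * validate like the kernel, and evaluate the program over two frames. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <linux/filter.h>   /* struct sock_filter and the BPF_* opcode macros */
#else
/* Same layout and values as <linux/filter.h>, so the file builds elsewhere. */
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_LD 0x00
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_W 0x00
#define BPF_H 0x08
#define BPF_ABS 0x20
#define BPF_JA 0x00
#define BPF_JEQ 0x10
#define BPF_K 0x00
#endif

#define MAX_INSNS 64

/* The six opcodes from the mail, as a filter.bpfo file would hold them. */
static const char *BPFO_TEXT =
    "{ 0x20, 0, 0, 0x00000008 },\n"
    "{ 0x15, 0, 3, 0xccddeeff },\n"
    "{ 0x28, 0, 0, 0x00000006 },\n"
    "{ 0x15, 0, 1, 0x0000aabb },\n"
    "{ 0x6, 0, 0, 0xffffffff },\n"
    "{ 0x6, 0, 0, 0x00000000 },\n";

/* Constructed frames: dst MAC, src MAC, EtherType, two payload bytes. */
static const uint8_t FRAME_FROM_AABB[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0xaa,0xbb,0xcc,0xdd,0xee,0xff, 0x08,0x00, 0x45,0x00 };
static const uint8_t FRAME_FROM_OTHER[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00, 0x45,0x00 };

/* Parse "{ code, jt, jf, k }" lines; returns the count or -1 on bad input. */
static int parse_bpfo(const char *text, struct sock_filter *out, int max)
{
    int n = 0;
    const char *p = text;
    while ((p = strchr(p, '{')) != NULL) {
        unsigned long v[4];
        p++;
        for (int i = 0; i < 4; i++) {
            char *end;
            v[i] = strtoul(p, &end, 0);   /* base 0 accepts 0x... and decimal */
            if (end == p) return -1;
            p = end;
            while (*p == ' ' || *p == ',') p++;
        }
        if (*p != '}' || n >= max || v[1] > 255 || v[2] > 255) return -1;
        out[n].code = (uint16_t)v[0];
        out[n].jt = (uint8_t)v[1];
        out[n].jf = (uint8_t)v[2];
        out[n].k = (uint32_t)v[3];
        n++;
    }
    return n;
}

/* Structural checks the kernel applies before attaching: conditional jumps
 * stay inside the program and the last instruction is a RET. */
static int validate_prog(const struct sock_filter *prog, int n)
{
    if (n <= 0) return 0;
    for (int pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (BPF_CLASS(in->code) == BPF_JMP && BPF_OP(in->code) != BPF_JA &&
            (pc + 1 + in->jt >= n || pc + 1 + in->jf >= n))
            return 0;
    }
    return BPF_CLASS(prog[n - 1].code) == BPF_RET;
}

/* Evaluate one frame. Returns the RET value (0 = drop, otherwise bytes to
 * keep) or -1 for an opcode this toy interpreter does not implement.
 * Loads past the end of the frame drop the packet, as in the kernel. */
static int64_t run_filter(const struct sock_filter *prog, int n,
                          const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;
    for (int pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        size_t k = in->k;
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:          /* 0x20: ld [k]  (32-bit) */
            if (k + 4 > len) return 0;
            A = (uint32_t)pkt[k] << 24 | (uint32_t)pkt[k + 1] << 16 |
                (uint32_t)pkt[k + 2] << 8 | pkt[k + 3];
            break;
        case BPF_LD | BPF_H | BPF_ABS:          /* 0x28: ldh [k] (16-bit) */
            if (k + 2 > len) return 0;
            A = (uint32_t)pkt[k] << 8 | pkt[k + 1];
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:         /* 0x15: jeq #k, jt, jf */
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:                   /* 0x06: ret #k */
            return in->k;
        default:
            return -1;
        }
    }
    return 0;
}

/* Parse, validate and run; -2 means the text did not parse or validate. */
static int64_t filter_result(const char *bpfo, const uint8_t *pkt, size_t len)
{
    struct sock_filter prog[MAX_INSNS];
    int n = parse_bpfo(bpfo, prog, MAX_INSNS);
    if (n < 0 || !validate_prog(prog, n)) return -2;
    return run_filter(prog, n, pkt, len);
}

int main(void)
{
    printf("src aa:bb:cc:dd:ee:ff -> %lld\n", (long long)
           filter_result(BPFO_TEXT, FRAME_FROM_AABB, sizeof FRAME_FROM_AABB));
    printf("src 00:11:22:33:44:55 -> %lld\n", (long long)
           filter_result(BPFO_TEXT, FRAME_FROM_OTHER, sizeof FRAME_FROM_OTHER));
    return 0;
}
```

The validation step is the part worth keeping in mind when hand-writing or post-editing bpfc output: a jt/jf that points past the end of the program, or a program that does not end in RET, is exactly what the kernel refuses at attach time, so checking a .bpfo file this way before handing it to netsniff-ng -f tells you whether the file or the capture tool is at fault.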
