On Sat, Jan 26, 2013 at 1:35 AM, Jon Schipp <[email protected]> wrote:
> Grabbed the latest:
>
> Building netsniff-ng toolkit (0.5.8-rc0) for x86_64-linux-gnu:
> Building netsniff-ng:
> -e   CC bpf.c
> bpf.c: In function ‘bpf_parse_rules’:
> bpf.c:780:21: error: storage size of ‘bpfp’ isn’t known
> bpf.c:780:21: warning: unused variable ‘bpfp’ [-Wunused-variable]
> make: *** [netsniff-ng/bpf.o] Error 1

Hmm, compilation works fine for me on Fedora.  Do you have
libpcap-dev/devel installed? It's used (only) to generate a
tcpdump-like BPF filter. Do you have this file?

  * /usr/include/pcap/pcap.h

Would it work if you change the include in bpf.c to <pcap.h> only?

Let me know.

> On Fri, Jan 25, 2013 at 9:53 AM, Daniel Borkmann <[email protected]> wrote:
>> On Fri, Jan 25, 2013 at 4:27 AM, Jon Schipp <[email protected]> wrote:
>>
>>> I'm confused about the terminology here too.  I imagine that
>>> "-L|--lla               Compile low-level BPF"  means compile to
>>> low-level BPF rather than _output_ a low-level
>>> filter. I think it's just the ambiguous wording because mnemonics like
>>> ld, jeq look higher level than 0x20, 0x28.
>>
>> Right, I've just removed that in upstream.
>>
>> Also, for a better user experience, I've decided to add support for
>> tcpdump-like filtering syntax.
>>
>> For netsniff-ng this means, e.g.:
>>
>>  - netsniff-ng -i eth0 udp or tcp
>>  - netsniff-ng -i eth0 -f "udp or tcp" -V -o out.pcap --silent
>>  - netsniff-ng -i eth0 -f filter.bpfo -V -o out.pcap --silent
>>
>> Where ``cat filter.bpfo'' contains sth. like these opcodes ...
>>
>> { 0x20, 0, 0, 0x00000008 },
>> { 0x15, 0, 3, 0xccddeeff },
>> { 0x28, 0, 0, 0x00000006 },
>> { 0x15, 0, 1, 0x0000aabb },
>> { 0x6, 0, 0, 0xffffffff },
>> { 0x6, 0, 0, 0x00000000 },
>>
>> .... that were produced by bpfc. This means, now you have the full
>> program. ;-) For low-level debugging or advanced filtering (i.e. Linux
>> socket filter extensions), you can use bpfc, compile it into a file,
>> pass it to netsniff-ng, for high-level filtering everyone knows
>> tcpdump-like syntax, so you can pass this as well via -f. Internally,
>> it's checked if the parameter you've passed is a file or not.
>

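The six opcodes quoted in the thread, decoded and run over sample frames, as an added example that is not part of the original mails or of netsniff-ng. It interprets only the four classic BPF opcodes that filter uses and shows that the filter accepts frames whose Ethernet source MAC is aa:bb:cc:dd:ee:ff; the names `struct insn` and `bpf_run` and both frames are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Same field layout as struct sock_filter in <linux/filter.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* The six opcodes from the mail, verbatim; mnemonics added as comments. */
static const struct insn filter[] = {
	{ 0x20, 0, 0, 0x00000008 }, /* ld  [8]          A = 32-bit word at offset 8 */
	{ 0x15, 0, 3, 0xccddeeff }, /* jeq #0xccddeeff  no match: skip 3, to ret #0 */
	{ 0x28, 0, 0, 0x00000006 }, /* ldh [6]          A = 16-bit word at offset 6 */
	{ 0x15, 0, 1, 0x0000aabb }, /* jeq #0xaabb      no match: skip 1, to ret #0 */
	{ 0x6, 0, 0, 0xffffffff },  /* ret #0xffffffff  accept, keep whole packet */
	{ 0x6, 0, 0, 0x00000000 },  /* ret #0           drop */
};

/* Constructed frames: dst MAC (6) | src MAC (6) | EtherType (2). */
static const uint8_t frame_match[14] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0xaa,0xbb,0xcc,0xdd,0xee,0xff, 0x08,0x00 };
static const uint8_t frame_other[14] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0xaa,0xbb,0xcc,0xdd,0xee,0x01, 0x08,0x00 };

/* Interprets only the four opcodes used above; returns bytes to keep, 0 = drop. */
uint32_t bpf_run(const uint8_t *p, size_t len)
{
	uint32_t a = 0;
	for (size_t pc = 0; pc < sizeof(filter) / sizeof(filter[0]); pc++) {
		const struct insn *i = &filter[pc];
		switch (i->code) {
		case 0x20: /* BPF_LD|BPF_W|BPF_ABS, big-endian; out-of-bounds load drops */
			if (len < 4 || i->k > len - 4) return 0;
			a = (uint32_t)p[i->k] << 24 | (uint32_t)p[i->k + 1] << 16 | (uint32_t)p[i->k + 2] << 8 | p[i->k + 3];
			break;
		case 0x28: /* BPF_LD|BPF_H|BPF_ABS */
			if (len < 2 || i->k > len - 2) return 0;
			a = (uint32_t)p[i->k] << 8 | p[i->k + 1];
			break;
		case 0x15: /* BPF_JMP|BPF_JEQ|BPF_K: offset is relative to the next insn */
			pc += (a == i->k) ? i->jt : i->jf;
			break;
		case 0x06: return i->k; /* BPF_RET|BPF_K */
		default: return 0;      /* opcode outside this subset: fail closed */
		}
	}
	return 0; /* fell off the end without a ret */
}

int main(void)
{
	printf("match=%#x other=%#x truncated=%#x\n", (unsigned)bpf_run(frame_match, 14),
	       (unsigned)bpf_run(frame_other, 14), (unsigned)bpf_run(frame_match, 10));
	return 0;
}
```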