Thank you very much. I am hoping not to touch the grammar/scanner files. Providing filtering for IP inside of AOS frames and then raw filtering on AOS header may be a good compromise.
Thanks again,
Eric

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Guy Harris
Sent: Friday, January 15, 2010 1:41 PM
To: [email protected]
Subject: Re: [tcpdump-workers] bpf filtering for new DLT type

On Jan 15, 2010, at 8:31 AM, Lidwa, Eric (GSFC-582.0)[SGT INC] wrote:

> I am trying to find information on what is needed to implement bpf filtering
> for a new DLT type (in my case DLT_AOS).
>
> Initially I added to gencode.c in libpcap the following:
>
> 	case DLT_AOS:
> 		/*
> 		 * Currently, only raw "link[N:M]" filtering is supported.
> 		 */
> 		off_linktype = -1;
> 		off_macpl = -1;
> 		off_nl = -1;
> 		off_nl_nosnap = -1;
> 		return;
>
> Now I would like to implement bpf filtering for the AOS protocol. Could somebody
> please point me to info on the steps to take? Would this require rebuilding
> of the kernel (I am on Linux)?
>
> Do I need to modify grammar.y and scanner.l? If yes, what else needs to be
> done?

The first thing you need to do is decide what filtering primitives you need.

If it's sufficient to have primitives such as "link[0:4] = 0x40" (that particular example tests whether bytes 0-3 of the packet, interpreted as a big-endian integer, have the value 0x40), there's nothing you need to do, as per the comment.

If an IP datagram can be encapsulated in a single Space Data Protocol packet, and you want to filter on IP addresses, TCP and UDP port numbers, and the like, you would only have to change gencode.c. You'd add a DLT_AOS case to gen_linktype() and generate the appropriate BPF code to check whether there's an IP datagram in the packet, and would have to make other changes as well.

If you want to add filters for fields in the packet that you can put in a tcpdump/Wireshark capture filter expression, so that you don't have to use expressions such as "link[0:4] = 0x40", you would, in fact, have to modify grammar.y and scanner.l, and might have to modify gencode.c as well.

You would *NOT* have to rebuild the kernel.
The way that filtering works is that libpcap, and the kernels of various UN*Xes (*BSD, Mac OS X, Linux, Tru64 UNIX) and the WinPcap driver, have an interpreter for a pseudo-machine-language, and a filter is translated into a program in that pseudo-machine-language and loaded into the kernel (or interpreted by libpcap on platforms that don't have an in-kernel interpreter). Most of the instructions are generic; there are some that perform IP-specific operations, but that's just to let some very common operations be done in one instruction. See, for example:

http://www.tcpdump.org/papers/bpf-usenix93.pdf

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
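As an added illustration of the pseudo-machine described above (example code written for this page, not from the thread or from libpcap): a minimal C interpreter for three classic BPF opcodes, run over the four-instruction program that "link[0:4] = 0x40" compiles to on a link type with only raw link[N:M] support. The opcode values and instruction layout follow <pcap/bpf.h>; the sample frames are constructed, and the accept length 262144 is an assumed snaplen.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Classic BPF opcode values as in <pcap/bpf.h>, re-declared so this builds without libpcap. */
#define BPF_LD_W_ABS 0x20 /* BPF_LD|BPF_W|BPF_ABS: acc = 32-bit big-endian word at pkt[k] */
#define BPF_JEQ_K    0x15 /* BPF_JMP|BPF_JEQ|BPF_K: pc += 1 + (acc == k ? jt : jf) */
#define BPF_RET_K    0x06 /* BPF_RET|BPF_K: return k (0 = reject the packet) */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Toy interpreter: returns the accept length (0 = drop); a load past the packet end rejects it. */
static uint32_t bpf_run(const struct bpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; ) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case BPF_LD_W_ABS:
            if (in->k > len || len - in->k < 4) return 0;   /* truncated frame: reject */
            acc = ((uint32_t)pkt[in->k] << 24) | ((uint32_t)pkt[in->k + 1] << 16) |
                  ((uint32_t)pkt[in->k + 2] << 8) | (uint32_t)pkt[in->k + 3];
            pc++;
            break;
        case BPF_JEQ_K:
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case BPF_RET_K:
            return in->k;
        default:
            return 0; /* opcode not implemented in this toy: reject */
        }
    }
    return 0;
}
/* What "link[0:4] = 0x40" compiles to on a raw link type (compare tcpdump -d); 262144 = assumed snaplen */
static const struct bpf_insn link_0_4_eq_0x40[] = {
    { BPF_LD_W_ABS, 0, 0, 0 },      /* (000) ld  [0] */
    { BPF_JEQ_K,    0, 1, 0x40 },   /* (001) jeq #0x40  jt 2  jf 3 */
    { BPF_RET_K,    0, 0, 262144 }, /* (002) ret #262144  accept */
    { BPF_RET_K,    0, 0, 0 },      /* (003) ret #0       drop */
};
int matches_link_0_4_eq_0x40(const uint8_t *pkt, size_t len)
{
    return bpf_run(link_0_4_eq_0x40, 4, pkt, len) != 0;
}
int main(void)
{   /* Constructed sample frames, not real AOS captures: a hit, the wrong byte order, a truncated one. */
    const uint8_t hit[] = { 0, 0, 0, 0x40, 0xaa }, miss[] = { 0x40, 0, 0, 0, 0xaa }, shrt[] = { 0, 0 };
    printf("%d %d %d\n", matches_link_0_4_eq_0x40(hit, sizeof hit),
           matches_link_0_4_eq_0x40(miss, sizeof miss), matches_link_0_4_eq_0x40(shrt, sizeof shrt));
    return 0;
}
```

The third frame shows why the bounds check matters: the real in-kernel interpreter likewise rejects a packet whose load would read past its end rather than reading adjacent memory.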
