I've noticed that using either the inbound or outbound keyword in my
capture expression results in a filter that cannot be installed in the
kernel and gets processed in user mode instead. I believe the problem
is that these filters generate BPF code that
pcap-linux.c:fix_program() is unable to rewrite. In particular,
pcap-linux.c:fix_offset() bails out on a "ldh [0]" instruction.
fix_offset() already knows how to map sll_header.sll_protocol (offset
14) to Linux's SKF_AD_PROTOCOL. Would a patch to remap sll_pkttype (0)
=> SKF_AD_PKTTYPE as well be welcome or am I missing something?
Something like:
==== libpcap/pcap-linux.c ====
4735a4736,4741
> } else if (p->k == 0) {
> /*
> * It's the packet type field; map it to the special magic
> * kernel offset for that field.
> */
> p->k = SKF_AD_OFF + SKF_AD_PKTTYPE;
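Review bot: the new `} else if (p->k == 0) {` branch is shown with an opening brace but no closing one, and the leading indentation has been stripped, so the hunk as pasted will not apply cleanly; please resend it as a unified diff (diff -u) with the surrounding fix_offset() context so that the brace pairing and the placement relative to the existing offset-14 (SKF_AD_PROTOCOL) case are unambiguous. Also worth confirming the branch is only reached for a halfword load: the kernel's ancillary SKF_AD_PKTTYPE load returns the whole pkt_type value regardless of the instruction width, whereas an `ldb [0]` evaluated in user mode reads only the high byte of the 16-bit sll_pkttype field, so the two would disagree for anything other than `ldh [0]`.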
fixes the problem for me.
Thanks for reading!
JC
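As an added illustration (not libpcap's code and not the patch above), the rewrite the post describes, carried through for both cooked-header fields: a self-contained C model of the offset fix-up that maps `ldh [14]` to SKF_AD_PROTOCOL and `ldh [0]` to SKF_AD_PKTTYPE, shifts payload loads past the 16-byte header, and reports loads that cannot run in the kernel. The opcode bits and SKF_AD_* values are the standard ones, copied locally so it builds without pcap headers; the sample program is constructed to have the shape of an `outbound` filter on DLT_LINUX_SLL.

```c
#include <stdint.h>
#include <stddef.h>
/* Classic BPF instruction, same layout as libpcap's struct bpf_insn / Linux struct sock_filter. */
typedef struct { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; } insn_t;

/* Classic BPF opcode bits (standard encoding; defined here so this builds without pcap headers). */
#define BPF_LD  0x00
#define BPF_H   0x08
#define BPF_ABS 0x20
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)

/* Linux ancillary ("magic") load offsets, values as in <linux/filter.h>. */
#define SKF_AD_OFF      (-0x1000)
#define SKF_AD_PROTOCOL 0
#define SKF_AD_PKTTYPE  4
#define SLL_HDR_LEN     16   /* cooked header: pkttype@0 hatype@2 halen@4 addr@6 protocol@14 */

/* Rewrite one absolute load so the kernel can run it on a cooked (SOCK_DGRAM) PF_PACKET
 * socket, where the SLL header is not part of the bytes the in-kernel filter sees.
 * Returns 1 if the instruction is now kernel-safe, 0 if the filter must run in user mode. */
int fix_sll_offset(insn_t *p)
{
    if (BPF_CLASS(p->code) != BPF_LD || BPF_MODE(p->code) != BPF_ABS)
        return 1;                                                 /* not a packet load */
    if (p->k >= SLL_HDR_LEN) { p->k -= SLL_HDR_LEN; return 1; }   /* payload: just shift */
    if (BPF_SIZE(p->code) != BPF_H) return 0;                     /* both fields are 16-bit */
    if (p->k == 14) { p->k = SKF_AD_OFF + SKF_AD_PROTOCOL; return 1; }  /* sll_protocol */
    if (p->k == 0)  { p->k = SKF_AD_OFF + SKF_AD_PKTTYPE;  return 1; }  /* sll_pkttype */
    return 0;   /* hatype / halen / addr have no ancillary slot: user-mode fallback */
}

/* Rewrite a whole program; returns 1 if every instruction was fixable. */
int fix_sll_program(insn_t *prog, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!fix_sll_offset(&prog[i])) return 0;
    return 1;
}

/* Constructed sample: the shape an "outbound" filter takes on DLT_LINUX_SLL. */
insn_t outbound_prog[] = {
    { 0x28, 0, 0, 0 },       /* ldh [0]            load sll_pkttype        */
    { 0x15, 0, 1, 4 },       /* jeq #4 jt 2 jf 3   LINUX_SLL_OUTGOING      */
    { 0x06, 0, 0, 262144 },  /* ret #262144        accept                  */
    { 0x06, 0, 0, 0 },       /* ret #0             reject                  */
};
/* Two more constructed single loads: ldh [14] (sll_protocol) and ldb [30] (payload byte). */
insn_t proto_load = { 0x28, 0, 0, 14 }, payload_load = { 0x30, 0, 0, 30 };
```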
This is the tcpdump-workers list.