I am writing a little program that directly calls bpf_filter() (which, as you know, is in bpf_filter.c of libpcap). As you also know, bpf_filter() wants you to give it: register struct bpf_insn, register u_char, u_int, register u_int. I want/need to create fake packets of this nature to send into bpf_filter(). But I find myself with a serious lack of understanding of what kinds of data would be acceptable to put in these four things before I send them to bpf_filter() to be "processed."

I installed Linux RH7.3pro, libpcap, and tcpdump. tcpdump is working in that it shows some printout that I don't quite understand of packets that it read for the network (I'm not sure that's worded correctly). My goal was to get inside tcpdump somewhere that it has variables similar to the ones mentioned above (ex: when it has a call to bpf_filter(w,x,y,z) then obviously those four things are similar to the above-mentioned variables (even though tcpdump (if I understand correctly) hardly ever uses that call to bpf_filter)) and print out their values, therefore getting a feel for the values those four things have (and the values of the individual parts of the struct that is the first one mentioned).

One, can you tell me about those four things so I can make my own sets of them?

Two, if you can't and you think it's not an unreasonable thing to try, can you tell me which method of tcpdump I should add print statements to, to look at the packet data when it's in the 4-part form mentioned above? (I ask because I've tried it in several tcpdump.c methods and nothing happened, so I'm not sure which methods are commonly used on the Linux system.)

Three, if you think this is stupid, do you have any suggestions on how I can generate fake data in the form of those 4 above-mentioned variables to "pump" into bpf_filter()?

PS I know this sounds stupid, but I have to do it.

John Gillick
Intel Corp.
[EMAIL PROTECTED]
505-893-4449

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
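An added example, not part of the original message and not libpcap code: it shows what the four arguments asked about above look like, using a fake Ethernet frame and a four-instruction filter program. The names `mini_bpf_filter`, `struct insn`, the `OP_*` macros and both frames are assumptions made for this sketch; `mini_bpf_filter` is a stand-in that takes its arguments in the same order as bpf_filter() and handles only the three opcodes used here.

```c
#include <stdint.h>
#include <stdio.h>

/* Same fields as libpcap's struct bpf_insn: opcode, jump-true, jump-false, operand. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define OP_LDH_ABS 0x28  /* BPF_LD|BPF_H|BPF_ABS: A = big-endian 16-bit value at p[k] */
#define OP_JEQ_K   0x15  /* BPF_JMP|BPF_JEQ|BPF_K: skip jt insns if A == k, else jf */
#define OP_RET_K   0x06  /* BPF_RET|BPF_K: return k (bytes to keep, 0 = reject) */

/* Hypothetical stand-in for bpf_filter(): program, packet bytes,
   wirelen (length on the wire), buflen (bytes actually present in p). */
unsigned mini_bpf_filter(const struct insn *pc, const unsigned char *p,
                         unsigned wirelen, unsigned buflen)
{
    uint32_t A = 0;                      /* the accumulator register */
    (void)wirelen;                       /* only packet-length loads read it */
    for (;; pc++) {
        switch (pc->code) {
        case OP_LDH_ABS:                 /* a load past the captured data rejects */
            if (pc->k > buflen || buflen - pc->k < 2) return 0;
            A = ((uint32_t)p[pc->k] << 8) | p[pc->k + 1];
            break;
        case OP_JEQ_K: pc += (A == pc->k) ? pc->jt : pc->jf; break;
        case OP_RET_K: return pc->k;
        default:       return 0;         /* opcode outside this sketch */
        }
    }
}

/* Filter program: keep up to 0xffff bytes iff EtherType (offset 12) is 0x0800 (IPv4). */
const struct insn ip_prog[] = {
    { OP_LDH_ABS, 0, 0, 12 },
    { OP_JEQ_K,   0, 1, 0x0800 },
    { OP_RET_K,   0, 0, 0xffff },
    { OP_RET_K,   0, 0, 0 },
};

/* Constructed fake frames: 6-byte dst MAC, 6-byte src MAC, EtherType, 2 payload bytes. */
const unsigned char ip_frame[16]  = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45,0 };
const unsigned char arp_frame[16] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x06, 0,1 };

int main(void)
{
    printf("ip=%u arp=%u\n", mini_bpf_filter(ip_prog, ip_frame, 16, 16),
           mini_bpf_filter(ip_prog, arp_frame, 16, 16));
    return 0;
}
```

Running `tcpdump -dd` with a filter expression prints the compiled program as a C initializer in this same code/jt/jf/k form, which is a source of realistic instruction arrays.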
