On Dec 10, 2003, at 11:52 AM, Joshua Krage wrote:
On Wed, Dec 10, 2003 at 02:32:45AM -0800, Guy Harris wrote:What does tcpdump -d 'ip[6:2] & 0x1fff > 0' print?
$ tcpdump -d ip[6:2] & 0x1fff > 0 (000) ldh [12] (001) jeq #0x800 jt 2 jf 5 (002) ldh [20] (003) jset #0x1fff jt 5 jf 4 (004) ret #96 (005) ret #0
That's interesting. The libpcap 0.6 in Mac OS X 10.3.1 generates
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 6
(002) ldh [20]
(003) and #0x1fff
(004) jgt #0x80000000 jt 6 jf 5
(005) ret #96
(006) ret #0and the current CVS version of libpcap generates
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 7
(002) ldh [20]
(003) and #0x1fff
(004) ldx #0x0
(005) jgt x jt 6 jf 7
(006) ret #96
(007) ret #0(I suspect the use of the X register is bogus and
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 6
(002) ldh [20]
(003) and #0x1fff
(004) jgt #0x0 jt 5 jf 6
(005) ret #96
(006) ret #0would have sufficed, unless "jgt x" does a different sort of comparison than does "jgt #0x0").
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]
