https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #24 from Christopher Maynard <christopher.mayn...@igt.com> ---
(In reply to Guy Harris from comment #13)
> (In reply to michal.pecuch from comment #3)
> > dumpcap -f "vlan 545" -d 
> > Capturing on 'enp0s31f6'
> > (000) ldb      [-4048]
> > (001) jeq      #0x1             jt 2        jf 5
> 
> In the Magical World of Linux Networking, the outermost VLAN tags are either
> not put into the raw packet data in the "skbuff" (kernel data structure for
> packet data on a socket) or are removed from it, with the information in the
> absent VLAN tag being stored in fields in the skbuff.
> 
> This means that a BPF filter for a live capture can't test fields in the
> VLAN tag by looking at packet data; instead, it needs to use Special Magical
> Negative Packet Offsets to request that the kernel's BPF interpreter/JIT
> compiler fetch data from the skbuff fields.
> 
> -4048 is -4096 + 48, or SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT, meaning "fetch
> the Special Magical Field containing an indication of whether this packet
> *has* a VLAN tag or not - it's 0 if it doesn't and 1 if it does.

Thanks for this information (and what followed, omitted for brevity).  This has
been an education for me, as it wasn't at all obvious what these negative
offsets meant.

I'm curious about the values of the offsets though.  I see them defined in
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/uapi/linux/filter.h?h=v5.3.5#n60,
but the offsets don't seem to match the sk_buff fields as defined in
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/uapi/linux/bpf.h?h=v5.3.5#n2931.
For example, __sk_buff begins as follows:

struct __sk_buff {
        __u32 len;
        __u32 pkt_type;
        __u32 mark;
        __u32 queue_mapping;
        __u32 protocol;
        __u32 vlan_present;
        ...

... so I'd expect the vlan_present offset to be at offset 20 and yet we have:

#define SKF_AD_VLAN_TAG_PRESENT 48

Obviously, I'm missing something here.  It would seem that the defined offsets
are not correlated to their offset position within the sk_buff struct.

Also, since most of us probably won't memorize which negative offset
corresponds to which field, in order to help make the BPF code more readable
and understandable, would it help if libpcap, instead of displaying BPF code
using negative offsets, took a page out of bpfc
(http://man7.org/linux/man-pages/man8/bpfc.8.html) and displayed them using vlan
names instead?

For example, instead of displaying:

    (000) ldb      [-4048]

... it instead displays one of these (assuming my use of these is correct):

    (000) ldb      [vlanp]
    (000) ldb      #vlanp

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
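The symbolic-name rewrite proposed in the comment above, as an added example that is not part of the bug report or of libpcap: it maps a negative classic-BPF offset back to its SKF_AD_* name by subtracting SKF_AD_OFF (-4096), which is why the values are indices into the kernel's ancillary-data table rather than byte offsets into __sk_buff. The bug report confirms only SKF_AD_VLAN_TAG_PRESENT = 48; the remaining entries are taken from the kernel's include/uapi/linux/filter.h, and the two extra sample lines are constructed here.

```python
import re

# Ancillary-data window for classic BPF: k in [SKF_AD_OFF, SKF_AD_OFF + SKF_AD_MAX).
SKF_AD_OFF = -0x1000  # -4096
SKF_AD_MAX = 64
# Indices from include/uapi/linux/filter.h; the bug report confirms 48 = VLAN_TAG_PRESENT.
SKF_AD = {
    0: "SKF_AD_PROTOCOL", 4: "SKF_AD_PKTTYPE", 8: "SKF_AD_IFINDEX",
    12: "SKF_AD_NLATTR", 16: "SKF_AD_NLATTR_NEST", 20: "SKF_AD_MARK",
    24: "SKF_AD_QUEUE", 28: "SKF_AD_HATYPE", 32: "SKF_AD_RXHASH",
    36: "SKF_AD_CPU", 40: "SKF_AD_ALU_XOR_X", 44: "SKF_AD_VLAN_TAG",
    48: "SKF_AD_VLAN_TAG_PRESENT", 52: "SKF_AD_PAY_OFFSET",
    56: "SKF_AD_RANDOM", 60: "SKF_AD_VLAN_TPID",
}

def ancillary_name(k):
    """SKF_AD_* name for a negative offset k, or None for an ordinary packet offset."""
    if SKF_AD_OFF <= k < SKF_AD_OFF + SKF_AD_MAX:
        return SKF_AD.get(k - SKF_AD_OFF)  # None for unaligned/unknown indices
    return None

_OFFSET = re.compile(r"\[(-?\d+)\]")

def symbolize(line):
    """Rewrite '[-4048]'-style operands in a dumpcap -d / tcpdump -d line as '[SKF_AD_*]'."""
    def repl(m):
        name = ancillary_name(int(m.group(1)))
        return f"[{name}]" if name else m.group(0)
    return _OFFSET.sub(repl, line)

# Constructed sample: the two lines quoted in the bug report plus two more.
SAMPLE = [
    "(000) ldb      [-4048]",
    "(001) jeq      #0x1             jt 2        jf 5",
    "(002) ldh      [-4052]",  # constructed: VLAN TCI via SKF_AD_VLAN_TAG
    "(003) ldh      [12]",     # constructed: ordinary EtherType load
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(symbolize(line))
```

Negative offsets outside the 64-byte ancillary window, or not on a 4-byte index, are left untouched so that an invalid filter still shows its raw value.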
