Xref: sserve comp.protocols.tcp-ip:26252 comp.os.386bsd.questions:7203
Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!decwrl!pa.dec.com!mogul
From: mogul@pa.dec.com (Jeffrey Mogul)
Newsgroups: comp.protocols.tcp-ip,comp.os.386bsd.questions
Subject: Re: bpf(4) examples, Where?
Date: 30 Nov 1993 01:32:46 GMT
Organization: DEC Western Research
Lines: 38
Message-ID: <2de7ru$lhh@usenet.pa.dec.com>
References: <2dbgmg$27f@gazpacho.wariat.org> <vandys.754534581@cisco.com> <2de5oa$cbf@fw.novatel.ca>
NNTP-Posting-Host: jove.pa.dec.com
In article <2de5oa$cbf@fw.novatel.ca> hpeyerl@sidney (Herb Peyerl) writes:
>Andrew Valencia (vandys@cisco.com) wrote:
>: In <2dbgmg$27f@gazpacho.wariat.org> dima@wariat.org (Dimitry A. Sazonov) writes:
>: >I build FreeBSD kernel with bpf (Berkeley Packet Filter), and
>: >what should I do next to play with bpf?
>: I think tcpdump uses BPF. Have a look at its source. My FreeBSD system
>: isn't powered on right now, but it'll be over in /usr/src/*/tcpdump, most
>: likely.
Writing BPF "programs" is not the easiest thing in the world. The simple
way to generate them is to let "tcpdump" do the work, using the -d flag.
For example,
%tcpdump -d ip host rs.internic.net and tcp port telnet
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 16
(002) ld [26]
(003) jeq #0xc6290005 jt 6 jf 4
(004) ld [30]
(005) jeq #0xc6290005 jt 6 jf 16
(006) ldb [23]
(007) jeq #0x6 jt 8 jf 16
(008) ldh [20]
(009) jset #0x1fff jt 16 jf 10
(010) ldxb 4*([14]&0xf)
(011) ldh [x + 14]
(012) jeq #0x17 jt 15 jf 13
(013) ldh [x + 16]
(014) jeq #0x17 jt 15 jf 16
(015) ret #68
(016) ret #0
%
Actually, I think there's a bug in the code that prints the targets
for some of those "jeq" statements, but this should give you the
general idea.
-Jeff
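The listing above is easier to read once you run it. What follows is an added example, not part of Mogul's post and not code from tcpdump or libpcap: a minimal interpreter in C for the classic BPF subset that appears in the listing (ldb/ldh/ld, ldxb 4*([k]&0xf), indexed ldh, jeq, jset, ret), with the 17 instructions transcribed one to one and run over constructed Ethernet/IPv4/TCP frames. Two things are assumptions of the example rather than facts from the post: the frames are hand-built (zeroed MACs, no checksums), and jump targets are kept as the absolute instruction numbers tcpdump -d prints, whereas the kernel's struct bpf_insn stores them as offsets relative to the next instruction. The offsets themselves ([12] for the ethertype, [14] for the start of the IP header, [26]/[30] for the addresses) are those of an Ethernet link layer, which is what the listing implies; 0xc6290005 is 198.41.0.5, the address the name resolved to when the filter was compiled. A return of 68 means "accept and capture 68 bytes" (the snaplen); 0 means drop.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF subset used by the listing above. Jumps hold the absolute
 * instruction numbers tcpdump -d prints (example convention; the kernel's
 * struct bpf_insn stores them relative to the next instruction). */
enum op { LDB, LDH, LDW, LDX_IPHL, LDH_IND, JEQ, JSET, RET };
struct insn { enum op op; uint32_t k; uint8_t jt, jf; };

/* "tcpdump -d ip host rs.internic.net and tcp port telnet", transcribed one to
 * one. 0xc6290005 is 198.41.0.5, the address the name resolved to. */
static const struct insn prog[] = {
    { LDH, 12, 0, 0 },            /* 000: A = ethertype */
    { JEQ, 0x0800, 2, 16 },       /* 001: not IPv4 -> reject */
    { LDW, 26, 0, 0 },            /* 002: A = IP source address */
    { JEQ, 0xc6290005, 6, 4 },    /* 003: source is the host -> skip dst check */
    { LDW, 30, 0, 0 },            /* 004: A = IP destination address */
    { JEQ, 0xc6290005, 6, 16 },   /* 005: neither address matches -> reject */
    { LDB, 23, 0, 0 },            /* 006: A = IP protocol */
    { JEQ, 6, 8, 16 },            /* 007: not TCP -> reject */
    { LDH, 20, 0, 0 },            /* 008: A = IP flags + fragment offset */
    { JSET, 0x1fff, 16, 10 },     /* 009: non-first fragment has no ports -> reject */
    { LDX_IPHL, 14, 0, 0 },       /* 010: X = 4 * IHL, the IP header length in bytes */
    { LDH_IND, 14, 0, 0 },        /* 011: A = TCP source port */
    { JEQ, 23, 15, 13 },          /* 012: telnet source port -> accept */
    { LDH_IND, 16, 0, 0 },        /* 013: A = TCP destination port */
    { JEQ, 23, 15, 16 },          /* 014: telnet destination port -> accept */
    { RET, 68, 0, 0 },            /* 015: accept, capture 68 bytes (the snaplen) */
    { RET, 0, 0, 0 },             /* 016: reject */
};
#define PROG_LEN (sizeof prog / sizeof prog[0])

static uint32_t be16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }
static uint32_t be32(const uint8_t *p) { return be16(p) << 16 | be16(p + 2); }

/* Execute a filter over one frame. Out-of-bounds loads reject the packet, as
 * the kernel's bpf_filter() does; the step limit only guards against a
 * malformed program looping, since our jumps are absolute. */
static uint32_t run_bpf(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0, x = 0;
    size_t pc = 0;
    for (int steps = 0; steps < 4096 && pc < n; steps++) {
        const struct insn *i = &p[pc];
        size_t off = i->k;
        switch (i->op) {
        case LDB:      if (off + 1 > len) return 0; a = pkt[off];       pc++; break;
        case LDH:      if (off + 2 > len) return 0; a = be16(pkt + off); pc++; break;
        case LDW:      if (off + 4 > len) return 0; a = be32(pkt + off); pc++; break;
        case LDX_IPHL: if (off + 1 > len) return 0; x = 4u * (pkt[off] & 0xf); pc++; break;
        case LDH_IND:  off += x; if (off + 2 > len) return 0; a = be16(pkt + off); pc++; break;
        case JEQ:      pc = (a == i->k) ? i->jt : i->jf; break;
        case JSET:     pc = (a & i->k) ? i->jt : i->jf; break;
        case RET:      return i->k;
        }
    }
    return 0;
}

/* Build a constructed Ethernet/IPv4/TCP frame. MACs, checksums and TCP fields
 * beyond the ports stay zero; the filter never reads them. ihl is in 32-bit
 * words, so 5 means no IP options. Returns the frame length. */
static size_t build_frame(uint8_t *f, uint16_t ethertype, uint8_t proto, uint16_t frag,
                          uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, unsigned ihl)
{
    size_t iphl = 4 * ihl, total = 14 + iphl + 20;
    uint8_t *ip = f + 14, *tcp = ip + iphl;
    memset(f, 0, total);
    f[12] = ethertype >> 8;  f[13] = ethertype & 0xff;
    ip[0] = 0x40 | ihl;                                   /* version 4, header length */
    ip[2] = ((iphl + 20) >> 8) & 0xff;  ip[3] = (iphl + 20) & 0xff;
    ip[6] = frag >> 8;  ip[7] = frag & 0xff;              /* flags and fragment offset */
    ip[8] = 64;  ip[9] = proto;
    ip[12] = src >> 24; ip[13] = (src >> 16) & 0xff; ip[14] = (src >> 8) & 0xff; ip[15] = src & 0xff;
    ip[16] = dst >> 24; ip[17] = (dst >> 16) & 0xff; ip[18] = (dst >> 8) & 0xff; ip[19] = dst & 0xff;
    tcp[0] = sport >> 8; tcp[1] = sport & 0xff; tcp[2] = dport >> 8; tcp[3] = dport & 0xff;
    return total;
}

#define RS_INTERNIC 0xc6290005u   /* 198.41.0.5, the host in the listing */
#define CLIENT      0x0a000001u   /* 10.0.0.1, constructed peer for the examples */

static uint32_t verdict(uint16_t et, uint8_t proto, uint16_t frag, uint32_t src, uint32_t dst,
                        uint16_t sport, uint16_t dport, unsigned ihl)
{
    uint8_t frame[128];
    size_t n = build_frame(frame, et, proto, frag, src, dst, sport, dport, ihl);
    return run_bpf(prog, PROG_LEN, frame, n);
}

/* Each case returns the filter's verdict: 68 = accept, 0 = drop. */
uint32_t telnet_to_host(void)        { return verdict(0x0800, 6, 0x4000, CLIENT, RS_INTERNIC, 1234, 23, 5); }
uint32_t telnet_from_host(void)      { return verdict(0x0800, 6, 0x4000, RS_INTERNIC, CLIENT, 23, 1234, 5); }
uint32_t telnet_ip_options(void)     { return verdict(0x0800, 6, 0x4000, CLIENT, RS_INTERNIC, 1234, 23, 6); }
uint32_t http_to_host(void)          { return verdict(0x0800, 6, 0x4000, CLIENT, RS_INTERNIC, 1234, 80, 5); }
uint32_t udp_to_host(void)           { return verdict(0x0800, 17, 0x4000, CLIENT, RS_INTERNIC, 1234, 23, 5); }
uint32_t telnet_other_host(void)     { return verdict(0x0800, 6, 0x4000, CLIENT, 0x0a000002u, 1234, 23, 5); }
uint32_t telnet_later_fragment(void) { return verdict(0x0800, 6, 0x2001, CLIENT, RS_INTERNIC, 1234, 23, 5); }
uint32_t arp_frame(void)             { return verdict(0x0806, 6, 0, CLIENT, RS_INTERNIC, 1234, 23, 5); }

int main(void)
{
    printf("telnet to host:         %u\n", telnet_to_host());
    printf("telnet from host:       %u\n", telnet_from_host());
    printf("telnet, IP options:     %u\n", telnet_ip_options());
    printf("http to host:           %u\n", http_to_host());
    printf("udp to host:            %u\n", udp_to_host());
    printf("telnet to other host:   %u\n", telnet_other_host());
    printf("telnet, later fragment: %u\n", telnet_later_fragment());
    printf("arp frame:              %u\n", arp_frame());
    return 0;
}
```

The two cases worth staring at are telnet_ip_options and telnet_later_fragment: the former passes only because instruction 010 computes the IP header length from the IHL nibble before the port loads, and the latter fails because a non-first fragment carries no TCP header at all, which is why instruction 009 rejects anything with a nonzero fragment offset rather than reading garbage as a port.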