On Fri, Apr 05, 2002 at 12:37:32PM +0800, Hans wrote:
> with libpcap's pcap_compile, we can set ethernet protocol type, ip
> protocol type filter. Then the issue comes, can I set 802.11 type or
> subtype filter?

libpcap doesn't support any filter expression types specifically for the
802.11 type. However, it does support the ability to test 1, 2, and
4-byte fields at a given offset from the beginning of various protocol
headers - from the tcpdump man page:

       expr relop expr
              True if the relation holds, where relop is one of >, <,
              >=, <=, =, !=, and expr is an arithmetic expression
              composed of integer constants (expressed in standard C
              syntax), the normal binary operators [+, -, *, /, &, |],
              a length operator, and special packet data accessors.
              To access data inside the packet, use the following
              syntax:
                   proto [ expr : size ]
              Proto is one of ether, fddi, tr, ppp, slip, link, ip,
              arp, rarp, tcp, udp, icmp or ip6, and indicates the
              protocol layer for the index operation. (ether, fddi,
              tr, ppp, slip and link all refer to the link layer.)
              Note that tcp, udp and other upper-layer protocol types
              only apply to IPv4, not IPv6 (this will be fixed in the
              future). The byte offset, relative to the indicated
              protocol layer, is given by expr. Size is optional and
              indicates the number of bytes in the field of interest;
              it can be either one, two, or four, and defaults to one.
              The length operator, indicated by the keyword len, gives
              the length of the packet.

              For example, `ether[0] & 1 != 0' catches all multicast
              traffic. The expression `ip[0] & 0xf != 5' catches all
              IP packets with options. The expression
              `ip[6:2] & 0x1fff = 0' catches only unfragmented
              datagrams and frag zero of fragmented datagrams. This
              check is implicitly applied to the tcp and udp index
              operations. For instance, tcp[0] always means the first
              byte of the TCP header, and never means the first byte
              of an intervening fragment.

The 802.11 type and subtype are at the beginning of the link-layer
header, so, for example, if you wanted to test for a beacon frame, you'd
do

       link[0] == 8

> Is there something else implementing the same function
> as pcap_compile does?

Nothing that I know of.

> I just want the filter code from a filter string, not concerning the
> pcap type.

You can't generate code for a filter string without knowing the
link-layer type.

> Is there any detailed information about LSF?

What do you mean by "LSF"?

> Where can I find BPF manual?

On a BSD system, "man bpf" will give you information about it.
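
The proto[expr:size] accessors from the man page excerpt above, worked through on constructed frames. This is an added example, not part of the original message and not libpcap code. It assumes an Ethernet link layer; the helper names proto_base, load and frame are hypothetical.

```python
import struct

ETH_HLEN = 14  # assumption: Ethernet link layer, no VLAN tag

def proto_base(pkt, proto):
    """Offset of proto's header in pkt, or None when the accessor cannot apply."""
    if proto in ("ether", "link"):
        return 0
    if len(pkt) < ETH_HLEN + 20 or struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
        return None                                   # too short or not IPv4
    if proto == "ip":
        return ETH_HLEN
    if proto in ("tcp", "udp"):
        if pkt[ETH_HLEN + 9] != {"tcp": 6, "udp": 17}[proto]:
            return None
        # Implicit check from the man page: ip[6:2] & 0x1fff = 0
        if struct.unpack_from("!H", pkt, ETH_HLEN + 6)[0] & 0x1fff:
            return None                               # a later fragment
        return ETH_HLEN + (pkt[ETH_HLEN] & 0x0f) * 4  # skip IP header and options
    raise ValueError("unsupported proto: " + proto)

def load(pkt, proto, off, size=1):
    """Value of proto[off:size], big-endian; None means the filter rejects."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    base = proto_base(pkt, proto)
    if base is None or base + off + size > len(pkt):
        return None
    return int.from_bytes(pkt[base + off:base + off + size], "big")

def frame(dst, frag, ihl=5, payload=b"\x00\x50" + bytes(18)):
    """Constructed Ethernet/IPv4/TCP test frame (lengths and checksums not filled in)."""
    ip = bytes([0x40 | ihl, 0]) + struct.pack("!HHH", 0, 1, frag)
    ip += bytes([64, 6, 0, 0]) + bytes(8) + bytes((ihl - 5) * 4)
    return dst + bytes(6) + b"\x08\x00" + ip + payload

UNI, MCAST = bytes.fromhex("001122334455"), bytes.fromhex("01005e000001")
first = frame(UNI, 0x2000)                               # MF set, fragment offset 0
later = frame(UNI, 0x00b9, payload=b"\xde\xad\xbe\xef")  # fragment offset 185
opts = frame(MCAST, 0, ihl=6)                            # one 4-byte IP option word

if __name__ == "__main__":
    for name, pkt in (("first", first), ("later", later), ("opts", opts)):
        print(name, load(pkt, "ether", 0) & 1, load(pkt, "ip", 0) & 0xf,
              load(pkt, "ip", 6, 2) & 0x1fff, load(pkt, "tcp", 0, 2))
```

The "later" frame shows why the fragment check matters: its payload bytes sit where a TCP header would be, and without the check tcp[0:2] would read them as a port number.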