Xref: sserve comp.protocols.tcp-ip:26252 comp.os.386bsd.questions:7203
Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!decwrl!pa.dec.com!mogul
From: mogul@pa.dec.com (Jeffrey Mogul)
Newsgroups: comp.protocols.tcp-ip,comp.os.386bsd.questions
Subject: Re: bpf(4) examples, Where?
Date: 30 Nov 1993 01:32:46 GMT
Organization: DEC Western Research
Lines: 38
Message-ID: <2de7ru$lhh@usenet.pa.dec.com>
References: <2dbgmg$27f@gazpacho.wariat.org> <vandys.754534581@cisco.com> <2de5oa$cbf@fw.novatel.ca>
NNTP-Posting-Host: jove.pa.dec.com

In article <2de5oa$cbf@fw.novatel.ca> hpeyerl@sidney (Herb Peyerl) writes:
>Andrew Valencia (vandys@cisco.com) wrote:
>: In <2dbgmg$27f@gazpacho.wariat.org> dima@wariat.org (Dimitry A. Sazonov) writes:
>: >I build FreeBSD kernel with bpf (Berkeley Packet Filter), and
>: >what should I do next to play with bpf?
>: I think tcpdump uses BPF. Have a look at its source. My FreeBSD system
>: isn't powered on right now, but it'll be over in /usr/src/*/tcpdump, most
>: likely.

Writing BPF "programs" is not the easiest thing in the world. The simple
way to generate them is to let "tcpdump" do the work, using the -d flag.
For example,

	%tcpdump -d ip host rs.internic.net and tcp port telnet
	(000) ldh      [12]
	(001) jeq      #0x800           jt 2    jf 16
	(002) ld       [26]
	(003) jeq      #0xc6290005      jt 6    jf 4
	(004) ld       [30]
	(005) jeq      #0xc6290005      jt 6    jf 16
	(006) ldb      [23]
	(007) jeq      #0x6             jt 8    jf 16
	(008) ldh      [20]
	(009) jset     #0x1fff          jt 16   jf 10
	(010) ldxb     4*([14]&0xf)
	(011) ldh      [x + 14]
	(012) jeq      #0x17            jt 15   jf 13
	(013) ldh      [x + 16]
	(014) jeq      #0x17            jt 15   jf 16
	(015) ret      #68
	(016) ret      #0
	%

Actually, I think there's a bug in the code that prints the targets for
some of those "jeq" statements, but this should give you the general idea.

-Jeff
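To see how a listing like the one above actually executes, here is an added example (not code from the post, from tcpdump, or from the BSD bpf driver): a small Python interpreter for the tcpdump -d text format, run over a constructed Ethernet/IPv4/TCP frame. It assumes that jt/jf are absolute instruction numbers as tcpdump prints them and that a load past the end of the packet rejects it (returns 0); the frame builder and the helper names parse/run/frame are my own.

```python
import re
import struct

# The tcpdump -d listing from the post, constructed here as input (one insn per ';').
BPF_TEXT = (
    "(000) ldh [12]; (001) jeq #0x800 jt 2 jf 16; (002) ld [26];"
    "(003) jeq #0xc6290005 jt 6 jf 4; (004) ld [30]; (005) jeq #0xc6290005 jt 6 jf 16;"
    "(006) ldb [23]; (007) jeq #0x6 jt 8 jf 16; (008) ldh [20];"
    "(009) jset #0x1fff jt 16 jf 10; (010) ldxb 4*([14]&0xf); (011) ldh [x + 14];"
    "(012) jeq #0x17 jt 15 jf 13; (013) ldh [x + 16]; (014) jeq #0x17 jt 15 jf 16;"
    "(015) ret #68; (016) ret #0")
INSN = re.compile(r"\(\d+\)\s+(\w+)\s*(.*?)\s*(?:jt\s+(\d+)\s+jf\s+(\d+))?$")
SIZE = {"ld": 4, "ldh": 2, "ldb": 1, "ldxb": 1}   # bytes fetched by each load opcode

def parse(text):
    """Turn the listing into (op, arg, jt, jf) tuples; jt/jf are absolute targets."""
    prog = []
    for line in text.split(";"):
        op, arg, jt, jf = INSN.match(line.strip()).groups()
        prog.append((op, arg, int(jt or 0), int(jf or 0)))
    return prog

def run(prog, pkt):
    """Interpret the program over one frame; return bytes to accept (0 = drop)."""
    a = x = pc = 0
    while True:
        op, arg, jt, jf = prog[pc]
        if op == "ret":
            return int(arg.lstrip("#"), 0)
        if op in SIZE:                          # ld/ldh/ldb [k], [x + k], or ldxb 4*([k]&0xf)
            off = int(re.search(r"\[(?:x \+ )?(\d+)\]", arg).group(1))
            off += x if arg.startswith("[x") else 0
            if off + SIZE[op] > len(pkt):       # a load past the end drops the packet
                return 0
            val = int.from_bytes(pkt[off:off + SIZE[op]], "big")
            # ldxb sets x = 4 * (pkt[k] & 0xf), the IPv4 header length; the others load a
            a, x = (a, 4 * (val & 0xF)) if op == "ldxb" else (val, x)
            pc += 1
        else:                                   # jeq / jset: conditional branch
            k = int(arg.lstrip("#"), 0)
            pc = jt if ((a == k) if op == "jeq" else bool(a & k)) else jf

def frame(src, dst, sport, dport, proto=6, frag=0):
    """Constructed Ethernet/IPv4/TCP frame; only the fields the filter reads are meaningful."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag, 64, proto, 0, src, dst)
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

RS = bytes([198, 41, 0, 5])                     # 0xc6290005, the host in the listing
PROG = parse(BPF_TEXT)
```

Tracing run(PROG, frame(bytes([10, 0, 0, 1]), RS, 1234, 23)) shows the path 0-1-2-3-4-5-6-7-8-9-10-11-12-13-14-15 and a return of 68, while a fragment (frag=1) or a non-telnet port falls through to instruction 16 and returns 0.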