- icmptype (offset of ICMP type field)
- icmpcode (offset of ICMP code field)
- tcpflags (offset of TCP flags field)
and field values:
- icmp-echoreply, icmp-unreach, icmp-sourcequench,
icmp-redirect, icmp-echo, icmp-routeradvert,
icmp-routersolicit, icmp-timxceed, icmp-paramprob,
icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply,
icmp-maskreq, icmp-maskreply
- tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg
This allows expressions like the following:
icmp[0] = 3
(tcp[13] & 0x02) != 0
to be written as:
icmp[icmptype] = icmp-unreach
(tcp[tcpflags] & tcp-syn) != 0
which is a bit more user-friendly for e.g. writing packet filter rules.
Pointed out by Guy Harris.
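The symbolic offsets and values above are only aliases for byte positions and constants in the ICMP and TCP headers. The following Python evaluator, added here as an example and not part of libpcap, resolves `icmp[icmptype] = icmp-unreach` and `(tcp[tcpflags] & tcp-syn) != 0` against constructed IPv4 packets, so you can see that both spellings of each filter test the same byte; the packet builders and the `icmp_type_is` / `tcp_flag_set` helpers are this example's own names, and the IP header checksum is left zero because nothing here verifies it.

```python
import struct

# Symbolic field offsets from the CHANGES entry: byte offsets into the
# ICMP or TCP header, exactly as the filter language applies them.
FIELD_OFFSETS = {"icmptype": 0, "icmpcode": 1, "tcpflags": 13}

# Symbolic values: ICMP type numbers (RFC 792) and TCP flag bits (RFC 793).
ICMP_TYPES = {
    "icmp-echoreply": 0, "icmp-unreach": 3, "icmp-sourcequench": 4,
    "icmp-redirect": 5, "icmp-echo": 8, "icmp-routeradvert": 9,
    "icmp-routersolicit": 10, "icmp-timxceed": 11, "icmp-paramprob": 12,
    "icmp-tstamp": 13, "icmp-tstampreply": 14, "icmp-ireq": 15,
    "icmp-ireqreply": 16, "icmp-maskreq": 17, "icmp-maskreply": 18,
}
TCP_FLAGS = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04,
             "tcp-push": 0x08, "tcp-ack": 0x10, "tcp-urg": 0x20}
PROTO_NUMBERS = {"icmp": 1, "tcp": 6}


def transport_header(ipv4_packet):
    """Return (protocol number, transport header bytes) for an IPv4 packet
    with no link-layer header. Honours IHL so IP options do not shift offsets."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ipv4_packet[0] & 0x0F) * 4
    return ipv4_packet[9], ipv4_packet[ihl:]


def field(ipv4_packet, proto_name, field_name):
    """Evaluate proto[field], e.g. icmp[icmptype] or icmp[0].
    field_name may be a symbolic name or a plain numeric offset.
    Returns None when the packet is not of that protocol at all."""
    proto, hdr = transport_header(ipv4_packet)
    if proto != PROTO_NUMBERS[proto_name]:
        return None
    offset = FIELD_OFFSETS.get(field_name, field_name)
    return hdr[offset]


def value(name):
    """Resolve a symbolic value such as icmp-unreach or tcp-syn; ints pass through."""
    if isinstance(name, int):
        return name
    return {**ICMP_TYPES, **TCP_FLAGS}[name]


def icmp_type_is(pkt, type_name):
    """icmp[icmptype] = <type_name>"""
    t = field(pkt, "icmp", "icmptype")
    return t is not None and t == value(type_name)


def tcp_flag_set(pkt, flag_name):
    """(tcp[tcpflags] & <flag_name>) != 0"""
    f = field(pkt, "tcp", "tcpflags")
    return f is not None and (f & value(flag_name)) != 0


# --- constructed sample packets (this example's own test data) ---------------
def ipv4_header(proto, ihl_words=5):
    """Minimal IPv4 header; checksum is 0 and any options are EOL padding."""
    total_len = ihl_words * 4 + 20
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                      0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * ((ihl_words - 5) * 4)


def tcp_segment(flags, ihl_words=5):
    """IPv4 + 20-byte TCP header; flags byte sits at TCP offset 13."""
    return ipv4_header(6, ihl_words) + struct.pack(
        "!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)


ICMP_UNREACH = ipv4_header(1) + bytes([3, 1, 0, 0, 0, 0, 0, 0])  # type 3, code 1
ICMP_ECHO = ipv4_header(1) + bytes([8, 0, 0, 0, 0, 0, 0, 0])     # type 8
TCP_SYN = tcp_segment(0x02)
TCP_SYNACK_WITH_OPTIONS = tcp_segment(0x12, ihl_words=6)  # 24-byte IP header

if __name__ == "__main__":
    print("icmp[icmptype] = icmp-unreach:", icmp_type_is(ICMP_UNREACH, "icmp-unreach"))
    print("(tcp[tcpflags] & tcp-syn) != 0:", tcp_flag_set(TCP_SYNACK_WITH_OPTIONS, "tcp-syn"))
```

The `TCP_SYNACK_WITH_OPTIONS` packet carries a 24-byte IP header to show that `tcp[tcpflags]` is relative to the start of the TCP header, not a fixed absolute offset; a filter written against raw byte positions of the whole frame would silently miss such packets.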
---
Fix a hairy optimizer bug that causes the expression:
'ip and ((icmp and dst host 1.1.1.1 and not host 2.2.2.2) or (host 1.1.1.1 and src host 3.3.3.3))'
to compile incorrectly. Details about to be mailed to LBL.
from tcpdump.org, although with a slightly different signature.
The tcpdump.org version has no way to report an error string back
to the caller. This version takes an additional "errbuf" argument
(similar to pcap_open_*()).
sync with more-recent LBL 0.4, about loopback interface detection
(/^lo[0-9]?$/).
CAVEAT: with a GENERIC kernel on laptops, pcap_lookupdev would almost
always pick eon0 as the interface, and fails because eon0 has no bpf
attachment. We may want to change pcap_lookup{,dev} to check whether the
interface has a bpf attachment or not.
almost in sync with tcpdump.org source code tree.
date (NOTE: there are multiple versions 0.4 with different datestamps!)
v0.4 Sat Jul 25 12:40:09 PDT 1998
libpcap CHANGES reads:
- Fixed bug in pcap_dispatch() that kept it from returning on packet
timeouts.
(this fixes nmap hangup if we use /usr/lib/libpcap.a with nmap)
- oldstyle and PHDS IPv4+ARP; RARP, IPv6, Appletalk are matched now.
- in case this is an unfragmented or first-fragment IPv4, IPv6, ARP, RARP or
Appletalk packet, matching inside the payload is possible to the extent
already supported by tcpdump/libpcap. For 2nd and next fragments, this
won't work; it also won't work for oldstyle (RFC1051) IPv4 and ARP.
"tcp" will match both IPv4 TCP and IPv6 TCP.
"ip6" will match IPv6.
You can chase the header chain by using "protochain" instead of "proto"
(but the BPF code is not optimizable in this case).
commit to tcpdump will follow.
I've sent this fix to the LBL guys and got no response. I wonder why.
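The difference between "proto" and "protochain", and the first-fragment limitation on payload matching, can be seen in a small Python model of the IPv6 header walk. This is an added example, not libpcap's generated BPF code: `protochain()` follows Hop-by-Hop, Routing, Destination Options and Fragment headers to the upper-layer protocol, and reports no payload offset for a non-first fragment, since the upper-layer header only travels in fragment zero. The packet builders and the `matches_proto` / `tcp_dst_port` helpers are this example's own, and treating a later fragment as "protocol known, payload unreachable" is an assumption made for illustration rather than a statement about exactly what libpcap's generated filter does with such packets.

```python
import struct

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 0, 43, 44, 60
IPPROTO_TCP = 6
# Extension headers that carry a Next Header byte and can be stepped over.
EXTENSION_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS}


def protochain(pkt):
    """Walk an IPv6 packet's header chain the way 'protochain' does.

    Returns (upper_protocol, offset of its header), or (upper_protocol, None)
    when the packet is a 2nd or later fragment and the upper-layer header is
    therefore not present in this packet.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40          # fixed header: Next Header byte, 40 bytes long
    while nxt in EXTENSION_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == IPPROTO_FRAGMENT:
            # Fragment header is always 8 bytes: next, reserved, (offset<<3|res|M), id
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            nxt, off = pkt[off], off + 8
            if frag_off != 0:
                return nxt, None   # later fragment: protocol known, payload not here
            continue
        # Other extension headers: Next Header, then length in 8-octet units
        # not counting the first 8 octets.
        hdr_len = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hdr_len
    return nxt, off


def matches_proto(pkt, proto, use_protochain):
    """'ip6 proto X' inspects only the fixed header's Next Header field;
    'ip6 protochain X' follows the chain to the upper-layer protocol."""
    if not use_protochain:
        return pkt[6] == proto
    final, _ = protochain(pkt)
    return final == proto


def tcp_dst_port(pkt):
    """Payload match example: the TCP destination port, or None when the
    TCP header is not reachable in this packet (non-TCP or later fragment)."""
    proto, off = protochain(pkt)
    if proto != IPPROTO_TCP or off is None or off + 4 > len(pkt):
        return None
    return struct.unpack_from("!H", pkt, off + 2)[0]


# --- constructed sample packets (this example's own test data) ---------------
def ipv6_header(next_header, payload_len):
    src = b"\x20\x01" + b"\x00" * 14          # 2001::
    dst = b"\x20\x01" + b"\x00" * 13 + b"\x01"  # 2001::1
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64, src, dst)


TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
HOPOPTS = bytes([IPPROTO_DSTOPTS, 0]) + b"\x01\x04" + b"\x00" * 4   # 8 bytes, PadN
DSTOPTS = bytes([IPPROTO_TCP, 0]) + b"\x01\x04" + b"\x00" * 4       # 8 bytes, PadN
FRAG_FIRST = struct.pack("!BBHI", IPPROTO_TCP, 0, (0 << 3) | 1, 0xABCD)
FRAG_LATER = struct.pack("!BBHI", IPPROTO_TCP, 0, (185 << 3) | 0, 0xABCD)

PLAIN = ipv6_header(IPPROTO_TCP, len(TCP_HDR)) + TCP_HDR
CHAIN = ipv6_header(IPPROTO_HOPOPTS, 16 + len(TCP_HDR)) + HOPOPTS + DSTOPTS + TCP_HDR
FIRST_FRAG = ipv6_header(IPPROTO_FRAGMENT, 8 + len(TCP_HDR)) + FRAG_FIRST + TCP_HDR
LATER_FRAG = ipv6_header(IPPROTO_FRAGMENT, 8 + 20) + FRAG_LATER + b"\x00" * 20

if __name__ == "__main__":
    for name, pkt in [("PLAIN", PLAIN), ("CHAIN", CHAIN),
                      ("FIRST_FRAG", FIRST_FRAG), ("LATER_FRAG", LATER_FRAG)]:
        print(name, "proto tcp:", matches_proto(pkt, IPPROTO_TCP, False),
              "protochain tcp:", matches_proto(pkt, IPPROTO_TCP, True),
              "dst port:", tcp_dst_port(pkt))
```

For `CHAIN` the plain "proto" test fails because the fixed header announces Hop-by-Hop, while "protochain" reaches TCP and the port is readable; for `LATER_FRAG` the protocol is still identifiable through the Fragment header but no port can be matched, which is the fragment limitation the entry describes.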
qualifiers are DLT_SLIP and DLT_PPP (i.e. old-style serial encap PPP).
Attempting to use these qualifiers for any other link type causes a BPF
program compilation error.