

Introducing the BPF tools - jgrahamc
http://blog.cloudflare.com/introducing-the-bpf-tools

======
rdtsc
Good stuff.

I have been using the pcapy library from Python. It wraps libpcap, has a bpf
compiler and a filter that checks packets against it. Then I use the dpkt library
to parse the pcap format (and the other typical stuff inside - ethernet/tcp/udp).

I have been wondering if there is a way to use wireshark's plugins. They have
plugins for so many protocols (including DNS). I haven't tried it though.

~~~
majke
Yeah, there was something with "pcapy" I didn't like, I don't remember what
though. Anyway "pcappy" is pure-python and fairly simple. It is a tiny bit
buggy, but what isn't :) Finding python pcap bindings is the least of my
worries.

Dpkt is great, but also sizeable. For "parsedns" we needed something
straightforward, self-contained and easily hackable. The fewer abstractions
the better.

Interesting idea with the wireshark plugins!

------
easytiger
Hmm, most of that is not required.

~~~
jgrahamc
Great. How should we simplify what we are doing?

~~~
easytiger
Well the iptables stuff is fair enough, I just don't see the need for the hex
dump stuff as it exists in plenty of other tools.

Also you can generate the bpf bytecode directly from tcpdump:

    tcpdump -p -ni eth0 -ddd "ip and udp"|tr "\n" ","

See: [http://blog.cloudflare.com/bpf-the-forgotten-bytecode](http://blog.cloudflare.com/bpf-the-forgotten-bytecode)

~~~
majke
I'm afraid, Sir, you are missing the point.

- You can not generate BPF that matches DNS queries to "*.example.uk" with
tcpdump.

- It's hard to produce BPF that is usable by xt_bpf with tcpdump.

- There are many tools that parse DNS requests, true. We just wanted to have
a nice, flat, self-contained script, without too many abstractions, to allow us
to experiment rapidly with different ways of matching the traffic.
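
The kind of flat, dependency-free DNS matching majke describes, as an added example that is not the thread's or Cloudflare's code: it pulls the question name out of a raw DNS query payload (the UDP body, header offsets from RFC 1035) with bounds checks, and tests it against a "*.example.uk"-style wildcard suffix. The sample packet is constructed inline.

```python
import struct

# Constructed sample: UDP payload of a standard A query for "www.example.uk".
SAMPLE_QUERY = (
    b"\x12\x34"                      # transaction ID
    b"\x01\x00"                      # flags: query, recursion desired
    b"\x00\x01"                      # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"      # ANCOUNT / NSCOUNT / ARCOUNT = 0
    b"\x03www\x07example\x02uk\x00"  # QNAME as length-prefixed labels
    b"\x00\x01"                      # QTYPE  = A
    b"\x00\x01"                      # QCLASS = IN
)


def parse_qname(payload, offset=12):
    """Return (name, offset_after_name) for the QNAME starting at `offset`.

    Every length byte and label is bounds-checked so a short or malformed
    packet raises ValueError instead of indexing past the buffer. Compression
    pointers (top two bits set) are rejected: they never appear in a question
    name and would otherwise allow loops.
    """
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated qname")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if offset + length > len(payload) or len(labels) >= 127:
            raise ValueError("truncated or oversized label")
        labels.append(payload[offset:offset + length].decode("ascii", "replace").lower())
        offset += length
    return ".".join(labels), offset


def query_matches(payload, pattern):
    """True if `payload` is a DNS query whose first question matches `pattern`.

    A pattern of the form "*.example.uk" matches example.uk and any subdomain;
    any other pattern must match the name exactly. Responses (QR bit set),
    packets with no question, and unparsable packets never match.
    """
    if len(payload) < 12:
        return False
    flags, qdcount = struct.unpack_from("!HH", payload, 2)
    if flags & 0x8000 or qdcount == 0:
        return False
    try:
        name, _ = parse_qname(payload)
    except ValueError:
        return False
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return name == suffix or name.endswith("." + suffix)
    return name == pattern
```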

