
BPF Tools – packet analyst toolkit - luu
https://github.com/cloudflare/bpftools
======
bhickey
Maybe I'm missing the point of bpfgen. What additional functionality does it
provide over tcpdump?

        tcpdump -i eth0 -d dst 127.0.0.1
        (000) ldh      [12]
        (001) jeq      #0x800           jt 2    jf 4
        (002) ld       [30]
        (003) jeq      #0x7f000001      jt 8    jf 9
        (004) jeq      #0x806           jt 6    jf 5
        (005) jeq      #0x8035          jt 6    jf 9
        (006) ld       [38]
        (007) jeq      #0x7f000001      jt 8    jf 9
        (008) ret      #65535
        (009) ret      #0

~~~
jsnell
The pcap filter language isn't very powerful. Once you get outside of the
primitives it supplies, even very simple things become hard or impossible. The
examples here seem to be for doing pattern matching (with wildcards) on
portions of DNS query packets. That's definitely in the range of things you
can't coerce the pcap filter language to do an even adequate job on.

(I once wanted a pcap filter that matched SYN packets with a wscale option
set; it ended up being an 8kB long filter due to needing to handle different
ordering of variable sized TCP options. It would have been pretty trivial to
do in raw BPF).
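
Added example, not code from the thread, from tcpdump or from cloudflare/bpftools: a small classic-BPF interpreter in Python that runs the exact `tcpdump -d` listing from bhickey's comment above, plus a raw-BPF program for jsnell's SYN-with-window-scale case that walks the TCP options in whatever order they appear (something pcap filter syntax cannot express, hence the unrolled, multi-kilobyte filters). Mnemonics follow `tcpdump -d`; `ldb_ind`, `ldxmsh`, `ldxmem`, `addx` and `jgex` are this example's names for `ldb [x+k]`, `ldx 4*([k]&0xf)`, `ldx M[k]`, `add x` and `jge x`. All frames and option layouts are constructed, not captured traffic.

```python
import struct

# Classic BPF as tcpdump -d prints it: (op, k, jt, jf), jt/jf are absolute
# instruction numbers.  A and X are the two registers, M the scratch memory.
def run_bpf(prog, pkt):
    """Return the program's ret value for pkt (0 means reject)."""
    A = X = pc = 0
    M = [0] * 16
    while True:
        op, k, jt, jf = prog[pc]
        try:
            if op == 'ret':       return k
            elif op == 'ldh':     A = struct.unpack_from('!H', pkt, k)[0]
            elif op == 'ld':      A = struct.unpack_from('!I', pkt, k)[0]
            elif op == 'ldb':     A = pkt[k]
            elif op == 'ldb_ind': A = pkt[X + k]            # ldb [x + k]
            elif op == 'ldxmsh':  X = 4 * (pkt[k] & 0xf)    # ldx 4*([k]&0xf)
            elif op == 'ldxmem':  X = M[k]                  # ldx M[k]
            elif op == 'st':      M[k] = A
            elif op == 'tax':     X = A
            elif op == 'txa':     A = X
            elif op == 'add':     A = (A + k) & 0xffffffff
            elif op == 'addx':    A = (A + X) & 0xffffffff  # add x
            elif op == 'and':     A &= k
            elif op == 'rsh':     A >>= k
            elif op == 'jeq':     pc = jt if A == k else jf; continue
            elif op == 'jset':    pc = jt if A & k else jf; continue
            elif op == 'jgex':    pc = jt if A >= X else jf; continue  # jge x
            elif op == 'ja':      pc = k; continue
            else: raise ValueError('unknown op %r' % op)
        except (IndexError, struct.error):
            return 0  # load past the end of the packet: the kernel rejects it
        pc += 1

# The "dst 127.0.0.1" program exactly as the tcpdump -d listing above shows it.
DST_LOOPBACK = [
    ('ldh', 12, 0, 0), ('jeq', 0x800, 2, 4),        # EtherType: IPv4 -> 2
    ('ld', 30, 0, 0), ('jeq', 0x7f000001, 8, 9),    # IPv4 destination address
    ('jeq', 0x806, 6, 5), ('jeq', 0x8035, 6, 9),    # ARP or RARP -> 6
    ('ld', 38, 0, 0), ('jeq', 0x7f000001, 8, 9),    # ARP target protocol address
    ('ret', 65535, 0, 0), ('ret', 0, 0, 0),         # 8: accept, 9: reject
]

def syn_with_wscale(max_iters=40):
    """Raw BPF for "TCP SYN carrying a window-scale option (kind 3)".  cBPF has
    no backward jumps, so the option walk is unrolled once per possible option
    byte: 14 instructions per step, 8 bytes each, which is where kB-sized
    filters come from."""
    REJ = 18 + 14 * max_iters
    ACC = REJ + 1
    p = [
        ('ldh', 12, 0, 0), ('jeq', 0x800, 2, REJ),       # IPv4 only
        ('ldb', 23, 0, 0), ('jeq', 6, 4, REJ),           # protocol: TCP
        ('ldh', 20, 0, 0), ('jset', 0x1fff, REJ, 6),     # not a later fragment
        ('ldxmsh', 14, 0, 0),                            # X = IP header length
        ('ldb_ind', 27, 0, 0), ('jset', 0x02, 9, REJ),   # TCP flags: SYN set?
        ('ldb_ind', 26, 0, 0), ('and', 0xf0, 0, 0), ('rsh', 2, 0, 0),  # doff*4
        ('addx', 0, 0, 0), ('add', 14, 0, 0), ('st', 0, 0, 0),  # M[0] = end of TCP header
        ('txa', 0, 0, 0), ('add', 34, 0, 0), ('tax', 0, 0, 0),  # X = first option byte
    ]
    for i in range(max_iters):
        b = 18 + 14 * i
        p += [
            ('txa', 0, 0, 0), ('ldxmem', 0, 0, 0), ('jgex', 0, REJ, b + 3),  # ptr >= end?
            ('tax', 0, 0, 0), ('ldb_ind', 0, 0, 0),      # A = option kind at ptr
            ('jeq', 3, ACC, b + 6),                      # window scale: match
            ('jeq', 0, REJ, b + 7),                      # EOL: nothing follows
            ('jeq', 1, b + 11, b + 8),                   # NOP has no length byte
            ('ldb_ind', 1, 0, 0), ('addx', 0, 0, 0), ('ja', b + 13, 0, 0),  # ptr += len
            ('txa', 0, 0, 0), ('add', 1, 0, 0),          # NOP: ptr += 1
            ('tax', 0, 0, 0),
        ]
    return p + [('ret', 0, 0, 0), ('ret', 65535, 0, 0)]  # REJ, ACC

# Constructed frames (not captured traffic): Ethernet/IPv4/TCP and Ethernet/ARP.
def tcp_frame(options=b'', flags=0x02, dst=b'\x7f\x00\x00\x01'):
    tcp = struct.pack('!HHIIBBHHH', 40000, 443, 1, 0, (5 + len(options) // 4) << 4,
                      flags, 65535, 0, 0) + options       # options padded to 4 bytes
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     b'\x0a\x00\x00\x01', dst) + tcp
    return b'\x00' * 12 + b'\x08\x00' + ip

def arp_frame(target=b'\x7f\x00\x00\x01'):
    arp = struct.pack('!HHBBH6s4s6s4s', 1, 0x800, 6, 4, 1, b'\x00' * 6,
                      b'\x0a\x00\x00\x01', b'\x00' * 6, target)
    return b'\xff' * 6 + b'\x00' * 6 + b'\x08\x06' + arp

MSS_NOP_WS  = b'\x02\x04\x05\xb4\x01\x03\x03\x07'                      # WS after MSS, NOP
SACK_TS_WS  = b'\x04\x02\x08\x0a' + b'\x00' * 8 + b'\x01\x03\x03\x07'  # WS after SACK-perm, TS
MSS_SACK    = b'\x02\x04\x05\xb4\x04\x02\x01\x01'                      # no WS at all
EOL_THEN_WS = b'\x02\x04\x05\xb4\x00\x03\x03\x07'                      # a 3 after EOL is not an option

if __name__ == '__main__':
    prog = syn_with_wscale()
    print('insns:', len(prog), 'bytes:', 8 * len(prog))
    for name, f in [('mss/nop/ws', tcp_frame(MSS_NOP_WS)), ('sack/ts/ws', tcp_frame(SACK_TS_WS)),
                    ('no ws', tcp_frame(MSS_SACK)), ('eol then ws', tcp_frame(EOL_THEN_WS)),
                    ('ack with ws', tcp_frame(MSS_NOP_WS, flags=0x10)), ('arp', arp_frame())]:
        print(name, 'wscale:', run_bpf(prog, f), 'dst 127.0.0.1:', run_bpf(DST_LOOPBACK, f))
```

The `EOL_THEN_WS` frame is the case that separates a real option walk from a byte scan: a `0x03` after an end-of-options byte is payload padding, not a window-scale option, and the walk correctly rejects it. The same option-pointer dance (`txa` / `ldx M[0]` / `jge x` / `tax`) is what a generator such as bpfgen emits for you; writing it by hand shows why the pcap filter language, which has no registers or scratch memory to expose, cannot express it.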

~~~
bhickey

        The examples here seem to be for doing pattern matching (with wildcards) on portions of DNS query packets. That's definitely in the range of things you can't coerce the pcap filter language to do an even adequate job on.
    

Ah-ha, thanks! I've written quite a bit of BPF but haven't dug too deeply into
pcap filters. Based on the examples it looked redundant with the pcap
language.

