Libpcap's BPF

Last Update:2016-01-29 Source: Internet

Author: User

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

tcpdump-d//See BPF compiled code

# tcpdump-i Eth0-n'VLAN && TCP'-D ( the) LDH [ A](001) JEQ #0x8100Jt3Jf2(002) JEQ #0x9100Jt3Jf -(003) LDH [ -](004) JEQ #0X86DDJt5JfTen(005) LDB [ -](006) JEQ #0x6Jt -Jf7(007) JEQ #0x2cJt8Jf -(008) LDB [ -](009) JEQ #0x6Jt -Jf -(010) JEQ #0x800Jt OneJf -(011) LDB [ -](012) JEQ #0x6Jt -Jf -(013) RET #262144(014) RET #0

BPF syntax

The BPF architecture consists of the following basic elements:  Element          Description  A +                bit wide Accumul Ator  x                wide x Register  m[] x              -bit wide misc registers aka "Scratch Memory                   Store", add Ressable from 0 to 15

instruction addressing mode DescriptionLD               1,2,3,4,TenLoad Word into A ldi4Load Word into A LDH1,2Load half-word into A ldb1,2LoadbyteInto A ldx3,4,5,TenLoad Word into X ldxi4Load Word into X ldxb5LoadbyteInto X St3Store A into m[] STX3Store X into m[] jmp6Jump to label ja6Jump to label Jeq7,8Jump on k = =A jneq8Jump on k! =A jne8Jump on k! =A JLT8Jump on K <A Jle8Jump on K <=A JGT7,8Jump on K >A Jge7,8Jump on K >=A Jset7,8Jump on K &A Add0,4A + <x>Sub0,4A-<x>Mul0,4A * <x>Div0,4A/<x>MoD0,4A% <x>neg0,4!A and0,4A & <x>or0,4A | <x>XOR0,4A ^ <x>LSH0,4A << <x>rsh0,4A >> <x>Tax copy A to X Txa Copy X into A ret 4,9returnthe Next table shows addressing formats from the 2nd column:addressing mode Syntax Description0x/%x Register x1[K] BHW atbyteOffset KinchThe packet2[x + K] BHW at the offset X + kinchThe packet3M[K] Word at offset Kinchm[]4#k Literal Value Storedinchk5               4* ([k]&0xf) Lower Nibble *4AtbyteOffset KinchThe packet6L Jump Label L7#k, LT,LF jump to Ltif true, otherwise jump to Lf8#k, lt Jump to Ltifpredicate istrue   9a/%a accumulator aTenextension BPF extensionthe Linux kernel also have a couple of BPF extensions that is used AL Ongwith the class of load instructions by"overloading"The k argument witha negative offset+a particular extension offset. The result of such bpfextensions is loaded into a.possible BPF extensions is showninchThe following table:extension Description Len skb-len Proto SKB-protocol type SKB-pkt_type poff Payload start offset ifidx SKB->dev->ifindex NLA netlink attribute of type X with offset A Nlan Nested netlink attribute of type X with offset A Mark SKB-Mark Queue SKB-queue_mapping Hatype SKB->dev->type Rxhash SKB-Hash CPU raw_smp_processor_id () Vlan_tci Skb_vlan_tag _get (SKB) vlan_avail skb_vlan_tag_present (SKB) vlan_tpid SKB-Vlan_proto Rand Prandom_u32 ()

Libpcap's BPF

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More