Ethereal-dev: Re: [ethereal-dev] Wiretap in CVS now

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: gram@xxxxxxxxxxxxxxxxxxx (Gilbert Ramirez Jr.)
Date: Thu, 12 Nov 1998 21:10:34 -0600 (CST)
As Guy Harris said:
> 
> As such, it'd be nice to have Wiretap able to generate BPF code; the
> problem is that the "libpcap" code generator and optimizer are licensed
> with a Berkeley copyright and it may not be possible to mix that with
> (L)GPLed code - if so, you'd have to roll your own.

What I am planning on doing is just that. I want to be able to define
protocol filters in a text file, and have my program roll all these
definitions into a "BPF library" of sorts. I am guessing that the vast
majority of all filters will be similar: "x bytes at offset y from beginning
of this protocol layer". As such, I want to provide an easy syntax for
creating these easy filters, but with the ability for a programmer to write
BPF assembly if he needs to. 

I'm still playing around with the syntax, but here's a sample filter file
for the token-ring layer:

#
# Token-Ring Filter
#

protocol tr "Token-Ring";

parents none;

field sr	"Source-Route Flag",
			boolean,
			and_mask(127 @ 7);

field src	"Source Hardware Address",
			ether,
			byte_offset(7);

field dst	"Destination Hardware Address",
			ether,
			byte_offset(1);

Where "ether" is defined as a 6-byte field.

A program would convert this to a collection of 3 BPF filters, and would
also create the necessary lex and yacc code for the entire library. It could
also create some nice documentation because of the description field.
Then in the filter you could say something like:

"tr.dst eq ff:ff:ff:ff:ff:ff"

This would make it easy to add arbitrary filters.

In the filter file above I also need to define a routine in BPF which
figures out which protocol layer is next. I haven't decided on the syntax
yet.

I also see the value of things like:

field hwaddr "Source or Destination Address",
			ether,
			any(src, dst);

So that "tr.hwaddr eq xx:xx:xx:xx:xx:xx" can match on either src or dst.

And:

alias addr = hwaddr;

so that "tr.addr eq xx:xx:xx:xx:xx" would also work.

Yes, I want to stick with BPF for the fact that many Unices have it built
in. I'd love to use the BPF optimizer in libpcap, but I too wonder about the
Univ. Calif. license. By reading the license it appears that as long as I
retain the copyright notice I'm in good shape. But more investigation is in
order.

--gilbert

-- 
Gilbert Ramirez                Voice:  +1 210 358 4032
Technical Services             Fax:    +1 210 358 1122
University Health System       San Antonio, Texas, USA
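A toy version of the scheme sketched in this message, added here as an example and not code from the post or from Ethereal/Wiretap: the token-ring field table is transcribed from the sample filter file (offsets and mask kept as written there), `and_mask(m @ off)` is assumed to mean "the byte at `off` ANDed with `m`", `any(src, dst)` becomes one compare block per alternative, and a `tr.<field> eq <value>` expression is compiled into a classic-BPF-style instruction list that a small interpreter runs against a constructed frame.

```python
from collections import namedtuple
# Field(size, byte_offset, and_mask, any(...) alternatives); 'ether' is 6 bytes, as in the post.
Field = namedtuple("Field", "size offset mask alts", defaults=(None, ()))
TR_FIELDS = {"sr": Field(1, 7, mask=127),                  # boolean, and_mask(127 @ 7)
             "src": Field(6, 7), "dst": Field(6, 1),       # ether, byte_offset(7) / (1)
             "hwaddr": Field(6, 0, alts=("src", "dst"))}   # any(src, dst)
ALIASES = {"addr": "hwaddr"}                               # alias addr = hwaddr;

def compile_filter(expr, fields=TR_FIELDS):
    """'tr.dst eq ff:ff:ff:ff:ff:ff' -> list of BPF-style (op, ...) tuples."""
    lhs, op, rhs = expr.split()
    proto, name = lhs.split(".")
    assert proto == "tr" and op == "eq", "toy handles only 'tr.<field> eq <value>'"
    name, prog = ALIASES.get(name, name), []
    for alt in fields[name].alts or (name,):       # any(src, dst) -> one block per alternative
        f = fields[alt]
        value = (bytes.fromhex(rhs.replace(":", "")) if ":" in rhs
                 else int(rhs).to_bytes(f.size, "big"))
        block, pos = [], 0
        for width in (4, 2, 1):                    # BPF ld / ldh / ldb load widths
            while pos + width <= f.size:
                block.append(("ld", f.offset + pos, width))
                if f.mask is not None:
                    block.append(("and", f.mask))
                block.append(("jeq", int.from_bytes(value[pos:pos + width], "big"), 0, None))
                pos += width
        block.append(("ret", 1))                   # every chunk matched: accept
        for i, ins in enumerate(block):            # a failed compare skips the rest of this block
            if ins[0] == "jeq":
                block[i] = (ins[0], ins[1], 0, len(block) - i - 1)
        prog.extend(block)
    prog.append(("ret", 0))                        # no alternative matched: reject
    return prog

def run(prog, pkt):
    """Tiny interpreter: accumulator A, relative jumps, reject on out-of-bounds load."""
    a, pc = 0, 0
    while True:
        ins, pc = prog[pc], pc + 1
        if ins[0] == "ld":
            if ins[1] + ins[2] > len(pkt):
                return 0                           # like BPF: a short packet never matches
            a = int.from_bytes(pkt[ins[1]:ins[1] + ins[2]], "big")
        elif ins[0] == "and":
            a &= ins[1]
        elif ins[0] == "jeq":
            pc += ins[2] if a == ins[1] else ins[3]
        else:
            return ins[1]
```

Each tuple corresponds to one classic BPF instruction (ld/ldh/ldb, and, jeq, ret), so the same field table could drive a real code generator; the out-of-bounds check in `run` mirrors BPF's rule that a load past the end of the packet makes the filter reject it.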