Ethereal-dev: Re: [Ethereal-dev] Help with linux socket filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 5 Apr 2002 01:08:29 -0800
On Fri, Apr 05, 2002 at 12:37:32PM +0800, Hans wrote:
> With libpcap's pcap_compile, we can set Ethernet protocol type and IP
> protocol type filters. Then the issue comes: can I set an 802.11 type or
> subtype filter?

libpcap doesn't support any filter expression types specifically for the
802.11 type.

However, it does support the ability to test 1, 2, and 4-byte fields at
a given offset from the beginning of various protocol headers - from the
tcpdump man page:

	expr relop expr
	       True if the relation holds, where relop is one of >, <, >=, <=,
	       =, !=, and expr is an arithmetic expression composed of integer
	       constants (expressed in standard C syntax), the normal binary
	       operators [+, -, *, /, &, |], a length operator, and special
	       packet data accessors.  To access data inside the packet, use
	       the following syntax:
		    proto [ expr : size ]
	       Proto is one of ether, fddi, tr, ppp, slip, link, ip, arp,
	       rarp, tcp, udp, icmp or ip6, and indicates the protocol layer
	       for the index operation.  (ether, fddi, tr, ppp, slip and link
	       all refer to the link layer.)  Note that tcp, udp and other
	       upper-layer protocol types only apply to IPv4, not IPv6 (this
	       will be fixed in the future).  The byte offset, relative to
	       the indicated protocol layer, is given by expr.  Size is
	       optional and indicates the number of bytes in the field of
	       interest; it can be either one, two, or four, and defaults to
	       one.  The length operator, indicated by the keyword len, gives
	       the length of the packet.

	       For example, `ether[0] & 1 != 0' catches all multicast
	       traffic.  The expression `ip[0] & 0xf != 5' catches all IP
	       packets with options.  The expression `ip[6:2] & 0x1fff = 0'
	       catches only unfragmented datagrams and frag zero of
	       fragmented datagrams.  This check is implicitly applied to the
	       tcp and udp index operations.  For instance, tcp[0] always
	       means the first byte of the TCP header, and never means the
	       first byte of an intervening fragment.

The 802.11 type and subtype are at the beginning of the link-layer
header, so, for example, if you wanted to test for a beacon frame, you'd
do

	link[0] == 8

> Is there something else implementing the same function
> as pcap_compile does?

Nothing that I know of.

> I just want the filter code from a filter string, not concerning the
> pcap type.

You can't generate code for a filter string without knowing the
link-layer type.

> Is there any detailed information about LSF?

What do you mean by "LSF"?

> Where can I find the BPF manual?

On a BSD system, "man bpf" will give you information about it.
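As an added illustration of the `proto [ expr : size ]` accessor discussed in this thread (example code written here, not from the thread or from libpcap), the following Python models how a `link[offset:size]` read behaves and applies it to the 802.11 frame-control field, whose first byte carries the frame type and subtype; the sample frame bytes are constructed for the demonstration.

```python
"""Model of libpcap's link[offset:size] accessor applied to 802.11 frames.
Added example; the frames below are constructed, not captured."""

# Constructed frame prefixes: frame control (2 bytes, sent LSB first),
# duration (2 bytes), then the start of address 1.
BEACON_FRAME = bytes.fromhex("8000" "0000" "ffffffffffff")
DATA_FRAME = bytes.fromhex("0800" "0000" "ffffffffffff")
TRUNCATED = bytes.fromhex("80")          # only one byte survived

def link_field(frame: bytes, offset: int, size: int = 1):
    """Mirror `link[offset:size]`: size is 1, 2 or 4 bytes, read in network
    byte order. A read past the end of the packet makes the BPF program
    reject the packet; that case is modelled here as None."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    chunk = frame[offset:offset + size]
    if len(chunk) < size:
        return None
    return int.from_bytes(chunk, "big")

def matches(frame: bytes, offset: int, size: int, mask: int, value: int) -> bool:
    """Evaluate `link[offset:size] & mask = value` as the filter would."""
    field = link_field(frame, offset, size)
    return field is not None and (field & mask) == value

def fc_type_subtype(frame: bytes):
    """Decode (type, subtype) from byte 0 of the 802.11 frame-control field:
    bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype."""
    fc0 = link_field(frame, 0, 1)
    if fc0 is None:
        return None
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF

def fc_byte(ftype: int, subtype: int, version: int = 0) -> int:
    """The value `link[0]` must equal to select one 802.11 type/subtype."""
    return (subtype << 4) | (ftype << 2) | version

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_BEACON = 8

if __name__ == "__main__":
    want = fc_byte(TYPE_MGMT, SUBTYPE_BEACON)
    for name, frame in (("beacon", BEACON_FRAME), ("data", DATA_FRAME),
                        ("truncated", TRUNCATED)):
        print(f"{name}: type/subtype={fc_type_subtype(frame)}, "
              f"link[0] = {want:#x} -> {matches(frame, 0, 1, 0xFF, want)}, "
              f"link[0:2] -> {link_field(frame, 0, 2)}")
```

A type-only test masks the two type bits, e.g. `matches(frame, 0, 1, 0x0C, 0x08)` selects every data frame regardless of subtype.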