Re: Re: converting tcpdump files

The -d option does something different than what botho is asking; it doesn't display the captured data in a different format, it displays the capture program that it writes.

The 'capture filter' in tcpdump works by parsing the filter string during startup, and then writing an optimized machine-language filter subroutine which is called for each packet. The -d option shows that subroutine, in assembler language, which is 'human' compared to the raw machine language that -dd or -ddd would show.

For example, if I want to capture only TCP packets, ignoring all UDP, ICMP, and non-IP packets, I would use tcpdump tcp . Adding -d and running it, I get:

$ tcpdump -d tcp
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 4
(002) ldb      [20]
(003) jeq      #0x6             jt 7    jf 8
(004) jeq      #0x800           jt 5    jf 8
(005) ldb      [23]
(006) jeq      #0x6             jt 7    jf 8
(007) ret      #96
(008) ret      #0
[download]

In (pseudo)Perl, that translates to:

use constant IPv4 => 0x0800; # Regular TCP/IP
use constant IPv6 => 0x86dd; # New and improved!
use constant TCP  => 0x06;   # As opposed to UDP or ICMP
sub filter {
  my $type = unpack 'x12 n1', $_;
  my $proto;
  if ( $type == IPv6 ) {
    $proto = unpack 'x20 C1', $_;
  elsif ( $type == IPv4 ) {
    $proto = unpack 'x23 C1', $_;
  else {
    return;
  }
  return 1 if $proto == TCP;
  return;
}
[download]

The -d option is really there for debugging the filter's parser and optimizer.

All this explains why Ethereal supports two completely different filter languages. The 'capture' filters are identical (and as efficient) to tcpdump's filters, but the slower non-compiled 'read' filters provide much more power.

Comment on Re: Re: converting tcpdump files Select or Download Code


No such thing as a small change
	PerlMonks