Simple way to verify valid BPF filter

Question

What is the simplest way to verify a BPF filter as a normal user?

Easiest I have found is to run tcpdump with a small pcap file as input to the -r option.

$ tcpdump -r one_packet.pcap -F invalid_bpf.conf 2> /dev/null ; echo $?
1
$ tcpdump -r one_packet.pcap -F valid_bpf.conf 2> /dev/null ; echo $?
0

Returns standard error codes for invalid or valid BPF filters. This requires that I have a PCAP file to provide as input.

Is there a way to do this simple test without a PCAP file or special privileges?

Answer 1

There is no such thing called BPF filter. OP refers to pcap-filter(7) domain language.

tcpdump -d <pcap-filter-expr> will print out BPF program which implements a pcap-filter-expr. As a side effect, it will validate pcap-filter. Example:

smarkovi@bos-lhvoja:~$ tcpdump -d tcp and src 1.1.1.1
Warning: assuming Ethernet
(000) ldh      [12]
(001) jeq      #0x86dd          jt 8    jf 2
(002) jeq      #0x800           jt 3    jf 8
(003) ldb      [23]
(004) jeq      #0x6             jt 5    jf 8
(005) ld       [26]
(006) jeq      #0x1010101       jt 7    jf 8
(007) ret      #262144
(008) ret      #0
smarkovi@bos-lhvoja:~$ echo $?
0

Answer 2

IF you have a shell that has a built-in "echo" command that supports escape sequences, one somewhat-perverse way of doing this would be to do

echo -en "\0324\0303\0262\0241\02\0\04\0\0\0\0\0\0\0\0\0\0377\0377\0\0\01\0\0\0"|\ 
    ./tcpdump -r - -F bpf.conf 2>/dev/null; echo $?

This worked for me on OS X 10.8, which has bash 3.2.48(1)-release (x86_64-apple-darwin12).

That "echo" command writes out a short pcap file with no packets in it, and with a link-layer header type of DLT_EN10MB. That will test whether the filter is valid for Ethernet; there are filters that are valid for some link-layer header types but not valid for others, such as "not broadcast", which is valid for Ethernet but not for PPP, so you'll need to choose some link-layer header type to use when testing.