Reputation: 8177
What is the simplest way to verify a BPF filter as a normal user?
The easiest way I have found is to run tcpdump with a small pcap file as input to the -r option.
$ tcpdump -r one_packet.pcap -F invalid_bpf.conf 2> /dev/null ; echo $?
1
$ tcpdump -r one_packet.pcap -F valid_bpf.conf 2> /dev/null ; echo $?
0
Returns standard error codes for invalid or valid BPF filters. This requires that I have a PCAP file to provide as input.
Is there a way to do this simple test without a PCAP file or special privileges?
Upvotes: 0
Views: 4418
Reputation: 333
There is no such thing as a "BPF filter". The OP is referring to the pcap-filter(7) expression language.
tcpdump -d <pcap-filter-expr>
will print out the BPF program that implements the pcap-filter expression. As a side effect, it validates the pcap-filter expression. Example:
smarkovi@bos-lhvoja:~$ tcpdump -d tcp and src 1.1.1.1
Warning: assuming Ethernet
(000) ldh [12]
(001) jeq #0x86dd jt 8 jf 2
(002) jeq #0x800 jt 3 jf 8
(003) ldb [23]
(004) jeq #0x6 jt 5 jf 8
(005) ld [26]
(006) jeq #0x1010101 jt 7 jf 8
(007) ret #262144
(008) ret #0
smarkovi@bos-lhvoja:~$ echo $?
0
Upvotes: 0
Reputation:
IF you have a shell that has a built-in "echo" command that supports escape sequences, one somewhat-perverse way of doing this would be to do
echo -en "\0324\0303\0262\0241\02\0\04\0\0\0\0\0\0\0\0\0\0377\0377\0\0\01\0\0\0"|\
./tcpdump -r - -F bpf.conf 2>/dev/null; echo $?
This worked for me on OS X 10.8, which has bash 3.2.48(1)-release (x86_64-apple-darwin12).
That "echo" command writes out a short pcap file with no packets in it, and with a link-layer header type of DLT_EN10MB. That will test whether the filter is valid for Ethernet; there are filters that are valid for some link-layer header types but not valid for others, such as "not broadcast", which is valid for Ethernet but not for PPP, so you'll need to choose some link-layer header type to use when testing.
Upvotes: 1
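Putting the two answers together, here is an added example (not code from any of the answers above) that generates the same 24-byte empty pcap header with POSIX printf instead of a bash-specific echo, so it also works under sh/dash, and lets you choose the link-layer header type so the "valid for Ethernet but not for PPP" case can be checked explicitly. It assumes tcpdump is on PATH; the DLT numbers used are 1 (Ethernet, DLT_EN10MB, as in the answer) and 9 (PPP, DLT_PPP, from libpcap's dlt definitions); the function names are mine.

```shell
#!/bin/sh
# Added example: validate a pcap-filter expression as an unprivileged user
# with no capture file, for a chosen link-layer header type.

# Emit a 32-bit little-endian integer as raw bytes, using printf's
# \ooo octal escapes (POSIX), which is why no "echo -e" is needed.
le32() {
    n=$1
    i=0
    while [ "$i" -lt 4 ]; do
        printf "\\$(printf '%03o' $(( (n >> (8 * i)) & 255 )))"
        i=$((i + 1))
    done
}

# Empty pcap global header (no packet records) for link-layer type $1:
# magic 0xa1b2c3d4 stored little-endian, version 2.4, zone/sigfigs 0,
# snaplen 65535, then the DLT number. Same layout the echo answer used.
pcap_empty_header() {
    printf '\324\303\262\241'   # magic number, little-endian
    printf '\002\000\004\000'   # version 2.4
    le32 0                       # thiszone
    le32 0                       # sigfigs
    le32 65535                   # snaplen
    le32 "$1"                    # network: DLT number
}

# Compile the filter (remaining args, exactly as tcpdump takes them, so
# "-F file" works too) against an empty capture of type $1.
# Exit status 0 = filter valid for that DLT, non-zero = invalid.
check_filter() {
    dlt=$1
    shift
    pcap_empty_header "$dlt" | tcpdump -r - "$@" >/dev/null 2>&1
}

# Show how the same expression fares on Ethernet (DLT 1) and PPP (DLT 9).
report() {
    expr=$1
    for dlt in 1 9; do
        if check_filter "$dlt" "$expr"; then r=valid; else r=invalid; fi
        printf 'DLT %s: "%s" is %s\n' "$dlt" "$expr" "$r"
    done
}

# Usage (only runs when tcpdump is available):
command -v tcpdump >/dev/null 2>&1 && report 'not broadcast'
```

For a one-off check from the command line the equivalent is `pcap_empty_header 1 | tcpdump -r - -F bpf.conf; echo $?`. Note that `tcpdump -d` without `-r` assumes Ethernet, so this wrapper is only needed when you want to test against another link type.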