F.M

Reputation: 511

How can I return the packets using bpf?

I want to filter packets using bpf. I studied the bpf manual and wrote the filter. This is the last line of my filter:

BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 16),

I loaded the IP packet length. Now I want to return sizeof(struct ether_header) plus the length above.

How can I write this filter?

Upvotes: 2

Views: 300

Answers (1)

Ctx

Reputation: 18420

Here, you load a word from your packet into the accumulator:

BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 16),

First, you have to add the size of the ethernet header (14 bytes) to the accumulator:

BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, 14),

and then, you return this value in the accumulator to get the data to userspace:

BPF_STMT(BPF_RET+BPF_A, 0)

Note:

If you mean to extract the IP total length, you have to load a halfword in your first statement (the IP total length is only a 16-bit value, so use BPF_H instead of BPF_W).

Upvotes: 2
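The following is an added example, not code from the question or the answer: it runs the question's word load and the halfword variant from the note over one frame so the difference in the returned snap length is visible. It assumes Linux's `<linux/filter.h>`; `run_filter` is a hypothetical userspace interpreter for just these opcodes, the frame bytes are constructed, and the EtherType check goes beyond what the answer shows.

```c
#include <linux/filter.h>   /* struct sock_filter, BPF_STMT, BPF_JUMP (Linux assumed) */
#include <stdint.h>
#include <stdio.h>
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Halfword variant with an added IPv4 guard: keep 14 + IP total length bytes. */
static struct sock_filter half_prog[] = {
    BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12),            /* A = EtherType          */
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x0800, 0, 3), /* not IPv4: jump to drop */
    BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 16),            /* A = IP total length    */
    BPF_STMT(BPF_ALU + BPF_ADD + BPF_K, 14),           /* A += Ethernet header   */
    BPF_STMT(BPF_RET + BPF_A, 0),                      /* keep A bytes           */
    BPF_STMT(BPF_RET + BPF_K, 0),                      /* keep 0 bytes (drop)    */
};
/* The three statements as posted: BPF_W also pulls in the 16-bit IP ID field. */
static struct sock_filter word_prog[] = {
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, 16),
    BPF_STMT(BPF_ALU + BPF_ADD + BPF_K, 14),
    BPF_STMT(BPF_RET + BPF_A, 0),
};
/* Constructed sample: Ethernet II + IPv4 header, total length 0x0054, ID 0x1234. */
static const uint8_t frame[] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,
    0x45,0x00, 0x00,0x54, 0x12,0x34, 0x40,0x00, 0x40,0x01, 0x00,0x00,
    10,0,0,1, 10,0,0,2,
};

/* Hypothetical helper: interprets only the opcodes used above, not a kernel API. */
static uint32_t run_filter(const struct sock_filter *f, size_t n,
                           const uint8_t *p, size_t len) {
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = f[pc].k;
        size_t w = (f[pc].code == BPF_LD + BPF_W + BPF_ABS) ? 4 : 2;
        switch (f[pc].code) {
        case BPF_LD + BPF_W + BPF_ABS:
        case BPF_LD + BPF_H + BPF_ABS:
            if ((size_t)k + w > len) return 0;       /* out-of-range load drops */
            for (A = 0; w--; k++) A = A << 8 | p[k]; /* network byte order      */
            break;
        case BPF_ALU + BPF_ADD + BPF_K: A += k; break;
        case BPF_JMP + BPF_JEQ + BPF_K: pc += (A == k) ? f[pc].jt : f[pc].jf; break;
        case BPF_RET + BPF_A: return A;
        case BPF_RET + BPF_K: return k;
        default: return 0;                           /* outside this subset     */
        }
    }
    return 0;
}
int main(void) {
    printf("BPF_H: %u\n", (unsigned)run_filter(half_prog, N(half_prog), frame, sizeof frame));
    printf("BPF_W: %u\n", (unsigned)run_filter(word_prog, N(word_prog), frame, sizeof frame));
    return 0;
}
```

The return value is the number of bytes to keep, so the oversized result from the word load makes the kernel deliver the whole packet rather than the intended length.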
