Minimal BPF support

Open nbareil opened this issue 12 years ago • 0 comments

It would be convenient to support BPF filters in a minimal way, where the user directly provides the BPF opcodes.

Most of the work is already done by the tcpdump compiler, which can dump raw opcodes on stdout. We just need some glue (the following bpf2binary.py code) to import it into net2pcap through a setsockopt(s, SO_ATTACH_FILTER, ...).

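#! /usr/bin/env python3
# Convert `tcpdump -ddd` output (one "code jt jf k" line per instruction)
# into packed struct sock_filter entries written to stdout.

import fileinput
import struct
import sys

out = []
for line in fileinput.input():
    digits = list(map(int, line.split()))
    if len(digits) != 4:  # skip first line (the instruction count)
        continue
    # struct sock_filter: __u16 code, __u8 jt, __u8 jf, __u32 k (all unsigned)
    binary = struct.pack('=HBBI', *digits)
    out.append(binary)
# Emit the raw bytes unmodified
sys.stdout.buffer.write(b''.join(out))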

And then:

bpf_isn=$(tcpdump -i eth0 -ddd port 25 | ./bpf2binary.py)
net2pcap -i eth0 -F "$bpf_isn"

nbareil, Jul 12 '13 13:07