> (Note that BPF does *NOT* support loops; BPF branches can only branch
> forward. That was done so that BPF programs cannot loop infinitely,
> so that the kernel's BPF-program-checking code has fewer things to
> worry
> about. This means that a BPF program that loops checking multiple
> offsets is impossible, so that's not a valid BPF filter to check for a
> string that can exist anywhere in the packet.)
OK, the paper I have (Steven McCanne and Van Jacobson '92) is not at
great pains to point that out in exquisite detail, but it does agree:
"Since jump offsets are encoded in eight bits, the longest [conditional]
jump is 256 instructions."
With IP/TCP overhead and a maximum packet length of 1500 bytes or so, it
is still possible. Ugly and slow agreed, but possible.
> What would the BPF code be to check for a string anywhere in the
> packet?
MACRO isthisat(fourchars,addr,yes,no)
LD [x+addr]
JEQ #fourchars, yes,no
ENDMACRO
...
Load X with start of search address
...
isthisat ('ASTR', 0, GOT1,L1)
L1: isthisat ('ASTR', 1, GOT1,L2)
L2: isthisat ('ASTR', 2, GOT1,L3)
...
L119: isthisat ('ASTR', 119, GOT1,L120)
GOT1: RET #-1
L120: isthisat ('ASTR', 120, GOT2,L121)
L121: isthisat ('ASTR', 121, GOT2,L122)
L122: isthisat ('ASTR', 122, GOT2,L123)
L123: isthisat ('ASTR', 123, GOT2,L124)
L124: isthisat ('ASTR', 124, GOT2,L125)
...
Many cases of an indeterminate search may be made determinate with
sufficiently strong parsing.
The size of an indeterminate search may be controllable by altering the
MTU.
It would be possible, and not at all ugly or slow, to enable capture on
protocol fields that libpcap does not recognise, with variable but
determinate field positions.
--
Richard Urwin, Software Design Engineer
Schenck Test Automation
Braemar Court, 1311b Melton Road, Syston, UK.
rurwin@xxxxxxxxxxxxx
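The unrolled search sketched in the mail above, written out as an added example (this is not code from the thread or from libpcap). It assumes classic BPF semantics: an X-indexed 32-bit load per candidate offset, a conditional jump whose jt/jf fields are one byte each, and a "ret #-1" placed after every 120 load/compare pairs so that the first pair of each group can still reach it. The header length (54 bytes), the search width (1024 offsets) and the packets are constructed for the demonstration.

```python
"""Unrolled classic-BPF search for a four-byte string anywhere in a packet.

Added example, not code from the original thread. It emits the chain the mail
sketches (one "isthisat" = LD + JEQ pair per candidate offset) and closes each
group of 120 pairs with an accept RET, so that every conditional jump target
stays within the one-byte jt/jf fields of a classic BPF instruction. A small
interpreter runs the result over constructed packets.
"""
import struct

# Classic BPF opcode values (as in <linux/filter.h> and BSD <net/bpf.h>).
BPF_LDX_IMM = 0x01   # ldx #k          X = k
BPF_LD_W_IND = 0x40  # ld [x + k]      A = 32-bit big-endian word at X + k
BPF_JEQ_K = 0x15     # jeq #k, jt, jf  pc += (A == k) ? jt : jf
BPF_RET_K = 0x06     # ret #k          return k

MAX_JUMP = 255       # jt and jf are one byte each
ACCEPT = 0xFFFFFFFF  # "ret #-1": accept the whole packet


def build_search_filter(pattern, start, n_offsets, group=120):
    """Return (code, jt, jf, k) tuples accepting a packet iff `pattern` starts
    at one of the byte offsets start .. start + n_offsets - 1."""
    if len(pattern) != 4:
        raise ValueError("classic BPF compares one 32-bit word at a time")
    if 2 * group - 2 > MAX_JUMP:
        raise ValueError("group too large: first JEQ could not reach the RET")
    key = struct.unpack("!I", pattern)[0]   # pattern as the word LD will load
    prog = [(BPF_LDX_IMM, 0, 0, start)]     # X = start of the search window
    for i in range(n_offsets):
        last = i == n_offsets - 1
        macros_after = 0 if last else group - 1 - (i % group)
        prog.append((BPF_LD_W_IND, 0, 0, i))                    # ld [x + i]
        # Match: jump over the remaining pairs to this group's "ret #-1".
        # No match: fall through, or skip that RET when it is next (jf = 1).
        prog.append((BPF_JEQ_K, 2 * macros_after,
                     1 if macros_after == 0 else 0, key))
        if macros_after == 0:
            prog.append((BPF_RET_K, 0, 0, ACCEPT))              # GOTn: ret #-1
    prog.append((BPF_RET_K, 0, 0, 0))                           # nothing matched
    return prog


def max_jump(prog):
    """Largest jt/jf used by any conditional jump (must not exceed MAX_JUMP)."""
    return max((max(jt, jf) for code, jt, jf, _ in prog if code == BPF_JEQ_K),
               default=0)


def run_filter(prog, pkt):
    """Minimal interpreter for the opcodes the builder emits. An out-of-range
    load rejects the packet (returns 0), as real BPF does."""
    acc = idx = 0
    pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == BPF_LDX_IMM:
            idx = k
        elif code == BPF_LD_W_IND:
            off = idx + k
            if off + 4 > len(pkt):
                return 0
            acc = struct.unpack_from("!I", pkt, off)[0]
        elif code == BPF_JEQ_K:
            pc += jt if acc == k else jf
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("fell off the end of the program")


def matches(prog, pkt):
    """True when the filter accepts the packet."""
    return run_filter(prog, pkt) != 0


if __name__ == "__main__":
    # Constructed input: search the 1024 bytes after a 54-byte
    # Ethernet + IPv4 + TCP header (14 + 20 + 20) for "ASTR".
    prog = build_search_filter(b"ASTR", start=54, n_offsets=1024)
    hit = bytes(54) + b"x" * 300 + b"ASTR" + b"y" * 50
    miss = bytes(54) + b"x" * 354
    print(len(prog), "instructions, longest jump", max_jump(prog))
    print(matches(prog, hit), matches(prog, miss))
```

Two details the macro labels in the mail encode implicitly are made explicit here: the "no" branch of the last pair before a GOTn must skip that RET (jf = 1, the L119 to L120 step), and with 120 pairs per group the longest jump is 238, inside the one-byte field. The interpreter also shows why a short packet is simply rejected: a load past the end of the packet returns 0 rather than faulting, so the unrolled chain stays safe even when the search window is wider than the packet.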