Ethereal-dev: Re: [Ethereal-dev] An interesting project for somebody

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 15 Oct 2002 12:04:39 -0700
On Tue, Oct 15, 2002 at 10:47:18AM +0100, Richard Urwin wrote:
> > What would the BPF code be to check for a string anywhere in the
> packet?
> 
> MACRO isthisat(fourchars,addr,yes,no)
>       LD  [x+addr]
>       JEQ #fourchars, yes,no
> ENDMACRO
> ...
> Load X with start of search address
> ...
>       isthisat ('ASTR', 0, GOT1,L1)
> L1:   isthisat ('ASTR', 1, GOT1,L2)
> L2:   isthisat ('ASTR', 2, GOT1,L3)
> ...
> L119: isthisat ('ASTR', 119, GOT1,L120)
> GOT1: RET #-1
> L120: isthisat ('ASTR', 120, GOT2,L121)
> L121: isthisat ('ASTR', 121, GOT2,L122)
> L122: isthisat ('ASTR', 122, GOT2,L123)
> L123: isthisat ('ASTR', 123, GOT2,L124)
> L124: isthisat ('ASTR', 124, GOT2,L125)
> ...

Whether that'd work well depends on the OS you're using.  BPF_MAXINSNS
is 4096 in the 2.4.18 Linux kernel, but it's 512 in the current CVS
versions of {Free,Net,Open}BSD, and that imposes a limit on the number
of instructions you can shove into the kernel, and thus on the maximum
packet size you can check.  If you're not going to do filtering in the
kernel, so that you have to do it in userland, you might as well use a
loop that does a better string match (e.g., Boyer-Moore).
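The unrolled compare-at-every-offset scheme above, written out as an added example (not code from the thread or from Ethereal): a generator that emits the classic BPF program, with a RET #-1 after every chunk of probes because jt/jf are 8-bit offsets (the reason for the GOT1/GOT2 split), and a refusal to emit more than a caller-supplied BPF_MAXINSNS, using the 512 and 4096 figures from the message. A small interpreter for the three opcodes involved runs the result so the limit and the short-packet behaviour can be checked offline. The opcode values are redefined locally instead of coming from <linux/filter.h> or <net/bpf.h>, the chunk size of 120 probes, the search start of 14 (just past an Ethernet header) and the sample frame are all assumptions made for the example.

```c
/* Unrolled "compare 4 bytes at every offset" search as a classic BPF program,
 * plus a small interpreter to run it. Added example, not code from the
 * thread; chunk size, offsets and the sample frame are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF opcode bits (same values as <linux/filter.h> / <net/bpf.h>,
 * redefined so the example builds without either header). */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_JEQ  0x10
#define BPF_K    0x00

struct bpf_insn {
    uint16_t code;
    uint8_t  jt, jf;     /* 8-bit offsets: a jump reaches at most 255 insns ahead */
    uint32_t k;
};

/* Two insns per probe, so 120 probes keep every jt inside the 8-bit range
 * (largest jt = 2 * 119 = 238); this is the GOT1/GOT2 split from the thread. */
#define PROBES_PER_CHUNK 120U

static uint32_t pack4(const char s[4])
{
    return ((uint32_t)(uint8_t)s[0] << 24) | ((uint32_t)(uint8_t)s[1] << 16) |
           ((uint32_t)(uint8_t)s[2] << 8)  |  (uint32_t)(uint8_t)s[3];
}

/* Emit, for off in [0, max_off]: LD [start+off]; JEQ #needle -> RET #-1,
 * with a RET #-1 after every chunk of probes and RET #0 at the very end.
 * Returns the instruction count, or -1 if it would exceed max_insns
 * (BPF_MAXINSNS: 512 on the BSDs, 4096 on Linux 2.4.18, per the message). */
int build_search_prog(struct bpf_insn *prog, int max_insns,
                      const char needle[4], unsigned start, unsigned max_off)
{
    uint32_t want = pack4(needle);
    int n = 0;
    unsigned off = 0;
    while (off <= max_off) {
        unsigned m = max_off - off + 1;
        if (m > PROBES_PER_CHUNK) m = PROBES_PER_CHUNK;
        if (n + (int)(2 * m) + 2 > max_insns)   /* chunk + its RET + final RET */
            return -1;
        for (unsigned i = 0; i < m; i++, off++) {
            prog[n++] = (struct bpf_insn){ BPF_LD | BPF_W | BPF_ABS, 0, 0, start + off };
            /* match: jump forward to this chunk's RET #-1; mismatch: fall through
             * to the next probe, except the chunk's last probe, which skips the RET */
            uint8_t jt = (uint8_t)(2 * (m - i - 1));
            uint8_t jf = (i == m - 1) ? 1 : 0;
            prog[n++] = (struct bpf_insn){ BPF_JMP | BPF_JEQ | BPF_K, jt, jf, want };
        }
        prog[n++] = (struct bpf_insn){ BPF_RET | BPF_K, 0, 0, 0xFFFFFFFFu };
    }
    prog[n++] = (struct bpf_insn){ BPF_RET | BPF_K, 0, 0, 0 };
    return n;
}

/* Minimal interpreter for the three opcodes used above. As in the kernel
 * filter machines, a load that runs past the end of the packet rejects it
 * (returns 0); since offsets only grow, that also ends a scan of a short
 * packet correctly. */
uint32_t run_bpf(const struct bpf_insn *prog, int n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;
    for (int pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if ((size_t)in->k + 4 > len)
                return 0;
            A = ((uint32_t)pkt[in->k] << 24) | ((uint32_t)pkt[in->k + 1] << 16) |
                ((uint32_t)pkt[in->k + 2] << 8) | pkt[in->k + 3];
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (A == in->k) ? in->jt : in->jf;   /* offsets are relative to pc+1 */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return 0;   /* opcode not modelled here: reject */
        }
    }
    return 0;
}

/* 1 if needle occurs at some offset start..start+max_off of pkt, 0 if not,
 * -1 if the program would not fit in max_insns. */
int packet_has_string(const char needle[4], unsigned start, unsigned max_off,
                      int max_insns, const uint8_t *pkt, size_t len)
{
    static struct bpf_insn prog[4096];
    if (max_insns > 4096) max_insns = 4096;
    int n = build_search_prog(prog, max_insns, needle, start, max_off);
    if (n < 0) return -1;
    return run_bpf(prog, n, pkt, len) != 0;
}

/* Constructed sample frame: 14-byte Ethernet header (dummy MACs, EtherType
 * 0x0800) followed by an ASCII payload in which "ASTR" starts at byte 38. */
static const uint8_t sample_pkt[] =
    "\xff\xff\xff\xff\xff\xff\x00\x11\x22\x33\x44\x55\x08\x00"
    "payload with the marker ASTR inside it";
#define SAMPLE_LEN (sizeof(sample_pkt) - 1)   /* drop the literal's NUL */

int main(void)
{
    static struct bpf_insn prog[4096];
    int bsd_max = 512, linux_max = 4096;
    printf("ASTR found after the Ethernet header: %d\n",
           packet_has_string("ASTR", 14, 100, bsd_max, sample_pkt, SAMPLE_LEN));
    printf("insns to scan 254 offsets: %d (BSD limit %d allows it: %s)\n",
           build_search_prog(prog, linux_max, "ASTR", 14, 253), bsd_max,
           build_search_prog(prog, bsd_max, "ASTR", 14, 253) < 0 ? "no" : "yes");
    printf("insns to scan 255 offsets: %d (BSD limit %d allows it: %s)\n",
           build_search_prog(prog, linux_max, "ASTR", 14, 254), bsd_max,
           build_search_prog(prog, bsd_max, "ASTR", 14, 254) < 0 ? "no" : "yes");
    return 0;
}
```

Each offset costs two instructions plus a RET per chunk, so under a 512-instruction limit the scan covers about 254 offsets of the packet, which is the packet-size ceiling the message describes; the same generator under the 4096 limit covers about 2040 offsets.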