>From Redhat 6.1:
(000) ldh [-4096]
Looks like RedHat stores the ethernet type in a fake offset (-4096)
and starts the IP packet at 0. The tcpdump.org libpcap that you built
with doesn't have IPv6 and the RedHat does, so let's delete instructions
1 thru 8 since those are the IPv6 code:
(009) jeq #0x800 jt 10 jf 21 ; If it's IP
(010) ldb [9] ; Check the IP protocol
(011) jeq #0x6 jt 13 jf 12 ; TCP is good
(012) jeq #0x11 jt 13 jf 21 ; UDP is good too
(013) ldh [6] ; Is it a fragment?
(014) jset #0x1fff jt 21 jf 15 ; Yup, we can't filter on port
(015) ldxb 4*([0]&0xf) ; Find the IP hdr len
(016) ldh [x + 0] ; Check the UDP src port
(017) jeq #0xa2 jt 20 jf 18 ; 162? cool!
(018) ldh [x + 2] ; Check the UDP dst port
(019) jeq #0xa2 jt 20 jf 21 ; 162? cool!
(020) ret #65535 ; cool, return the whole pkt
(021) ret #0 ; no match.
>From tcpdump.org:
(000) ldh [12] ; Check the ethertype
(001) jeq #0x800 jt 2 jf 13 ; if it's IP, cool.
(002) ldb [23] ; Check the IP protocol
(003) jeq #0x6 jt 5 jf 4 ; TCP is good
(004) jeq #0x11 jt 5 jf 13 ; UDP is good too
(005) ldh [20] ; Is it a fragment?
(006) jset #0x1fff jt 13 jf 7 ; Yup, we can't filter on port
(007) ldxb 4*([14]&0xf) ; Find the IP hdr len
(008) ldh [x + 14] ; Check the UDP src port
(009) jeq #0xa2 jt 12 jf 10 ; 162? cool!
(010) ldh [x + 16] ; check the UDP dst port
(011) jeq #0xa2 jt 12 jf 13 ; 162? cool!
(012) ret #68 ; cool, return 68 bytes of pkt
(013) ret #0 ; no match.
So, they're the same once you take into account the fact that the RedHat
stuff offsets the IP header to 0.
Bill