On Mar 3, 2010, at 6:37 PM, Martin Visser wrote:
> On a serious note, is libpcap able to process that filter efficiently (I am sure it is much better than using a display filter)?
Code generated for Ethernet:
(000) ldh [16]
(001) jeq #0x800 jt 2 jf 16
(002) ldb [27]
(003) jeq #0x6 jt 4 jf 16
(004) ldh [24]
(005) jset #0x1fff jt 16 jf 6
(006) ldxb 4*([18]&0xf)
(007) ldb [x + 30]
(008) and #0xf0
(009) rsh #2
(010) add #8
(011) add x
(012) tax
(013) ldh [x + 18]
(014) jeq #0x2030 jt 15 jf 16
(015) ret #65535
(016) ret #0
It's not that bad. Note, though, that it doesn't handle IPv6.
The IPv4-only code for "tcp port 80" is
(000) ldh [16]
(001) jeq #0x800 jt 2 jf 12
(002) ldb [27]
(003) jeq #0x6 jt 4 jf 12
(004) ldh [24]
(005) jset #0x1fff jt 12 jf 6
(006) ldxb 4*([18]&0xf)
(007) ldh [x + 18]
(008) jeq #0x50 jt 11 jf 9
(009) ldh [x + 20]
(010) jeq #0x50 jt 11 jf 12
(011) ret #65535
(012) ret #0
so it's only 4 more BPF instructions.
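
Added example, not part of the original message: a small Python interpreter for the classic-BPF instructions used in the first listing, run over constructed frames to show what the program accepts and that an IPv6 frame carrying the same TCP payload is rejected. The listing reads the EtherType at offset 16 and the IP header at offset 18, so the constructed frames place 4 bytes after the MAC addresses (written here as an 802.1Q tag, which is an assumption about why the offsets are shifted); the names `PROG`, `run`, `load`, `frame`, `ipv4` and `ipv6` are hypothetical.

```python
import struct

# First listing from the message, transcribed as (op, k, jt, jf); jumps are absolute.
PROG = [
    ("ldh", 16), ("jeq", 0x800, 2, 16), ("ldb", 27), ("jeq", 0x6, 4, 16),
    ("ldh", 24), ("jset", 0x1fff, 16, 6), ("ldxb_msh", 18), ("ldb_x", 30),
    ("and", 0xf0), ("rsh", 2), ("add", 8), ("add_x",), ("tax",),
    ("ldh_x", 18), ("jeq", 0x2030, 15, 16), ("ret", 65535), ("ret", 0),
]

def load(pkt, off, size):
    if off + size > len(pkt):          # classic BPF: an out-of-range load rejects the packet
        raise IndexError(off)
    return int.from_bytes(pkt[off:off + size], "big")

def run(prog, pkt):
    # Interprets only the instruction subset used above; returns the snap length (0 = drop).
    a = x = pc = 0
    try:
        while True:
            op, *arg = prog[pc]
            k = arg[0] if arg else 0
            pc += 1
            if op in ("ldh", "ldb"): a = load(pkt, k, 2 if op == "ldh" else 1)
            elif op in ("ldh_x", "ldb_x"): a = load(pkt, x + k, 2 if op == "ldh_x" else 1)
            elif op == "ldxb_msh": x = 4 * (load(pkt, k, 1) & 0xf)   # IPv4 header length
            elif op == "jeq": pc = arg[1] if a == k else arg[2]
            elif op == "jset": pc = arg[1] if a & k else arg[2]
            elif op == "and": a &= k
            elif op == "rsh": a >>= k
            elif op == "add": a = (a + k) & 0xffffffff
            elif op == "add_x": a = (a + x) & 0xffffffff
            elif op == "tax": x = a
            elif op == "ret": return k
    except IndexError:
        return 0

# Constructed frames: 12 address bytes, 4 bytes (assumed 802.1Q tag), EtherType at 16.
def frame(ethertype, l3):
    return bytes(12) + struct.pack("!HHH", 0x8100, 1, ethertype) + l3

# Constructed 20-byte TCP header (data offset 5, no options).
TCP = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x18, 0, 0, 0)

def ipv4(payload, frag=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, frag, 64, 6, 0, bytes(4), bytes(4))
    return frame(0x0800, hdr + TCP + payload)

def ipv6(payload):
    hdr = struct.pack("!IHBB16s16s", 6 << 28, 20 + len(payload), 6, 64, bytes(16), bytes(16))
    return frame(0x86DD, hdr + TCP + payload)
```

`run(PROG, ipv4(b"AAAAAAAA 0"))` returns 65535 because bytes 8-9 of the TCP payload are 0x2030, while `run(PROG, ipv6(b"AAAAAAAA 0"))` returns 0 at instruction 001.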