Wireshark-users: Re: [Wireshark-users] dumpcap and bpf assembler

Date Prev · Date Next · Thread Prev · Thread Next
From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 29 May 2015 22:59:17 +0200
On 28 mei 2015, at 23:52, Guy Harris wrote:
> On May 27, 2015, at 4:26 PM, Sake Blok <sake@xxxxxxxxxx> wrote:
> 
>> I believe that anything the BPF engine can do can be accomplished by using a capture filter expression
> 
> No.

Oops, mis formulated what I wanted to say. I meant to say that I believed that any data in the packet that BPF can look at, can be looked at by using specific filter expressions.

> For one thing, a BPF program can return different non-zero values based on the packet contents, so that, for example, somebody could have a bigger snapshot length for some packet types than others (somebody asked about that somewhere - they wanted a bigger snapshot length for DNS packets).  That's not supported in capture filter expressions - those expressions evaluate to a Boolean value, so they either match (returning a single snapshot length) or fail to match.

That is exactly the use case I had for a BPF compiler when I discussed this with Steve McCanne at Sharkfest a couple of years ago.

> For another thing, as Richard noted, there are some special tests in the Linux BPF engine that aren't currently supported by capture filter expressions.

I was not aware of that. Thanks for the insight! :-)

Cheers,
Sake