On 28 May 2015, at 23:52, Guy Harris wrote:
> On May 27, 2015, at 4:26 PM, Sake Blok <sake@xxxxxxxxxx> wrote:
>
>> I believe that anything the BPF engine can do can be accomplished by using a capture filter expression
>
> No.
Oops, I misformulated what I wanted to say. I meant to say that I believed that any data in the packet that BPF can look at can be looked at by using specific filter expressions.
> For one thing, a BPF program can return different non-zero values based on the packet contents, so that, for example, somebody could have a bigger snapshot length for some packet types than others (somebody asked about that somewhere - they wanted a bigger snapshot length for DNS packets). That's not supported in capture filter expressions - those expressions evaluate to a Boolean value, so they either match (returning a single snapshot length) or fail to match.
That is exactly the use case I had for a BPF compiler when I discussed this with Steve McCanne at Sharkfest a couple of years ago.
> For another thing, as Richard noted, there are some special tests in the Linux BPF engine that aren't currently supported by capture filter expressions.
I was not aware of that. Thanks for the insight! :-)
Cheers,
Sake
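The distinction Guy draws above (a capture filter expression compiles to a program that returns either 0 or a single snapshot length, whereas a hand-written BPF program can return a different length per packet type) is easy to see by running both kinds of program through a tiny classic-BPF interpreter. The following is an added example written for this note, not code from the thread or from libpcap: it implements only the handful of instructions the two programs need (absolute and indexed loads, the IPv4 header-length load, a conditional jump and return), and the packet builder constructs Ethernet/IPv4/UDP frames inline purely as test input. Offsets (12 for the EtherType, 23 for the IP protocol, 14 for the IHL byte) assume an Ethernet link layer, as tcpdump's generated code would.

```python
import struct

# Constructed sample programs. Jump targets follow the classic-BPF convention:
# the target is relative to the *next* instruction (pc + 1 + offset).
def dns_program(miss_len):
    """Return a program that yields 65535 for IPv4/UDP/dst-port-53 packets
    and miss_len for everything else. miss_len=0 reproduces what a capture
    filter expression ("udp dst port 53") can do; miss_len=96 is the
    per-packet-type snapshot length that only a custom BPF program can do."""
    return [
        ("ldh", 12),              # A = EtherType
        ("jeq", 0x0800, 0, 6),    # not IPv4 -> index 8
        ("ldb", 23),              # A = IP protocol
        ("jeq", 17, 0, 4),        # not UDP  -> index 8
        ("ldxmsh", 14),           # X = 4 * (IHL nibble), i.e. IP header length
        ("ldh_ind", 16),          # A = UDP destination port at 14 + X + 2
        ("jeq", 53, 0, 1),        # not port 53 -> index 8
        ("ret", 65535),           # DNS: keep the whole packet
        ("ret", miss_len),        # everything else
    ]

def run_bpf(program, pkt):
    """Execute a subset of classic BPF over pkt and return the accept length.
    Like the real engine, any load past the end of the packet rejects it (0)."""
    A = X = 0
    pc = 0
    while pc < len(program):
        ins = program[pc]
        op = ins[0]
        if op == "ldh":                      # A = big-endian 16-bit at k
            k = ins[1]
            if k + 2 > len(pkt):
                return 0
            A = struct.unpack_from("!H", pkt, k)[0]
        elif op == "ldb":                    # A = byte at k
            k = ins[1]
            if k + 1 > len(pkt):
                return 0
            A = pkt[k]
        elif op == "ldxmsh":                 # X = 4 * (pkt[k] & 0x0f)
            k = ins[1]
            if k + 1 > len(pkt):
                return 0
            X = 4 * (pkt[k] & 0x0f)
        elif op == "ldh_ind":                # A = big-endian 16-bit at X + k
            k = X + ins[1]
            if k + 2 > len(pkt):
                return 0
            A = struct.unpack_from("!H", pkt, k)[0]
        elif op == "jeq":                    # branch on A == k
            _, k, jt, jf = ins
            pc += jt if A == k else jf
        elif op == "ret":                    # accept this many bytes (0 = drop)
            return ins[1]
        else:
            raise ValueError("unsupported opcode %r" % op)
        pc += 1
    return 0

def make_udp_frame(dst_port, ihl_words=5, payload=b""):
    """Build a constructed Ethernet/IPv4/UDP frame; ihl_words > 5 adds IP options."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)
    ihl = 4 * ihl_words
    total_len = ihl + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * (ihl - 20)               # zero-filled options, if any
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    return eth + ip + udp + payload

ARP_FRAME = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28

if __name__ == "__main__":
    for name, frame in [("dns", make_udp_frame(53)),
                        ("dns+options", make_udp_frame(53, ihl_words=6)),
                        ("ntp", make_udp_frame(123)),
                        ("arp", ARP_FRAME)]:
        print("%-12s filter-expression style: %5d   custom snaplen: %5d" % (
            name, run_bpf(dns_program(0), frame), run_bpf(dns_program(96), frame)))
```

Running it shows the two programs agreeing on which packets are DNS but differing on what happens to the rest: the Boolean-style program drops non-DNS traffic entirely, while the custom program keeps 96 bytes of it. The `ldxmsh` step is what makes the port test hold up when IP options are present; hard-coding offset 36 would silently miss those packets.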