[CDBUG-talk] BPF Berkeley Packet Filter Question

Dustin J. Mitchell dustin at v.igoro.us
Thu Dec 31 09:19:24 EST 2015


I don't know enough BPF to help, but I'm really curious what the
overall project here is - data exfiltratation?  ARP 2.0?

Dustin

On Wed, Dec 30, 2015 at 10:39 AM, Juan Herrera <mybsdmailing at gmail.com> wrote:
> Hello Steve, Greg
>
> Indeed I am skipping IP, TCP, UDP headers
> I am using raw ethernet, and testing with ARP
>
> Brief Explanation of what I want to do
>
> I am sending ARP requests packets(encapsulated with my metadata at the end),
> so it is Raw Ethernet like this "ARP Req bytes + Metadata bytes", I already
> did a test to filter with BPF jumbo ethernet packets and I can filter if I
> want against the last byte in the packet, but to do this I need to place in
> my program code the C filter code (generated with tcpdump), exacly the byte
> position I want to use for filtering, so the issue with this is that when I
> receive another ethernet frame that it is not an ARP Req, the byte position
> to filter will not be the right one(because it moves) to use because the
> packet is bigger or smaller so my metadata has shift left or shift right
> depending on the case, so I want BPF to read the total packet length to
> return it in a variable, and then I use this variable to calculate the right
> byte to use for filtering, depending on the packet length.
>
> I need to match with a specific metadata field base on length, but dont know
> how to use BPF to read packet's length
>
>
> Thanks!
>
>
> 2015-12-30 9:09 GMT-06:00 Greg Troxel <gdt at lexort.com>:
>>
>>
>> First, it's not clear from your mail that what you are doing is
>> sensible.  You seem to be skipping IP and perhaps using raw Ethernet,
>> and insisting on adding fields at the end vs encapsulating.   But you
>> didn't explain and didn't ask...
>>
>> The bpf language is fairly powerful, but you'll have to write in BPF
>> assembler because libpcap doesn't already have compilation support to do
>> what you need.  See bpf(4) - I suspect it is adequate to find the
>> metadata field based on length.  Certainly it can find the UDP header
>> based on IP header length, and things like that.
>>
>>
>
>
> _______________________________________________
> CDBUG-talk mailing list
> CDBUG-talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/cdbug-talk



More information about the CDBUG-talk mailing list