PerlMonks
The -d option does something different than what botho is asking; it doesn't display the captured data in a different format, it displays the capture program that it writes.

The 'capture filter' in tcpdump works by parsing the filter string during startup, and then writing an optimized machine-language filter subroutine which is called for each packet. The -d option shows that subroutine, in assembler language, which is 'human' compared to the raw machine language that -dd or -ddd would show.

For example, if I want to capture only TCP packets, ignoring all UDP, ICMP, and non-IP packets, I would use tcpdump tcp. Adding -d and running it, I get:

$ tcpdump -d tcp
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 4
(002) ldb      [20]
(003) jeq      #0x6             jt 7    jf 8
(004) jeq      #0x800           jt 5    jf 8
(005) ldb      [23]
(006) jeq      #0x6             jt 7    jf 8
(007) ret      #96
(008) ret      #0
In (pseudo)Perl, that translates to:
use constant IPv4 => 0x0800;    # Regular TCP/IP
use constant IPv6 => 0x86dd;    # New and improved!
use constant TCP  => 0x06;      # As opposed to UDP or ICMP

# Called once per frame with the raw packet bytes in $_.
# Returns true if the frame should be kept (TCP over IPv4 or IPv6).
sub filter {
    my $type = unpack 'x12 n1', $_;     # Ethernet type field at offset 12
    my $proto;
    if ( $type == IPv6 ) {
        $proto = unpack 'x20 C1', $_;   # IPv6 "next header" at offset 20
    }
    elsif ( $type == IPv4 ) {
        $proto = unpack 'x23 C1', $_;   # IPv4 "protocol" at offset 23
    }
    else {
        return;                         # not IP at all: drop
    }
    return 1 if $proto == TCP;
    return;
}
The -d option is really there for debugging the filter's parser and optimizer.

All this explains why Ethereal supports two completely different filter languages. The 'capture' filters are identical to (and as efficient as) tcpdump's filters, but the slower non-compiled 'read' filters provide much more power.


In reply to Re: Re: converting tcpdump files by Util
in thread converting tcpdump files by botho
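To make the post's point concrete, here is an added example (not from the post or from tcpdump) that parses the `tcpdump -d tcp` listing quoted above and executes it, instruction by instruction, against a handful of constructed Ethernet frames. The interpreter only knows the four opcodes that appear in that listing (ldh, ldb, jeq, ret); the frames, addresses and snaplen are made up for the demonstration. Running it shows the same decisions the Perl translation makes, including the case BPF handles silently: a frame too short for a load is dropped rather than read past its end.

```python
import struct

# The assembler listing quoted in the post (output of `tcpdump -d tcp`).
BPF_LISTING = """\
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 4
(002) ldb      [20]
(003) jeq      #0x6             jt 7    jf 8
(004) jeq      #0x800           jt 5    jf 8
(005) ldb      [23]
(006) jeq      #0x6             jt 7    jf 8
(007) ret      #96
(008) ret      #0
"""


def parse_listing(text):
    """Turn a -d listing into a list of instruction tuples indexed by instruction number."""
    prog = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        num, op, *rest = line.split()
        if int(num.strip("()")) != len(prog):
            raise ValueError("listing must be contiguous and start at (000)")
        if op in ("ldh", "ldb"):                 # load halfword / byte at absolute offset
            prog.append((op, int(rest[0].strip("[]"))))
        elif op == "jeq":                        # rest == ['#0x6', 'jt', '7', 'jf', '8']
            k = int(rest[0].lstrip("#"), 0)
            prog.append((op, k, int(rest[2]), int(rest[4])))  # jt/jf are absolute targets
        elif op == "ret":
            prog.append((op, int(rest[0].lstrip("#"), 0)))
        else:
            raise ValueError(f"unsupported opcode {op!r}")
    return prog


def run_filter(prog, pkt):
    """Execute the program on one frame; returns bytes to capture (0 means drop)."""
    acc, pc = 0, 0
    while True:
        ins = prog[pc]
        if ins[0] == "ldh":
            if ins[1] + 2 > len(pkt):
                return 0                         # out-of-bounds load rejects the packet
            acc = struct.unpack_from("!H", pkt, ins[1])[0]
            pc += 1
        elif ins[0] == "ldb":
            if ins[1] + 1 > len(pkt):
                return 0
            acc = pkt[ins[1]]
            pc += 1
        elif ins[0] == "jeq":
            pc = ins[2] if acc == ins[1] else ins[3]
        else:                                    # ret
            return ins[1]


# --- constructed sample frames (not real captures) ---
def ethernet_frame(ethertype, payload):
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_header(proto):
    # Minimal 20-byte IPv4 header; the protocol byte lands at frame offset 14 + 9 = 23.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def ipv6_header(next_header):
    # Minimal 40-byte IPv6 header; "next header" lands at frame offset 14 + 6 = 20.
    return struct.pack("!IHBB16s16s", 0x60000000, 20, next_header, 64, bytes(16), bytes(16))


SAMPLES = {
    "ipv4_tcp":   ethernet_frame(0x0800, ipv4_header(6) + bytes(20)),
    "ipv4_udp":   ethernet_frame(0x0800, ipv4_header(17) + bytes(8)),
    "ipv6_tcp":   ethernet_frame(0x86DD, ipv6_header(6) + bytes(20)),
    "ipv6_icmp6": ethernet_frame(0x86DD, ipv6_header(58) + bytes(8)),
    "arp":        ethernet_frame(0x0806, bytes(28)),
    "runt":       ethernet_frame(0x0800, bytes(4)),   # too short for ldb [23]
}


def classify(listing=BPF_LISTING, samples=SAMPLES):
    """Map each sample name to the filter's return value (96 = keep, 0 = drop)."""
    prog = parse_listing(listing)
    return {name: run_filter(prog, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:12s} -> {'keep' if verdict else 'drop'} ({verdict})")
```

The accumulator, absolute jump targets and the "return snaplen or 0" convention are what the `-d` listing exposes; a filter that tries to read past the end of a frame returns 0, which is why the truncated sample is dropped without any special-casing in the program itself.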
