libpcap's BPF
tcpdump -d // view the BPF code the filter expression compiles to
# tcpdump -i eth0 -n 'vlan && tcp' -d
(000) ldh      [12]
(001) jeq      #0x8100          jt 3    jf 2
(002) jeq      #0x9100          jt 3    jf 14
(003) ldh      [16]
(004) jeq      #0x86dd          jt 5    jf 10
(005) ldb      [24]
(006) jeq      #0x6             jt 13   jf 7
(007) jeq      #0x2c            jt 8    jf 14
(008) ldb      [58]
(009) jeq      #0x6             jt 13   jf 14
(010) jeq      #0x800           jt 11   jf 14
(011) ldb      [27]
(012) jeq      #0x6             jt 13   jf 14
(013) ret      #262144
(014) ret      #0
BPF syntax
The BPF architecture consists of the following basic elements:

  Element          Description

  A                32 bit wide accumulator
  X                32 bit wide X register
  M[]              16 x 32 bit wide misc registers aka "scratch memory
                   store", addressable from 0 to 15
  Instruction      Addressing mode      Description

  ld               1, 2, 3, 4, 10       Load word into A
  ldi              4                    Load word into A
  ldh              1, 2                 Load half-word into A
  ldb              1, 2                 Load byte into A
  ldx              3, 4, 5, 10          Load word into X
  ldxi             4                    Load word into X
  ldxb             5                    Load byte into X

  st               3                    Store A into M[]
  stx              3                    Store X into M[]

  jmp              6                    Jump to label
  ja               6                    Jump to label
  jeq              7, 8                 Jump on k == A
  jneq             8                    Jump on k != A
  jne              8                    Jump on k != A
  jlt              8                    Jump on k < A
  jle              8                    Jump on k <= A
  jgt              7, 8                 Jump on k > A
  jge              7, 8                 Jump on k >= A
  jset             7, 8                 Jump on k & A

  add              0, 4                 A + <x>
  sub              0, 4                 A - <x>
  mul              0, 4                 A * <x>
  div              0, 4                 A / <x>
  mod              0, 4                 A % <x>
  neg              0, 4                 !A
  and              0, 4                 A & <x>
  or               0, 4                 A | <x>
  xor              0, 4                 A ^ <x>
  lsh              0, 4                 A << <x>
  rsh              0, 4                 A >> <x>

  tax                                   Copy A into X
  txa                                   Copy X into A

  ret              4, 9                 Return

The next table shows addressing formats from the 2nd column:

  Addressing mode  Syntax               Description

   0               x/%x                 Register X
   1               [k]                  BHW at byte offset k in the packet
   2               [x + k]              BHW at the offset X + k in the packet
   3               M[k]                 Word at offset k in M[]
   4               #k                   Literal value stored in k
   5               4*([k]&0xf)          Lower nibble * 4 at byte offset k in the packet
   6               L                    Jump label L
   7               #k,Lt,Lf             Jump to Lt if true, otherwise jump to Lf
   8               #k,Lt                Jump to Lt if predicate is true
   9               a/%a                 Accumulator A
  10               extension            BPF extension

The Linux kernel also has a couple of BPF extensions that are used along with the class of load instructions by "overloading" the k argument with a negative offset + a particular extension offset. The result of such BPF extensions are loaded into A. Possible BPF extensions are shown in the following table:

  Extension                             Description

  len                                   skb->len
  proto                                 skb->protocol
  type                                  skb->pkt_type
  poff                                  Payload start offset
  ifidx                                 skb->dev->ifindex
  nla                                   Netlink attribute of type X with offset A
  nlan                                  Nested Netlink attribute of type X with offset A
  mark                                  skb->mark
  queue                                 skb->queue_mapping
  hatype                                skb->dev->type
  rxhash                                skb->hash
  cpu                                   raw_smp_processor_id()
  vlan_tci                              skb_vlan_tag_get(skb)
  vlan_avail                            skb_vlan_tag_present(skb)
  vlan_tpid                             skb->vlan_proto
  rand                                  prandom_u32()
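To tie the tcpdump -d listing to the instruction semantics in the tables, here is a small classic-BPF interpreter, added as an example and not code from libpcap, tcpdump or the kernel: it runs the 'vlan && tcp' program transcribed from the listing above over constructed sample frames (the frames and the helper names are assumptions, not captures). It covers only the ldh/ldb/jeq/ret subset that program uses, and reproduces the kernel rule that a load past the packet end makes the filter return 0.

```python
import struct
# 'vlan && tcp' exactly as tcpdump -d printed it above, as (op, k, jt, jf);
# note tcpdump prints absolute jump targets (struct sock_filter uses relative ones).
VLAN_TCP = [
    ("ldh", 12, 0, 0),       # A = TPID / ethertype at offset 12
    ("jeq", 0x8100, 3, 2),   # 802.1Q tag?
    ("jeq", 0x9100, 3, 14),  # 802.1ad tag?
    ("ldh", 16, 0, 0),       # A = encapsulated ethertype (after the 4-byte tag)
    ("jeq", 0x86DD, 5, 10),  # IPv6?
    ("ldb", 24, 0, 0),       # IPv6 next header: 18 + 6
    ("jeq", 0x06, 13, 7),    # TCP?
    ("jeq", 0x2C, 8, 14),    # fragment header? then look past it
    ("ldb", 58, 0, 0),       # next header inside the fragment header: 18 + 40
    ("jeq", 0x06, 13, 14),
    ("jeq", 0x0800, 11, 14), # IPv4?
    ("ldb", 27, 0, 0),       # IPv4 protocol field: 18 + 9
    ("jeq", 0x06, 13, 14),
    ("ret", 262144, 0, 0),   # accept, keep up to 262144 bytes
    ("ret", 0, 0, 0),        # drop
]
def run_bpf(prog, pkt):
    """Run the ldh/ldb/jeq/ret subset of classic BPF over bytes `pkt`; returns the
    snaplen to keep, 0 to drop. A load past the packet end returns 0, as in the kernel."""
    a, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op in ("ldh", "ldb"):
            size = 2 if op == "ldh" else 1
            if k + size > len(pkt):
                return 0
            a = struct.unpack_from("!H" if size == 2 else "!B", pkt, k)[0]
            pc += 1
        elif op == "jeq":
            pc = jt if a == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError("unsupported opcode: " + op)

def frame(tagged, ethertype, proto):
    """Constructed sample frame: Ethernet header, optional 802.1Q tag (VID 10), zeroed IP header."""
    hdr = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
    if tagged:
        hdr += b"\x81\x00\x00\x0a"
    hdr += struct.pack("!H", ethertype)
    if ethertype == 0x86DD:
        ip = bytearray(40); ip[0] = 0x60; ip[6] = proto   # next header at byte 6
    else:
        ip = bytearray(20); ip[0] = 0x45; ip[9] = proto   # protocol at byte 9
    return hdr + bytes(ip)
```

A tagged IPv4 or IPv6 TCP frame returns 262144; an untagged frame, a tagged UDP frame, or a frame truncated before the protocol byte returns 0.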