C Structs mnemonics in Linux Socket Filter. trying to make sense

0

I am trying to discover details about C Linux Socket filter or C Linux BPS sockets. The network filter for socket on this link and other places on this link https://www.kernel.org/doc/Documentation/networking/filter.txt is something like this

                /* From the example above: tcpdump -i em1 port 22 -dd */
    struct sock_filter code[] = {
    { 0x28,  0,  0, 0x0000000c },
    { 0x15,  0,  8, 0x000086dd },
    { 0x30,  0,  0, 0x00000014 },
    { 0x15,  2,  0, 0x00000084 },
    { 0x15,  1,  0, 0x00000006 },
    { 0x15,  0, 17, 0x00000011 },
    { 0x28,  0,  0, 0x00000036 },
    { 0x15, 14,  0, 0x00000016 },
    { 0x28,  0,  0, 0x00000038 },
    { 0x15, 12, 13, 0x00000016 },
    { 0x15,  0, 12, 0x00000800 },
    { 0x30,  0,  0, 0x00000017 },
    { 0x15,  2,  0, 0x00000084 },
    { 0x15,  1,  0, 0x00000006 },
    { 0x15,  0,  8, 0x00000011 },
    { 0x28,  0,  0, 0x00000014 },
    { 0x45,  6,  0, 0x00001fff },
    { 0xb1,  0,  0, 0x0000000e },
    { 0x48,  0,  0, 0x0000000e },
    { 0x15,  2,  0, 0x00000016 },
    { 0x48,  0,  0, 0x00000010 },
    { 0x15,  0,  1, 0x00000016 },
    { 0x06,  0,  0, 0x0000ffff },
    { 0x06,  0,  0, 0x00000000 },
};

when I run the command of tcp dump

 tcpdump -i eth0  -s 1500 port not 22

it shows packets coming in eth0. and probably also packets going out (you tell me).

I like to make sense of the C filter structs and how to make sense of the codes above and connection to jt, jf and k value in the sock_filter struct. some info how can I delve deeper into this to understand these hex codes in sock_filter. I am also finding as of now about JIT and assembly language so please guide me with some info about how to start making sense of the struct and its definition.

In the sample filter code in the link mentioned this tcpdump command

     tcpdump -i em1 port 22 -dd

when I try this in terminal it says no device is detected. Is this the command to generate the hex codes (also please try to explain a bit may be a few elements of array of sock_filter data above).

c
linux
networking
firewall
raw-sockets
asked on Stack Overflow Sep 6, 2020 by Alex

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0