tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: BPF memstore and bpf_validate_ext()
Mindaugas Rasiukevicius wrote:
> Moreover, the usual byte-code produced by tcpdump/pcap does not
> even use the memory store so you optimisations would most of the
> time be applicable anyway!
This is not always the case. For instance,
# tcpdump -y IEEE802_11 -i urtwn0 -d not tcp
tcpdump: data link type IEEE802_11
(000) ldx #0x0
(001) txa
(002) add #24
(003) st M[0]
(004) ldb [x + 0]
(005) jset #0x8 jt 6 jf 11
(006) jset #0x4 jt 11 jf 7
(007) jset #0x80 jt 8 jf 11
(008) ld M[0]
(009) add #2
(010) st M[0]
(011) ldb [0]
(012) jset #0x4 jt 27 jf 13
(013) ldb [0]
(014) jset #0x8 jt 15 jf 27
(015) ldx M[0]
(016) ldh [x + 6]
(017) jeq #0x86dd jt 18 jf 27
(018) ldx M[0]
(019) ldb [x + 14]
(020) jeq #0x6 jt 37 jf 21
(021) ldx M[0]
(022) ldb [x + 14]
(023) jeq #0x2c jt 24 jf 27
(024) ldx M[0]
(025) ldb [x + 48]
(026) jeq #0x6 jt 37 jf 27
(027) ldb [0]
(028) jset #0x4 jt 38 jf 29
(029) ldb [0]
(030) jset #0x8 jt 31 jf 38
(031) ldx M[0]
(032) ldh [x + 6]
(033) jeq #0x800 jt 34 jf 38
(034) ldx M[0]
(035) ldb [x + 17]
(036) jeq #0x6 jt 37 jf 38
(037) ret #0
(038) ret #65535
Alex
Home |
Main Index |
Thread Index |
Old Index