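/*
 * Open a raw AF_PACKET socket that sees every Ethernet frame (ETH_P_ALL)
 * and attach a classic BPF filter so the kernel only delivers ARP frames
 * and UDP datagrams with source or destination port 137.
 *
 * Returns the socket descriptor, or -1 with errno set if socket() or
 * setsockopt() fails (no descriptor is leaked on the failure path).
 * Opening a PF_PACKET socket needs CAP_NET_RAW.
 */
static int create_packetfd(void)
{
	/* Program produced by `tcpdump -dd arp or udp port 137`.
	 * Matching frames return 0x60 (96 bytes kept), everything else
	 * returns 0 and is dropped before reaching user space. */
	struct sock_filter filters[] = {
		{ 0x28, 0, 0, 0x0000000c },
		{ 0x15, 17, 0, 0x00000806 },
		{ 0x15, 0, 6, 0x000086dd },
		{ 0x30, 0, 0, 0x00000014 },
		{ 0x15, 0, 15, 0x00000011 },
		{ 0x28, 0, 0, 0x00000036 },
		{ 0x15, 12, 0, 0x00000089 },
		{ 0x28, 0, 0, 0x00000038 },
		{ 0x15, 10, 11, 0x00000089 },
		{ 0x15, 0, 10, 0x00000800 },
		{ 0x30, 0, 0, 0x00000017 },
		{ 0x15, 0, 8, 0x00000011 },
		{ 0x28, 0, 0, 0x00000014 },
		{ 0x45, 6, 0, 0x00001fff },
		{ 0xb1, 0, 0, 0x0000000e },
		{ 0x48, 0, 0, 0x0000000e },
		{ 0x15, 2, 0, 0x00000089 },
		{ 0x48, 0, 0, 0x00000010 },
		{ 0x15, 0, 1, 0x00000089 },
		{ 0x6, 0, 0, 0x00000060 },
		{ 0x6, 0, 0, 0x00000000 },
	};
	struct sock_fprog fprog = {
		.len = sizeof(filters) / sizeof(filters[0]),
		.filter = filters,
	};

	int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
	if (fd < 0) {
		return -1;
	}

	/* Install the filter before the caller reads from the socket.  Frames
	 * that arrive between socket() and this call may already be queued
	 * unfiltered, so a reader must not rely on the first frames having
	 * passed the filter. */
	if (setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) {
		int saved_errno = errno;	/* close() may clobber errno */
		close(fd);
		errno = saved_errno;
		return -1;
	}
	return fd;
}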
libpcap会把 "arp or udp port 137" 这样的过滤串编译为一段虚拟机指令，内核在该 socket 收到包时执行这些指令；
setsockopt 就是把这段指令安装到 socket 上。
把-dd 换成-d可以得到如下
(000) ldh [12]
(001) jeq #0x806 jt 19 jf 2//arp?ok
(002) jeq #0x86dd jt 3 jf 9
(003) ldb [20]
(004) jeq #0x11 jt 5 jf 20
(005) ldh [54]
(006) jeq #0x89 jt 19 jf 7
(007) ldh [56]
(008) jeq #0x89 jt 19 jf 20
(009) jeq #0x800 jt 10 jf 20
(010) ldb [23]
(011) jeq #0x11 jt 12 jf 20
(012) ldh [20]
(013) jset #0x1fff jt 20 jf 14
(014) ldxb 4*([14]&0xf)
(015) ldh [x + 14]
(016) jeq #0x89 jt 19 jf 17
(017) ldh [x + 16]
(018) jeq #0x89 jt 19 jf 20
(019) ret #96
(020) ret #0
这就是上述指令的汇编格式（jt/jf 分别是条件为真/为假时跳转到的指令编号）。
关于 BPF，可参考这篇文档：
bpf-usenix9.pdf
(122.7 KB, 下载次数: 276)