Socket promiscuous mode + BPF filtering
Generating the BPF filter rules
Using the tcpdump -dd option
| tcpdump 'udp and (dst port 67 or dst port 1460)' -dd | tcpdump 'udp and (dst port 67 or dst port 1460)' -d | Notes |
|---|---|---|
| { 0x28, 0, 0, 0x0000000c }, | (000) ldh [12] | load the 2-byte EtherType field at packet offset 12 |
| { 0x15, 0, 4, 0x000086dd }, | (001) jeq #0x86dd jt 2 jf 6 | not IPv6: jump to (006) |
| { 0x30, 0, 0, 0x00000014 }, | (002) ldb [20] | IPv6 Next Header field (14 + 6) |
| { 0x15, 0, 12, 0x00000011 }, | (003) jeq #0x11 jt 4 jf 16 | UDP (protocol 17), otherwise jump to (016) |
| { 0x28, 0, 0, 0x00000038 }, | (004) ldh [56] | UDP destination port (14 + 40 + 2) |
| { 0x15, 9, 8, 0x00000043 }, | (005) jeq #0x43 jt 15 jf 14 | port 67 |
| { 0x15, 0, 9, 0x00000800 }, | (006) jeq #0x800 jt 7 jf 16 | not IPv4: jump to (016) |
| { 0x30, 0, 0, 0x00000017 }, | (007) ldb [23] | IPv4 Protocol field (14 + 9) |
| { 0x15, 0, 7, 0x00000011 }, | (008) jeq #0x11 jt 9 jf 16 | UDP (protocol 17), otherwise jump to (016) |
| { 0x28, 0, 0, 0x00000014 }, | (009) ldh [20] | IPv4 flags / fragment offset field (14 + 6) |
| { 0x45, 5, 0, 0x00001fff }, | (010) jset #0x1fff jt 16 jf 11 | check whether this is an IP fragment (fragment offset != 0); if so, do not process it |
| { 0xb1, 0, 0, 0x0000000e }, | (011) ldxb 4*([14]&0xf) | X = IP header length taken from the IHL field (20 for a header without options) |
| { 0x48, 0, 0, 0x00000010 }, | (012) ldh [x + 16] | destination port ([eth] 14 + [ip] 20 + [sport] 2) |
| { 0x15, 1, 0, 0x00000043 }, | (013) jeq #0x43 jt 15 jf 14 | port 67 |
| { 0x15, 0, 1, 0x000005b4 }, | (014) jeq #0x5b4 jt 15 jf 16 | port 1460 |
| { 0x6, 0, 0, 0x00040000 }, | (015) ret #262144 | rule matched: accept the packet |
| { 0x6, 0, 0, 0x00000000 }, | (016) ret #0 | no match: filter it out |
IPV6 LDH [12]
IPV6 LDB [20]
IPV6 LDH [56]
IPV4 LDB [23]
IPV4 LDXB 4*([14]&0xf)
IPV4 LDH [x + 16]