Generating BPF filter rules

Using tcpdump with the -dd option

| `tcpdump 'udp and (dst port 67 or dst port 1460)' -dd` | `tcpdump 'udp and (dst port 67 or dst port 1460)' -d` | Description |
| --- | --- | --- |
| `{ 0x28, 0, 0, 0x0000000c },` | `(000) ldh [12]` | Load 2 bytes at packet offset 12: the EtherType field |
| `{ 0x15, 0, 4, 0x000086dd },` | `(001) jeq #0x86dd jt 2 jf 6` | If not IPv6, jump to (006) |
| `{ 0x30, 0, 0, 0x00000014 },` | `(002) ldb [20]` | |
| `{ 0x15, 0, 12, 0x00000011 },` | `(003) jeq #0x11 jt 4 jf 16` | UDP protocol |
| `{ 0x28, 0, 0, 0x00000038 },` | `(004) ldh [56]` | dport |
| `{ 0x15, 9, 8, 0x00000043 },` | `(005) jeq #0x43 jt 15 jf 14` | 67 |
| `{ 0x15, 0, 9, 0x00000800 },` | `(006) jeq #0x800 jt 7 jf 16` | If not IPv4, jump to (016) |
| `{ 0x30, 0, 0, 0x00000017 },` | `(007) ldb [23]` | |
| `{ 0x15, 0, 7, 0x00000011 },` | `(008) jeq #0x11 jt 9 jf 16` | UDP protocol |
| `{ 0x28, 0, 0, 0x00000014 },` | `(009) ldh [20]` | |
| `{ 0x45, 5, 0, 0x00001fff },` | `(010) jset #0x1fff jt 16 jf 11` | Check whether the packet is an IP fragment; if so, do not process it |
| `{ 0xb1, 0, 0, 0x0000000e },` | `(011) ldxb 4*([14]&0xf)` | IP header length field (20) |
| `{ 0x48, 0, 0, 0x00000010 },` | `(012) ldh [x + 16]` | dport ([hw]14 + [ip]20 + [sport]2) |
| `{ 0x15, 1, 0, 0x00000043 },` | `(013) jeq #0x43 jt 15 jf 14` | 67 |
| `{ 0x15, 0, 1, 0x000005b4 },` | `(014) jeq #0x5b4 jt 15 jf 16` | 1460 |
| `{ 0x6, 0, 0, 0x00040000 },` | `(015) ret #262144` | Rule matched; return |
| `{ 0x6, 0, 0, 0x00000000 },` | `(016) ret #0` | Filtered out |

[Figures not preserved. Captions: IPv6 ldh [12] (IPv6); IPv6 ldb [20] (IPv6 UDP); IPv6 ldh [56] (IPv6 UDP dport); IPv4 ldb [23] (UDP); IPv4 ldxb 4*([14]&0xf) (IP length); IPv4 ldh [x + 16] (UDP dport).]
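
The following C code is an added example, not part of the original page: it embeds the `-dd` array from the table above and interprets it against constructed frames, so the jump offsets and the fragment and header-length handling can be checked without opening a raw socket. The names `struct insn`, `run_filter` and `verdict` are assumptions made for this example; `struct insn` mirrors the field layout of `struct sock_filter`.

```c
#include <stdint.h>

/* Same field layout as struct sock_filter in <linux/filter.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* The tcpdump -dd output from the table above, unchanged. */
static const struct insn prog[] = {
    { 0x28, 0, 0, 0x0000000c }, { 0x15, 0, 4, 0x000086dd }, { 0x30, 0, 0, 0x00000014 },
    { 0x15, 0, 12, 0x00000011 }, { 0x28, 0, 0, 0x00000038 }, { 0x15, 9, 8, 0x00000043 },
    { 0x15, 0, 9, 0x00000800 }, { 0x30, 0, 0, 0x00000017 }, { 0x15, 0, 7, 0x00000011 },
    { 0x28, 0, 0, 0x00000014 }, { 0x45, 5, 0, 0x00001fff }, { 0xb1, 0, 0, 0x0000000e },
    { 0x48, 0, 0, 0x00000010 }, { 0x15, 1, 0, 0x00000043 }, { 0x15, 0, 1, 0x000005b4 },
    { 0x6, 0, 0, 0x00040000 }, { 0x6, 0, 0, 0x00000000 },
};

/* Interprets only the seven opcodes this program uses. Returns the ret value
   (0 = drop); a load past the end of the packet drops it, as the kernel does. */
uint32_t run_filter(const uint8_t *p, uint32_t len) {
    uint32_t a = 0, x = 0, n = sizeof prog / sizeof prog[0];
    for (uint32_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        uint32_t off = i->k + (i->code == 0x48 ? x : 0);
        switch (i->code) {
        case 0x28: case 0x48:                 /* ldh [k] / ldh [x + k] */
            if (off + 2 > len) return 0;
            a = (uint32_t)p[off] << 8 | p[off + 1]; break;
        case 0x30: case 0xb1:                 /* ldb [k] / ldxb 4*([k]&0xf) */
            if (off >= len) return 0;
            if (i->code == 0x30) a = p[off]; else x = 4u * (p[off] & 0xf);
            break;
        case 0x15: pc += (a == i->k) ? i->jt : i->jf; break;   /* jeq #k */
        case 0x45: pc += (a & i->k) ? i->jt : i->jf; break;    /* jset #k */
        case 0x06: return i->k;                                /* ret #k */
        default: return 0;                    /* opcode not in this program */
        }
    }
    return 0;
}

/* Verdict for a constructed (not captured) Ethernet+IP+UDP frame; ihl/frag: IPv4 only. */
uint32_t verdict(int v6, uint8_t ihl, uint16_t frag, uint16_t dport) {
    uint8_t f[14 + 60 + 8] = {0};
    uint32_t l4 = v6 ? 14 + 40 : 14 + 4u * ihl;      /* UDP header offset */
    f[12] = v6 ? 0x86 : 0x08; f[13] = v6 ? 0xdd : 0x00;
    f[14] = v6 ? 0x60 : (uint8_t)(0x40 | ihl);
    if (v6) f[20] = 17; else { f[20] = frag >> 8; f[21] = frag & 0xff; f[23] = 17; }
    f[l4 + 2] = dport >> 8; f[l4 + 3] = dport & 0xff;
    return run_filter(f, sizeof f);
}
```

With `ihl` set to 6 (an IPv4 header carrying options) the port is still found, because instruction (011) computes the header length at run time. The IPv6 branch reads fixed offsets 20 and 56.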