Hi,
I'm struggling with my BPF code... I've managed to read frames in with the following filter:
struct bpf_insn progcodes[] = {
    BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),             // inspect ethernet_frame_type
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x88CC, 0, 1),  // if LLDP frame, continue with next instruction, else jump
    BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
    BPF_STMT(BPF_RET+BPF_K, 0)
};

struct bpf_program prog = { 4, (struct bpf_insn*) &progcodes };

// pass the pointer itself; a (u_int) cast truncates it on 64-bit builds
if(ioctl(lldp_port->socket, BIOCSETF, &prog) < 0) {
    printf("[Error] (%d) : %s (%s:%d)\n", errno, strerror(errno), __FUNCTION__, __LINE__);
}
But my frames have an unexpected 18 bytes tacked on to the front of the header... is this normal?
Here's the portion of the header I'm not expecting to see:
[INT] (en0) Raw BPF Frame:
000 | 46 02 24 af 00 05 ef 62 00 00 00 ba 00 00 00 ba | F.$....b........
010 | 00 12
And here's the full frame dump for reference (01 80 c2 00 00 0e is the frame dest):
[INT] (en0) Raw BPF Frame:
000 | 46 02 24 af 00 05 ef 62 00 00 00 ba 00 00 00 ba | F.$....b........
010 | 00 12 01 80 c2 00 00 0e 00 01 e6 da d0 d1 88 cc | ................
020 | 02 07 04 00 01 e6 da d0 80 04 03 07 34 37 06 02 | ............47..
030 | 00 78 08 02 34 37 0a 17 48 50 20 50 72 6f 43 75 | .x..47..HP ProCu
040 | 72 76 65 20 53 77 69 74 63 68 20 32 36 35 30 0c | rve Switch 2650.
050 | 56 50 72 6f 43 75 72 76 65 20 4a 34 38 39 39 41 | VProCurve J4899A
060 | 20 53 77 69 74 63 68 20 32 36 35 30 2c 20 72 65 |  Switch 2650, re
070 | 76 69 73 69 6f 6e 20 48 2e 31 30 2e 32 39 2c 20 | vision H.10.29,
080 | 52 4f 4d 20 48 2e 30 38 2e 30 32 20 28 2f 73 77 | ROM H.08.02 (/sw
090 | 2f 63 6f 64 65 2f 62 75 69 6c 64 2f 66 69 73 68 | /code/build/fish
0a0 | 28 6d 6b 66 73 29 29 0e 04 00 14 00 04 10 0c 05 | (mkfs)).........
0b0 | 01 ac 17 00 03 02 00 00 00 3f 00 fe 09 00 12 0f | .........?......
0c0 | 01 03 6c 00 00 10 00 00 02 07 48 1f | ..l.......H.
One other question...
I'm attempting to send a similar frame out my BPF. When I issue a write, I actually see the frame with a subsequent read, but my frame doesn't appear to actually hit the wire... Can someone explain why that might be happening?
Here's a frame that my program attempts to send. The frame never ends up on the wire, but my program reads it from the BPF after the send is attempted:
[INT] (en0) Raw BPF Frame:
000 | 46 02 25 b3 00 07 53 71 00 00 00 69 00 00 00 69 | F.%...Sq...i...i
010 | 00 12 01 80 c2 00 00 0e 00 0d 93 6c 93 84 88 cc | ...........l....
020 | 02 07 04 10 00 00 00 00 00 04 04 05 65 6e 30 06 | ............en0.
030 | 02 00 78 08 03 65 6e 30 0a 0d 53 70 72 69 6e 6b | ..x..en0..Sprink
040 | 2e 6c 6f 63 61 6c 2e 0c 1c 50 6f 77 65 72 20 4d | .local...Power M
050 | 61 63 69 6e 74 6f 73 68 2f 44 61 72 77 69 6e 20 | acintosh/Darwin
060 | 38 2e 39 2e 30 0e 04 00 80 00 80 10 0c 05 01 00 | 8.9.0...........
070 | 00 00 00 00 03 00 00 00 00 00 00 | ...........
Again, the frame has 18 extra bytes of header... the only thing I can figure is that's some sort of BPF thing (is that my filter or something?).
Any suggestions are appreciated.
Thanks,
- Terry
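
Added example, not part of the original post: the 18 leading bytes in both dumps decode field by field as the BSD struct bpf_hdr (bh_tstamp, bh_caplen, bh_datalen, bh_hdrlen) that read() on a BPF descriptor places in front of every captured frame, and the C below parses that prefix and locates the Ethernet frame behind it. The names bpf_prefix, parse_bpf_prefix, ethertype_at and record_span are hypothetical; big-endian fields and a 32-bit timeval (as in the Power Macintosh dump) and 4-byte BPF_WORDALIGN are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_PREFIX_MIN 18  /* timeval(8) + caplen(4) + datalen(4) + hdrlen(2) */

/* Hypothetical mirror of struct bpf_hdr, filled from raw bytes (assumed layout). */
struct bpf_prefix {
    uint32_t tv_sec, tv_usec;  /* bh_tstamp: capture time */
    uint32_t caplen;           /* bh_caplen: bytes of the frame that were captured */
    uint32_t datalen;          /* bh_datalen: original length of the frame */
    uint16_t hdrlen;           /* bh_hdrlen: offset from record start to the frame */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the prefix; return the offset of the Ethernet frame, or -1 if malformed. */
int parse_bpf_prefix(const uint8_t *buf, size_t len, struct bpf_prefix *h) {
    if (len < BPF_PREFIX_MIN) return -1;
    h->tv_sec = be32(buf);      h->tv_usec = be32(buf + 4);
    h->caplen = be32(buf + 8);  h->datalen = be32(buf + 12);
    h->hdrlen = (uint16_t)((buf[16] << 8) | buf[17]);
    if (h->hdrlen < BPF_PREFIX_MIN || h->hdrlen > len || h->caplen > h->datalen)
        return -1;
    return h->hdrlen;
}

/* EtherType of the frame at offset off, or -1 if fewer than 14 header bytes remain. */
int ethertype_at(const uint8_t *buf, size_t len, int off) {
    if (off < 0 || (size_t)off + 14 > len) return -1;
    return (buf[off + 12] << 8) | buf[off + 13];
}

/* Distance to the next record when one read() returns several (4-byte alignment assumed). */
size_t record_span(const struct bpf_prefix *h) {
    return ((size_t)h->hdrlen + h->caplen + 3) & ~(size_t)3;
}

/* Sample input: the first 32 bytes of the first full dump in the post. */
static const uint8_t SAMPLE[] = {
    0x46,0x02,0x24,0xaf, 0x00,0x05,0xef,0x62, 0x00,0x00,0x00,0xba, 0x00,0x00,0x00,0xba,
    0x00,0x12, 0x01,0x80,0xc2,0x00,0x00,0x0e, 0x00,0x01,0xe6,0xda,0xd0,0xd1, 0x88,0xcc };

int main(void) {
    struct bpf_prefix h;
    int off = parse_bpf_prefix(SAMPLE, sizeof SAMPLE, &h);
    printf("frame at +%d, caplen %u, ethertype 0x%04x\n", off, (unsigned)h.caplen,
           (unsigned)ethertype_at(SAMPLE, sizeof SAMPLE, off));
    return 0;
}
```

On the sample the caplen and datalen fields both read 0xba (186), which together with the 18-byte prefix accounts for all 204 bytes of the dump.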