Packet Sniffer SDK DLL Edition

BPF example: IP level


To filter a protocol encapsulated in IP, first check that the EthType field equals ETHERTYPE_IP = 0x0800, and then examine the Protocol field of the IP header.

Protocol field values used in the examples (see also winsock.h/winsock2.h in the Microsoft Platform SDK):

IPPROTO_ICMP      = 1   // ICMP protocol
IPPROTO_TCP       = 6   // TCP  protocol
IPPROTO_UDP       = 17  // UDP  protocol

ICMP packets filter example:

BpfAddCmd(hFtr,BPF_LD+BPF_H+BPF_ABS, 12);                  // EthType 
BpfAddJmp(hFtr,BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 3); // EthType == ETHERTYPE_IP
BpfAddCmd(hFtr,BPF_LD+BPF_B+BPF_ABS, 23);                  // Get Protocol field value
BpfAddJmp(hFtr,BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_ICMP, 0, 1); // Protocol == ICMP
BpfAddCmd(hFtr,BPF_RET+BPF_K, (UINT)-1);                   // TRUE  (Accept)
BpfAddCmd(hFtr,BPF_RET+BPF_K, 0);                          // FALSE (Reject)

The same filter in the assembler-like notation:

#define IP_PROTO     0x800
#define IPPROTO_ICMP 0x1
     ld   P[12:2]                // A = WORD at offset 12 (EthType in the Ethernet header)
     jeq  IP_PROTO, 0, Exit      // If A <> 0x800 (IP), exit

     ld   P[23]                  // A = BYTE at offset 23 (Protocol in the IP header)
     jeq  IPPROTO_ICMP, 0, Exit  // If A <> 1 (ICMP), exit
     ret  -1                     // It is an ICMP packet, exit and return TRUE
Exit:
     ret  0                      // It is not an ICMP packet, exit and return FALSE
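To see how the jump operands (0, 3 and 0, 1) route a frame to the accept or the reject instruction, the following added example encodes the same six instructions as a static array and runs them through a small interpreter for just the opcodes the filter uses. This is not SDK code: the opcode values match the classic BPF definitions, but the interpreter (bpf_run), the make_frame helper, the ETHERTYPE_ARP constant and the sample frames are constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Classic BPF opcode constants (same values as the standard bpf.h definitions). */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_H    0x08   /* 16-bit load */
#define BPF_B    0x10   /* 8-bit load */
#define BPF_ABS  0x20   /* absolute packet offset */
#define BPF_K    0x00   /* immediate operand */
#define BPF_JEQ  0x10

#define ETHERTYPE_IP  0x0800
#define ETHERTYPE_ARP 0x0806   /* only used to build a non-IP test frame */
#define IPPROTO_ICMP  1
#define IPPROTO_TCP   6

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* The ICMP filter from the page as a static program: same opcodes, offsets and jumps. */
static const struct bpf_insn icmp_filter[] = {
    { BPF_LD  + BPF_H + BPF_ABS, 0, 0, 12 },             /* A = EthType                */
    { BPF_JMP + BPF_JEQ + BPF_K, 0, 3, ETHERTYPE_IP },   /* != IP   -> skip 3 (reject) */
    { BPF_LD  + BPF_B + BPF_ABS, 0, 0, 23 },             /* A = IP Protocol field      */
    { BPF_JMP + BPF_JEQ + BPF_K, 0, 1, IPPROTO_ICMP },   /* != ICMP -> skip 1 (reject) */
    { BPF_RET + BPF_K, 0, 0, 0xFFFFFFFFu },              /* accept                     */
    { BPF_RET + BPF_K, 0, 0, 0 },                        /* reject                     */
};
#define ICMP_FILTER_LEN (sizeof icmp_filter / sizeof icmp_filter[0])

/* Interpreter for the opcode subset the filter uses (constructed, not SDK code).
   Returns the RET operand; an out-of-bounds load, an unknown opcode or running off
   the end of the program rejects the packet (returns 0), as real BPF engines do. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;                                      /* accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case BPF_LD + BPF_H + BPF_ABS:                   /* A = big-endian 16-bit word at k */
            if ((size_t)in->k + 2 > len) return 0;
            A = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            break;
        case BPF_LD + BPF_B + BPF_ABS:                   /* A = byte at k */
            if ((size_t)in->k + 1 > len) return 0;
            A = pkt[in->k];
            break;
        case BPF_JMP + BPF_JEQ + BPF_K:                  /* jt/jf are relative to the next instruction */
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET + BPF_K:
            return in->k;
        default:
            return 0;
        }
    }
    return 0;
}

/* Constructed 34-byte frame: 14-byte Ethernet header + minimal 20-byte IPv4 header,
   with the fields the filter inspects filled in. */
size_t make_frame(uint8_t *buf, uint16_t ethertype, uint8_t ip_protocol)
{
    memset(buf, 0, 34);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xFF);
    buf[14] = 0x45;                                      /* version 4, IHL 5 */
    buf[17] = 20;                                        /* Total Length 20 (header only) */
    buf[22] = 64;                                        /* TTL */
    buf[23] = ip_protocol;                               /* Protocol: frame offset 14 + 9 */
    return 34;
}

/* 1 if the ICMP filter accepts a frame with this EthType / IP protocol, else 0. */
int icmp_filter_accepts(uint16_t ethertype, uint8_t ip_protocol)
{
    uint8_t frame[34];
    size_t len = make_frame(frame, ethertype, ip_protocol);
    return bpf_run(icmp_filter, ICMP_FILTER_LEN, frame, len) != 0;
}

int main(void)
{
    printf("IP/ICMP : %d\n", icmp_filter_accepts(ETHERTYPE_IP, IPPROTO_ICMP));  /* 1 */
    printf("IP/TCP  : %d\n", icmp_filter_accepts(ETHERTYPE_IP, IPPROTO_TCP));   /* 0 */
    printf("ARP     : %d\n", icmp_filter_accepts(ETHERTYPE_ARP, IPPROTO_ICMP)); /* 0 */
    return 0;
}
```

The bounds checks in bpf_run matter in practice: a frame shorter than 24 bytes cannot be classified, and a filter engine must reject it rather than read past the buffer.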

IPv4 Datagram header Format:

IP header fields:

Version

Version of the IP protocol which determines how to interpret the header. Currently the only permitted values are 4 (0100) or 6 (0110). The header format shown here is valid for IPv4 only.

IHL

Length of the header as a number of 32-bit words.

Type of service

This field is often ignored by current routers but is meant to allow traffic to be prioritised (among other things).

Total Length

The length of the entire datagram including the header and data: the maximum permitted is 65,535 bytes or 64K.

Identification, Flags and Fragment Offset

These values allow datagrams to be fragmented for transmission and reassembled at the destination.

Time to live

An integer which is decremented at each router "hop"; supposed to be interpreted as a number of seconds but more often treated as a "hop count". If the value reaches zero the datagram is discarded and an ICMP message is sent to the source host.

Protocol

Identifies the transport-layer protocol which will interpret the Data section. This will typically be TCP or UDP but other values are possible. Protocols are identified by a unique number as listed in an online database at http://www.iana.org.

Header checksum

This is used to verify the header, and is recalculated at each router hop. This field is left out of IPv6 which relies on the transport layer for verification.

Addresses and Options

The source and destination fields are 32-bit IP addresses which identify the network and host address. Routing requirements can also be specified in the Options field, along with options to do with security and debugging.
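The field layout above (and the offset 23 used by the filter: 14 bytes of Ethernet header plus 9 bytes into the IP header) can be checked with a small parser. The following is an added example, not part of the SDK: it decodes the fixed IPv4 header fields, verifies the header checksum described under Header checksum, and shows that a TTL change without a checksum update (which every router hop must perform) is rejected. The sample header, its addresses and its identification value are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decoded fixed fields of an IPv4 header (options, if any, are not decoded). */
struct ipv4_hdr {
    uint8_t  version, ihl, tos, ttl, protocol;
    uint16_t total_length, identification, flags, fragment_offset, checksum;
    uint32_t src, dst;
};

/* RFC 791 header checksum: one's complement of the one's-complement sum of all
   16-bit words in the header, with the checksum field (offset 10) taken as zero. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2) {
        if (i == 10) continue;                       /* checksum field counts as 0 */
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    }
    while (sum >> 16)                                /* fold carries back in */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parses an IPv4 header. Returns 0 on success or a negative code:
   -1 buffer shorter than 20 bytes, -2 version is not 4, -3 IHL below 5 or header
   longer than the buffer, -4 Total Length smaller than the header, -5 bad checksum. */
int ipv4_parse(const uint8_t *buf, size_t len, struct ipv4_hdr *out)
{
    if (len < 20) return -1;
    uint8_t version = buf[0] >> 4;
    uint8_t ihl     = buf[0] & 0x0F;                 /* header length in 32-bit words */
    if (version != 4) return -2;
    size_t hdr_len = (size_t)ihl * 4;
    if (ihl < 5 || hdr_len > len) return -3;
    uint16_t total_length = (uint16_t)((buf[2] << 8) | buf[3]);
    if (total_length < hdr_len) return -4;
    uint16_t checksum = (uint16_t)((buf[10] << 8) | buf[11]);
    if (ipv4_checksum(buf, hdr_len) != checksum) return -5;

    uint16_t frag = (uint16_t)((buf[6] << 8) | buf[7]);
    out->version         = version;
    out->ihl             = ihl;
    out->tos             = buf[1];
    out->total_length    = total_length;
    out->identification  = (uint16_t)((buf[4] << 8) | buf[5]);
    out->flags           = frag >> 13;               /* reserved, DF, MF */
    out->fragment_offset = frag & 0x1FFF;            /* in 8-byte units */
    out->ttl             = buf[8];
    out->protocol        = buf[9];                   /* the byte the filter reads at frame offset 23 */
    out->checksum        = checksum;
    out->src = ((uint32_t)buf[12] << 24) | ((uint32_t)buf[13] << 16) | ((uint32_t)buf[14] << 8) | buf[15];
    out->dst = ((uint32_t)buf[16] << 24) | ((uint32_t)buf[17] << 16) | ((uint32_t)buf[18] << 8) | buf[19];
    return 0;
}

/* Constructed sample: 20-byte IPv4 header of an ICMP datagram, Total Length 84,
   DF set, TTL 64, 192.0.2.1 -> 198.51.100.2, with a correct checksum (0x322c). */
static const uint8_t sample_ipv4[20] = {
    0x45, 0x00, 0x00, 0x54,   /* version 4, IHL 5, TOS 0, Total Length 84 */
    0x1c, 0x46, 0x40, 0x00,   /* Identification 0x1c46, flags DF, Fragment Offset 0 */
    0x40, 0x01, 0x32, 0x2c,   /* TTL 64, Protocol 1 (ICMP), Header checksum */
    0xc0, 0x00, 0x02, 0x01,   /* Source 192.0.2.1 */
    0xc6, 0x33, 0x64, 0x02,   /* Destination 198.51.100.2 */
};

/* Parses a copy of the sample with its TTL replaced. A router that decrements TTL
   must also recompute the checksum; changing only the TTL fails verification. */
int parse_sample_with_ttl(uint8_t ttl, struct ipv4_hdr *out)
{
    uint8_t copy[20];
    memcpy(copy, sample_ipv4, sizeof copy);
    copy[8] = ttl;
    return ipv4_parse(copy, sizeof copy, out);
}

int main(void)
{
    struct ipv4_hdr h;
    printf("intact header:    rc=%d\n", parse_sample_with_ttl(64, &h));   /* rc=0 */
    printf("protocol=%u ttl=%u total_length=%u src=%08x dst=%08x\n",
           h.protocol, h.ttl, h.total_length, h.src, h.dst);
    printf("TTL changed only: rc=%d\n", parse_sample_with_ttl(63, &h));   /* rc=-5 */
    return 0;
}
```

The same checks (IHL at least 5, Total Length not smaller than the header, checksum valid) are what a capture tool should apply before trusting any offset derived from the header, since a malformed IHL or Total Length would otherwise steer later parsing outside the captured bytes.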