
What is the simplest way to verify a BPF filter as a normal user?

Easiest I have found is to run tcpdump with a small pcap file as input to the -r option.

$ tcpdump -r one_packet.pcap -F invalid_bpf.conf 2> /dev/null ; echo $?
1
$ tcpdump -r one_packet.pcap -F valid_bpf.conf 2> /dev/null ; echo $?
0

Returns standard error codes for invalid or valid BPF filters. This requires that I have a PCAP file to provide as input.

Is there a way to do this simple test without a PCAP file or special privileges?

RyPeck

1 Answer


IF you have a shell that has a built-in "echo" command that supports escape sequences, one somewhat-perverse way of doing this would be to do

echo -en "\0324\0303\0262\0241\02\0\04\0\0\0\0\0\0\0\0\0\0377\0377\0\0\01\0\0\0" |\
    ./tcpdump -r - -F bpf.conf 2>/dev/null; echo $?

This worked for me on OS X 10.8, which has bash 3.2.48(1)-release (x86_64-apple-darwin12).

That "echo" command writes out a short pcap file with no packets in it, and with a link-layer header type of DLT_EN10MB. That will test whether the filter is valid for Ethernet; there are filters that are valid for some link-layer header types but not valid for others, such as "not broadcast", which is valid for Ethernet but not for PPP, so you'll need to choose some link-layer header type to use when testing.

  • That's... awesome. I get the following error though `tcpdump: unknown file format` | on Mac OS X 10.9 `GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)` tcpdump version `tcpdump version 4.3.0 -- Apple version 56` – RyPeck Mar 20 '14 at 17:17
  • Works if I put that output from echo in a pcap file and run it against that. – RyPeck Mar 20 '14 at 17:17
  • "I get the following error though `tcpdump: unknown file format` | on Mac OS X 10.9". Looks as if Apple broke either tcpdump or libpcap. I'll look at it and file a bug. –  Mar 20 '14 at 18:13
  • It does work when I pipe the output of echo to a file and run it against that, which confused me. – RyPeck Mar 20 '14 at 19:25
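The following script is an added example and is not code from the question or the answer above. It does the same thing as the echo one-liner (a 24-byte pcap global header with no packet records, fed to `tcpdump -r -` so the filter file is compiled without a capture file or capture privileges), but builds the header with `printf`, whose octal escapes are specified by POSIX, so it does not depend on the shell's built-in `echo`, and it takes the link-layer type as a parameter, so the same filter can be checked against Ethernet (DLT_EN10MB = 1), PPP (DLT_PPP = 9) or any other DLT value, which is the point the answer makes about "not broadcast". The function names are mine; `check_filter` assumes `tcpdump` is in `PATH`, and `pcap_header` needs nothing but `printf`.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# pcap_header writes the 24-byte pcap global header (no packet records)
# for a chosen link-layer type; check_filter pipes it into tcpdump so the
# filter in a file is compiled for that type without any capture.
# Function names are my own; tcpdump must be installed for check_filter.

# pcap_header DLT  -> header on stdout (default DLT 1 = DLT_EN10MB).
# Layout, little-endian: magic d4c3b2a1, version 2.4, thiszone 0,
# sigfigs 0, snaplen 65535, linktype DLT.
pcap_header() {
    dlt=${1:-1}
    b0=$(( dlt & 255 ))
    b1=$(( (dlt >> 8) & 255 ))
    b2=$(( (dlt >> 16) & 255 ))
    b3=$(( (dlt >> 24) & 255 ))
    printf '\324\303\262\241\002\000\004\000'    # magic, major 2, minor 4
    printf '\000\000\000\000\000\000\000\000'    # thiszone, sigfigs
    printf '\377\377\000\000'                    # snaplen 65535
    # linktype: turn the four bytes into \ooo escapes, then emit them
    lt=$(printf '\\%03o\\%03o\\%03o\\%03o' "$b0" "$b1" "$b2" "$b3")
    printf "$lt"
}

# pcap_header_hex DLT -> the same header as one lowercase hex string,
# so the bytes can be checked without a hex editor.
pcap_header_hex() {
    pcap_header "$1" | od -An -tx1 | tr -d ' \n'
}

# check_filter FILTER_FILE [DLT] -> exit status of tcpdump: 0 when the
# filter compiles for that link-layer type, non-zero when it is rejected.
check_filter() {
    pcap_header "${2:-1}" | tcpdump -r - -F "$1" 2>/dev/null
}

# Usage: sh check_bpf.sh filter.conf [DLT]   (e.g. 9 for DLT_PPP)
if [ "$#" -ge 1 ] && command -v tcpdump >/dev/null 2>&1; then
    if check_filter "$1" "${2:-1}"; then
        echo "filter in $1 accepted for DLT ${2:-1}"
    else
        echo "filter in $1 rejected for DLT ${2:-1}"
    fi
fi
```

Run it once per link-layer type you actually capture on; a filter that compiles for Ethernet is no guarantee that it compiles for the DLT of the interface it will be attached to.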