
In reading the man pages for tcpdump, I saw that the -dd argument would output the dump as a fragment of a C file. In what situations is that useful? I take it this is to quickly include and compile the fragment in a program that will be used to process the data according to code we write ourselves? Does this have its utility with unknown or new protocols? Is there some other common, standing situation in which this is needed? Just curious.

gladiola

1 Answer


It's useful if you're writing a program using libpcap/WinPcap that would use a filter but that, for whatever reason, wouldn't run pcap_compile() to translate a filter string into BPF machine code; it lets you do the compilation with tcpdump and generate some text that you could use in the initialization of an array of struct bpf_insn (a pointer to which, and a count of elements in which, you'd put in a struct bpf_program).

I'm not sure who would do that, however.

  • Okay, thanks. I thought it would be for plugging it into lex and yacc, but I was surprised that it might be done so often that an option for it had been built into tcpdump. – gladiola Jul 17 '15 at 18:58
  • No, what `-dd` prints is the output of something that's *already* plugged into lex and yacc (or Flex and Bison or Berkeley YACC), to parse pcap filter expressions and generate BPF code for them. –  Jul 18 '15 at 00:26
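To make the answer concrete, here is an added example (not from the original post, and not tcpdump's or libpcap's own code) of what embedding `-dd` output in a program looks like. The initializer array is what `tcpdump -dd tcp` prints for an Ethernet link type (DLT_EN10MB) with tcpdump's default snaplen of 262144; the accept instruction's return value changes with snaplen, so regenerate it for your own setup rather than copying it. `struct bpf_insn` and `struct bpf_program` are declared locally with the same layout as libpcap's so the example builds without libpcap; in a real program you would include <pcap/pcap.h> and hand `tcp_prog` to `pcap_setfilter()` or `pcap_offline_filter()`. The small interpreter, the sample frames and the `make_frame`/`filter_*` helpers are constructed here for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as libpcap's struct bpf_insn / struct bpf_program (<pcap/bpf.h>).
 * Declared locally so the example builds without libpcap. */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};
struct bpf_program {
    unsigned int     bf_len;     /* number of instructions */
    struct bpf_insn *bf_insns;   /* the instructions themselves */
};

/* Classic-BPF opcode values used by the filter below. */
#define OP_LD_H_ABS 0x28   /* A = big-endian 16-bit word at pkt[k]  (BPF_LD|BPF_H|BPF_ABS)  */
#define OP_LD_B_ABS 0x30   /* A = pkt[k]                            (BPF_LD|BPF_B|BPF_ABS)  */
#define OP_JEQ_K    0x15   /* pc += (A == k) ? jt : jf (plus one)   (BPF_JMP|BPF_JEQ|BPF_K) */
#define OP_RET_K    0x06   /* return k                              (BPF_RET|BPF_K)         */

/* Pasted verbatim from `tcpdump -dd tcp` (Ethernet, snaplen 262144).
 * Jump offsets in -dd output are relative to the next instruction. */
static struct bpf_insn tcp_filter[] = {
    { 0x28, 0, 0, 0x0000000c },   /* ldh [12]     : EtherType                    */
    { 0x15, 0, 2, 0x000086dd },   /* jeq #0x86dd  -> IPv6 path, else skip 2      */
    { 0x30, 0, 0, 0x00000014 },   /* ldb [20]     : IPv6 Next Header             */
    { 0x15, 3, 4, 0x00000006 },   /* jeq #6       -> accept, else reject         */
    { 0x15, 0, 3, 0x00000800 },   /* jeq #0x800   -> IPv4 path, else reject      */
    { 0x30, 0, 0, 0x00000017 },   /* ldb [23]     : IPv4 Protocol                */
    { 0x15, 0, 1, 0x00000006 },   /* jeq #6       -> accept, else reject         */
    { 0x6, 0, 0, 0x00040000 },    /* ret #262144  : accept, keep whole packet    */
    { 0x6, 0, 0, 0x00000000 },    /* ret #0       : reject                       */
};

/* This is the struct you would pass to pcap_setfilter() / pcap_offline_filter(). */
static struct bpf_program tcp_prog = {
    sizeof tcp_filter / sizeof tcp_filter[0],
    tcp_filter,
};

/* Toy interpreter for the four opcodes above (constructed for this example).
 * Returns the number of bytes to keep, 0 meaning reject, as bpf_filter() does.
 * A load past the end of the packet rejects the packet, as the real libpcap
 * and kernel interpreters do. */
uint32_t run_filter(const struct bpf_program *prog, const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    for (unsigned int pc = 0; pc < prog->bf_len; pc++) {
        const struct bpf_insn *in = &prog->bf_insns[pc];
        switch (in->code) {
        case OP_LD_H_ABS:
            if ((size_t)in->k + 2 > len) return 0;
            acc = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            break;
        case OP_LD_B_ABS:
            if ((size_t)in->k + 1 > len) return 0;
            acc = pkt[in->k];
            break;
        case OP_JEQ_K:
            pc += (acc == in->k) ? in->jt : in->jf;   /* loop's pc++ adds the +1 */
            break;
        case OP_RET_K:
            return in->k;
        default:
            return 0;   /* opcode not handled by this toy interpreter */
        }
    }
    return 0;           /* fell off the end: treat as reject */
}

/* Constructed sample frame (not a real capture): Ethernet header plus a minimal
 * IPv4 or IPv6 header; only the bytes the filter reads are meaningful. */
static size_t make_frame(uint8_t *buf, size_t cap, uint16_t ethertype, uint8_t l4proto)
{
    memset(buf, 0, cap);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xff);
    if (ethertype == 0x0800) { buf[14] = 0x45; buf[23] = l4proto; return 14 + 20; }
    if (ethertype == 0x86dd) { buf[14] = 0x60; buf[20] = l4proto; return 14 + 40; }
    return 14 + 28;     /* e.g. ARP: payload contents irrelevant to this filter */
}

uint32_t filter_ipv4_tcp(void)  { uint8_t f[64]; size_t n = make_frame(f, sizeof f, 0x0800, 6);  return run_filter(&tcp_prog, f, n); }
uint32_t filter_ipv4_udp(void)  { uint8_t f[64]; size_t n = make_frame(f, sizeof f, 0x0800, 17); return run_filter(&tcp_prog, f, n); }
uint32_t filter_ipv6_tcp(void)  { uint8_t f[64]; size_t n = make_frame(f, sizeof f, 0x86dd, 6);  return run_filter(&tcp_prog, f, n); }
uint32_t filter_arp(void)       { uint8_t f[64]; size_t n = make_frame(f, sizeof f, 0x0806, 0);  return run_filter(&tcp_prog, f, n); }
/* A 13-byte frame has no complete EtherType field: the first load is out of range. */
uint32_t filter_truncated(void) { uint8_t f[64]; make_frame(f, sizeof f, 0x0800, 6); return run_filter(&tcp_prog, f, 13); }

int main(void)
{
    printf("ipv4/tcp  -> %u\n", filter_ipv4_tcp());
    printf("ipv4/udp  -> %u\n", filter_ipv4_udp());
    printf("ipv6/tcp  -> %u\n", filter_ipv6_tcp());
    printf("arp       -> %u\n", filter_arp());
    printf("truncated -> %u\n", filter_truncated());
    return 0;
}
```

Pasting precompiled instructions this way skips `pcap_compile()` and the filter-expression parser behind it, but not the checks that `pcap_setfilter()` or the kernel perform on a program before installing it (jump targets within the program, every path ending in a return), so a hand-edited or mis-pasted array is rejected at install time rather than silently run. The interpreter above is only there to show what the array encodes; it handles just the opcodes this one filter uses, and any other opcode makes it reject the packet.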