
I have a binary file which runs a bpf server. The BPF is "loosely" defined as follows:

struct bpf {
    unsigned short length;        /* = 0x64, the number of instructions */
    struct sock_filter *code;     /* = &c, pointer to the instruction array */
};

A snippet of the code portion is: 0x00000028 0x00000004 0x61000015 0x00000028 I am looking at this through GDB. How can I look at the above memory addresses and determine which parts go into the sock_filter struct?

How would I determine which hexadecimal value maps to which specific BPF instruction?

  • Found! But for anyone that is interested, you have to look in filter.h in order to get the exact definitions of each BPF instruction, then remember that things are packed in reverse order and then you can figure out the struct. – John Conrad Geenty Jun 22 '17 at 20:32
  • Still need an answer for the second question though :) – John Conrad Geenty Jun 22 '17 at 20:43
  • Not sure what you mean by “_runs a BPF server_” or by “_BPF is "loosely" defined as …_”. You have a binary that injects a BPF program into the kernel and attaches it to a socket, and you try to understand what the BPF program does? Have you tried looking at the documentation? It's at https://www.kernel.org/doc/Documentation/networking/filter.txt. – Qeole Jun 23 '17 at 07:29
  • Yes, I am trying to understand and figure out what packets the bpf binary is filtering out. It has a socket that is modified using setsockopt with SO_ATTACH_FILTER and a bunch of bpf code and instructions. I have the instruction in hex format, like above. As a side note, when the instruction has a number in the true or false field, does that mean jump that many instructions? – John Conrad Geenty Jun 26 '17 at 16:33
  • And thank you very much for your help! I really appreciate it! – John Conrad Geenty Jun 26 '17 at 16:34
  • Also, what is the structure of a packet for a bpf? I assume it would be the same as a regular packet, but I am unsure about this. – John Conrad Geenty Jun 26 '17 at 18:10
  • Ok, attached to a socket then. I suppose this is the “classic” version of BPF (not eBPF). Packets processed are regular packets, starting either from the Ethernet or from the IP header depending on the socket type if I remember correctly. You might want to look at this question: https://stackoverflow.com/questions/39540291/classic-bpf-on-linux-filter-does-not-work (not the same, but that's about attaching a filter on a socket, and a BPF program is commented step by step). And yes the “jump if true/false” instructions take an offset _n_ (and jumps to _n+1_ th instruction, instead of _1_). – Qeole Jun 27 '17 at 06:55
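The decoding that the comments describe (take the words as dumped from memory, undo the little-endian "reverse order" packing to recover `struct sock_filter { u16 code; u8 jt; u8 jf; u32 k; }`, then split `code` into the class/size/mode/op bit fields from `linux/filter.h`, and resolve jump offsets as `pc + 1 + n`) can be done with a short script. The following is an added example, not code from the question or its commenters. It assumes the four 32-bit words quoted in the question were read from a little-endian (x86) process with GDB's `x/4xw`, so that each `sock_filter` occupies two consecutive words; the mnemonic spelling loosely follows the kernel's `bpf_asm` syntax and the `decode_program`/`disassemble` names are this example's own.

```python
"""Decode classic-BPF (cBPF) sock_filter entries dumped as 32-bit words."""
import struct
from typing import List, Tuple

# Constructed sample: the four words quoted in the question, as printed by
# GDB on a little-endian target (x/4xw &c).  Two words per sock_filter.
SAMPLE_WORDS = [0x00000028, 0x00000004, 0x61000015, 0x00000028]

# Bit fields of sock_filter.code, as defined in <linux/filter.h>.
BPF_LD, BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_RET, BPF_MISC = range(8)
SIZE = {0x00: "", 0x08: "h", 0x10: "b"}                    # BPF_W, BPF_H, BPF_B
ALU_OP = {0x00: "add", 0x10: "sub", 0x20: "mul", 0x30: "div", 0x40: "or",
          0x50: "and", 0x60: "lsh", 0x70: "rsh", 0x80: "neg", 0x90: "mod",
          0xa0: "xor"}
JMP_OP = {0x00: "ja", 0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset"}

Insn = Tuple[int, int, int, int]  # (code, jt, jf, k)


def words_to_insns(words: List[int], little_endian: bool = True) -> List[Insn]:
    """Re-serialise the dumped words into bytes and unpack struct sock_filter.

    The struct is {u16 code; u8 jt; u8 jf; u32 k;} in memory order, so the
    first word holds code in its low 16 bits, jt in bits 16..23 and jf in
    bits 24..31 on a little-endian machine: 0x61000015 -> code 0x15, jt 0, jf 0x61.
    """
    endian = "<" if little_endian else ">"
    raw = b"".join(struct.pack(endian + "I", w) for w in words)
    if len(raw) % 8:
        raise ValueError("a sock_filter array is a multiple of 8 bytes")
    return [struct.unpack_from(endian + "HBBI", raw, off)
            for off in range(0, len(raw), 8)]


def disassemble(pc: int, code: int, jt: int, jf: int, k: int) -> str:
    """Turn one instruction into a bpf_asm-style mnemonic (jump targets absolute)."""
    cls = code & 0x07
    if cls in (BPF_LD, BPF_LDX):
        reg = "ld" if cls == BPF_LD else "ldx"
        size = SIZE.get(code & 0x18, "?")
        mode = code & 0xe0
        if mode == 0x00:                          # BPF_IMM
            return f"{reg} #{k:#x}"
        if mode == 0x20:                          # BPF_ABS: packet[k]
            return f"{reg}{size} [{k}]"
        if mode == 0x40:                          # BPF_IND: packet[x + k]
            return f"{reg}{size} [x + {k}]"
        if mode == 0x60:                          # BPF_MEM: scratch slot
            return f"{reg} M[{k}]"
        if mode == 0x80:                          # BPF_LEN
            return f"{reg} #len"
        if mode == 0xa0:                          # BPF_MSH: IP header length
            return f"ldxb 4*([{k}]&0xf)"
        return f"{reg} <bad mode {mode:#x}>"
    if cls == BPF_ST:
        return f"st M[{k}]"
    if cls == BPF_STX:
        return f"stx M[{k}]"
    if cls == BPF_ALU:
        op = ALU_OP.get(code & 0xf0, "alu?")
        if op == "neg":
            return "neg"
        return f"{op} {'x' if code & 0x08 else f'#{k:#x}'}"
    if cls == BPF_JMP:
        op = JMP_OP.get(code & 0xf0, "jmp?")
        if op == "ja":                            # unconditional, offset in k
            return f"ja {pc + 1 + k}"
        src = "x" if code & 0x08 else f"#{k:#x}"  # BPF_X vs BPF_K
        # jt/jf are offsets: the next instruction is pc+1, so target = pc+1+n
        return f"{op} {src}, jt {pc + 1 + jt}, jf {pc + 1 + jf}"
    if cls == BPF_RET:
        rval = code & 0x18
        return {0x00: f"ret #{k}", 0x10: "ret a", 0x08: "ret x"}.get(rval, "ret ?")
    if cls == BPF_MISC:
        return "tax" if (code & 0xf8) == 0x00 else "txa"
    return f"<unknown code {code:#06x}>"


def decode_program(words: List[int], little_endian: bool = True) -> List[str]:
    """Decode a whole word dump into a list of mnemonics, one per instruction."""
    return [disassemble(pc, *insn)
            for pc, insn in enumerate(words_to_insns(words, little_endian))]


if __name__ == "__main__":
    for pc, (insn, text) in enumerate(zip(words_to_insns(SAMPLE_WORDS),
                                          decode_program(SAMPLE_WORDS))):
        code, jt, jf, k = insn
        print(f"({pc:03d}) code={code:#06x} jt={jt:#04x} jf={jf:#04x} k={k:#010x}  {text}")
```

For the four words in the question this yields `ldh [4]` (code 0x28 = `BPF_LD|BPF_H|BPF_ABS`, load the half-word at packet offset 4) followed by `jeq #0x28, jt 2, jf 99` (code 0x15 = `BPF_JMP|BPF_JEQ|BPF_K`, with the raw offsets jt=0 and jf=0x61 resolved to absolute instruction numbers as Qeole's comment describes). To extend the dump, copy more words from `x/Nxw` into `SAMPLE_WORDS`; a length of 0x64 in the program header means 100 instructions, i.e. 200 words.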

0 Answers