How can I look for uneven port numbers only using BPF?

Question

How can I get a tcpdump that contains only uneven port numbers, using BPF?

Have a look at `man pcap-filter`, search for “arithmetic”: it looks like it supports normal binary operators, so maybe by checking something like `( % 2) == 1`? I have not tested it. — Qeole, Dec 16 '19 at 16:15

score 1 · Answer 1 · answered Dec 16 '19 at 16:20

You can first retrieve the source TCP port with tcp[0:2], i.e., the first 2 bytes of the TCP header. Then, checking if that value is odd, is a simple matter of checking if the last bit is 1:

tcp[0:2] & 1 == 1

To extend this to UDP ports, you shouldn't need to change anything because the source and destination ports for UDP are at the same offset in the UDP header as in the TCP header.

I'll let you extend to the destination ports :-)

How can I look for uneven port numbers only using BPF?

1 Answers1