From: Juan Herrera
To: freebsd-net@freebsd.org
Date: Thu, 7 Jan 2016 11:17:30 -0600
Subject: tcpdump filter length Question
List-Id: Networking and TCP/IP with FreeBSD

Hello all,

I am trying to do a tcpdump filter like the one below.

The idea is to filter all Ethernet frames, and where the frame ends, as I understand, the keyword *len* has the total length of the captured packet, subtracts 85 positions and compares if the byte in position len - 85 is equal to hex 0x2.

Does anybody know what I am doing wrong? tcpdump does not complain when executing that command, but the filter does not work when attached to my C program. I am attaching that code with setsockopt(2) - SO_ATTACH_FILTER.

sudo tcpdump 'ether [ len ] - 85 = 0x2' -dd
{ 0x80, 0, 0, 0x00000000 },
{ 0x7, 0, 0, 0x00000000 },
{ 0x50, 0, 0, 0x00000000 },
{ 0x14, 0, 0, 0x00000055 },
{ 0x54, 0, 0, 0x000000ff },
{ 0x15, 0, 1, 0x00000002 },
{ 0x6, 0, 0, 0x0000ffff },
{ 0x6, 0, 0, 0x00000000 },

Thanks!
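
Added example, not part of the original message: the eight -dd rows decoded and run through a minimal classic-BPF interpreter. It shows that the posted program loads the byte at offset len (one past the last byte, so the load fails and every packet is dropped) and subtracts 85 from the loaded value, not from the index. The names run_filter, run_on_sample and indexed, the hand-written indexed program and the 100-byte sample frame are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };  /* one `tcpdump -dd` row */
/* The eight rows quoted in the message, unchanged, with their meaning. */
static const struct insn posted[] = {
    { 0x80, 0, 0, 0x00000000 },  /* ld   len      A = packet length          */
    { 0x7,  0, 0, 0x00000000 },  /* tax           X = A                      */
    { 0x50, 0, 0, 0x00000000 },  /* ldb  [x + 0]  A = byte at offset len     */
    { 0x14, 0, 0, 0x00000055 },  /* sub  #85      A = that byte's value - 85 */
    { 0x54, 0, 0, 0x000000ff },  /* and  #0xff                               */
    { 0x15, 0, 1, 0x00000002 },  /* jeq  #2       equal: next row, else skip */
    { 0x6,  0, 0, 0x0000ffff },  /* ret  #65535   accept                     */
    { 0x6,  0, 0, 0x00000000 },  /* ret  #0       drop                       */
};
/* Hand-written for this example (not tcpdump output): index = len - 85. */
static const struct insn indexed[] = {
    { 0x80, 0, 0, 0 }, { 0x14, 0, 0, 85 }, { 0x07, 0, 0, 0 },  /* ld len; sub #85; tax */
    { 0x50, 0, 0, 0 }, { 0x15, 0, 1, 2 },                      /* ldb [x + 0]; jeq #2  */
    { 0x06, 0, 0, 0xffff }, { 0x06, 0, 0, 0 },                 /* ret #65535; ret #0   */
};
/* Runs only the opcodes used above; a load outside the packet returns 0 (drop), as in BPF. */
uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, uint32_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = p[pc].k;
        switch (p[pc].code) {
        case 0x80: A = len; break;
        case 0x07: X = A; break;
        case 0x50: if (k >= len || X >= len - k) return 0; A = pkt[X + k]; break;
        case 0x14: A -= k; break;
        case 0x54: A &= k; break;
        case 0x15: pc += (A == k) ? p[pc].jt : p[pc].jf; break;
        case 0x06: return k;
        default:   return 0;  /* opcode not modelled in this example */
        }
    }
    return 0;
}
/* Constructed 100-byte frame: all zero except byte len - 85 (offset 15) = marker. */
uint32_t run_on_sample(const struct insn *p, size_t n, uint8_t marker)
{
    uint8_t pkt[100] = { [100 - 85] = marker };
    return run_filter(p, n, pkt, sizeof pkt);
}
int main(void)
{
    printf("posted=%u indexed=%u\n", (unsigned)run_on_sample(posted, 8, 2), (unsigned)run_on_sample(indexed, 7, 2));
    return 0;
}
```

In pcap filter syntax the indexed form corresponds to writing the arithmetic inside the brackets, as in 'ether[len - 85] = 0x2'.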