From: Viktor Penkoff
To: freebsd-net@freebsd.org
Date: Fri, 8 Mar 2013 11:00:22 +0200
Subject: BPF data representation
List-Id: Networking and TCP/IP with FreeBSD

Hi guys. I'm digging into some BPF stuff and I can't figure out why there are 3 types of data representations: words, halfwords and bytes.
I mean, how can I know which one is best to use in a given place? In a basic example, e.g. for packet capturing, going by BPF's manual, I use a halfword representation for the ETHERTYPE in the Ethernet header, but a word representation for an IP address. Let's say we have some read instructions:

    BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, X, Y),
    ....
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 26),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0xABABABAB, X, Y)

Can someone explain? Thanks!
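The load sizes in the instructions quoted above, as an added example that is not part of the original post and is not FreeBSD's BPF code: a small C emulation of absolute word, halfword and byte loads over a constructed Ethernet/IPv4 frame, where each load width equals the width of the header field being read. The names `ld_abs`, `match_ipv4_src`, `ip_proto` and `sample_frame` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper (not a BPF API): emulates an absolute load of
 * `width` bytes (4 = word, 2 = halfword, 1 = byte) at offset `off`.
 * The packet is read in network byte order; the load fails if it
 * would run past the end of the captured data. */
static int ld_abs(const uint8_t *pkt, size_t len, size_t off, size_t width,
                  uint32_t *out)
{
    if (off > len || width > len - off)
        return -1;              /* a real filter rejects the packet here */
    uint32_t v = 0;
    for (size_t i = 0; i < width; i++)
        v = (v << 8) | pkt[off + i];
    *out = v;
    return 0;
}

/* Mirrors the filter in the post: the halfword at 12 is the 16-bit
 * EtherType, the word at 26 is the 32-bit IPv4 source address. */
int match_ipv4_src(const uint8_t *pkt, size_t len, uint32_t src)
{
    uint32_t a;
    if (ld_abs(pkt, len, 12, 2, &a) != 0 || a != 0x0800)  /* ETHERTYPE_IP */
        return 0;
    if (ld_abs(pkt, len, 26, 4, &a) != 0 || a != src)
        return 0;
    return 1;
}

/* Byte load: the IPv4 protocol field is one byte at offset 14 + 9. */
int ip_proto(const uint8_t *pkt, size_t len)
{
    uint32_t a;
    return ld_abs(pkt, len, 23, 1, &a) == 0 ? (int)a : -1;
}

/* Constructed sample frame: Ethernet header + 20-byte IPv4 header. */
const uint8_t sample_frame[34] = {
    0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,  /* dst MAC, src MAC, EtherType */
    0x45,0,0,20, 0,0,0,0, 64,6,0,0,         /* ..., ttl, proto=6 (TCP), cksum */
    0xAB,0xAB,0xAB,0xAB, 10,0,0,1           /* src address, dst address */
};

int main(void)
{
    return match_ipv4_src(sample_frame, sizeof sample_frame, 0xABABABABu) ? 0 : 1;
}
```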