Dump compiled BPF program

The expression part (please refer to The format of tcpdump command) is compiled into a BPF program before processing (the code is here):

  1. ......
  2. if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0)
  3. error("%s", pcap_geterr(pd));
  4. if (dflag) {
  5. bpf_dump(&fcode, dflag);
  6. pcap_close(pd);
  7. free(cmdbuf);
  8. pcap_freecode(&fcode);
  9. exit_tcpdump(S_SUCCESS);
  10. }
  11. ......

The -d option (given once, twice or three times: -d, -dd, -ddd) controls how the compiled BPF program is displayed.

a) In human-readable format (like assembly code):

  1. # tcpdump -d port 80
  2. (000) ldh [12]
  3. (001) jeq #0x86dd jt 2 jf 10
  4. (002) ldb [20]
  5. (003) jeq #0x84 jt 6 jf 4
  6. (004) jeq #0x6 jt 6 jf 5
  7. (005) jeq #0x11 jt 6 jf 23
  8. (006) ldh [54]
  9. (007) jeq #0x50 jt 22 jf 8
  10. (008) ldh [56]
  11. (009) jeq #0x50 jt 22 jf 23
  12. (010) jeq #0x800 jt 11 jf 23
  13. (011) ldb [23]
  14. (012) jeq #0x84 jt 15 jf 13
  15. (013) jeq #0x6 jt 15 jf 14
  16. (014) jeq #0x11 jt 15 jf 23
  17. (015) ldh [20]
  18. (016) jset #0x1fff jt 23 jf 17
  19. (017) ldxb 4*([14]&0xf)
  20. (018) ldh [x + 14]
  21. (019) jeq #0x50 jt 22 jf 20
  22. (020) ldh [x + 16]
  23. (021) jeq #0x50 jt 22 jf 23
  24. (022) ret #262144
  25. (023) ret #0

b) As a C program fragment:

  1. # tcpdump -dd port 80
  2. { 0x28, 0, 0, 0x0000000c },
  3. { 0x15, 0, 8, 0x000086dd },
  4. { 0x30, 0, 0, 0x00000014 },
  5. { 0x15, 2, 0, 0x00000084 },
  6. { 0x15, 1, 0, 0x00000006 },
  7. { 0x15, 0, 17, 0x00000011 },
  8. { 0x28, 0, 0, 0x00000036 },
  9. { 0x15, 14, 0, 0x00000050 },
  10. { 0x28, 0, 0, 0x00000038 },
  11. { 0x15, 12, 13, 0x00000050 },
  12. { 0x15, 0, 12, 0x00000800 },
  13. { 0x30, 0, 0, 0x00000017 },
  14. { 0x15, 2, 0, 0x00000084 },
  15. { 0x15, 1, 0, 0x00000006 },
  16. { 0x15, 0, 8, 0x00000011 },
  17. { 0x28, 0, 0, 0x00000014 },
  18. { 0x45, 6, 0, 0x00001fff },
  19. { 0xb1, 0, 0, 0x0000000e },
  20. { 0x48, 0, 0, 0x0000000e },
  21. { 0x15, 2, 0, 0x00000050 },
  22. { 0x48, 0, 0, 0x00000010 },
  23. { 0x15, 0, 1, 0x00000050 },
  24. { 0x6, 0, 0, 0x00040000 },
  25. { 0x6, 0, 0, 0x00000000 },

c) As raw numbers (the first line is the instruction count, followed by one instruction per line):

  1. # tcpdump -ddd port 80
  2. 24
  3. 40 0 0 12
  4. 21 0 8 34525
  5. 48 0 0 20
  6. 21 2 0 132
  7. 21 1 0 6
  8. 21 0 17 17
  9. 40 0 0 54
  10. 21 14 0 80
  11. 40 0 0 56
  12. 21 12 13 80
  13. 21 0 12 2048
  14. 48 0 0 23
  15. 21 2 0 132
  16. 21 1 0 6
  17. 21 0 8 17
  18. 40 0 0 20
  19. 69 6 0 8191
  20. 177 0 0 14
  21. 72 0 0 14
  22. 21 2 0 80
  23. 72 0 0 16
  24. 21 0 1 80
  25. 6 0 0 262144
  26. 6 0 0 0