
Wireshark-users: Re: [Wireshark-users] dumpcap and bpf assembler

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 27 May 2015 15:39:47 +0200
Richard,

I have the same interest, different reason, and did not find anything on my last search (a couple of years ago). However, there is a lot you can do by using offsets and stuff yourself. For instance:

Multiple vlans:
vlan and (ether[14:2]&0x0fff = 4092 or ether[14:2]&0x0fff = 4094)

SIP over IPoverIP:
ip proto 4 and (ip[((ip[0]&0x0f)<<2)+9]=17 or ip[((ip[0]&0x0f)<<2)+9]=6) and (ip[((ip[0]&0x0f)<<2)+((ip[((ip[0]&0x0f)<<2)]&0x0f)<<2)+0:2]=5060 or ip[((ip[0]&0x0f)<<2)+((ip[((ip[0]&0x0f)<<2)]&0x0f)<<2)+2:2]=5060)


As you can see, you can just use the highest protocol that BPF does understand correctly and work with offsets from there. Do you have an example capture file that you can share? Then I might be able to help you.

Cheers,
Sake


On 26 May 2015, at 22:21, Richard Stearn wrote:

> Is there a way of handing dumpcap a BPF assembler file rather than a
> libpcap expression?
> 
> I have RTFM'd, googled and not found an answer.
> 
> Of course my reading ability and googlefu could be well broken :-)
> 
> Why, because I wish to filter on the protocol the network interface
> currently believes the packet to be (skb->protocol), rather than what
> the interface says it is and I have not found a libpcap expression that
> achieves that.
> 
> -- 
> Regards
> 	Richard
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
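An added example (not from Sake's post, nor from Wireshark or libpcap) that renders the two offset-based filters in Sake's reply as plain Python over constructed packets, so the index arithmetic can be stepped through byte by byte. It assumes 802.1Q tags carry ethertype 0x8100 and that `ip[...]` indexes from the start of the outer IPv4 header, as libpcap does; the packet builders and sample values are constructed here.

```python
import struct

# Added example, not from the mailing-list post: Sake's two BPF filters
# written out as Python byte checks over constructed packets.
# Assumes 0x8100 VLAN tags and ip[...] offsets relative to the outer IPv4 header.

def u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]

def vlan_4092_or_4094(frame):
    # vlan and (ether[14:2]&0x0fff = 4092 or ether[14:2]&0x0fff = 4094)
    # ether[] counts from the frame start: offset 12 = tag ethertype, 14 = TCI.
    if len(frame) < 16 or u16(frame, 12) != 0x8100:
        return False
    return (u16(frame, 14) & 0x0FFF) in (4092, 4094)

def sip_over_ipip(ip):
    # ip proto 4 and (ip[outer+9]=17 or ip[outer+9]=6)
    #   and (ip[outer+inner+0:2]=5060 or ip[outer+inner+2:2]=5060)
    # where outer = (ip[0]&0x0f)<<2 and inner = (ip[outer]&0x0f)<<2 (IHL in bytes).
    try:
        if ip[9] != 4:                        # outer protocol must be IP-in-IP
            return False
        outer = (ip[0] & 0x0F) << 2           # outer header length in bytes
        if ip[outer + 9] not in (6, 17):      # inner protocol must be TCP or UDP
            return False
        inner = (ip[outer] & 0x0F) << 2       # inner header length in bytes
        ports = (u16(ip, outer + inner), u16(ip, outer + inner + 2))
    except (IndexError, struct.error):        # load past the packet end: BPF rejects it
        return False
    return 5060 in ports

# --- constructed packets (sample data, not captured traffic) ---------------
def ipv4(proto, ihl=5):
    # Minimal IPv4 header of IHL*4 bytes; options zero-filled, checksum left 0.
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 0, 0, 0, 64, proto, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + b"\x00" * (ihl * 4 - 20)

def vlan_frame(vid):
    # dst + src MAC, 802.1Q tag (TCI = VLAN ID, priority 0), inner ethertype IPv4
    return b"\x00" * 12 + struct.pack("!HHH", 0x8100, vid & 0x0FFF, 0x0800)

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

if __name__ == "__main__":
    pkt = ipv4(4) + ipv4(17, ihl=6) + udp(40000, 5060)  # outer IHL 5, inner IHL 6 (options)
    print(sip_over_ipip(pkt), vlan_4092_or_4094(vlan_frame(4094)))  # True True
```

The inner header deliberately carries options (IHL 6) to show why the filter reads both IHL fields instead of assuming 20-byte headers.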