Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!wuarchive!udel!haven.umd.edu!cs.wvu.wvnet.edu!cerc.wvu.wvnet.edu!cathedral!taku
From: taku@cathedral.cerc.wvu.wvnet.edu (Takumei So)
Newsgroups: comp.unix.ultrix
Subject: Help with "programming" packet filter
Keywords: packetfilter, ultrix, ethernet
Message-ID: <1712@babcock.cerc.wvu.wvnet.edu>
Date: 7 May 91 18:57:56 GMT
Sender: news@cerc.wvu.wvnet.edu
Distribution: usa
Lines: 73


     I am trying to "program" the packet filter available on ultrix
machines so that it will accept only packets whose the destination
ethernet address is 8:0:2b:17:b3:a0.

     It's not working, however (read() returns 0 bytes), and I would
like someone to point out what I'm doing wrong.  I have reasons to 
suspect I'm not setting the filter up correctly.

     The following is the code for filter that I adapted from the man
page with some modifications.  What am I doning wrong here?

>struct enfilter Filter =
>{
>   36, 12,
>   ENF_PUSHWORD + 0,
>   ENF_PUSHLIT, 0x0008, /* 0x0800 */
>   ENF_CAND,
>   ENF_PUSHWORD + 1,
>   ENF_PUSHLIT, 0x172b, /* 0x2b17 */
>   ENF_CAND,
>   ENF_PUSHWORD + 2,
>   ENF_PUSHLIT, 0xa0b3, /* 0xb3a0 */
>   ENF_EQ
>};

    Specifically, am I setting up the byte order correctly?  And
is the filter command list length set corectly (I set it to 12
shortwords)?

     man page for packetfilter gives the following example:

>          struct enfilter f =
>          {
>              36, 0,                /* priority and length */
>              ENF_PUSHWORD + 6,
>              ENF_PUSHLIT, 0x3580,
>              ENF_CAND,             /* Ethernet type == 0x8035 (RARP) */
>              ENF_PUSHWORD + 10,
>              ENF_PUSHLIT, 0x0300,
>              ENF_CAND,             /* reverse request type = 0003 */
>              ENF_PUSHWORD + 0,
>              ENF_PUSHLIT, 0xFFFF,
>              ENF_CAND,             /* dest addr = FF-FF */
>              ENF_PUSHWORD + 1,
>              ENF_PUSHLIT, 0xFFFF,
>              ENF_CAND,             /* dest addr = FF-FF */
>              ENF_PUSHWORD + 2,
>              ENF_PUSHLIT, 0xFFFF,
>              ENF_EQ                /* dest addr = FF-FF */
>          };

    This example "first checks the Ethernet type of the packet.  If it
is not a RARP packet, it is discarded.  Then, the RARP type field is
checked for a reverse request (type 3), followed by a check for a
broadcast destination address."

    In this example, I don't understand why packet length is set to 0.
Could it be a mistake in man page?

    The machine I'm using is a ultrix machine, DECstation 5000 running
ULTRIX V4.0 Rev.179.  I'm running it as su, and the interface is set to
promiscuous mode.

    Any help, or example codes for using packetfilter, will be greatly 
appreciated!!!

-Taku

Taku So    
taku@cerc.wvu.wvnet.edu
Concurrent Engineering Research Center
Morgantown, WV  26505