Merge pull request #3 from jschwinger233/gray/filter

Solve the issues when setting filters
jschwinger233 · Mar 12, 2023 · 44f6fec · 44f6fec
2 parents 79533b0 + 3b406bb
commit 44f6fec
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 146 deletions.
diff --git a/README.md b/README.md
@@ -10,7 +10,15 @@ This tool is created by the following motives:
 4. tcpdump(8) doesn't reflect the information of direction: egress or ingress;
 5. tcpdump(8) can't capture the skb metadata in the `struct __sk_buff`;
 
-However, tcpdump(8) does have something I really appriciate, such as pcap-filter(8) for packet filtering, and I want to make sure my tool can still leverage the power of that.
+However, tcpdump(8) does have something I really appriciate, such as [pcap-filter(7)](https://linux.die.net/man/7/pcap-filter) for packet filtering, and I want to make sure my tool can still leverage the power of that.
+
+# Installation
+
+Please download the latest binary in the [releases](https://github.com/jschwinger233/skbdump/releases).
+
+### Requirements
+
+`tcpdump(8)` is required to generate cbpf bytecode, please install it.
 
 # Usage
 
@@ -24,15 +32,14 @@ Usage of skbdump:
 
 Please be aware that every capture will dump two files, one is `pcap` file which I recommand you open it by wireshark, and the other is `skb` text file just simply recording skb metadata in JSON.
 
-## Some examples:
+### Some examples:
 
-1. skbdump -i eth0 port 80
-2. skbdump -i eth0 udp
-3. skbdump -i eth0 host 10.10.1.1
-4. skbdump -i any dst 10.10.1.20
+1. skbdump -i eth0 port 80 and host 10.10.1.1
+2. skbdump -i eth0 udp or arp
+3. skbdump -i any icmp or icmp6
+4. skbdump -i any ip6 and dst host fd04::18ab
+5. skbdump -i veth 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
 
 # Known Issues
 
-1. There are some bugs of transforming cbpf to ebpf, and now the tool will break for `skbdump -i lo arp`. To workaround the issue you can use the equivalent filter expression such as `skbdump -i lo ether proto arp`.
-3. Some complicated filter expression doesn't work as expected, such as `'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'`.
 2. Currently the tool only supports capturing packets with maximum 1500 bytes.
diff --git a/go.mod b/go.mod
@@ -8,10 +8,10 @@ require (
 	github.com/elastic/go-sysinfo v1.9.0
 	github.com/florianl/go-tc v0.4.2
 	github.com/google/gopacket v1.1.19
-	github.com/packetcap/go-pcap v0.0.0-20230225181818-eba71accde5b
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.1.0
+	golang.org/x/net v0.7.0
 	golang.org/x/sys v0.5.0
 )
 
@@ -23,8 +23,9 @@ require (
 	github.com/mdlayher/netlink v1.6.0 // indirect
 	github.com/mdlayher/socket v0.1.1 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/stretchr/testify v1.4.0 // indirect
 	github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
-	golang.org/x/net v0.7.0 // indirect
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
+	gopkg.in/yaml.v2 v2.2.8 // indirect
 	howett.net/plist v0.0.0-20181124034731-591f970eefbb // indirect
 )