networking wireshark packet-sniffers bpf

Why does Bpf allow ether[0:2] and ether[0:4] but not ether[0:3]?

Why does Berkeley Packet Filter allow filtering on ether[0:2] and ether[0:4] but not ether[0:3] which is the vendor?tcpdump 'ether[0:3] = 0x000000' returns with tcpdump: data size must be 1, 2, or 4

Solution

This is confirmed by the pcap-filter man page (search for “byte offset”), although it does not provide additional information either.

My guess would be that libpcap refuses to create a program that compares three bytes at a time because the classic BPF programs it generates do not have instructions to directly support such comparisons. It can load one byte, one half-word (two bytes) or one word (four bytes) into one of the registers and compare it to a value, but it is not able to work with three-byte long values.

I suppose the workaround would be to compare the value in two steps, ether[0:2] then ether[2].

csv file to host.yaml for Nornir
What are the benefits of removing fragmentation from IPv6?
How to access kind control plane port from another docker container?
Possible bug with PHP PDO and with PostgreSQL
Why do packets larger than the MTU with the "Don't Fragment" flag set still get sent?
java.net.ConnectException: failed to connect to /192.168.253.3 (port 2468): connect failed: ECONNREFUSED (Connection refused)
Linux ip routing with multiple uplinks SINGLE interface
Two wired connection at the same time
Design not showing proper result in Omnet++ after defining the network in NED file
How do i access a deployed service's exposed port
Reserved MAC-addresses (some are assigned anyway?)
How can I deploy a helm packaged app to ArgoCD?
Is it possible to export data from Android Studio Network Inspector (Electric Eel or later)
ktor upload file based on curl example
Can I resolve a domain without a port?
Check for internet connectivity in NodeJs
NSURLErrorDomain Code=-1009 "The internet connection appears to be offline
Is there a way to check if a certain port is open on server?
Peer to Peer Network in Go
How to specify a CIDR block that covers only one address?
Why does sending an email need multiple mail server hops?
C Programming: Check if the IP address is added on any given NIC
Unknown `InternetAddress` calls in log of the Dart Network Tool
Is there a way to debug why a chrome request was queued?
Shutting a ThreadPoolExecutor down with a KeyboardInterrupt
How do you find the list of all the supported HTTP methods by a webserver?
Kibana error: Unable to retrieve version information from Elasticsearch nodes. socket hang up
Is it possible to disable the network in iOS Simulator?
Can I determine the current IP from a known MAC Address?
Writing raw IP packet in Go using Conn.Write