tech-net: Re: converting bpf programs back to text ??

Subject: Re: converting bpf programs back to text ??
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Assar Westerlund <assar@sics.se>
List: tech-net
Date: 06/18/2000 12:59:43

Darren Reed <darrenr@reed.wattle.id.au> writes:
> but when printing them out, this is the best I can do for now:
> 
> 10557 pass in  { bpf_prog len 48 }
> 27 pass in  { bpf_prog len 128 }
> 383 pass in proto tcp from any to any
> 
> anyone got a tool that'll do the right thing here and convert the
> bytecode back ? O:-)

I'm not aware of anything better than `tcpdump -d' which probably is
not what you want by a long shot.  It also seems hard to convert the
bytecode back into expressions.  Can't you keep a copy of the original
expressions around?

/assar