3 private links
bpf filter: tcp src port not 22
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 6
(002) ldb [20]
(003) jeq #0x6 jt 4 jf 15
(004) ldh [54]
(005) jeq #0x16 jt 14 jf 15
(006) jeq #0x800 jt 7 jf 15
(007) ldb [23]
(008) jeq #0x6 jt 9 jf 15
(009) ldh [20]
(010) jset #0x1fff jt 15 jf 11
(011) ldxb 4*([14]&0xf)
(012) ldh [x + 14]
(013) jeq #0x16 jt 14 jf 15
(014) ret #0
(015) ret #96
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 6
If the ethernet type is 0x86dd (ipv6) go to 2
else go to 6
(002) ldb [20]
Load the 1 byte value at packet offset 20 (ipv6 next header)
(003) jeq #0x6 jt 4 jf 15
If the next header equals 6 (tcp) jump to 4, else jump to 15
(004) ldh [54]
Load the half word value from packet offset 54 (tcp source port)
(005) jeq #0x16 jt 14 jf 15
If the source port is 0x16 (22) jump to 14, else jump to 15
(006) jeq #0x800 jt 7 jf 15
If the eth type is 0x800 (ipv4) jump to 7, else jump to 15
(007) ldb [23]
Load the 1 byte value at packet offset 23 ( ip proto )
(008) jeq #0x6 jt 9 jf 15
If the ip proto equals 6 (tcp) jump to 9, else jump to 15
(009) ldh [20]
Load the half word value at packet offset 20 (flags + frag offset)
(010) jset #0x1fff jt 15 jf 11
Only look at the last 13 bits of the data
0x1fff == 0001 1111 1111 1111 (fragment offset)
If any of the data in fragment offset is true, jump to 15, else jump to 11
Essentially, if this packet is a fragment, return true for packet match
(011) ldxb 4([14]&0xf)
x = ip header len 4
In our case lets assume that we have a default size of 20 bytes.
(012) ldh [x + 14]
Load the half word at packet offset x+14 (in our case offset 20)
20 + 14 == 34
(013) jeq #0x16 jt 14 jf 15
If the value of packet offset 34 is 0x16 (tcp source port 22) jump to 14, else
jump to 15
(014) ret #0
Return a non-match
(015) ret #96
Return a match