Question

What is the simplest way to verify a BPF filter as a normal user?

Easiest I have found is to run tcpdump with a small pcap file as input to the -r option.

$ tcpdump -r one_packet.pcap -F invalid_bpf.conf 2> /dev/null ; echo $?
1
$ tcpdump -r one_packet.pcap -F valid_bpf.conf 2> /dev/null ; echo $?
0

Returns standard error codes for invalid or valid BPF filters. This requires that I have a PCAP file to provide as input.

Is there a way to do this simple test without a PCAP file or special privileges?


Solution

IF you have a shell that has a built-in "echo" command that supports escape sequences, one somewhat-perverse way of doing this would be to do

echo -en "\0324\0303\0262\0241\02\0\04\0\0\0\0\0\0\0\0\0\0377\0377\0\0\01\0\0\0" |\
    ./tcpdump -r - -F bpf.conf 2>/dev/null; echo $?

This worked for me on OS X 10.8, which has bash 3.2.48(1)-release (x86_64-apple-darwin12).

That "echo" command writes out a short pcap file with no packets in it, and with a link-layer header type of DLT_EN10MB. That will test whether the filter is valid for Ethernet; there are filters that are valid for some link-layer header types but not valid for others, such as "not broadcast", which is valid for Ethernet but not for PPP, so you'll need to choose some link-layer header type to use when testing.
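The 24 bytes that echo emits are just the pcap global header (magic 0xa1b2c3d4 little-endian, version 2.4, snaplen 65535, link type 1 = DLT_EN10MB) with no packet records after it. The script below is an added example, not code from the question or answer: it builds that header with struct.pack for any link-layer type, so the same filter can be checked against Ethernet, PPP and Linux cooked captures, and feeds it to tcpdump on stdin exactly as the answer does. It passes the filter as a command-line expression rather than via -F, and returns None when tcpdump is not installed. The DLT values are the standard pcap link-layer header type numbers; the filter strings in main() are constructed samples.

```python
import shutil
import struct
import subprocess
from typing import Optional

# Standard pcap link-layer header type numbers.
DLT_NULL = 0        # BSD loopback
DLT_EN10MB = 1      # Ethernet; the type the answer's echo command hardcodes
DLT_PPP = 9         # PPP, on which "broadcast" is not a valid primitive
DLT_LINUX_SLL = 113 # Linux "cooked" capture

PCAP_MAGIC = 0xA1B2C3D4  # written little-endian, appears as d4 c3 b2 a1 on disk


def pcap_global_header(linktype: int, snaplen: int = 65535) -> bytes:
    """Return the 24-byte pcap file header of a capture holding zero packets.

    Layout (all little-endian): magic u32, version_major u16, version_minor u16,
    thiszone i32, sigfigs u32, snaplen u32, linktype u32.
    """
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


# Byte-for-byte transcription of the answer's echo -en string, kept for comparison.
ECHO_BYTES = bytes(
    [0o324, 0o303, 0o262, 0o241, 0o2, 0, 0o4, 0]
    + [0] * 8
    + [0o377, 0o377, 0, 0, 0o1, 0, 0, 0]
)


def check_filter(filter_expr: str, linktype: int = DLT_EN10MB,
                 tcpdump: str = "tcpdump") -> Optional[int]:
    """Compile `filter_expr` for `linktype` by piping an empty pcap into tcpdump.

    Returns tcpdump's exit status: 0 means the filter compiled, 1 means it was
    rejected (syntax error or primitive unsupported on this link type).
    Returns None if no tcpdump binary is on PATH. No capture privileges are
    needed because tcpdump only reads the header from stdin.
    """
    if shutil.which(tcpdump) is None:
        return None
    proc = subprocess.run(
        [tcpdump, "-r", "-", filter_expr],
        input=pcap_global_header(linktype),
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        check=False,
    )
    return proc.returncode


def main() -> None:
    # Constructed sample filters: one valid everywhere, one link-type dependent,
    # one with a syntax error.
    cases = [
        ("tcp port 443", DLT_EN10MB),
        ("not broadcast", DLT_EN10MB),
        ("not broadcast", DLT_PPP),
        ("tcp and and udp", DLT_EN10MB),
    ]
    for expr, dlt in cases:
        status = check_filter(expr, dlt)
        verdict = "tcpdump not found" if status is None else ("valid" if status == 0 else "invalid")
        print(f"DLT {dlt:3d}  {expr!r:22s} -> {verdict}")


if __name__ == "__main__":
    main()
```

Reading the header from stdin means no temporary file is needed, and because the capture contains no packet records tcpdump exits immediately after compiling the filter, so the exit status reflects only whether the filter is valid for the chosen link-layer type.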

Licensed under: CC-BY-SA with attribution