Compare Antrea BPF generation for PacketCapture to tcpdump / libpcap

[antoninbas]

This code generates BPF code for packet filters defined in the PacketCapture CRD: https://github.com/antrea-io/antrea/blob/main/pkg/agent/packetcapture/capture/bpf.go. The code is tested using manually-generated test cases: https://github.com/antrea-io/antrea/blob/main/pkg/agent/packetcapture/capture/bpf_test.go. This approach is tedious and error-prone, and limits the amount of testing we can do.

Given that the code attempts to mimic the BPF generation done by tcpdump, we should consider the following approach:

1. ask AI to generate comprehensive test inputs
2. use tcpdump to generate reference BPF code for the inputs
3. use our own code (PacketCapture implementation) to generate the BPF code:

   antrea/pkg/agent/packetcapture/capture/bpf.go

   Lines 375 to 379 in 930b29f

   	// compilePacketFilter acts as the main entry point for BPF filter generation.
   	// It inspects the IP family specified in the CRD and dispatches the request
   	// to the unified compiler with the appropriate protocol-specific handler
   	// (ipv4Handler for IPv4, ipv6Handler for IPv6).
   	func compilePacketFilter(packetSpec *crdv1alpha1.Packet, srcIP, dstIP net.IP, direction crdv1alpha1.CaptureDirection) []bpf.Instruction {

4. compare the generated BPF for equality
5. in case of difference, analyze whether the generated BPF is incorrect or equivalent for our purposes
6. if possible, update our own BPF generation to match the tcpdump one
7. commit all test cases and run them as part of CI

More background on the PacketCapture feature: https://github.com/antrea-io/antrea/blob/main/docs/packetcapture-guide.md
The reason for having our own BPF generation code is to avoid pulling in impractical runtime dependencies (e.g., libraries using libpcap and requiring cgo). In contrast, it is perfectly fine to use tcpdump offline to generate test cases.

[AR21SM]

Hi @antoninbas , I’m interested in working on this. The tcpdump-based reference approach for validating PacketCapture BPF generation looks solid. Happy to help move this forward.

[antoninbas]

This issue is reserved for the upcoming LFX mentorship term (Q1 2026). We will not be reviewing PRs for this issue, so please don't submit them.

Please keep the following in mind:

• don't DM / email mentors directly
• don't post comments on the Github issues for the LFX mentorship projects just to express your interest in participating
  don't announce on our Slack channel that you have submitted an application, there is no need. Feel free to ask for help though if something is not clear.
• if you want to tackle a "good first issue" ahead of application review, please open a PR directly and we will review it in a timely fashion. Do not post a comment on the Github issue asking to "get the issue assigned to you". What happens most of the time is we assign someone and they don't end up submitting a PR, or they don't do the task to completion, potentially denying someone else the opportunity to do it
• keep your cover letter short, no need to use any template
• pay close attention to the instructions for the test task (to be announced)
• don't submit a PR to antrea-io/antrea with your test task submission

I don't mean to sound callous, and I understand that submitting a complete application takes time, but it's also a big time commitment for us (mentors) and not following these rules just creates a lot of noise.

[antoninbas]

We have published the test task that will help us select the right candidate for the mentorship program: #7743

Please keep in mind the guidelines above.