I was rudely surprised to find that "tcpdump -h" wasn't printing a usage
message, and I'm the person who *added* the "-h" option. Make it "-H",
and add an explicit "-h" option to print a usage message, so nobody else
makes the same mistake. Also, don't clear opterr, so that if you give
an illegal command-line option, you get an explanatory error message.

Use the same heuristic Wireshark uses, i.e. assume that FreeBSD only
reports MCS indices between 0 and 15, and that any other values with the
0x80 bit set are rate values. (Yes, those do exist.)
Also note, as I did in Wireshark, that it might be possible to extract
from the XChannel and Flags field the additional information to convert
an MCS index from the Rate field into a rate. (Whether that's possible
depends on what platforms using the FreeBSD convention do with the
channel width and guard interval information.)

Based on patches from an anonymous donor, support the radiotap RX flags and
MCS fields, and the vendor namespace, and, if Channel and XChannel are
both present, use XChannel, not Channel.

Do not try to look up a rate for an MCS value from the Rate field; you
cannot map an MCS value to a rate without also knowing the channel width
and guard interval length.

Fetch the element length early in the process, rather than fetching it
each time we need it - even after we've advanced the pointer we are
using to fetch it (doing the latter means we fetch the wrong value when
we subtract it from the remaining length).

If we were able to get the flags, we should process them, so we know
whether there's Atheros padding after the 802.11 header or if there's an
FCS at the end of the packet, and properly process them; if we weren't
able to get the flags, they're 0, so we're not doing anything
differently, and that's the best we can do.

I give up. I have no access to the 802.11s drafts, I can't find
anything that suggests whether a heuristic check for an 802.11s header
should check for To DS and From DS both being set or either being set or
unset, or whether it should check for a QoS frame type (the examples in
all the documentation I can find have To DS and From DS set, and have a
QoS field, in the 802.11 header, but that might just be an example
802.11 header showing all the fields), so I'm just adding a -h
command-line flag; you need to specify it to get tcpdump to try to guess
whether a frame has a mesh header or not. I'll leave it up to somebody
else to figure out what the best heuristic for detecting the presence of
mesh headers is (note that tcpdump and Wireshark have different
heuristics, both of which can probably get false positives, especially
with encrypted frames where the first payload byte just *happens* not to
have any of the reserved bits in the mesh header flags set).

type we see, not the *last*, so the first one gets printed. If,
however, a rates IE has a zero-length list of rates, don't save that
one; some devices send out frames with two rates IEs, one zero-length
and a later one containing the actual rates.

Have parse_elements() return an indication of whether truncation
occurred - and pass it the frame length, so it doesn't just keep parsing
until an end-of-captured-data test fails, as that would make *every*
frame look truncated.

"present but truncated", and "not present", and don't have it return an
indication of whether we ran past the end of a packet - instead, have
the routines that handle particular management frame types use macros
that check what the status of a particular tagged parameter is and:
    print it if present and not truncated;

    skip it if not present;

    return a "packet truncated" indication if present but truncated.

This means we handle tagged parameters that aren't present, and print
parameters that are present and not truncated even if there's a
present-but-truncated field after them.

Add some additional bounds checks.

Make the table of rates bigger - there can be more than 8 rates in a
rates tagged parameter.

IEEE802_11_AP_LEN as the length of the previous AP in reassociation
frame.

Before copying variable-length fields from a management frame IE, make
sure the length isn't too large.
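
The tagged-parameter handling described in the messages above (length fetched once before the pointer advances, three-state status per parameter, first non-empty rates IE kept, length checked before copying), as an added sketch that is not tcpdump's own code. The names scan_elements, save_ie and struct mgmt_ies and the buffer sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

enum ie_status { NOT_PRESENT = 0, PRESENT, TRUNCATED };
enum { E_SSID = 0, E_RATES = 1 };           /* 802.11 element IDs */
enum { SSID_MAX = 32, RATES_MAX = 16 };     /* assumed buffer sizes */

struct mgmt_ies {
    enum ie_status ssid_status, rates_status;
    uint8_t ssid_len, ssid[SSID_MAX];
    uint8_t rates_len, rates[RATES_MAX];
};

/* Record one element; returns 0 if its length is too large for dst. */
static int save_ie(enum ie_status *st, uint8_t *dst, uint8_t *dst_len,
                   size_t dst_max, const uint8_t *body, uint8_t len, int cut)
{
    if (*st != NOT_PRESENT) return 1;       /* keep the first one seen */
    if (len > dst_max) return 0;            /* check before copying */
    *st = cut ? TRUNCATED : PRESENT;
    if (!cut) { memcpy(dst, body, len); *dst_len = len; }
    return 1;
}

/* Walk tagged parameters in p[0..caplen); frame_len is the on-wire length
 * of that region. Returns 0 on an over-long element, else 1. */
int scan_elements(struct mgmt_ies *out, const uint8_t *p,
                  size_t caplen, size_t frame_len)
{
    size_t end = caplen < frame_len ? caplen : frame_len;
    size_t off = 0;
    memset(out, 0, sizeof(*out));           /* everything NOT_PRESENT */
    while (end - off >= 2) {                /* stop cleanly at end of frame */
        uint8_t id = p[off], len = p[off + 1];  /* fetch length once, early */
        off += 2;
        int cut = len > end - off;          /* body runs past captured data */
        int ok = 1;
        if (id == E_SSID)
            ok = save_ie(&out->ssid_status, out->ssid, &out->ssid_len,
                         SSID_MAX, p + off, len, cut);
        else if (id == E_RATES && len != 0) /* ignore zero-length rates IE */
            ok = save_ie(&out->rates_status, out->rates, &out->rates_len,
                         RATES_MAX, p + off, len, cut);
        if (!ok) return 0;
        if (cut) return 1;                  /* nothing more was captured */
        off += len;
    }
    return 1;
}
```

A printer for a given management frame type would then check each status in order: print on PRESENT, skip on NOT_PRESENT, and report truncation on TRUNCATED.
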
rather than having a separate table; this makes it clearer that unknown
management frame types already have a message printed, and that you
have to add a call to print that if a new management frame type is
created.

we don't handle; there's no need to print "Unknown subtype N" as well.

Revert to using null strings for the unknown management frame types -
that way we don't have to check for a null pointer.

and make all unknown subtypes have null pointers and, if the pointer for
a subtype is null, print the subtype as "Unknown subtype".

Compute the sizes of the tables of authentication algorithm names,
status code strings, and reason code strings at compile time, and use
those values to check whether the value is in the table or not. Get rid
of trailing NULL pointers in those tables.

Fix a typo in one reason code string.

link-layer print routines if no other print routine claimed the packet.
Test whether that flag is set rather than testing whether neither of -x
or -q were specified, and have -x, -q, *and* -X set that flag, so that
-X suppresses it just as -x does. That way you don't get those packets
dumped twice if -X was specified.

between unsigned and signed (and pointers to same) without a case - the
IEEE80211_RADIOTAP_DBM_TX_POWER item is signed, so use "cpack_int8()" to
fetch it.

that if there's an error parsing the body, we at least see the type (and
so that the code to print the subtype isn't duplicated in every
body-printing routine).

appropriately, and that GNUmakefile and the MSVC++ project file define
it appropriately, as we do with libpcap, rather than defining it in
"interface.h".

Undo the rcsid-shuffling and addition of extra #includes, as we no
longer need to arrange that "interface.h" be included before using _U_
in an RCS ID or copyright.

use "_U_" in the definitions of "rcsid[]", to eliminate
complaints about those variables being unused;
move the definitions after the include of "interface.h", or add
an include of "interface.h", so that "_U_" is defined.

Include "config.h" before including "tcpdump-stdinc.h" in
"missing/datalinks.c".

[This patch] fixes some bugs and adds a new feature. Control
packets were showing as [|802.11] because tcpdump expected for
there to be an FCS on each one (wrong assumption). Also, even
if pieces of a control packet are missing, I have made tcpdump
print its type when it knows it. The new feature is that if
you give -v, the 802.11 Duration field (for virtual carrier
sense) is printed. This is useful for detecting
hardware/firmware bugs (!!) and for debugging the new crop of
802.11 drivers.

tcpdump.c. Have if_print routines return the length of the link-layer
header, so that the common code knows how to skip the link-layer header
when printing the packet in hex/ASCII.

beginning of the raw packet data, the captured length of the raw packet
data, and the length of the link-layer header, and:

    if "-e" was specified, prints all the raw packet data;

    if "-e" was not specified, prints all the raw packet data past
    the link-layer header, if there is any.

Use that routine in all the "xxx_if_print()" routines if "-x" was
specified.

Make "arcnet_encap_print()" static - it's not used outside
"print-arcnet.c".

Add missing info printing code to "atm_if_print()".

Print the packet data in "lane_if_print()", not in "lane_print()", as
"lane_print()" can be called from other "xxx_if_print()" routines, and
those routines will also print the packet data if "-x" was specified -
no need to print it twice.

dissector really needs source and destination MAC addresses, we should
make global pointers to them - which would be null for packets lacking
MAC addresses, so dissectors that need them will need to do something
sensible if those pointers are null.)

Don't fake up an Ethernet header if there aren't any MAC addresses to
use when faking it up.

"bp_chaddr" in "print-bootp.c" is an array, so "bp->bp_chaddr" cannot be
null, and there's no need to test for it not being null.