Commit Graph

522 Commits

Author SHA1 Message Date
guy
8d35bf0e1c Fix some comments to reflect current reality. 2000-12-23 20:48:13 +00:00
guy
16011e473a It's a bit more convenient for Ethereal if the "sll_protocol" field is
at the end of the link-layer header; put it there.

Put in a comment indicating that the layout of the link-layer header
shouldn't be changed; if a new header is necessary, a new DLL_ type
should be introduced for it.
2000-12-23 07:52:11 +00:00
guy
737c58073a Put the LINUX_SLL_P_ definitions back, and check for at least some of
them in "print-sll.c" - as a cooked-mode capture may be reading from
non-Ethernet, non-802.x devices, it may well see some
ETH_P_/LINUX_SLL_P_ types that don't mean "this is an 802.2 LLC frame".

We currently assume that the ETH_P_ values won't change in the kernel,
so we don't have to explicitly map them.

In various link-layer packet printers, if we don't handle the next layer
up of packet type, and are printing the link-layer header, use the
correct pointer to that header (i.e., if we've stepped "p" past the
link-layer header, don't use "p", use a pointer to the beginning of the
packet), and use the correct length (i.e., if we've subtracted the
length of the link-layer header, add it back in, so that we always print
the full packet length).
2000-12-22 22:45:09 +00:00
guy
4154b2a823 Update a comment. 2000-12-22 12:18:32 +00:00
guy
71eb51233f Add support for a new link layer type DLT_LINUX_SLL, for use when doing
live captures with a "cooked" (SOCK_DGRAM) rather than a "raw"
(SOCK_RAW) PF_PACKET socket; it includes a bunch of the fields from the
"struct sockaddr_ll" you get in a "recvfrom()", including the Ethernet
protocol field.
2000-12-21 10:43:19 +00:00
itojun
ce3c0b3c62 fix A6 decoding. 2000-12-20 05:09:56 +00:00
guy
7c298117dd Update Alfredo Andres's e-mail address, as per his request. 2000-12-18 08:16:58 +00:00
guy
d7254f081d Pass only I frames and UI frames to the NetBEUI printer; thanks and a
tip of the Hatlo hat to Pascal Hennequin <pascal.hennequin@int-evry.fr>
for catching this one.

Also, the control field in an S or I frame is little-endian; treat it as
such, fixing various #defines in "llc.h" to match.
2000-12-18 07:55:36 +00:00
guy
7c4458eb6a Making "extracted_ethertype" static to "print-ether.c" broke other
dissectors that expected calls to "llc_print()" to set it.  (Thanks and
a tip of the hat to Olaf Kirch <okir@caldera.de> for noticing this.)

Make "ether_encap_print()" and "llc_print()" take a pointer to an
extracted-Ethertype variable as an argument, have "llc_print()" pass it
to "ether_encap_print()", and have "ether_encap_print()" set what it
points to rather than setting a static "extracted_ethertype" variable.

Get rid of said static "extracted_ethertype" variable in favor of one
local to "ether_if_print()", just as other link-layer dissectors have
local "extracted_ethertype" variables.
2000-12-18 05:41:58 +00:00
guy
93b36b0a34 Give a bunch of files RCS and SCCS IDs. 2000-12-17 23:13:32 +00:00
guy
4881292df0 Give a bunch of files RCS and SCCS IDs. 2000-12-17 23:07:48 +00:00
guy
364f621bdf Add in one missing CHANGES entry. 2000-12-17 19:37:57 +00:00
fenner
cd19693679 Update config.guess and config.sub to revision 2000-12-15
from ftp://ftp.gnu.org/gnu/config/
2000-12-17 15:16:51 +00:00
guy
aa22569a90 Handle DLT_NULL correctly - the AF_ value is in host byte order, which
may not be *our* byte order if we're reading a capture file from another
machine; we currently handle that by checking whether it looks like an
integer < 65536 or not and, if it's not, byte-swap it.

This also lets us handle OpenBSD DLT_LOOP as well - it's like DLT_NULL
except that the AF_ value is in *network* byte order.

(Old-style Linux loopback captures were also DLT_NULL, but the header
had an Ethernet type in it; there have also been captures where the
header was a PPP header.  For now, we just continue to assume that all
DLT_NULL packets are IP, and check the IP version field to decide
whether it's IPv4, IPv6, or something else.

We may want to consider adopting Ethereal's heuristics, which would at
least mean we wouldn't be reporting bogus packet types for old-style
Linux loopback captures and those weird PPP - ISDN4BSD? - captures,
although the version of libpcap that goes with this version of tcpdump
doesn't produce bogus DLT_NULL captures for Linux loopback devices.)
2000-12-16 22:00:50 +00:00
guy
86eb0bec35 Clean up promiscuous mode, when using SOCK_PACKET, as best we can;
remember which pcap_t's were opened (with SOCK_PACKET) in promiscuous
mode on interfaces not already in promiscuous mode, turn promiscuous
mode off when closing such a pcap_t, and arrange that, when the program
exits, all pcap_t's of that sort not already closed have their
interfaces taken out of promiscuous mode.  (It's not sufficient to do
this on exit - applications may close a pcap_t without exiting, e.g.
Ethereal.)

This won't always work right (if somebody else requests promiscuous mode
after it's opened by libpcap, we'll turn promiscuous mode off when we
close the pcap_t, and if the program doesn't exit cleanly, it won't
clean up the interfaces), but neither of those problems are fixable -
the only way to get things to work correctly is to use PF_PACKET
sockets, which requires a 2.2 or later kernel.

On a 2.0[.x] kernel, when doing a "recvfrom()" on a SOCK_PACKET socket
to read a captured packet, don't pass a byte count value based on the
snapshot length - "recvfrom()" won't return the actual packet length if
you do that.  (2.2 and later kernels will return the actual packet
length if MSG_TRUNC is passed in.)

Update the documentation to reflect improved Appletalk support.
2000-12-16 10:57:26 +00:00
guy
f243e70b91 The stuff in the "linux-include" directory is no longer needed, as we no
longer depend on the OS's header files for packet format and packet
field value definitions; get rid of the stuff in that directory.
2000-12-16 09:07:45 +00:00
itojun
f3b1a28284 add mobile-ip6 option handling. patches@tcpdump.org #113
from Timo Koskiahde.
2000-12-13 07:57:04 +00:00
itojun
8e338956f8 print SPI in hex. 2000-12-12 09:58:40 +00:00
itojun
8f9b0fb4a1 do not try to pass pointer to data-on-stack. broken during align-friendly fix. 2000-12-12 09:20:26 +00:00
itojun
9eb2750139 regen, have HAVE_BPF_DUMP 2000-12-12 09:19:27 +00:00
fenner
97fdf34d3f Regenerate. 2000-12-09 19:09:55 +00:00
fenner
f5c79aedbe Allow tcpdump to work with earlier libpcaps.
(Tested with libpcap-0.4 as comes with FreeBSD 3.4)
2000-12-09 02:58:45 +00:00
guy
0f2d613352 Get rid of blank line at the end - it causes two lines to be generated
in "version.c", both defining the "version" variable.
2000-12-08 07:35:00 +00:00
mcr
364b683b89 preliminary edits for 3.6 2000-12-08 06:59:10 +00:00
guy
393ce0607f The control field of an LLC frame is 1 byte for a U frame and 2 bytes
for an S or I frame; have the LLC dissector pass the control field value
as an argument to the NetBEUI dissector, rather than having the NetBEUI
dissector extract the control field value itself, and have it pass a
pointer to the beginning of the LLC *payload* rather than to the control
field.

Keep the NetBEUI dissector from running past the end of the buffer.

Add support for the NetBEUI SESSION ALIVE frame.
2000-12-05 06:42:47 +00:00
guy
dbd42e772c Fix a "printf". 2000-12-05 05:48:35 +00:00
guy
4c76b82852 If "-n" is specified along with "-e", print the address family value as
"AF <n>" for DLT_NULL captures.

Print the packet length for DLT_NULL captures when "-e" is specified
(somebody complained on "freebsd-isp" about the lack of any packet
length from tcpdump when capturing traffic on a "tunX" device).

Make sure we always print the packet length on PPP when "-e" is
specified (the person in question also complained that the packet length
disappeared between FreeBSD 2.2.8 and FreeBSD 3.4, which was the result
of a new "print-ppp.c" that didn't print the length).
2000-12-04 06:47:17 +00:00
fenner
f3e835f6be Updated patch from Jim Vaughan (especially fixing my stupid TCHECK() bugs) 2000-12-04 05:27:49 +00:00
fenner
e3e36b4b68 Add some truncation checks.
#include <netdb.h> for MAXHOSTNAMELEN on Solaris
Use EXTRACT_16BITS to extract 16-bit quantities
Print withdrawn routes if we think we can
Print must-be-zero attribute flags if they're not zero

Partly from: Jim Vaughn, http://www.tcpdump.org/lists/patches/107
2000-12-04 00:43:39 +00:00
guy
fb298cf2dd Add a bunch of checks to make sure we don't go past the end of the
packet.
2000-12-04 00:35:44 +00:00
fenner
0e6bd5e431 Use EXTRACT_* instead of memcpy() to extract numeric values to handle
byte orders properly.
2000-12-04 00:00:08 +00:00
fenner
0eeb5dba9d Undo spamming of rev 1.50 2000-12-03 23:45:37 +00:00
fenner
e89bfcd207 Update for new RFC's and IANA assignments. Many special-format options
are printed as binary strings.  Any of these that are in common use
can get their own printers.
2000-12-03 23:42:23 +00:00
guy
c6429d0f1b Don't print the value of a RADIUS attribute if the length is less than
or equal to 2 (the length includes the two bytes of type and length).

Don't print the values of RADIUS attributes that are supposed to be of a
particular length if they have a different length.

Don't use the result of "ctime()", unmodified, when printing an
attribute value; the string "ctime()" supplies includes a newline, which
we need to remove.

The "PRINT_HEX()" macro expands into code that modifies its first
argument; always set the variable in question to the appropriate value
before calling the macro.
2000-12-03 20:31:26 +00:00
itojun
8f002a3ccc do not try to compute tcp/udp checksum for fragmented datagram.
from: jinmei@kame.net
2000-11-17 19:08:14 +00:00
itojun
c237b80b77 simplify case statement 2000-11-12 15:16:16 +00:00
fenner
7a58cc284c Resize 2 statically allocated hostname buffers.
This was in http://www.tcpdump.org/lists/patches/89 , and also
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00%3A61/tcpdump-4.x.patch.v1.1
2000-11-10 17:52:02 +00:00
fenner
2576276449 Some verbose format diffs from Juergen Schoenwaelder 2000-11-10 17:34:10 +00:00
itojun
1395abcd2b repair IPv6 ESP decoder 2000-11-09 07:43:50 +00:00
itojun
5243609316 always print router renumber sequence number, even without -v. 2000-11-08 13:03:12 +00:00
itojun
a620483952 print sequence number in router renumber message. 2000-11-08 13:01:37 +00:00
itojun
ce233ff12b rrenum minor tweaks (endian conversion for reserved field printing) 2000-11-08 10:10:59 +00:00
itojun
f21bc658b8 unbroken BSDI build (should be revisited). from jinmei@kame.net 2000-11-08 09:41:39 +00:00
itojun
f91a43ad6c RFC2894 (router renumber) decoding. more to go. 2000-11-08 09:28:43 +00:00
itojun
335771982d correct router renumber bits to sync with RFC2894 (not used yet) 2000-11-08 07:10:58 +00:00
itojun
e35056d284 remove #ifdef no longer necessary (due to inclusion of icmp6.h into tcpdump kit) 2000-11-08 07:03:04 +00:00
fenner
721bd3430d Update for libsmi v0.2.x . Attempt to retain libsmi v0.1.x compatibility
(but didn't test it).
2000-11-04 22:50:23 +00:00
guy
029007b0fd Include the new "print-igmp.c" file. 2000-11-04 08:35:02 +00:00
fenner
6389dc2f6f Eliminate unused #includes 2000-11-02 18:02:52 +00:00
fenner
3c34fb6170 Add Wilbert de Graaf for IGMPv3 patches 2000-11-02 02:19:57 +00:00