those that always use 802.2;
those that never use 802.2;
Ethernet (where 802.2 is used for 802.3 and is not used for
Ethernet II);
correctly. This requires having two variables for the offset of the
network layer header, one for use with protocols that would not run atop
802.2 on Ethernet and would run atop 802.2+SNAP on link layers that
always use 802.2, and one for use with protosol that would run atop
raw 802.2 (no SNAP) on Ethernet and on link layers that always use
802.2.
Fix the network layer offset for 802.11, and the link-layer offset for
RFC 1483 ATM (there's no link layer, there's just 802.2 LLC).
"struct rtentry" (in <net/if.h> on some systems, e.g. Digital UNIX 4.0,
there are prototypes for kernel functions that include "struct mbuf *"
and "struct rtentry *" arguments, and they are included even if you're
just user-mode code).
We don't need to include <netinet/if_ether.h> unless we have
"ether_hostton()", and we don't need to include <net/if.h> unless we're
including <netinet/if_ether.h>, and we don't need to define "struct
mbuf" or "struct rtentry" unless we're including <net/if.h>.
"struct rtentry" (in <net/if.h> on some systems, e.g. Digital UNIX 4.0,
there are prototypes for kernel functions that include "struct mbuf *"
and "struct rtentry *" arguments, and they are included even if you're
just user-mode code).
define a structure used by <pcap-namedb.h>, and include <sys/socket.h>
before <netdb.h>, as <sys/socket.h> is included to define a structure
used by <netdb.h> (only a pointer to the first structure is used in
<pcap-namedb.h>, and only a pointer to the second structure is used by
<netdb.h>, so code will compile no matter which order you include them
in, but it's a bit cleaner to include <sys/socket.h> before <netdb.h>
and to include <netdb.h> before <pcap-namedb.h>). Indicate why we're
including <netdb.h> and <sys/socket.h>.
define a structure used by <pcap-namedb.h> (only a pointer to the
structure is used in <pcap-namedb.h>, so code will compile no matter
which order you include them in, but it's a bit cleaner to include
<netdb.h> first). Indicate why we're including <netdb.h>.
snoopheader" is a "struct irix5_timeval" rather than a "struct timeval",
by copying the "tv_sec" and "tv_usec" members of that structure to the
time stamp in a "struct pcap_hdr".
read packets is "p->bufsize" bytes long, not MAXDLBUF bytes long
("p->bufsize" is set to (MAXDLBUF * sizeof sizeof(bpf_u_int32))), so
supply that as the "maxlen" value in the "data" argument to "getmsg()".
"struct timeval" - on Solaris 7 and 8, when compiling in LP64 or I32LPx
mode, it's a "struct timeval32" (presumably so that bufmod doesn't have
to worry about whether the stream is being read by a 32-bit program or a
64-bit program). Set the "struct timeval" "pkthdr.ts" by copying the
individual members rather than by doing a structure assignment.
1. During termination processing set up by atexit() under a 2.0.x
kernel, if a socket had been previously closed and the handle freed
due to an error, pcap_close_all() and pcap_close_linux() would
nevertheless try to work with these structures and then crash.
pcap_close_linux() is now called directly when necessary during
error processing.
2. atexit() could get called more than once because the did_atexit
flag wasn't being set.
3. If iface_get_arptype() returns an error because the ioctl() call
failed (probably due to "no such device"), live_open_new() now
returns a fatal error to pcap_open_live() and the call to
live_open_old() is short-circuited.
4. Applications using libpcap would appear to listen on an interface
that was down.
a. iface_bind() and iface_bind_old() now check for pending errors
after bind(). In turn, pcap_open_live() now returns an error
status if there was a pending error after bind().
b. After draining the socket, set_kernel_filter() now checks to see
if the error was the expected EAGAIN and returns a fatal error
to pcap_setfilter() if not. In turn, pcap_setfilter() now
returns an error status if there was a network error.
5. pcap_setfilter() was putting an error message into errbuf after a
failed call to install_bpf_program(). This was unnecessary since
install_bpf_program() puts its own error message into errbuf.
return DLT_LINUX_SLL or not, and, if that flag is false, for those
interface types where we'd used DLT_LINUX_SLL, pick a DLT_ type that
works as well as possible in raw mode, or fail.
Pass 1 as that flag if we're using a PF_PACKET socket; pass 0 as that
flag if we're using a PF_INET/SOCK_PACKET socket.
For PF_INET/SOCK_PACKET sockets, try to get the link-layer type and map
it to a DLT_ value *before* turning promiscuous mode on, so that we
don't try to put the interface into promiscuous mode unless we know we
can handle its link-layer type (and thus that we can use the interface).
ARPHRD_IEEE80211_PRISM, for sniffing on Prism II-based 802.11 interfaces
and getting the special Prism header, so we should map it to
DLT_PRISM_HEADER.
the file descriptor flags; there's no guarantee that it will actually
*affect* the file descriptor flags (consider a memory-mapped capture
mechanism such as the Linux 2.4 mechanism, where all "non-blocking mode"
means is "don't do a 'select()' or 'poll()' if there aren't any new
packets in the memory-mapped buffer") or, in fact, that there are file
descriptor flags to affect (consider WinPcap).
Don't subtract "tp_drops" from "tp_packets" - "ps_recv", on BSD,
at least, includes packets dropped due to lack of buffer space,
so it should do so on Linux as well.
The "len" argument to "getsockopt()" is a value-result
parameter, initially containing the size of the buffer being
supplied; set it before the call.
Catch "getsockopt()" errors and, if it's an error other than
EOPNOTSUPP, return an error.
the current state of non-blocking mode; this allows us to implement, for
example, memory-mapped capture devices, where "pcap_read()" uses
"select()" or "poll()" to wait for packets to arrive, and hide that
implementation detail from applications using this API
("pcap_setnonblock()" would set or clear a non-blocking mode flag in the
"pcap_t", and the "select()" or "poll()" would not be done if the
"pcap_t" is in non-blocking mode).
information plus 802.11 header (as per Tim Newsham's stuff) and for some
flavor of Aironet 802.11 link-layer header (as per Doug Ambrisko's
FreeBSD patches).
that there may be compile-time or run-time problems with the
workarounds, suggest that people send in a detailed report and fall back
on DLPI if they have those problems, and suggest that if they construct
fixes for the problems they send them to patches@tcpdump.org.
Fix the white space.
guy