no_optimize - we check, instead, whether the kernel rejected the
program).
Move the initialization of the bpf_dltlist structure right before its
first use.
don't have PF_PACKET support; #ifdef it out.
Move the code to compute the buffer size into live_open_new() and
live_open_old(), as it's dependent on the mechanism being used; there's
little code shared between the two variants.
the tcpdump manual page, so that documentation for other applications
using libpcap can refer to it.
Update pcap(3) to refer to it - and not to suggest sending patches to
patches@tcpdump.org, which is a spam magnet that's no longer read by
anybody.
move it into pcap-sita.c, and make --with-sita set the pcap type to
"sita", so we build pcap-sita.c instead of, rather than in addition to,
pcap-linux.c.
Use "bpf_u_int32" rather than "ulong" in the SITA code, as it's intended
to be 32 bits long (the "l" in "htonl()" and "ntohl()" is historical -
they work on 32-bit quantities, and the "l" dates back to the days when
32-bit processors were a bit newer and 16-bit Unix was more common).
Those changes also, at least in theory, makes the SITA support work on
other Unix-compatible platforms; note that in README.sita.
Clean up pcap-sita.c, making routines no longer called outside it
static, folding trivial wrappers, and fixing various warnings.
Put the routines used by fad-sita.c and defined by pcap-sita.c into
pcap-sita.h. Remove from pcap-sita.h the files that are now static to
pcap-sita.c. Include pcap-sita.h in both fad-sita.c and pcap-sita.c, so
that we do cross-file prototype checking.
Add some additional checks to bpf_validate(), from OpenBSD.
Use bpf_validate() in install_bpf_program(), so we validate programs
even when they're being processed by userland filters; we make
bpf_validate() not reject backward branches, as we use them for the
protochain operator.
For BPF, don't assume that, just because no_optimize was set, we have a
program that we can't hand to the kernel; the user of the application
might have specified no optimization (e.g., tcpdump with -O), or we
might have generated code to handle 802.11 headers (the optimizer can't
handle that code). Instead, try handing the filter to the kernel and,
if that fails, try it in userland.
Get rid of BPF_MAXINSNS - we don't have a limit on program size in
libpcap.
to users of pcap_file() that the resulting FILE * might refer to a file
> 2GB and a suggestion that they use large-file-capable calls on it or
on the result of passing it to fileno() if at all possible.
some versions that support those options don't support disabling yyunput
by defining YY_NO_UNPUT.
If it doesn't support those options, don't check if it supports
generating reentrant scanners, as we can't add any --noFUNCTION options
to suppress generation of functions.
for -o and Flex's support for it in a way that lets us more easily fail
if Lex/Flex fails (so that we don't try to compile a bogus scanner.c
that might be generated; that appears to have happened on at least one
occasion, with the resulting scanner.o missing some functions, causing
weird errors in configure scripts for programs using libpcap), and also
prepares us to handle newer versions of Flex where we want Flex to
generate a header file so we don't get "defined but not declared"
warnings.
always 144 bytes long. However, some drivers on Linux use
ARPHRD_IEEE80211_PRISM, but sometimes or always supply an AVS header, so
we have to check whether the radio header is a Prism header or an AVS
header, so, in practice, it's variable-length.
Treat DLT_PRISM_HEADER as having a variable-length header, and generate
code to find the length of the Prism header that first checks for an AVS
header and, if we have an AVS header, gets the length from the header,
and otherwise just gets a length of 144. This fixes Sourceforge bug
1847574.
Sort various references to the radio headers (case labels, functions,
etc.) into the same order (Prism, AVS, radiotap), for consistency. Put
PPI after them all.
Handle 802.11 and 802.11-plus-radio-header with a common case when
initializing.
hopefully I'm inferring correctly from the mon_bin_poll() routine that,
even with purely-mmapped access, you can use select() or poll() to wait
for packets to arrive.
some sscanf() calls:
The first change involves a sscanf() that has '%n' in the format
string, which shouldn't be checked for in the return value
(stored in "ntok"). This is done correctly elsewhere in the code
(and even commented on) such that the return value is checked for
everything but the %n modifier.
And a few lines after this, a sscanf() is done for '%d' and the
return value is stored in "ret". However, the same exact line
from the above mishap is used here, not even checking the right
variable or number of conversions! It checks "ntok" for 2 when
it should check "ret" for 1.
Changing the behaviour when the ERF type is unknown, and for ERF
TYPE_PAD.
Unknown ERF types can always be captured as DLT_ERF. TYPE_PAD
records are dropped silently.
payload, the existing value of that offset is *not* in the X register -
the offset of the MAC header is in the X register. Load the register
containing the offset of the MAC payload, add 2 to it, and store the
result back in that register.
802.11 headers - we only handle the QoS bit and fields, for now.
Clean up various other things either in the process of doing that or as
a requirement for doing that.
before compiling an expression; pcap_compile() can be called more than
once, and some registers can now be allocated and not freed in the
process of code generation (for example, the register allocated to hold
the length of a radiotap header, which can't be freed until we're
finished generating all the code).
guy