those that always use 802.2;
those that never use 802.2;
Ethernet (where 802.2 is used for 802.3 and is not used for
Ethernet II);
correctly. This requires having two variables for the offset of the
network layer header, one for use with protocols that would not run atop
802.2 on Ethernet and would run atop 802.2+SNAP on link layers that
always use 802.2, and one for use with protosol that would run atop
raw 802.2 (no SNAP) on Ethernet and on link layers that always use
802.2.
Fix the network layer offset for 802.11, and the link-layer offset for
RFC 1483 ATM (there's no link layer, there's just 802.2 LLC).
define a structure used by <pcap-namedb.h> (only a pointer to the
structure is used in <pcap-namedb.h>, so code will compile no matter
which order you include them in, but it's a bit cleaner to include
<netdb.h> first). Indicate why we're including <netdb.h>.
This allows correct compilation of multiple expressions
containing the "vlan" keyword in the same program.
Reported by: Jon Dugan <jdugan@ncsa.uiuc.edu>, on the bro@lbl.gov list
<Miklos.Szeredi@eth.ericsson.se> - "pcap_ether_aton()" allocates memory
for the MAC address, but we don't free it when we're done with it.
Code inspection revealed that there's a similar problem with
"pcap_ether_hostton()"; fix that as well.
Ethernet, so, at least on Ethernet, when checking for IPX frames, check
for all of them, including Ethernet_II and Ethernet_SNAP.
Add an "llc.h" file with LLC SAP values, taken from tcpdump's "llc.h"
file, and use those, rather than defining them ourselves in "gencode.c".
for "Novell 802.3" frames, which are 802.3 frames (i.e., the type/length
field is a length field, i.e. it's <= ETHERMTU) with 0xFFFF as the first
2 bytes. We don't yet check for ETHERTYPE_IPX as well.
When checking for OSI packets on Linux cooked captures, check for 802.2
frames by testing the packet type for LINUX_SLL_P_802_2 rather than by
checking whether the type field is <= ETHERMTU (it's always a type field
in DLT_LINUX_SLL captures).
Set "off_linktype" to the correct value for the offset of the Ethernet
type field in the fake header for Linux cooked captures, so that the
correct code is generated for tests of that field.
Ring, and RFC 1483-style ATM, as well as on Ethernet.
Support checking for LLC SAP protocols other than OSI protocols on
Ethernet - for now, we check only the DSAP on those, rather than
checking both the DSAP and SSAP as we do for OSI, as I think, in some
cases, the SSAP isn't the same as the DSAP.
When generating protocol type checks on link-layer types with no type
field, where packets are always IP (SLIP, BSD/OS SLIP, raw IP), generate
a "test" that always succeeds if the protocol being checked for is IP or
IPv6 and a "test" that always fails otherwise. (We originally did
"gen_true()" if the protocol is IP, and bogusly generated code to check
the field at an offset of -1 otherwise; a subsequent change caused us
always to do "gen_true()", but that doesn't properly handle attempts to
check for other protocols - those attempts should generate code that
always fails, meaning that if you try to look for ARP packets in such a
capture the BPF compiler will return "expression rejects all packets" as
an error - and still generated extra code not all of which was removed
by the optimizer. The current code generates no *more* BPF code.)
Add "stp", which checks for the LLC SAP for the Spanning Tree Protocol.
live captures with a "cooked" (SOCK_DGRAM) rather than a "raw"
(SOCK_RAW) PF_PACKET socket; it includes a bunch of the fields from the
"struct sockaddr_ll" you get in a "recvfrom()", including the Ethernet
protocol field.
This requires us to rewrite the BPF program if we're stuffing it into
the kernel; as long as we're doing *ex post facto* rewriting, we might
as well also do the "ret <snaplen>" -> "ret 65535" fixup there as well,
rather than in the code generator.
means that we should "htonl()" it before using it in BPF expressions
*but*, if we're reading a capture file from a machine with the opposite
byte order from ours, we should byte-swap it before "htonl()"ing it.
Handle OpenBSD DLT_LOOP as well - it's like DLT_NULL except that the AF_
value is in *network* byte order.
Don't support checking for inbound or outbound packets except on those
data link types that supply an inbound/outbound qualifier (DLT_SLIP and
DLT_PPP) - this came from OpenBSD's libpcap, delta 1.12 to "gencode.c".
"ether host XX:XX:XX:XX:XX:XX", but the device on which you're capturing
isn't a device with Ethernet-style link-layer addresses, report
"ethernet addresses supported only on ethernet, FDDI or token ring", not
"ethernet address used in non-ether expression", as the error.
"pcap_compile()", rather than a routine that duplicates a lot of code in
"pcap_compile()", so that we don't run the risk of having
"pcap_compile_nopcap()" fail to take actions that "pcap_compile()"
takes.
as DLT_ values are defined with decimal values in "net/bpf.h".
Cast the last argument to "gen_cmp()" to "bpf_int32", not "long", as
it's a "bpf_int32".
#5228, to correctly check for Appletalk for EtherTalk phase II - they
use 802.3 with LLC SNAP packets, rather than D/I/X Ethernet packets.
His patch made "atalk" check for Appletalk ARP as well as other
Appletalk packets; I've instead added a separate "aarp" packet type,
leaving "atalk" checking only for ETHERTYPE_ATALK, so you can check for
ETHERTYPE_ATALK, ETHERTYPE_AARP, or both.
filter, always attach a copy, as "pcap-linux.c" does; that way, after a
program uses "pcap_setfilter()", it can safely use "pcap_freecode()" to
free up the BPF instructions allocated by "pcap_compile()". Also,
always free it up when the "pcap_t" is closed.
Get rid of the "pcap_t *" argument to "pcap_freecode()", as it's not
necessary.
Document "pcap_freecode()", for the benefit of programs that might
repeatedly compile filter programs and attach them, so that they can
free them up after attaching them and avoid leaking memory for them.
"pcap_compile()", not just if we return with an error, so that we don't
leak memory by allocating a Flex buffer for the expression to be parsed
but not freeing it.
letting you filter based on the VLAN to which a packet belongs, and an
improvement to the printing of VLAN packets (adding an extra space to
separate the VLAN priority and flags from the next stuff printed).
application won't build with any other version of libpcap, which means
that a lot of applications won't use them. In addition,
"pcap_linktype()" needs to return DLT_ values, so that platforms that
build libpcap as a shared library won't break binary compatibility if
they update to this version of libpcap.
Instead, we map from DLT_ values to LINKTYPE_ values when writing
savefiles, and map from LINKTYPE_ values to DLT_ values when reading
savefiles, so that savefiles don't have platform-dependent DLT_ values
in the header as the link type, they have platform-independent LINKTYPE_
values.
This means we don't need to make DLT_ATM_RFC1483, DLT_RAW, etc. have
platform-independent values starting at 100 - only the values in the
savefile header need to be like that.
"linux-includes/netinet/if_ether.h" to "ethertype.h", and remove
includes of <netinet/if_ether.h> from files that only include it to get
ETHERTYPE_ values defined.
the equivalent PCAP_ENCAP_ codes to the corresponding PCAP_ENCAP_ code
so that the code generator need check only the PCAP_ENCAP_ codes.
Handle PCAP_ENCAP_PPP_HDLC just like PCAP_ENCAP_PPP.
itojun