centralize the MPLS check into gen_linktype() and backout the
specific checks in gen_proto_abrev(), gen_proto(), gen_host()
this adds as a by-product support for IPv6
if we have a MPLS label stack deeper > 1 then generate a match
for a cleared bottom-of-stack-bit of the previous MPLS shim header
rather than just incrementing the offset;
if there is a combined expression of MPLS and IP like e.g.
"mpls && ip" | "mpls && ip host" | "mpls && ip src net"
then poison the linkoffset to make sure that other code generators
do not try to match link-layer protos like Q_ARP, Q_RARP etc.
introduce a new function gen_null() that matches against the first nibble
of the IP header and matches if the bottom-of-stack bit is set;
TODO: IPv6 stuff i.e. gen_host6() etc.
the mpls stack processing is broken:
for example "mpls 10000 && mpls 20000" does produce

reading from file ppp.pcap, link-type PPP (PPP)
(000) ldh [2]
(001) jeq #0x00000281 jt 2 jf 11
(002) ld [4]
(003) and #0xfffff000
(004) jeq #0x02710000 jt 5 jf 11
(005) ldh [6]
(006) jeq #0x00000281 jt 7 jf 11
(007) ld [8]
(008) and #0xfffff000
(009) jeq #0x04e20000 jt 10 jf 11
(010) ret #1514
(011) ret #0

the extra match for 0x281 at instruction #6 is broken and
a copy&paste artifact from the vlan code generator, which
in contrast does require the VLAN tag 0x8100 at every instance
inside a VLAN stack;
correct code should be:

(000) ldh [2]
(001) jeq #0x281 jt 2 jf 9
(002) ld [4]
(003) and #0xfffff000
(004) jeq #0x2710000 jt 5 jf 9
(005) ld [8]
(006) and #0xfffff000
(007) jeq #0x4e20000 jt 8 jf 9
(008) ret #1514
(009) ret #0
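
Added example (not part of the commit or of libpcap): a minimal interpreter for the five classic BPF opcodes used in the two listings above, run over a constructed PPP packet carrying MPLS labels 10000 and 20000, to show that the old program rejects a packet the corrected one accepts. The names insn, run_filter, broken, fixed and pkt are hypothetical; the opcode values are the standard classic BPF encodings, and jt/jf are stored as relative skips where the listings print absolute targets.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction (hypothetical struct name); jt/jf are relative skips. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDW = 0x20, LDH = 0x28, AND = 0x54, JEQ = 0x15, RET = 0x06 };
/* Code generated before the fix: re-tests the PPP protocol field at [6]. */
static const struct insn broken[] = {
    {LDH,0,0,2}, {JEQ,0,9,0x0281},
    {LDW,0,0,4}, {AND,0,0,0xfffff000}, {JEQ,0,6,0x02710000},
    {LDH,0,0,6}, {JEQ,0,4,0x0281},
    {LDW,0,0,8}, {AND,0,0,0xfffff000}, {JEQ,0,1,0x04e20000},
    {RET,0,0,1514}, {RET,0,0,0},
};
/* Corrected code: goes straight to the next shim header at [8]. */
static const struct insn fixed[] = {
    {LDH,0,0,2}, {JEQ,0,7,0x0281},
    {LDW,0,0,4}, {AND,0,0,0xfffff000}, {JEQ,0,4,0x02710000},
    {LDW,0,0,8}, {AND,0,0,0xfffff000}, {JEQ,0,1,0x04e20000},
    {RET,0,0,1514}, {RET,0,0,0},
};
/* Constructed packet: PPP ff 03, proto 0x0281, label 10000 (S=0), label 20000 (S=1). */
static const uint8_t pkt[] = { 0xff,0x03,0x02,0x81, 0x02,0x71,0x00,0x40, 0x04,0xe2,0x01,0x40 };

/* Returns the snap length of the matching RET, or 0 when the packet is rejected. */
static uint32_t run_filter(const struct insn *f, size_t n, const uint8_t *p, size_t len)
{
    uint32_t a = 0; size_t w;
    for (size_t i = 0; i < n; i++) {
        uint32_t k = f[i].k;
        switch (f[i].code) {
        case LDH: case LDW:
            w = (f[i].code == LDH) ? 2 : 4;
            if (len < w || k > len - w) return 0;   /* load past end: reject */
            for (a = 0; w > 0; w--) a = a << 8 | p[k++];
            break;
        case AND: a &= k; break;
        case JEQ: i += (a == k) ? f[i].jt : f[i].jf; break;
        case RET: return k;
        default:  return 0;                          /* opcode not modelled */
        }
    }
    return 0;
}
int main(void)
{
    printf("broken=%u fixed=%u\n", (unsigned)run_filter(broken, 12, pkt, sizeof pkt),
           (unsigned)run_filter(fixed, 10, pkt, sizeof pkt));
    return 0;
}
```

In the old program the halfword loaded at [6] is the tail of the first shim header (0x0040 in this packet), so the comparison with 0x281 fails and the filter falls through to ret #0.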
including those with fixed-length radio headers (it already refers to
the 802.11 header for radiotap).
Add a new "radio" keyword, to allow access to the radio header. In
theory, something to allow testing for specific signal strengths, etc.
might be useful, but radiotap makes that difficult as the code can't
loop through the header looking for the signal strength field, the loop
has to be unrolled, and some of the other headers might not have
standardized the meaning of some of the fields, so we require the user
to construct such a filter themselves, for now.
value arguments are to other routines. Do the same with the value
argument to "gen_atmfield_code()".
"gen_load_a()" can return more than one statement; append to the list of
statements it returns with "sappend()", rather than manually appending
to the first statement.
Fix the argument list to one "gen_ncmp()" call, and get rid of the casts
in the other calls, as the arguments already have the right types.
Fix the casts in calls to "gen_atmfield_code()".
takes an argument indicating what the offset is relative to.
Make the various comparison generators take an argument of that sort as
well.
Tweak the arguments to "gen_ncmp()" to match those of the other
comparison routines, and make all the other comparison routines just
call "gen_ncmp()".
of the link-layer, network-layer, and transport-layer (assuming the
network layer is IPv4) headers. This makes it a bit clearer what stuff
would be changed for variable-length link-layer headers or
variable-length pseudo-headers before the link-layer header.
don't have __attribute__ support in the compiler.
While we're at it, get rid of the declaration of bpf_error() in
gencode.c, as it's already declared in gencode.h.
What it does includes checking whether the packet is of the type
specified by the <proto> argument, so there's no need to add such a
check when checking whether the ISO protocol type field has a particular
value; remove the extra check against the ISO protocol.
Fix a typo in a comment.
"gen_ether_linktype()" and "gen_linux_sll_linktype()", as well as
"gen_linktype()".
Add comments for those routines to indicate how they handle the protocol
type argument.
In "gen_linux_sll_linktype()", merge together the handling of
LLCSAP_ISONS, LLCSAP_IP, and LLCSAP_NETBEUI, as was done in
"gen_ether_linktype()" and "gen_llc_linktype()".
Merge the code to handle the LLCSAP_ISONS, LLCSAP_IP, and
LLCSAP_NETBEUI.
"gen_ether_linktype()" already handles SAPs as protocol IDs; just use it
for Ethernet, rather than using "gen_llc()" (which isn't prepared to
handle Ethernet, with off_linktype pointing to the type/length field
rather than the DSAP).
That also means that "gen_linktype(LLCSAP_ISONS)" can be used to test
for OSI packets on Ethernet.
Expand some comments.
Fix a typo ("off_nl = +4" should've been "off_nl += 4").
by checking the proto against the ethermtu and bumping
the link-layer offset by two.
-add support for vlan and mpls hierarchies by not absolute
setting offsets but rather incrementing them;
example(s):
mpls 100000 && mpls 1024
=filters for outer label 100000 and inner label 1024
vlan 100 && vlan 200
=filters for vlan 200 encapsulated within vlan 100
vlan 300 && mpls 17
=filters for mpls label 17 encapsulated in vlan 300
rename it again to DLT_PPP_PPPD, and rename other #defines to match.
Add backwards-compatibility #defines of DLT_PPP_WITH_DIRECTION and
DLT_LINUX_PPP_WITHDIRECTION for software that used them.
that require it, and make pcap_fddipad private to the code generator, as
that's the only place that needs it (ideally, all *its* state should be
local as well). This makes opening an FDDI device, on platforms where
the padding is supplied as part of the packet, and opening other types
of devices or opening savefiles in the same program work better, as you
don't have to be sure you compile the filter for a given pcap_t before
opening the next pcap_t.
the first byte (0xff) of the PPP header (0xff03) is tweaked to accommodate
the direction 0x00 = IN, 0x01 = OUT
the DLT_ supports the libpcap tokens "inbound" and "outbound"
DLT_IEEE802_11_RADIO (rather than supporting nothing, which keeps most
capture programs from working at all, as they set an empty filter if no
filter was explicitly supplied).
DLT_IEEE802_11_RADIO_AVS for future use with the AVS radio header.
Fix a comment.
Put in reserved LINKTYPE_USERn values corresponding to the reserved
DLT_USERn values.
beginning of the packet if the packet has an 802.2+SNAP header (3 bytes
802.2, 5 bytes SNAP), and 3 bytes from the beginning of the packet if it
has only an 802.2 header, just as is the case for DLT_ATM_CLIP, so go
back to handling them both with the same case.
Restore some comments asking whether we need to check the SSAP when
testing the 802.2 header for protocol types.
Clean up white space.
RFC 1188, RFC 1042, and RFCs 1483 and 2225 specify that SNAP
encapsulation is used for IP, not LLC encapsulation with LLCSAP_IP and,
in fact, that's what most if not all IP traffic over FDDI, 802 networks,
and LLC-encapsulated ATM use; go back to treating those link-layer types
the same way other link-layer types are handled.
which supplies different headers from BSD ARCNET, and fixes to the
ARCNET code generator (the protocol ID field is 1 byte, so the values
for it shouldn't be byte-swapped).
Whitespace cleanups.
The "NetBSD-style" ARCNET headers are used in other BSDs as well, so
just call them "BSD-style".
of packet headers so that, in all expressions after it, the tests assume
LANE encapsulation of packets. (We also assume the emulated LAN is an
Ethernet LAN, rather than a Token Ring LAN.)
Allow ATM tests to be combined with non-ATM tests in expressions, so
that you can do, for example, "lane and icmp".
each source file, only the headers that file needs, and all the headers
it needs in order to compile on various platforms and not to get any
avoidable compiler warnings on those platforms (as well as any
incomplete structure definitions needed to avoid those warnings).
That also means that <pcap.h> doesn't include <pcap-stdinc.h> on UNIX;
we don't want it to include <pcap-stdinc.h>, at least on UNIX, as doing
so
1) would mean we'd have to install that, so that programs can
build with libpcap
and
2) would mean that programs including <pcap.h> would drag in a
bunch of header files that they don't need.
Put a newline at the end of "inet.c" - the Sun C compiler doesn't like
it if the last line doesn't end with a newline.
those that always use 802.2;
those that never use 802.2;
Ethernet (where 802.2 is used for 802.3 and is not used for
Ethernet II);
correctly. This requires having two variables for the offset of the
network layer header, one for use with protocols that would not run atop
802.2 on Ethernet and would run atop 802.2+SNAP on link layers that
always use 802.2, and one for use with protocols that would run atop
raw 802.2 (no SNAP) on Ethernet and on link layers that always use
802.2.
Fix the network layer offset for 802.11, and the link-layer offset for
RFC 1483 ATM (there's no link layer, there's just 802.2 LLC).
define a structure used by <pcap-namedb.h> (only a pointer to the
structure is used in <pcap-namedb.h>, so code will compile no matter
which order you include them in, but it's a bit cleaner to include
<netdb.h> first). Indicate why we're including <netdb.h>.
This allows correct compilation of multiple expressions
containing the "vlan" keyword in the same program.
Reported by: Jon Dugan <jdugan@ncsa.uiuc.edu>, on the bro@lbl.gov list
<Miklos.Szeredi@eth.ericsson.se> - "pcap_ether_aton()" allocates memory
for the MAC address, but we don't free it when we're done with it.
Code inspection revealed that there's a similar problem with
"pcap_ether_hostton()"; fix that as well.