for "Novell 802.3" frames, which are 802.3 frames (i.e., the type/length
field is a length field, i.e. it's <= ETHERMTU) with 0xFFFF as the first
2 bytes. We don't yet check for ETHERTYPE_IPX as well.
When checking for OSI packets on Linux cooked captures, check for 802.2
frames by testing the packet type for LINUX_SLL_P_802_2 rather than by
checking whether the type field is <= ETHERMTU (it's always a type field
in DLT_LINUX_SLL captures).
Ring, and RFC 1483-style ATM, as well as on Ethernet.
Support checking for LLC SAP protocols other than OSI protocols on
Ethernet - for now, we check only the DSAP on those, rather than
checking both the DSAP and SSAP as we do for OSI, as I think, in some
cases, the SSAP isn't the same as the DSAP.
When generating protocol type checks on link-layer types with no type
field, where packets are always IP (SLIP, BSD/OS SLIP, raw IP), generate
a "test" that always succeeds if the protocol being checked for is IP or
IPv6 and a "test" that always fails otherwise. (We originally did
"gen_true()" if the protocol is IP, and bogusly generated code to check
the field at an offset of -1 otherwise; a subsequent change caused us
always to do "gen_true()", but that doesn't properly handle attempts to
check for other protocols - those attempts should generate code that
always fails, meaning that if you try to look for ARP packets in such a
capture the BPF compiler will return "expression rejects all packets" as
an error - and still generated extra code not all of which was removed
by the optimizer. The current code generates no *more* BPF code.)
Add "stp", which checks for the LLC SAP for the Spanning Tree Protocol.
#5228, to correctly check for Appletalk for EtherTalk phase II - they
use 802.3 with LLC SNAP packets, rather than D/I/X Ethernet packets.
His patch made "atalk" check for Appletalk ARP as well as other
Appletalk packets; I've instead added a separate "aarp" packet type,
leaving "atalk" checking only for ETHERTYPE_ATALK, so you can check for
ETHERTYPE_ATALK, ETHERTYPE_AARP, or both.
filter, always attach a copy, as "pcap-linux.c" does; that way, after a
program uses "pcap_setfilter()", it can safely use "pcap_freecode()" to
free up the BPF instructions allocated by "pcap_compile()". Also,
always free it up when the "pcap_t" is closed.
Get rid of the "pcap_t *" argument to "pcap_freecode()", as it's not
necessary.
Document "pcap_freecode()", for the benefit of programs that might
repeatedly compile filter programs and attach them, so that they can
free them up after attaching them and avoid leaking memory for them.
letting you filter based on the VLAN to which a packet belongs, and an
improvement to the printing of VLAN packets (adding an extra space to
separate the VLAN priority and flags from the next stuff printed).
core if the YY_FLUSH_BUFFER macro is called when there's no current
buffer (e.g., before any scanning has been done).
So, instead, when using Flex, we use "yy_scan_string()" to specify that
the scanner should read from the filter expression string, rather than
defining our own YY_INPUT macro, and we add a "lex_cleanup()" routine,
called after parsing is complete, to delete the buffer allocated by
"yy_scan_string()", which arranges that, when we next hand the scanner a
string, it doesn't then return to the parser cruft left over from the
previous parse.
./configure --enable-ipv6 (requires getaddrinfo(3) and getnameinfo(3)).
TODO: make it work even without getaddrinfo(3) or getnameinfo(3)
(or, tcpdump/configure.in should provide alternative version by
AC_REPLACE_FUNCS)
TODO: make IPv6 filtering code work by default
TODO: make "protochain" friendly with optimization
fenner