tcpdump mailing list archives
TCPDUMP 3.9.4 under Fedora Core 5 seems to generate the wrong BPF for DLT_PRISM_HEADER.
From: "Bruce Keats" <brucekeats () gmail com>
Date: Tue, 29 Aug 2006 15:18:21 -0400
Hi, I am running FC5 which comes with tcpdump 3.9.4 and libpcap 0.9.4 and I am having problems filtering 802.11 packets. When I look at the code generated for a wifi card that has the Atheros chip set and supports DLT_PRISM_HEADER, the offset to the IP header looks off. [root@dhcp43 ~]# tcpdump -L -i athm0 Data link types (use option -y to set): PRISM_HEADER (802.11 plus Prism header) [root@dhcp43 ~]# tcpdump -i athm0 -s0 -d ip tcpdump: WARNING: athm0: no IPv4 address assigned (000) ldh [318] (001) jeq #0x800 jt 2 jf 3 (002) ret #65535 (003) ret #0 [root@dhcp43 ~]# If I read this code correctly, it is loading a 2 byte half word at offset 318 (0x13e) then doing a compare against the value 0x800 for a match. The offset is wrong because the PRISM header is 144 bytes long, 24 bytes for a 801.11 data frame and 8 bytes for the LLC frame for which the last 2 bytes indicate IP (offset should be 174). If I try something like trying to find the TCP header, the generated code also seems suspect: [root@dhcp43 ~]# tcpdump -i athm0 -s0 -d tcp tcpdump: WARNING: athm0: no IPv4 address assigned (000) ldh [318] (001) jeq #0x86dd jt 2 jf 4 (002) ldb [182] (003) jeq #0x6 jt 7 jf 8 (004) jeq #0x800 jt 5 jf 8 (005) ldb [185] (006) jeq #0x6 jt 7 jf 8 (007) ret #65535 (008) ret #0 [root@dhcp43 ~]# The magic number 318 is 174+144 or "the offset to find the LLC protocol" plus "the PRISM header length". I did some google searches and I didn't come accross anything. I checked the TCPDUMP workers list and I didn't see anything, but it appears the archives might be broken on tcpdump.org and gmane.org doesn't seem to go back very far. Has anyone else reported this or something similar? Is anyone else working this problem? Does anyone have a fix for the problem? Thanks, Bruce - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- TCPDUMP 3.9.4 under Fedora Core 5 seems to generate the wrong BPF for DLT_PRISM_HEADER. Bruce Keats (Aug 29)
- Re: TCPDUMP 3.9.4 under Fedora Core 5 seems to generate the wrong BPF for DLT_PRISM_HEADER. Bruce Keats (Sep 11)
- Re: TCPDUMP 3.9.4 under Fedora Core 5 seems to Guy Harris (Sep 13)
- Re: TCPDUMP 3.9.4 under Fedora Core 5 seems to Guy Harris (Sep 13)
- Re: TCPDUMP 3.9.4 under Fedora Core 5 seems to Bruce Keats (Sep 13)
- Re: TCPDUMP 3.9.4 under Fedora Core 5 seems to Guy Harris (Sep 13)
- Re: TCPDUMP 3.9.4 under Fedora Core 5 seems to generate the wrong BPF for DLT_PRISM_HEADER. Bruce Keats (Sep 11)
- <Possible follow-ups>
- TCPDUMP 3.9.4 under Fedora Core 5 seems to generate the wrong BPF for DLT_PRISM_HEADER. Bruce Keats (Aug 29)