Subject: lib/5228: libpcap doesn't correctly identify EtherTalk packets
To: None <gnats-bugs@gnats.netbsd.org>
From: None <monroe@pobox.com>
List: netbsd-bugs
Date: 03/29/1998 01:07:19
>Number:         5228
>Category:       lib
>Synopsis:       libpcap doesn't correctly identify EtherTalk packets
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    lib-bug-people (Library Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Mar 29 01:20:01 1998
>Last-Modified:
>Originator:     Monroe Williams
>Organization:
	None
>Release:        NetBSD-current supped on March 17, 1998
>Environment:
	Macintosh SE/30
	NetBSD-1.3.1 or -current
	mac68k
System: NetBSD archaeopteryx 1.3.1 NetBSD 1.3.1 (GENERICSBC) #0: Mon Mar 16 23:13:18 CST 1998 scottr@fx1:/amd/polka/a/src/sys/arch/mac68k/compile/GENERICSBC mac68k


>Description:
	bpf-programs generated by libpcap for keyword 'atalk' don't match EtherTalk
	phase II packets.

>How-To-Repeat:
	Run 'tcpdump atalk' on an Ethernet segment with known EtherTalk phase II traffic.
	Note that none of that traffic is dumped.

>Fix:
	Apply the following patch to /src/lib/libpcap/gencode.c:


*** gencode.c.orig	Fri Mar 27 01:55:17 1998
--- gencode.c	Sun Mar 29 00:44:02 1998
***************
*** 140,145 ****
--- 140,146 ----
  static void backpatch(struct block *, struct block *);
  static void merge(struct block *, struct block *);
  static struct block *gen_cmp(u_int, u_int, bpf_int32);
+ static struct block *gen_cmp_gt(u_int, u_int, bpf_int32);
  static struct block *gen_mcmp(u_int, u_int, bpf_int32, bpf_u_int32);
  static struct block *gen_bcmp(u_int, u_int, const u_char *);
  static struct block *gen_uncond(int);
***************
*** 401,406 ****
--- 402,425 ----
  }
  
  static struct block *
+ gen_cmp_gt(offset, size, v)
+ 	u_int offset, size;
+ 	bpf_int32 v;
+ {
+ 	struct slist *s;
+ 	struct block *b;
+ 
+ 	s = new_stmt(BPF_LD|BPF_ABS|size);
+ 	s->s.k = offset;
+ 
+ 	b = new_block(JMP(BPF_JGT));
+ 	b->stmts = s;
+ 	b->s.k = v;
+ 
+ 	return b;
+ }
+ 
+ static struct block *
  gen_mcmp(offset, size, v, mask)
  	u_int offset, size;
  	bpf_int32 v;
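Review bot: The new `gen_cmp_gt` has no comment, and it takes `v` as a signed `bpf_int32` even though `BPF_JGT` compares unsigned, so a negative `v` would be tested as a very large value. A header comment would make that explicit, for example `/* Load 'size' bytes at absolute 'offset'; true when the value is greater than v. BPF_JGT is an unsigned comparison, so v must be non-negative. */`. The body appears to differ from `gen_cmp` only in the jump opcode (`gen_cmp` itself is outside the hunk), so a shared helper taking the opcode might avoid the duplication. The trailing context lines belong to `gen_mcmp`, which continues outside the hunk.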
***************
*** 619,624 ****
--- 638,677 ----
  		}
  		break;
  
+ 	case DLT_EN10MB:
+ 		switch(proto) {
+ 		case ETHERTYPE_ATALK:
+ 		case ETHERTYPE_AARP:
+ 			/* EtherTalk (AppleTalk protocols on Ethernet link layer) 
+ 				may use 802.2 encapsulation.
+ 			*/
+ 
+ 			/* Check for 802.2 encapsulation (EtherTalk phase 2?) */
+ 			b0 = gen_cmp_gt(off_linktype, BPF_H, 1500);
+ 			gen_not(b0);
+ 
+ 			/* The following compares the entire contents of the 802.2 LLC and
+ 				SNAP headers in one go.  For the LLC, we check that DSAP = 0xAA,
+ 				SSAP = 0xAA, and cntl = 0x03.  The 5-byte SNAP needs to be
+ 				0x080007809B for ETHERTYPE_ATALK and 0x00000080F3 for ETHERTYPE_AARP.
+ 				Yes, this means that EtherTalk packets use a non-zero org code.
+ 			*/
+ 			if(proto == ETHERTYPE_ATALK) {
+ 				b1 = gen_bcmp(14, 8, "\xAA\xAA\x03\x08\x00\x07\x80\x9B");
+ 			}
+ 			else { /* proto == ETHERTYPE_AARP */
+ 				b1 = gen_bcmp(14, 8, "\xAA\xAA\x03\x00\x00\x00\x80\xF3");
+ 			}
+ 			gen_and(b0, b1);
+ 
+ 			/* Check for Ethernet encapsulation (Ethertalk phase 1?) */
+ 			b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
+ 
+ 			gen_or(b0, b1);
+ 			return b1;
+ 		}
+ 		break;
+ 
  	case DLT_NULL:
  		/* XXX */
  		if (proto == ETHERTYPE_IP)
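Review bot: Both `gen_bcmp(14, 8, ...)` calls hard-code the offset of the LLC header, while the length test and the Ethernet II test next to them use `off_linktype`. Writing the offset as `off_linktype + 2` (or a named constant) would keep all three tests tied to the same header layout. The string literals are `char` arrays, but the prototype shown earlier in the patch takes `const u_char *`, so a cast such as `(const u_char *)"\xAA\xAA\x03\x08\x00\x07\x80\x9B"` avoids a pointer-signedness warning. The inner `switch(proto)` has no `default`; a one-line comment that other protocols leave through the `break` to the code after the outer switch would help, since that code and the start of the function are outside the hunk.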
***************
*** 998,1004 ****
--- 1051,1059 ----
  		bpf_error("link layer applied in wrong context");
  
  	case Q_ATALK:
+ 		b0 =  gen_linktype(ETHERTYPE_AARP);
  		b1 =  gen_linktype(ETHERTYPE_ATALK);
+ 		gen_or(b0, b1);
  		break;
  
  	case Q_DECNET:
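Review bot: In `case Q_ATALK:` the `atalk` keyword now also matches AARP frames, a widening that the report's description does not mention, since it only covers EtherTalk phase II. Anyone using `atalk` to isolate AppleTalk data traffic will start seeing address-resolution frames too, so the change should be stated in a comment, for example `/* 'atalk' matches both ETHERTYPE_ATALK and ETHERTYPE_AARP frames */`, and in the filter-expression documentation. If the wider match is not intended, drop the `gen_linktype(ETHERTYPE_AARP)` and `gen_or(b0, b1)` lines and keep only the phase II fix. The enclosing function starts and ends outside the hunk.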
>Audit-Trail:
>Unformatted: