Subject: lib/5228: libpcap doesn't correctly identify EtherTalk packets
To: None <gnats-bugs@gnats.netbsd.org>
From: None <monroe@pobox.com>
List: netbsd-bugs
Date: 03/29/1998 01:07:19
>Number: 5228
>Category: lib
>Synopsis: libpcap doesn't correctly identify EtherTalk packets
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: lib-bug-people (Library Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Mar 29 01:20:01 1998
>Last-Modified:
>Originator: Monroe Williams
>Organization:
None
>Release: NetBSD-current supped on March 17, 1998
>Environment:
Macintosh SE/30
NetBSD-1.3.1 or -current
mac68k
System: NetBSD archaeopteryx 1.3.1 NetBSD 1.3.1 (GENERICSBC) #0: Mon Mar 16 23:13:18 CST 1998 scottr@fx1:/amd/polka/a/src/sys/arch/mac68k/compile/GENERICSBC mac68k
>Description:
bpf-programs generated by libpcap for keyword 'atalk' don't match EtherTalk
phase II packets.
>How-To-Repeat:
Run 'tcpdump atalk' on an Ethernet segment with known EtherTalk phase II traffic.
Note that the traffic isn't dumped.
>Fix:
Apply the following patch to /src/lib/libpcap/gencode.c:
*** gencode.c.orig Fri Mar 27 01:55:17 1998
--- gencode.c Sun Mar 29 00:44:02 1998
***************
*** 140,145 ****
--- 140,146 ----
static void backpatch(struct block *, struct block *);
static void merge(struct block *, struct block *);
static struct block *gen_cmp(u_int, u_int, bpf_int32);
+ static struct block *gen_cmp_gt(u_int, u_int, bpf_int32);
static struct block *gen_mcmp(u_int, u_int, bpf_int32, bpf_u_int32);
static struct block *gen_bcmp(u_int, u_int, const u_char *);
static struct block *gen_uncond(int);
***************
*** 401,406 ****
--- 402,425 ----
}
static struct block *
+ gen_cmp_gt(offset, size, v)
+ u_int offset, size;
+ bpf_int32 v;
+ {
+ struct slist *s;
+ struct block *b;
+
+ s = new_stmt(BPF_LD|BPF_ABS|size);
+ s->s.k = offset;
+
+ b = new_block(JMP(BPF_JGT));
+ b->stmts = s;
+ b->s.k = v;
+
+ return b;
+ }
+
+ static struct block *
gen_mcmp(offset, size, v, mask)
u_int offset, size;
bpf_int32 v;
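Review bot: `gen_cmp_gt` has no comment and takes `v` as `bpf_int32`, yet `BPF_JGT` compares the loaded value against `k` as unsigned, so a negative `v` would act as a very large threshold rather than a small one. A header comment such as `/* True when the unsigned field of the given size at offset is > v; v must be non-negative. */` would record that contract. The only caller visible in this patch passes 1500, so this is a documentation point rather than a live defect.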
***************
*** 619,624 ****
--- 638,677 ----
}
break;
+ case DLT_EN10MB:
+ switch(proto) {
+ case ETHERTYPE_ATALK:
+ case ETHERTYPE_AARP:
+ /* EtherTalk (AppleTalk protocols on Ethernet link layer)
+ may use 802.2 encapsulation.
+ */
+
+ /* Check for 802.2 encapsulation (EtherTalk phase 2?) */
+ b0 = gen_cmp_gt(off_linktype, BPF_H, 1500);
+ gen_not(b0);
+
+ /* The following compares the entire contents of the 802.2 LLC and
+ SNAP headers in one go. For the LLC, we check that DSAP = 0xAA,
+ SSAP = 0xAA, and cntl = 0x03. The 5-byte SNAP needs to be
+ 0x080007809B for ETHERTYPE_ATALK and 0x00000080F3 for ETHERTYPE_AARP.
+ Yes, this means that EtherTalk packets use a non-zero org code.
+ */
+ if(proto == ETHERTYPE_ATALK) {
+ b1 = gen_bcmp(14, 8, "\xAA\xAA\x03\x08\x00\x07\x80\x9B");
+ }
+ else { /* proto == ETHERTYPE_AARP */
+ b1 = gen_bcmp(14, 8, "\xAA\xAA\x03\x00\x00\x00\x80\xF3");
+ }
+ gen_and(b0, b1);
+
+ /* Check for Ethernet encapsulation (Ethertalk phase 1?) */
+ b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
+
+ gen_or(b0, b1);
+ return b1;
+ }
+ break;
+
case DLT_NULL:
/* XXX */
if (proto == ETHERTYPE_IP)
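Review bot: The two `gen_bcmp(14, 8, ...)` calls in the new `DLT_EN10MB` case hard-code the LLC offset as 14 while the checks on either side use `off_linktype`. Assuming `off_linktype` is the offset of the type/length field, `gen_bcmp(off_linktype + 2, 8, ...)` would keep all three comparisons tied to the same header layout. The string literals are also passed to a parameter that the prototype earlier in this patch declares as `const u_char *`, so a cast like `(const u_char *)"\xAA\xAA\x03\x08\x00\x07\x80\x9B"` avoids a pointer-signedness warning. When `proto` is neither value, the inner switch falls to `break` and presumably reaches the generic comparison after the outer switch; a one-line comment saying so would help, since the enclosing function starts and ends outside the hunk.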
***************
*** 998,1004 ****
--- 1051,1059 ----
bpf_error("link layer applied in wrong context");
case Q_ATALK:
+ b0 = gen_linktype(ETHERTYPE_AARP);
b1 = gen_linktype(ETHERTYPE_ATALK);
+ gen_or(b0, b1);
break;
case Q_DECNET:
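Review bot: With the added `gen_or`, the `Q_ATALK` case now selects AARP frames as well as AppleTalk ones, which widens what an existing `atalk` filter expression captures, and nothing in the hunk says this is intended. A comment such as `/* 'atalk' also matches AARP, the address-resolution traffic for AppleTalk */` would record it. The filter-expression documentation probably needs the same statement, so that people relying on `atalk` for capture or monitoring know what it includes. The enclosing function starts and ends outside the hunk.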
>Audit-Trail:
>Unformatted: