tcpdump mailing list archives
Variable length mac headers and gencode.c (and DLT request)
From: Darren Reed <darren.reed () oracle com>
Date: Tue, 10 May 2011 13:40:44 -0700
To pursue this a little further, experimenting has determined that the best layout thus far would be something similar to this:

    bits    field
    00-07   version (1)
    08-15   pad (0)
    16-31   pre-mac payload length
    32-63   dlt (DLT_*)
    64-79   ethernet protocol number
    80-95   pad (0)

The pads are to ensure that fields start on byte boundaries that align with their sizes. Similarly, the final pad is to ensure that this header has minimal impact on any alignment requirements of data that follows it.

The pre-mac payload length is the length of all data (i.e. in most cases this will be the combined length of the above header and the mac header) that precedes the mac payload (where the IP header starts.)

The design of the above is to facilitate being able to generate a simple BPF instruction set that allows filter expressions on network protocols. With a few tweaks to gencode.c (see attachment), it seems to work:

    # ./tcpdump -d -vi net0 ip and tcp port 80
    (000) ldh      [2]
    (001) st       M[0]
    (002) ldh      [8]
    (003) jeq      #0x800           jt 4    jf 25
    (004) ldx      M[0]
    (005) ldb      [x + 9]
    (006) jeq      #0x6             jt 7    jf 25
    (007) ldh      [x + 6]
    (008) jset     #0x1fff          jt 25   jf 9
    (009) ldb      [x + 0]
    (010) and      #0xf
    (011) lsh      #2
    (012) add      x
    (013) tax
    (014) ldh      [x + 0]
    (015) jeq      #0x50            jt 24   jf 16
    (016) ldx      M[0]
    (017) ldb      [x + 0]
    (018) and      #0xf
    (019) lsh      #2
    (020) add      x
    (021) tax
    (022) ldh      [x + 2]
    (023) jeq      #0x50            jt 24   jf 25
    (024) ret      #65535
    (025) ret      #0

The premise of the above is that no matter what the payload is after the mac header, that it will have a corresponding ethernet protocol number. Thus even though a "packet" for DLT_NULL on NetBSD might have AF_INET in the DLT_NULL header, the value for "proto" in the above header would be ETHERTYPE_IP (0x0800). It is the responsibility of the code that is constructing the header to make this translation.

The presence of the dlt field in the header allows the entire packet to be printed out by tcpdump, etc, as it unravels the packet headers.

The attached diff uses DLT_LINK and unless anyone has an objection, I'd like to request that this name be assigned a DLT number that's associated with the header described above.

Thoughts? Comments?

Darren
Attachment:
gencode.c.diff
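The header layout and filter described in the message above, as an added C example that is not part of the original post or the attached diff: it parses the proposed header, checks the pre-mac payload length against the captured length before using it as an offset, and reproduces the decision of the `ip and tcp port 80` program for well-formed input. The function names, the big-endian encoding of the dlt field and the sample packet are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte offsets derived from the bit layout in the message. */
enum { OFF_VERSION = 0, OFF_PREMAC = 2, OFF_PROTO = 8, LINK_HDRLEN = 12 };

/* Constructed sample: proposed header + Ethernet + IPv4 + TCP to port 80. */
static const uint8_t sample[66] = {
    1, 0, 0, 26, 0, 0, 0, 1, 0x08, 0x00, 0, 0,        /* len 26, dlt 1 (assumed big-endian) */
    2, 0, 0, 0, 0, 2, 2, 0, 0, 0, 0, 1, 0x08, 0x00,   /* Ethernet header */
    0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0,       /* IPv4, DF set, proto TCP */
    10, 0, 0, 1, 10, 0, 0, 2,
    0xc0, 0x00, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,   /* TCP 49152 -> 80 */
    0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Network header offset (the filter's M[0]); 0 if malformed (added check). */
size_t link_payload_offset(const uint8_t *pkt, size_t caplen)
{
    if (caplen < LINK_HDRLEN || pkt[OFF_VERSION] != 1)
        return 0;
    size_t premac = be16(pkt + OFF_PREMAC);
    return (premac < LINK_HDRLEN || premac > caplen) ? 0 : premac;
}

/* Mirrors the "ip and tcp port 80" program; numbers are its instructions. */
int match_ip_tcp_port80(const uint8_t *pkt, size_t caplen)
{
    size_t x = link_payload_offset(pkt, caplen);               /* (000)-(001) */
    if (x == 0 || be16(pkt + OFF_PROTO) != 0x0800)             /* (002)-(003) */
        return 0;
    if (caplen - x < 20 || pkt[x + 9] != 6)                    /* (004)-(006) */
        return 0;
    if (be16(pkt + x + 6) & 0x1fff)                            /* (007)-(008) */
        return 0;
    size_t tcp = x + ((size_t)(pkt[x] & 0x0f) << 2);           /* (009)-(013) */
    if (tcp + 4 > caplen)                                      /* both ports must be captured */
        return 0;
    return be16(pkt + tcp) == 80 || be16(pkt + tcp + 2) == 80; /* (014)-(023) */
}

int main(void)
{
    printf("offset %zu match %d\n", link_payload_offset(sample, sizeof sample),
           match_ip_tcp_port80(sample, sizeof sample));
    return 0;
}
```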
