tcpdump mailing list archives
issue with -e in IEEE802_11_RADIO mode
From: "Peter J. Philipp" <tcpdump () centroid eu>
Date: Wed, 4 Apr 2018 22:14:56 +0200
Hi,
I get a totally bogus output with -e and -X flags set on a wlan0
interface in monitor mode. I have spent a lot of time looking into this
and I have finally figured out what I needed to do here. Lastly, I'll
paste my patch; it's easy. I know it isn't via github but I don't have
a github login and can't even write an issue without having logged in,
so I resorted to this sane historical way.
I want to show you the outputs of tcpdump with the -e flag (which is now
correct):
root@epsilon:/home/pi/tcpdump/tcpdump-4.9.2# ./tcpdump -X -e -c 1 -n -s 100 -i wlan0 -l 'ether[10] == 0x18 and ether[2] == 0x0 and ether[3] == 0x0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 100 bytes
21:57:51.598450 1.0 Mb/s 2472 MHz 11b -58dBm signal antenna 0 BSSID:18:d6:c7:51:55:86 DA:ff:ff:ff:ff:ff:ff SA:18:d6:c7:51:55:86 Beacon () [1.0* 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] IBSS CH: 13[|802.11]
	0x0000:  8000 0000 ffff ffff ffff 18d6 c751 5586  .............QU.
	0x0010:  18d6 c751 5586 c0fa 8061 bb4b 0200 0000  ...QU....a.K....
	0x0020:  6400 0000 0000 0108 8204 0b16 0c12 1824  d..............$
	0x0030:  0301 0d05 0401 0200 0032 0430 4860 6c2d  .........2.0H`l-
	0x0040:  1aee 111b ffff ff00 0000                 ..........
1 packet captured
1 packet received by filter
0 packets dropped by kernel
and without the -e flag (which is probably everything after the wlan
header):
root@epsilon:/home/pi/tcpdump/tcpdump-4.9.2# ./tcpdump -X -c 1 -n -s 100 -i wlan0 -l 'ether[10] == 0x18 and ether[2] == 0x0 and ether[3] == 0x0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 100 bytes
21:58:05.627380 1.0 Mb/s 2472 MHz 11b -58dBm signal antenna 0 Beacon () [1.0* 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] IBSS CH: 13[|802.11]
	0x0000:  8071 914c 0200 0000 6400 0000 0000 0108  .q.L....d.......
	0x0010:  8204 0b16 0c12 1824 0301 0d05 0400 0200  .......$........
	0x0020:  0032 0430 4860 6c2d 1aee 111b ffff ff00  .2.0H`l-........
	0x0030:  0000                                     ..
1 packet captured
2 packets received by filter
0 packets dropped by kernel
Lastly, as indicated, here is my small patch:
--- print-802_11.c.old 2018-04-04 19:40:56.458530097
+0200
+++ print-802_11.c 2018-04-04 21:44:15.494773874
+0200
@@ -3349,7 +3360,18 @@
ieee802_11_radio_if_print(netdissect_options
*ndo,
const struct pcap_pkthdr *h, const u_char
*p)
{
- return ieee802_11_radio_print(ndo, p, h->len,
h->caplen);
+ const struct ieee80211_radiotap_header
*hdr;
+ u_int hdrlen, len;
+
+ hdr = (const struct ieee80211_radiotap_header
*)p;
+ len =
EXTRACT_LE_16BITS(&hdr->it_len);
+
+ hdrlen = ieee802_11_radio_print(ndo, p, h->len,
h->caplen);
+ if (ndo->ndo_eflag && hdrlen > len)
{
+ return len;
+ }
+
+ return hdrlen;
}
/*
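Review bot: `hdr->it_len` is read from `p` (the added `hdr = (const struct ieee80211_radiotap_header *)p;` and `len = EXTRACT_LE_16BITS(&hdr->it_len);` lines) before anything has confirmed that `h->caplen` is at least `sizeof(struct ieee80211_radiotap_header)`; `ieee802_11_radio_print` is only called afterwards, so whatever length validation it performs comes too late to protect this read on a truncated capture. Guard the read with an explicit caplen check (or move it after the call), and also require `len <= h->caplen` before returning `len` as the link-layer header length, since that value is later used as an offset into the packet. The `if (ndo->ndo_eflag && hdrlen > len)` branch changes what the function's return value means when -e is set (the radiotap length alone instead of the full link-layer header) but carries no comment; the hunk should say why comparing the return value of `ieee802_11_radio_print` against `it_len` is the right condition, as the two are not obviously in the same units. The hunk header `@@ -3349,7 +3360,18 @@` places the new side 11 lines further down than the old side, so this hunk was cut from a diff containing earlier changes and may not apply cleanly to a stock 4.9.2 tree.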
Regards,
-peter
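The byte layout the two dumps above reflect (with -e the dump starts at the 802.11 header, without it at the frame body), as an added example that is neither tcpdump's code nor part of Peter's mail: computing both offsets from a radiotap capture, with the caplen check done before it_len is trusted as an offset. The radiotap header bytes are constructed filler; the beacon bytes are taken from the -e dump, and the 26-byte radiotap length is inferred from the dumps (74 of the 100 captured bytes were shown with -e).

```c
#include <stddef.h>
#include <stdint.h>
#define RADIOTAP_HDR_MIN 8  /* it_version, it_pad, it_len (LE16), it_present (LE32) */

/* Constructed sample (not from a real capture file): a 26-byte radiotap header
 * whose field contents are filler (only it_len matters here), followed by the
 * beacon bytes shown in the -e dump above. */
const uint8_t sample_frame[] = {
    0x00, 0x00, 0x1a, 0x00, 0x2e, 0x48, 0x00, 0x00,         /* v0, pad, it_len=26, it_present */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* 18 bytes of filler fields */
    0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x18, 0xd6, /* FC, dur, DA */
    0xc7, 0x51, 0x55, 0x86, 0x18, 0xd6, 0xc7, 0x51, 0x55, 0x86, 0xc0, 0xfa, /* SA, BSSID, seq */
    0x80, 0x61, 0xbb, 0x4b, 0x02, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, /* beacon body */
};

/* Radiotap header length, or 0 when caplen is too short to trust it_len:
 * this check has to happen before it_len is used as an offset. */
size_t radiotap_len(const uint8_t *p, size_t caplen)
{
    if (caplen < RADIOTAP_HDR_MIN || p[0] != 0)        /* it_version must be 0 */
        return 0;
    size_t it_len = (size_t)p[2] | ((size_t)p[3] << 8); /* little-endian */
    return (it_len < RADIOTAP_HDR_MIN || it_len > caplen) ? 0 : it_len;
}

/* 802.11 MAC header length from the two frame-control bytes. */
size_t dot11_hdr_len(uint8_t fc0, uint8_t fc1)
{
    uint8_t type = (fc0 >> 2) & 0x3, subtype = fc0 >> 4;
    if (type == 0)                                  /* management */
        return 24;
    if (type == 1)                                  /* control: CTS/ACK 10, others 16 */
        return (subtype == 0xc || subtype == 0xd) ? 10 : 16;
    size_t len = 24;                                /* data */
    if ((fc1 & 0x03) == 0x03) len += 6;             /* ToDS+FromDS: fourth address */
    if (subtype & 0x08)       len += 2;             /* QoS data: QoS control field */
    return len;
}

/* Offset where -X starts dumping without -e (radiotap + MAC header), or 0 if
 * the capture is truncated before the end of the MAC header. */
size_t dot11_body_offset(const uint8_t *p, size_t caplen)
{
    size_t rt = radiotap_len(p, caplen);
    if (rt == 0 || caplen < rt + 2)
        return 0;
    size_t hdr = dot11_hdr_len(p[rt], p[rt + 1]);
    return (caplen >= rt + hdr) ? rt + hdr : 0;
}
```

With this sample, radiotap_len() gives 26 (where the -e dump begins, 0x8000 ...) and dot11_body_offset() gives 50 (where the dump without -e begins, 0x8061 ...), matching the 74 and 50 bytes shown in the two dumps.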
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers