tcpdump mailing list archives
Re: issue with -e in IEEE802_11_RADIO mode
From: Denis Ovsienko <denis () ovsienko info>
Date: Tue, 21 Aug 2018 13:09:13 +0100
---- On Wed, 04 Apr 2018 21:14:56 +0100 Peter J. Philipp <tcpdump () centroid eu> wrote ----
Hi, I get a totally bogus output with -e and -X flags set on a wlan0 interface in monitor mode. I have spent a lot of time looking into this and I have finally figured out what I needed to do here. Last I'll paste my patch, it's easy. I know it isn't via github but I don't have a github login and can't even write an issue without having logged in, so I resorted to this sane historical way.
Hello Peter. Thank you for sending the proposed bug fix. If it requires a specific 802.11 frame to reproduce, could you post a sample .pcap file?
I want to show you the outputs of tcpdump with the -e flag (which is now correct):
root@epsilon:/home/pi/tcpdump/tcpdump-4.9.2# ./tcpdump -X -e -c 1 -n -s 100 -i wlan0 -l 'ether[10] == 0x18 and ether[2] == 0x0 and ether[3] == 0x0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 100 bytes
21:57:51.598450 1.0 Mb/s 2472 MHz 11b -58dBm signal antenna 0 BSSID:18:d6:c7:51:55:86 DA:ff:ff:ff:ff:ff:ff SA:18:d6:c7:51:55:86 Beacon () [1.0* 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] IBSS CH: 13[|802.11]
0x0000: 8000 0000 ffff ffff ffff 18d6 c751 5586  .............QU.
0x0010: 18d6 c751 5586 c0fa 8061 bb4b 0200 0000  ...QU....a.K....
0x0020: 6400 0000 0000 0108 8204 0b16 0c12 1824  d..............$
0x0030: 0301 0d05 0401 0200 0032 0430 4860 6c2d  .........2.0H`l-
0x0040: 1aee 111b ffff ff00 0000                 ..........
1 packet captured
1 packet received by filter
0 packets dropped by kernel
I understand you are saying the above is now correct.
and without the -e flag (which is probably everything after the wlan header):
root@epsilon:/home/pi/tcpdump/tcpdump-4.9.2# ./tcpdump -X -c 1 -n -s 100 -i wlan0 -l 'ether[10] == 0x18 and ether[2] == 0x0 and ether[3] == 0x0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 100 bytes
21:58:05.627380 1.0 Mb/s 2472 MHz 11b -58dBm signal antenna 0 Beacon () [1.0* 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] IBSS CH: 13[|802.11]
0x0000: 8071 914c 0200 0000 6400 0000 0000 0108  .q.L....d.......
0x0010: 8204 0b16 0c12 1824 0301 0d05 0400 0200  .......$........
0x0020: 0032 0430 4860 6c2d 1aee 111b ffff ff00  .2.0H`l-........
0x0030: 0000                                     ..
1 packet captured
2 packets received by filter
0 packets dropped by kernel
I understand the above is now correct as well, right? What is the incorrect version? Is it incorrect for both "-X -e" and "-e" or just for one of those cases?
Lastly as indicated here is my small patch:
--- print-802_11.c.old 2018-04-04 19:40:56.458530097
+0200
+++ print-802_11.c 2018-04-04 21:44:15.494773874
+0200
@@ -3349,7 +3360,18 @@
ieee802_11_radio_if_print(netdissect_options
*ndo,
const struct pcap_pkthdr *h, const u_char
*p)
{
- return ieee802_11_radio_print(ndo, p, h->len,
h->caplen);
+ const struct ieee80211_radiotap_header
*hdr;
+ u_int hdrlen, len;
+
+ hdr = (const struct ieee80211_radiotap_header
*)p;
+ len =
EXTRACT_LE_16BITS(&hdr->it_len);
+
+ hdrlen = ieee802_11_radio_print(ndo, p, h->len,
h->caplen);
+ if (ndo->ndo_eflag && hdrlen > len)
{
+ return len;
+ }
+
+ return hdrlen;
}
/*
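Review bot: `len = EXTRACT_LE_16BITS(&hdr->it_len);` reads bytes 2-3 of the packet before `ieee802_11_radio_print()` is called, and nothing in this hunk compares `h->caplen` against the size of the fixed radiotap header first, so a capture truncated inside those first four bytes is read past its end; if caplen is validated inside `ieee802_11_radio_print()`, that check comes too late for this read. Move the extraction below the `hdrlen = ieee802_11_radio_print(ndo, p, h->len, h->caplen);` line, or guard it with an explicit `h->caplen` check. A one-line comment on `if (ndo->ndo_eflag && hdrlen > len)` explaining why the return value is capped at the radiotap length only when -e is set would also help, since the condition does not explain itself.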
--
Denis Ovsienko
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
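The two hex dumps above start at different points in the same kind of frame: with -e at the 802.11 MAC header, without it at the beacon body that follows the 24-byte header. The function below, added here as an illustration and not tcpdump's code or part of the thread, walks that layout in the order a dissector should: it reads the little-endian radiotap it_len and the 802.11 frame control field only after checking each length against caplen. The names frame_body_offset and ieee80211_hdr_len are made up for this example, and the 8-byte radiotap header in front of the beacon bytes is constructed, since the dumps begin at the 802.11 frame.

```c
#include <stddef.h>
#include <stdint.h>

/* Fixed radiotap header: it_version(1) it_pad(1) it_len(2, LE) it_present(4). */
#define RADIOTAP_MIN_LEN 8

/* 802.11 MAC header length implied by the two frame control bytes. */
static size_t ieee80211_hdr_len(uint8_t fc0, uint8_t fc1)
{
    unsigned type = (fc0 >> 2) & 3, subtype = (fc0 >> 4) & 0xf;
    if (type == 0)                          /* management (beacon etc.): 24 */
        return 24;
    if (type == 1)                          /* control: CTS/ACK 10, others 16 */
        return (subtype == 12 || subtype == 13) ? 10 : 16;
    if (type == 2) {                        /* data: +6 with both DS bits, +2 QoS */
        size_t n = 24;
        if ((fc1 & 0x03) == 0x03) n += 6;
        if (subtype & 0x08) n += 2;
        return n;
    }
    return 0;                               /* reserved type: unknown length */
}

/* Offset of the 802.11 frame body in the capture, or -1 if the capture is
 * truncated or it_len is inconsistent with caplen. Lengths are checked
 * against caplen before the bytes they cover are read. */
int frame_body_offset(const uint8_t *p, size_t caplen)
{
    size_t it_len, mac_len;
    if (caplen < RADIOTAP_MIN_LEN || p[0] != 0)   /* it_version must be 0 */
        return -1;
    it_len = (size_t)p[2] | ((size_t)p[3] << 8);  /* little-endian it_len */
    if (it_len < RADIOTAP_MIN_LEN || it_len > caplen)
        return -1;
    if (caplen - it_len < 2)                      /* need the frame control */
        return -1;
    mac_len = ieee80211_hdr_len(p[it_len], p[it_len + 1]);
    if (mac_len == 0 || mac_len > caplen - it_len)
        return -1;
    return (int)(it_len + mac_len);
}

/* Constructed: minimal radiotap header (no present fields) + beacon from the -e dump. */
const uint8_t sample_beacon[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x18, 0xd6,
    0xc7, 0x51, 0x55, 0x86, 0x18, 0xd6, 0xc7, 0x51, 0x55, 0x86, 0xc0, 0xfa,
    0x80, 0x61, 0xbb, 0x4b, 0x02, 0x00, 0x00, 0x00,
};
/* Constructed: radiotap header claiming 64 bytes in a 12-byte capture. */
const uint8_t sample_bad_len[] = { 0, 0, 0x40, 0, 0, 0, 0, 0, 0x80, 0, 0, 0 };
```

frame_body_offset(sample_beacon, sizeof sample_beacon) returns 32 (8 bytes of radiotap plus the 24-byte management header), the same point at which the dump without -e begins.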
