[tcpdump-workers] issue with -e in IEEE802_11_RADIO mode

Denis Ovsienko denis at ovsienko.info
Tue Aug 21 08:09:13 EDT 2018


 ---- On Wed, 04 Apr 2018 21:14:56 +0100 Peter J. Philipp <tcpdump at centroid.eu> wrote ---- 
 > Hi,
 > 
 > I get a totally bogus output with -e and -X flags set on a wlan0
 > interface in monitor mode.  I have spent a lot of time looking into this
 > and I have finally figured out what I needed to do here.  Last I'll
 > paste my patch, it's easy.  I know it isn't via github but I don't have
 > a github login and can't even write an issue without having logged in,
 > so I resorted to this sane historical way.

Hello Peter.

Thank you for sending the proposed bug fix. If it requires a specific 802.11 frame to reproduce, could you post a sample .pcap file?

 > I want to show you the outputs of tcpdump with the -e flag (which is now
 > correct):
 > 
 > root at epsilon:/home/pi/tcpdump/tcpdump-4.9.2# ./tcpdump -X -e  -c 1  -n -s 100 -i wlan0 -l  'ether[10] == 0x18 and ether[2] == 0x0 and ether[3] == 0x0'
 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 > listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 100 bytes
 > 21:57:51.598450 1.0 Mb/s 2472 MHz 11b -58dBm signal antenna 0 BSSID:18:d6:c7:51:55:86 DA:ff:ff:ff:ff:ff:ff SA:18:d6:c7:51:55:86 Beacon () [1.0* 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] IBSS CH: 13[|802.11]
 >         0x0000:  8000 0000 ffff ffff ffff 18d6 c751 5586  .............QU.
 >         0x0010:  18d6 c751 5586 c0fa 8061 bb4b 0200 0000  ...QU....a.K....
 >         0x0020:  6400 0000 0000 0108 8204 0b16 0c12 1824  d..............$
 >         0x0030:  0301 0d05 0401 0200 0032 0430 4860 6c2d  .........2.0H`l-
 >         0x0040:  1aee 111b ffff ff00 0000                 ..........
 > 1 packet captured
 > 1 packet received by filter
 > 0 packets dropped by kernel

I understand you are saying the above is now correct.

 > and without the -e flag (which is probably everything after the wlan
 > header):
 > 
 > root at epsilon:/home/pi/tcpdump/tcpdump-4.9.2# ./tcpdump -X  -c 1  -n -s 100 -i wlan0 -l  'ether[10] == 0x18 and ether[2] == 0x0 and ether[3] == 0x0'
 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 > listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 100 bytes
 > 21:58:05.627380 1.0 Mb/s 2472 MHz 11b -58dBm signal antenna 0 Beacon () [1.0* 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] IBSS CH: 13[|802.11]
 >         0x0000:  8071 914c 0200 0000 6400 0000 0000 0108  .q.L....d.......
 >         0x0010:  8204 0b16 0c12 1824 0301 0d05 0400 0200  .......$........
 >         0x0020:  0032 0430 4860 6c2d 1aee 111b ffff ff00  .2.0H`l-........
 >         0x0030:  0000                                     ..
 > 1 packet captured
 > 2 packets received by filter
 > 0 packets dropped by kernel

I understand the above is now correct as well, right? What is the incorrect version? Is it incorrect for both "-X -e" and "-e" or just for one of those cases?

 > Lastly as indicated here is my small patch:
 > 
 > --- print-802_11.c.old  2018-04-04 19:40:56.458530097
 > +0200                   
 > +++ print-802_11.c      2018-04-04 21:44:15.494773874
 > +0200                   
 > @@ -3349,7 +3360,18 @@
 >  ieee802_11_radio_if_print(netdissect_options
 > *ndo,                           
 >                            const struct pcap_pkthdr *h, const u_char
 > *p)      
 >  {
 > -       return ieee802_11_radio_print(ndo, p, h->len,
 > h->caplen);             
 > +       const struct ieee80211_radiotap_header
 > *hdr;                          
 > +       u_int hdrlen, len;
 > +
 > +        hdr = (const struct ieee80211_radiotap_header
 > *)p;                   
 > +        len =
 > EXTRACT_LE_16BITS(&hdr->it_len);                               
 > +
 > +       hdrlen = ieee802_11_radio_print(ndo, p, h->len,
 > h->caplen);           
 > +       if (ndo->ndo_eflag && hdrlen > len)
 > {                                 
 > +               return len;
 > +       }
 > +
 > +       return hdrlen;
 >  }
 > 
 >  /*
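Review bot: `hdr->it_len` is read through `EXTRACT_LE_16BITS` before anything checks that `h->caplen` actually covers a radiotap header, so a capture shorter than `sizeof(struct ieee80211_radiotap_header)` reads past the captured bytes; guard the dereference (for example `if (h->caplen < sizeof(*hdr)) return h->caplen;`), or call `ieee802_11_radio_print` first, since it already validates the radiotap length, and take `len` from its result. Second, `if (ndo->ndo_eflag && hdrlen > len) return len;` makes the header length handed back to the caller depend on whether `-e` is set, so the bytes skipped by the hex dump change with a print flag rather than with the packet; the return value should be the number of link-layer bytes consumed regardless of `-e`, and if the intent is to show the 802.11 MAC header in the dump that belongs in the dump logic, not in the if_print return value. Minor: the added lines mix a tab with eight spaces (`+        hdr = ...` and `+        len =` versus `+       u_int hdrlen, len;`), and the hunk header `@@ -3349,7 +3360,18 @@` implies eleven lines inserted earlier in the file that are not part of this diff, so the patch as posted looks incomplete.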

-- 
    Denis Ovsienko
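The two quoted hex dumps differ only in where the dump starts: the patched "-X -e" dump begins right after the radiotap header, at the 802.11 frame control bytes `8000`, while the dump without "-e" also skips the 24-byte 802.11 MAC header and begins at the beacon timestamp. The Python below is an added example, not tcpdump code, that walks those two boundaries over the beacon bytes copied from the "-X -e" dump above. The radiotap header itself is not in the mail, so a constructed minimal 8-byte one is prepended; the 802.11 header-length rule is generalised beyond this beacon to data and control frames, and every step checks the captured length first so a short snaplen (the dump is cut off inside the last information element, which tcpdump reports as `[|802.11]`) is reported rather than read past.

```python
"""Radiotap / 802.11 header boundaries behind a '-X' style hex dump (added example)."""
import struct

# Constructed for this example: a minimal 8-byte radiotap header
# (it_version 0, it_pad 0, it_len 8, it_present 0, i.e. no optional fields).
# The real radiotap header is not in the mail; only the bytes after it are.
RADIOTAP = bytes.fromhex("00 00 08 00 00 00 00 00")

# Beacon bytes copied from the "-X -e" dump in the mail: the 24-byte 802.11
# management header followed by the beacon body, cut short by "-s 100".
BEACON = bytes.fromhex(
    "8000 0000 ffff ffff ffff 18d6 c751 5586"
    "18d6 c751 5586 c0fa 8061 bb4b 0200 0000"
    "6400 0000 0000 0108 8204 0b16 0c12 1824"
    "0301 0d05 0401 0200 0032 0430 4860 6c2d"
    "1aee 111b ffff ff00 0000"
)
CAPTURE = RADIOTAP + BEACON


def radiotap_len(buf):
    """it_len from the radiotap header, or None if the capture cannot hold
    one or the header claims more bytes than were captured."""
    if len(buf) < 8:
        return None
    version, _pad, it_len = struct.unpack_from("<BBH", buf, 0)
    if version != 0 or it_len < 8 or it_len > len(buf):
        return None
    return it_len


def dot11_hdr_len(frame):
    """802.11 MAC header length derived from the frame control field.
    Management frames: 24 bytes. Data frames: 24 (30 with ToDS+FromDS),
    plus 2 for QoS subtypes. Control frames: 10 (CTS, ACK) or 16."""
    if len(frame) < 2:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype == 0:
        return 24
    if ftype == 1:
        return 10 if subtype in (0xC, 0xD) else 16
    if ftype == 2:
        n = 30 if (fc & 0x0300) == 0x0300 else 24
        return n + 2 if subtype & 0x8 else n
    return None


def split_capture(buf):
    """(radiotap_len, mac_hdr_len) for a radiotap-encapsulated frame, or
    None when the capture is too short to locate both headers."""
    rt = radiotap_len(buf)
    if rt is None:
        return None
    mac = dot11_hdr_len(buf[rt:])
    if mac is None or rt + mac > len(buf):
        return None
    return rt, mac


def dump_offset(buf, include_mac_header):
    """Where a dump that skips the link-layer header starts: after the
    radiotap header alone (the patched "-e" dump in the mail) or after
    radiotap plus the 802.11 MAC header (the dump without "-e")."""
    parts = split_capture(buf)
    if parts is None:
        return None
    rt, mac = parts
    return rt if include_mac_header else rt + mac


def parse_beacon_body(body):
    """Beacon fixed fields plus (tag, value) information elements, stopping
    cleanly at a truncated element instead of reading past the buffer."""
    if len(body) < 12:
        return None
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    ies, off, truncated = [], 12, False
    while off < len(body):
        if off + 2 > len(body) or off + 2 + body[off + 1] > len(body):
            truncated = True  # tcpdump prints "[|802.11]" here
            break
        tag, ln = body[off], body[off + 1]
        ies.append((tag, body[off + 2:off + 2 + ln]))
        off += 2 + ln
    return {"timestamp": timestamp, "interval": interval,
            "capability": capability, "ies": ies, "truncated": truncated}


def rates_mbit(raw):
    """Decode a Supported Rates IE body into (Mbit/s, basic_rate) pairs."""
    return [((b & 0x7F) * 0.5, bool(b & 0x80)) for b in raw]


if __name__ == "__main__":
    rt, mac = split_capture(CAPTURE)
    print(f"radiotap {rt} bytes, 802.11 header {mac} bytes")
    for with_mac in (True, False):
        off = dump_offset(CAPTURE, with_mac)
        print(f"dump from offset {off}: {CAPTURE[off:off + 8].hex()}")
    info = parse_beacon_body(CAPTURE[rt + mac:])
    print(f"interval {info['interval']} TU, channel {info['ies'][2][1][0]},"
          f" rates {[r for r, _ in rates_mbit(info['ies'][1][1])]},"
          f" truncated={info['truncated']}")
```

Run it as a script to see both dump offsets (8 and 32 for this capture) and the decoded beacon: interval 100 TU, channel 13, the rate list tcpdump printed as `[1.0* 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]`, and the truncated HT element that produces the trailing `[|802.11]`. The point of `split_capture` is that the link-layer header length is a property of the bytes alone; a dissector's return value should not change with a print option.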
