On Apr 8, 2011, at 7:51 PM, Darren Reed <darren.r...@oracle.com> wrote:
> Printing PPI packets with tcpdump does not turn out
> to be that hard.
>
> My simple tests have produced the output as below.

Your simple tests were with invalid PPI files; as the PPI spec:

    http://www.cacetech.com/documents/PPI%20Header%20format%201.0.7.pdf

says:

    Multi-byte integers in the packet header and field headers MUST be
    stored as little-endian. The endianness of field data may be either
    big- or little-endian, and MUST be noted in the field description.
    The total length of the packet header plus all field headers and
    field data MUST be padded to a 32-bit boundary.

and the code does

    len = EXTRACT_16BITS(&hdr->ppi_len);
    dlt = EXTRACT_32BITS(&hdr->ppi_dlt);

which treats the fields in the packet header as big-endian, not little-endian, so...

> 19:20:51.470264 , DLT IPV4 (228) len 0, length 76: ip: (tos 0x0, ttl 255, id
> 509, offset 0, flags [+, DF], proto ICMP (1), length 68)
> 1.1.1.1 > 1.1.1.2: ICMP echo request, id 35462, seq 3, length 48
> 0x0000: 0000 0000 0000 00e4 4500 0044 01fd 6000
> 0x0010: ff01 55b7 0101 0101 0101 0102 0800 45bd
> 0x0020: 8a86 0003 4d9f c283 0007 2c8c 0809 0a0b
> 0x0030: 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b
> 0x0040: 1c1d 1e1f 2021 2223 2425 2627

...if that packet really had 0x00 0xE4 rather than 0xE4 0x00 in the DLT field, that packet has a DLT value of 58368, which is not a currently-assigned LINKTYPE_/DLT_ value.

I've checked a fix in to treat the length and DLT values as little-endian.
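An added example, not part of the original message and not tcpdump's own code: a minimal PPI packet-header parse that reads the length and DLT as little-endian and validates the length before it is used as the offset to the payload. The 8-byte layout (version, flags, 16-bit length, 32-bit DLT) follows the PPI spec linked above; all function and variable names are hypothetical, and `valid_hdr` is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PPI_HDRLEN 8 /* version(1) flags(1) len(2) dlt(4); integers little-endian */

struct ppi_info { uint8_t version, flags; uint16_t len; uint32_t dlt; };

/* Byte-wise loads: no alignment or host-endianness assumptions. */
uint16_t ppi_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
uint32_t ppi_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Big-endian read, kept only to show what a big-endian extraction yields. */
uint32_t ppi_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the header is truncated or its length invalid. */
int ppi_parse(const uint8_t *buf, size_t caplen, struct ppi_info *out) {
    if (caplen < PPI_HDRLEN)
        return -1;                 /* truncated capture */
    out->version = buf[0];
    out->flags = buf[1];
    out->len = ppi_le16(buf + 2);
    out->dlt = ppi_le32(buf + 4);
    if (out->len < PPI_HDRLEN || out->len % 4 != 0)
        return -1;                 /* shorter than fixed header, or not padded */
    if (out->len > caplen)
        return -1;                 /* payload offset would pass end of buffer */
    return 0;
}

/* First 8 bytes of the hex dump quoted in the message. */
const uint8_t quoted_hdr[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe4 };
/* Constructed: header-only PPI packet, len 8, DLT 228, stored little-endian. */
const uint8_t valid_hdr[8] = { 0x00, 0x00, 0x08, 0x00, 0xe4, 0x00, 0x00, 0x00 };

int main(void) {
    struct ppi_info pi;
    int rc = ppi_parse(quoted_hdr, sizeof quoted_hdr, &pi);
    printf("quoted: rc=%d be_dlt=%u le_dlt=0x%08x\n", rc,
           (unsigned)ppi_be32(quoted_hdr + 4), (unsigned)pi.dlt);
    rc = ppi_parse(valid_hdr, sizeof valid_hdr, &pi);
    printf("valid:  rc=%d len=%u dlt=%u\n", rc, (unsigned)pi.len, (unsigned)pi.dlt);
    return 0;
}
```

The quoted header is rejected because its length field is 0, which is below the fixed 8-byte header; a dissector that skipped that check would compute the payload offset from an untrusted value.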