On Sat, Sep 22, 2001 at 09:10:07PM -0300, Mercia Eliane Bittencourt Figueredo wrote:
> [root@gandalf ~]# tcpdump -e -i atm0 | more
> tcpdump: listening on atm0
> 20:02:46.800000 45 00 02 1c 00 00 192.168.222.24.7000 > 192.168.211.21.rfe:
> rx type 0 (512) (DF)
Congratulations! You've managed to find *two separate* bugs in
tcpdump's "cip_print()" routine!

Bug 1:

	it decides whether to print the LLC header or "null
	encap[sulation]" by comparing the first 6 bytes of the frame
	with the first 6 bytes of an LLC+SNAP header - and prints the
	LLC header if they're *not* equal, i.e. if there's a null
	encapsulation.

Bug 2:

	it appears to think that "etherproto_string()" prints something,
	rather than just returning a string to be printed.

So it appears that, for whatever reason, the LLC header is being
stripped off - which means that it'd better not report any non-IP
traffic.
Does the ATM support - including the driver for the ATM card on your
machine (what type of ATM card is it?) - come with the kernel you're
running, or did you have to add stuff from the "ATM on Linux" site?
> >If this is an ARPHRD_ATM device, tcpdump appears to handle two different
> >types of encapsulation - one where you have the expected 802.2 LLC
> >header at the beginning of the frame, and one where there's no
> >link-layer header at all, just an IP header. However, libpcap assumes
> >that the encapsulation will include the 802.2 header, so if it doesn't,
> >filters won't work.
> I am using classical IP
Classical IP (RFC 2225) is *supposed* to use 802.2 LLC headers, by
default, as per:

	Characteristics of the classical model are:

	...

	o Default LLC/SNAP encapsulation of IP packets.

although I guess it could use some other scheme. I'd have to see the
driver and ATM stack code in order to see what the Linux code does.
> >Unless there's some way for libpcap to determine, for a device, whether
> >it shows an 802.2 header on snooped packets, we may have to treat this as
> >yet another Linux link-layer type that can only be sanely snooped in
> >cooked mode.
> >
> How can I do it?
You'd have to modify the "pcap-linux.c" file with the attached patch,
rebuild libpcap, and rebuild tcpdump.
Index: pcap-linux.c
===================================================================
RCS file: /tcpdump/master/libpcap/pcap-linux.c,v
retrieving revision 1.66
diff -c -r1.66 pcap-linux.c
*** pcap-linux.c 2001/08/30 03:08:43 1.66
--- pcap-linux.c 2001/09/23 01:19:23
***************
*** 846,852 ****
#define ARPHRD_ATM 19
#endif
case ARPHRD_ATM:
! handle->linktype = DLT_ATM_CLIP;
break;
#ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */
--- 846,852 ----
#define ARPHRD_ATM 19
#endif
case ARPHRD_ATM:
! handle->linktype = DLT_LINUX_SLL;
break;
#ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */
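
Review bot: In the `case ARPHRD_ATM:` arm, the new `handle->linktype = DLT_LINUX_SLL;` has no comment saying why ATM is forced to cooked mode, and it applies to every ARPHRD_ATM device, including any that do deliver the LLC/SNAP header. Suggest a comment above the assignment recording that the driver may or may not supply the 802.2 header and libpcap cannot tell which, so the device is treated as cooked-only. Also confirm that the code outside this hunk actually switches the capture to cooked mode when the link type is DLT_LINUX_SLL, since the visible lines only change the reported type.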
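
The test described under Bug 1 with the comparison the right way round, as an added example that is not tcpdump's code and not part of the original message. `classify_clip()` and the enum names are hypothetical, `llc_frame` is a constructed sample, and `page_frame` holds the six bytes shown in the quoted tcpdump output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encapsulations a Classical IP frame can arrive with (hypothetical names). */
enum clip_encap { CLIP_LLC_SNAP, CLIP_NULL_IPV4, CLIP_UNKNOWN };

/* LLC header (DSAP AA, SSAP AA, control 03) followed by SNAP OUI 00-00-00. */
static const uint8_t llc_snap_prefix[6] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };

/*
 * Classify a captured frame. For CLIP_LLC_SNAP, *ethertype receives the
 * SNAP protocol ID (bytes 6-7); in every other case it is set to 0.
 */
enum clip_encap classify_clip(const uint8_t *p, size_t caplen, uint16_t *ethertype)
{
    *ethertype = 0;
    /* Prefix EQUAL to the LLC+SNAP bytes means the header is present. */
    if (caplen >= 8 && memcmp(p, llc_snap_prefix, sizeof llc_snap_prefix) == 0) {
        *ethertype = (uint16_t)((p[6] << 8) | p[7]);
        return CLIP_LLC_SNAP;
    }
    /* Null encapsulation: the frame starts directly with an IPv4 header
     * (version nibble 4, header length of at least 5 32-bit words). */
    if (caplen >= 1 && (p[0] >> 4) == 4 && (p[0] & 0x0f) >= 5)
        return CLIP_NULL_IPV4;
    return CLIP_UNKNOWN;
}

/* The six bytes tcpdump printed in the quoted output. */
static const uint8_t page_frame[6] = { 0x45, 0x00, 0x02, 0x1c, 0x00, 0x00 };

/* Constructed sample: LLC/SNAP, ethertype 0x0800, start of an IP header. */
static const uint8_t llc_frame[10] = {
    0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, 0x45, 0x00
};

int main(void)
{
    uint16_t et;
    enum clip_encap kind = classify_clip(page_frame, sizeof page_frame, &et);
    printf("page frame: kind=%d\n", kind);
    kind = classify_clip(llc_frame, sizeof llc_frame, &et);
    printf("llc frame:  kind=%d ethertype=0x%04x\n", kind, (unsigned)et);
    return 0;
}
```

The bytes from the quoted output classify as null encapsulation, which matches the observation that the LLC header is being stripped before the frame reaches the capture.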