tcpdump mailing list archives

Re: Patches for wlan filtering


From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
Date: Tue, 6 Nov 2007 10:22:30 -0800


----- Original Message -----
From: "Guy Harris" <guy () alum mit edu>
To: <tcpdump-workers () lists tcpdump org>
Sent: Monday, November 05, 2007 6:12 PM
Subject: Re: [tcpdump-workers] Patches for wlan filtering



On Nov 5, 2007, at 2:49 PM, Gianluca Varenni wrote:

I plan to compare this with the old version with the three possible link layers (bare 802.11, radiotap, PPI)

Actually, there are also 802.11+Prism radio header and 802.11+AVS radio header; I have some captures with, I think, all of those except for PPI, and will do some tests with those (I looked at the generated code for "tcp" for 802.11 and 802.11+radiotap, and checked the generated code for 802.11+Prism and 802.11+AVS to make sure the code to compute the offsets added in the fixed length of the radio header).

I've uploaded a PPI capture on the wireshark wiki at

http://wiki.wireshark.org/SampleCaptures#head-8200ea41fe91ebefa1b6ea9f86d344c290241276

The capture contains an HTTP session captured on an 802.11n network. What's important is that
- the capture uses the PPI encapsulation
- the DATA frames contain the QoS field

I just tried filtering the file ("ip") with the new wlan filtering code you committed, and it doesn't work properly, while the code I submitted works ok. I'm now examining the differences in the generated BPF code. At the moment, I have already noticed that the new BPF code doesn't check the link-type in the PPI header properly: the check against the linktype should be done before checking if the frame is a data frame. This issue should not cause the filter to fail in the sample capture, anyway.

[working BPF code, WinPcap 4.1beta]
(000) ldb      [3]
(001) lsh      #8
(002) tax
(003) ldb      [2]
(004) or       x
(005) st       M[0]
(006) tax
(007) ld       [4]
(008) jeq      #0x69000000      jt 9    jf 26
(009) ldx      M[0]
(010) ldb      [x + 0]
(011) jset     #0x4             jt 26   jf 12
(012) ldx      M[0]
(013) ldb      [x + 0]
(014) jset     #0x8             jt 15   jf 26
(015) ldx      M[0]
(016) ldb      [x + 0]
(017) jset     #0x8             jt 18   jf 23
(018) jset     #0x4             jt 23   jf 19
(019) jset     #0x80            jt 20   jf 23
(020) ld       #0x2
(021) add      x
(022) tax
(023) ldh      [x + 30]
(024) jeq      #0x800           jt 25   jf 26
(025) ret      #65535
(026) ret      #0

[new BPF code, CVS snapshot. Not working]
(000) ldb      [3]
(001) lsh      #8
(002) tax
(003) ldb      [2]
(004) or       x
(005) st       M[0]
(006) tax
(007) txa
(008) add      #24
(009) st       M[1]
(010) ldb      [x + 0]
(011) jset     #0x8             jt 12   jf 17
(012) jset     #0x4             jt 17   jf 13
(013) jset     #0x80            jt 14   jf 17
(014) ld       #0x2
(015) add      x
(016) st       M[1]
(017) ld       [4]
(018) jeq      #0x69000000      jt 19   jf 29   <=== this should be done before (010)
(019) ldx      M[0]
(020) ldb      [x + 0]
(021) jset     #0x4             jt 29   jf 22
(022) ldx      M[0]
(023) ldb      [x + 0]
(024) jset     #0x8             jt 25   jf 29
(025) ldx      M[1]
(026) ldh      [x + 6]
(027) jeq      #0x800           jt 28   jf 29
(028) ret      #65535
(029) ret      #0


Have a nice day
GV
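To make the mismatch concrete, here is an added example (editor's code, not part of the thread or of libpcap/WinPcap): a small interpreter for the two BPF listings quoted above, run over constructed PPI-encapsulated 802.11 data frames. The old listing accepts both the plain and the QoS data frame, while the new one rejects the QoS frame, because its QoS branch (014)-(016) stores pph_len + 2 in M[1] instead of pph_len + 26, so the `ldh [x+6]` at (026) reads from inside the 802.11 header. `run_bpf` and `ppi_data_frame` are names chosen here; the frames assume a minimal 8-byte PPI header with no fields and a data frame with no fourth address.

```python
import struct
def run_bpf(listing, pkt):
    """Run a classic-BPF program in 'tcpdump -d' syntax (instructions may be packed
    several per line, ';'-separated) over pkt and return its ret value."""
    prog = [i.split() for l in listing.splitlines() for i in l.split(";") if i.strip()]
    a = x = pc = 0
    mem = [0] * 16                                      # scratch memory M[0..15]
    val = lambda t: int(t.lstrip("#"), 0)               # "#0x800", "#24", "3" ...
    def load(t, n):                                     # "[k]" or "[x+k]", big-endian
        off = t.strip("[]")
        off = x + val(off[2:]) if off[0] == "x" else val(off)
        return int.from_bytes(pkt[off:off + n], "big")
    while True:
        op, *arg = prog[pc]
        pc += 1
        if op == "ret":               return val(arg[0])
        elif op in ("ldb", "ldh"):    a = load(arg[0], 1 if op == "ldb" else 2)
        elif op == "ld":   a = val(arg[0]) if arg[0][0] == "#" else load(arg[0], 4)
        elif op == "lsh":  a = (a << val(arg[0])) & 0xFFFFFFFF
        elif op == "tax":  x = a
        elif op == "txa":  a = x
        elif op == "st":   mem[int(arg[0][2])] = a      # "M[0]" -> slot 0
        elif op == "ldx":  x = mem[int(arg[0][2])]
        elif op == "or":   a |= x
        elif op == "add":  a += x if arg[0] == "x" else val(arg[0])
        else:  # jeq / jset: "#k jt N jf M" with absolute targets, as tcpdump -d prints
            hit = (a == val(arg[0])) if op == "jeq" else (a & val(arg[0]))
            pc = int(arg[2]) if hit else int(arg[4])

# The two listings from the message above, re-typed with several instructions per line.
PRO = "ldb [3]; lsh #8; tax; ldb [2]; or x; st M[0]; tax\n"   # (000)-(006): M[0] = X = pph_len
OLD = PRO + """ld [4]; jeq #0x69000000 jt 9 jf 26
ldx M[0]; ldb [x+0]; jset #0x4 jt 26 jf 12; ldx M[0]; ldb [x+0]; jset #0x8 jt 15 jf 26
ldx M[0]; ldb [x+0]; jset #0x8 jt 18 jf 23; jset #0x4 jt 23 jf 19; jset #0x80 jt 20 jf 23
ld #0x2; add x; tax; ldh [x+30]; jeq #0x800 jt 25 jf 26; ret #65535; ret #0"""
NEW = PRO + """txa; add #24; st M[1]; ldb [x+0]; jset #0x8 jt 12 jf 17
jset #0x4 jt 17 jf 13; jset #0x80 jt 14 jf 17; ld #0x2; add x; st M[1]
ld [4]; jeq #0x69000000 jt 19 jf 29; ldx M[0]; ldb [x+0]; jset #0x4 jt 29 jf 22
ldx M[0]; ldb [x+0]; jset #0x8 jt 25 jf 29; ldx M[1]; ldh [x+6]; jeq #0x800 jt 28 jf 29
ret #65535; ret #0"""

def ppi_data_frame(qos, dlt=105):
    """Constructed frame (not from the wiki capture): minimal 8-byte PPI header
    (version 0, flags 0, pph_len 8, pph_dlt 105 = LINKTYPE_IEEE802_11), 802.11 data
    frame with ToDS set (no 4th address), optional QoS Control, LLC/SNAP, IPv4."""
    fc0 = 0x88 if qos else 0x08                         # type = data; 0x80 = QoS-data subtype
    hdr = bytes([fc0, 0x01, 0, 0]) + bytes.fromhex("001122334455" * 3) + bytes(2)
    return (struct.pack("<BBHI", 0, 0, 8, dlt) + hdr + (bytes(2) if qos else b"")
            + bytes.fromhex("aaaa03000000" "0800") + b"\x45" + bytes(19))
```

Passing `dlt=1` shows that both programs still reject a non-802.11 PPI packet, so the ordering problem noted above does not produce a false match here; it only means the new program reads the frame-control byte before it knows the payload is 802.11.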





-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
