Re: Printing PPI packets

[Guy Harris <guy () alum mit edu>]

On Apr 8, 2011, at 7:51 PM, Darren Reed <darren.reed () oracle com> wrote:

> Printing PPI packets with tcpdump does not turn out
> to be that hard.
>
> My simple tests have produced the output as below.

Your simple tests were with invalid PPI files; as the PPI spec:

        http://www.cacetech.com/documents/PPI%20Header%20format%201.0.7.pdf

says:

        Multi-byte integers in the packet header and field headers MUST be stored as little-endian. The endianness of 
field data may be either big- or little-endian, and MUST be noted in the field description. The total length of the 
packet header plus all field headers and field data MUST be padded to a 32-bit boundary.

and the code does

        len = EXTRACT_16BITS(&hdr->ppi_len);
        dlt = EXTRACT_32BITS(&hdr->ppi_dlt);

which treats the fields in the packet header as big-endian, not little-endian, so...

> 19:20:51.470264 , DLT IPV4 (228) len 0, length 76: ip: (tos 0x0, ttl 255, id 509, offset 0, flags [+, DF], proto ICMP 
> (1), length 68)
>   1.1.1.1 > 1.1.1.2: ICMP echo request, id 35462, seq 3, length 48
>       0x0000:  0000 0000 0000 00e4 4500 0044 01fd 6000
>       0x0010:  ff01 55b7 0101 0101 0101 0102 0800 45bd
>       0x0020:  8a86 0003 4d9f c283 0007 2c8c 0809 0a0b
>       0x0030:  0c0d 0e0f 1011 1213 1415 1617 1819 1a1b
>       0x0040:  1c1d 1e1f 2021 2223 2425 2627

...if that packet really had 0x00 0xE4 rather than 0xE4 0x00 in the DLT field, that packet has a DLT value of 58368, 
which is not a currently-assigned LINKTYPE_/DLT_ value.

I've checked a fix in to treat the length and DLT values as little-endian.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers