Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"pppoes" filter for IEEE802_11_RADIO link: invalid bpf code generated! #834

Open
aliemjay opened this issue Aug 14, 2019 · 1 comment · May be fixed by #835
Open

"pppoes" filter for IEEE802_11_RADIO link: invalid bpf code generated! #834

aliemjay opened this issue Aug 14, 2019 · 1 comment · May be fixed by #835
Labels
BPF related

Comments

@aliemjay
Copy link

aliemjay commented Aug 14, 2019
edited
Loading

Hello,

I noticed that "pppoes" filter fails to capture PPPoES from IEEE_802_11_RADIO link type.

tcpdump fails with the following message when trying a live capture:


root@host:~# tcpdump -i mon0 pppoes
Warning: Kernel filter failed: Invalid argument
tcpdump: can't remove kernel filter: No such file or directory

Examining the BPF code clearly shows that M[0] is never set and, yet, is loaded at (20):


root@host:~# tcpdump -i mon0 -d pppoes
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[1]
(006) tax      
(007) txa      
(008) add      #24
(009) st       M[1]
(010) ldb      [x + 0]
(011) jset     #0x8             jt 12   jf 17
(012) jset     #0x4             jt 17   jf 13
(013) jset     #0x80            jt 14   jf 17
(014) ld       M[1]
(015) add      #2
(016) st       M[1]
(017) ldx      M[0]
(018) ldb      [x + 0]
(019) jset     #0x4             jt 27   jf 20
(020) ldx      M[0]
(021) ldb      [x + 0]
(022) jset     #0x8             jt 23   jf 27
(023) ldx      M[1]
(024) ldh      [x + 6]
(025) jeq      #0x8864          jt 26   jf 27
(026) ret      #262144
(027) ret      #0


root@host:~# tcpdump --version
tcpdump version 4.9.2
libpcap version 1.10.0-PRE-GIT (with TPACKET_V3)
OpenSSL 1.1.1b  26 Feb 2019
@aliemjay aliemjay linked a pull request Aug 14, 2019 that will close this issue
Open
@infrastation infrastation changed the title "pppoes" filter for IEEE_802_11_RADIO link: invalid bpf code generated! "pppoes" filter for IEEE802_11_RADIO link: invalid bpf code generated! Sep 7, 2024
@infrastation
Copy link
Member

As far as the bytecode goes, the problem still stands for the current master branch (note the correct spelling of the DLT):

tcpdump -d -y IEEE802_11_RADIO pppoes
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[1]
(006) tax      
(007) txa      
(008) add      #24
(009) st       M[1]
(010) ldb      [x + 0]
(011) jset     #0x8             jt 12	jf 17
(012) jset     #0x4             jt 17	jf 13
(013) jset     #0x80            jt 14	jf 17
(014) ld       M[1]
(015) add      #2
(016) st       M[1]
(017) ldx      M[0]
(018) ldb      [x + 0]
(019) jset     #0x4             jt 27	jf 20
(020) ldx      M[0]
(021) ldb      [x + 0]
(022) jset     #0x8             jt 23	jf 27
(023) ldx      M[1]
(024) ldh      [x + 6]
(025) jeq      #0x8864          jt 26	jf 27
(026) ret      #262144
(027) ret      #0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
BPF related
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix "pppoes" filter for links with variable-length prefix to link header aliemjay/libpcap
3 participants
@mcr @infrastation @aliemjay