Hi,
I have attached to this mail the nrm packet pcap trace.

Here with the non patched tcpdump:

# tcpdump -i eth0 -vvv -XX -e ip proto egp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68
bytes
16:11:43.836584 00:11:09:01:bd:75 > 00:08:54:16:c8:0e, ethertype IPv4
(0x0800), length 44: IP (tos 0x0, ttl 255, id 666, offset 0, flags [none],
length: 30) 63.251.83.56 > localhost: [|egp]
        0x0000:  0008 5416 c80e 0011 0901 bd75 0800 4500  ..T........u..E.
        0x0010:  001e 029a 0000 ff08 a709 3ffb 5338 7f00  ..........?.S8..
        0x0020:  0001 0205 0100 fcee 0006 0006            ............

But I am working on an EGP packet generator, and if I send the same
packet with 6 bytes containing nothing at the end of the packet,
it looks like this:

#tcpdump -i eth0 -vvv -XX -e ip proto egp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68
bytes
16:07:10.109633 00:11:09:01:bd:75 > 00:08:54:16:c8:0e, ethertype IPv4
(0x0800), length 50: IP (tos 0x0, ttl 255, id 666, offset 0, flags [none],
length: 36) 63.251.83.56 > localhost: egp: as:6 seq:6 i-h-u
state:indeterminate
        0x0000:  0008 5416 c80e 0011 0901 bd75 0800 4500  ..T........u..E.
        0x0010:  0024 029a 0000 ff08 a703 3ffb 5338 7f00  .$........?.S8..
        0x0020:  0001 0205 0100 fcee 0006 0006 0000 0000  ................
        0x0030:  0000                                     ..

We can see the flags as, seq, code and state with the correct value.

Now with the patch:

# ./tcpdump -i eth0 -vvv -XX -e ip proto egp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68
bytes
16:11:04.680417 00:11:09:01:bd:75 > 00:08:54:16:c8:0e, ethertype IPv4
(0x0800), length 44: IP (tos 0x0, ttl 255, id 666, offset 0, flags [none],
length: 30) 63.251.83.56 > localhost: egp: as:6 seq:6 i-h-u
state:indeterminate
        0x0000:  0008 5416 c80e 0011 0901 bd75 0800 4500  ..T........u..E.
        0x0010:  001e 029a 0000 ff08 a709 3ffb 5338 7f00  ..........?.S8..
        0x0020:  0001 0205 0100 fcee 0006 0006            ............

I have included the pcap capture for the first case (because the last
capture is the same).
There is maybe another way to patch print-egp.c: I think if you had a
void * in both unions of the egp packet structure, the sizeof on the egp
struct could be correct.

I hope it will be sufficient.

Nicolas FERRERO




> nicolas,
>
> i would be grateful if you could send me a .pcap trace of an EGP packet
> that we can add to the test section;
>
> /hannes
>
> On Fri, Jan 07, 2005 at 07:45:32PM +0100, [EMAIL PROTECTED] wrote:
> |
> | Hi,
> | There is a bug in the egp_print function from print-egp.c.
> | tcpdump doesn't print correct EGP packets smaller than 32 bytes, because
> | their size was inferior to the egp struct size.
> | Here you'll find the patch.
> | I have posted it on SourceForge, but I don't know how the sf patch
> | submitting system works.
> | So I send it to this mailing list.
> | I hope it's the appropriate place...
> | Will the patch be integrated into the next version of tcpdump?
> |
> | Nicolas FERRERO
> |
> |
> | diff -urN tcpdump-3.8.3/interface.h tcpdump/interface.h
> | --- tcpdump-3.8.3/interface.h       2004-03-17 20:47:48.000000000 +0100
> | +++ tcpdump/interface.h     2004-12-23 03:48:12.796318448 +0100
> | @@ -216,7 +216,7 @@
> |  extern void default_print(const u_char *, u_int);
> |  extern void default_print_unaligned(const u_char *, u_int);
> |  extern void dvmrp_print(const u_char *, u_int);
> | -extern void egp_print(const u_char *);
> | +extern void egp_print(const u_char *, u_int);
> |  extern u_int enc_if_print(const struct pcap_pkthdr *, const u_char *);
> | extern u_int pflog_if_print(const struct pcap_pkthdr *, const u_char *);
> | extern u_int arcnet_if_print(const struct pcap_pkthdr *, const u_char
> *);
> | diff -urN tcpdump-3.8.3/print-egp.c tcpdump/print-egp.c
> | --- tcpdump-3.8.3/print-egp.c       2003-11-16 09:51:18.000000000 +0100
> | +++ tcpdump/print-egp.c     2004-12-23 04:51:21.991273256 +0100
> | @@ -214,7 +214,7 @@
> |  }
> |
> |  void
> | -egp_print(register const u_int8_t *bp)
> | +egp_print(register const u_int8_t *bp, register u_int length)
> |  {
> |     register const struct egp_packet *egp;
> |     register int status;
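Review bot: the definition of egp_print takes `register const u_int8_t *bp`, while the interface.h prototype changed in this same patch declares `const u_char *`; use one spelling of the pointer type in both places so declaration and definition match textually. The new `length` parameter also has no comment saying whether it is the message length taken from the IP layer or the number of captured bytes, and the bounds check further down depends on that distinction.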
> | @@ -222,7 +222,7 @@
> |     register int type;
> |
> |     egp = (struct egp_packet *)bp;
> | -   if (!TTEST(*egp)) {
> | +   if (!TTEST2(*egp, length)) {
> |             printf("[|egp]");
> |             return;
> |     }
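Review bot: `TTEST2(*egp, length)` requires all `length` bytes of the EGP message to lie inside the captured data, so with the capture size of 68 shown in the traces any EGP message longer than the snapshot keeps will print `[|egp]` even though the header fields (as, seq, code, state) were captured in full. Nothing here rejects a `length` smaller than the fixed header either, so the fields read through `egp` afterwards are not covered by the test in that case. Suggest testing a fixed minimum header size instead of `length`, printing `[|egp]` when `length` is below that minimum, and bounds-checking the type-specific parts where they are parsed.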
> | diff -urN tcpdump-3.8.3/print-ip.c tcpdump/print-ip.c
> | --- tcpdump-3.8.3/print-ip.c        2004-03-24 10:01:39.000000000 +0100
> | +++ tcpdump/print-ip.c      2004-12-23 03:47:18.108632240 +0100
> | @@ -551,7 +551,7 @@
> |                     break;
> |
> |             case IPPROTO_EGP:
> | -                   egp_print(cp);
> | +                   egp_print(cp, len);
> |                     break;
> |
> |             case IPPROTO_OSPF:
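Review bot: at the `egp_print(cp, len)` call the hunk does not show what `len` holds at this point in the switch. egp_print now uses it as the size of the EGP message, so it has to be the IP payload length with the IP header already subtracted (10 bytes for the 30-byte datagram in the trace), not the IP total length. Please confirm that and say so in a comment at the call or above egp_print.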
> |
> |
> |
> |
> |
> | -
> | This is the tcpdump-workers list.
> | Visit https://lists.sandelman.ca/ to unsubscribe.
> |
>
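The bounds-check problem discussed in this thread, as an added C example (not code from the mail or from tcpdump): it runs a whole-struct check, a whole-message check and a fixed-header check against the 10-byte EGP payload from the first trace. The struct layout and all function names are hypothetical, constructed so the sizes match the 10-byte packet and the 32-byte struct mentioned above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the printer's packet struct (hypothetical layout, constructed
 * so the sizes match the thread: 10-byte fixed header, 32 bytes in total). */
struct egp_hdr { uint8_t version, type, code, status; uint16_t sum, as, seq; };
struct egp_msg {
    struct egp_hdr h;
    union { uint8_t update_body[22]; uint16_t hello_intervals[2]; } u;
};

enum verdict { EGP_OK, EGP_TRUNCATED };
struct egp_info { uint8_t type, code, status; uint16_t as, seq; };

/* Shape of the unpatched test: the whole struct, union included, must be
 * captured, so a valid 10-byte message is reported as truncated. */
enum verdict check_whole_struct(size_t caplen) {
    return caplen >= sizeof(struct egp_msg) ? EGP_OK : EGP_TRUNCATED;
}

/* Shape of the patched test: every byte of the message (wire_len) must be
 * captured, so a long message cut by the snapshot length is rejected. */
enum verdict check_whole_message(size_t wire_len, size_t caplen) {
    return caplen >= wire_len ? EGP_OK : EGP_TRUNCATED;
}

/* Header-sized test: only the fields that get printed must be present, both
 * on the wire and in the capture; fields are read bytewise (big-endian). */
enum verdict parse_fixed_header(const uint8_t *p, size_t wire_len,
                                size_t caplen, struct egp_info *out) {
    const size_t need = sizeof(struct egp_hdr);   /* 10 bytes */
    if (wire_len < need || caplen < need)
        return EGP_TRUNCATED;
    out->type = p[1]; out->code = p[2]; out->status = p[3];
    out->as  = (uint16_t)(p[6] << 8 | p[7]);
    out->seq = (uint16_t)(p[8] << 8 | p[9]);
    return EGP_OK;
}

/* EGP payload of the first trace above (bytes after the 20-byte IP header). */
static const uint8_t trace_payload[10] = {2, 5, 1, 0, 0xfc, 0xee, 0, 6, 0, 6};

int main(void) {
    struct egp_info i = {0};
    int hdr = parse_fixed_header(trace_payload, 10, 10, &i);
    printf("struct:%d message:%d header:%d as:%u seq:%u\n",
           check_whole_struct(10), check_whole_message(10, 10), hdr, i.as, i.seq);
    return 0;
}
```

With a 68-byte capture size, 34 bytes of IP payload are kept, which is the case where the whole-message and fixed-header checks disagree.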
