-
Notifications
You must be signed in to change notification settings - Fork 861
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libpcap doesn't adjust for eth priority tag when filtering for other fields? #1256
Comments
That would be ideal, but it means more complicated BPF code, which also means more complicated compiler code, so it's not easy to do. (And it would be even more complicated if it had to handle an arbitrary number of tags, given that it would involve looping BPF code), but, fortunately, that probably wouldn't be necessary.) |
I think storing the "stack pointer" (what offset into a packet the BPF references relative to) and restoring it when writing hierarchical filter code would already go a long way. Currently, every mention of "vlan" seems to shift this offset to the right by 2 bytes, but even if enclosed in brackets, the previous offset is not restored. From memory, something like "host1 or (vlan 10 and host2) or (vlan 20 and host3)" will match host1 only on untagged traffic (maybe also in a Q-tagged, but IIRC the vlan token stops that internal extended match), host2 with one Q tag, and host3 only with 2 successive Q-tags, and every instance of "vlan" shifts the offset right by 2... Not 100% sure though, but there was definitly something amiss with the "vlan" token and the handling of the offset beyond the current scope of the expression. |
With regard to the original problem, there is a certain sense behind the current implementation: in the packet above the EtherType is 802.1Q, not IPv4 or IPv6, and the 802.1Q header is present, as far as the stack of headers goes. The VLAN ID equals 0, which indeed demands particular semantics in processing of the packet, but not at the encoding level, where BPF operates. Wireshark seems to define its "host" filter to chase certain headers, but BPF does not (not with the current syntax, anyway). So if you consider the expected behaviour and the observed behaviour, it may make more sense, separately in Wireshark filters and separately in BPF. That said, the current expected behaviour of |
While working on some improvements with the freebsd iscsi initiator - which offers among other things the capability to set the
IP DSCP and Eth PCP specifically, I found that
would only capture relevant packets, when no vlan tag was present; when the PCP is set, and a packet is sent with the special vlan id 0
in the vlan header (on a non-tagged interface, if that plays a role), the filter would not capture the packet.
I suspect that "untagged" but prioritized Ethernet traffic (signified by the presence of a vlan tag header, but the vlan ID equals 0) is
not special cased in the BPF code.
Capturing with
tcpdump -i en0 vlan
would capture the frames.So the capture point does provide the relevant packets, it's just not matched properly...
Shouldn't a filter for "host " capture both tagged and untagged traffic? (and tread vlan 0 not different from vlans 1..4094 or even 4095)?
Wireshark, filtered to the relevant host, captures/shows the Priority Tagged Frame just fine:
The text was updated successfully, but these errors were encountered: