the-tcpdump-group / libpcap

the LIBpcap interface to various kernel packet capture mechanism
https://www.tcpdump.org/

"pppoes" filter for IEEE802_11_RADIO link: invalid bpf code generated! #834

Open aliemjay opened 5 years ago

aliemjay commented 5 years ago

Hello,

I noticed that "pppoes" filter fails to capture PPPoES from IEEE_802_11_RADIO link type.

tcpdump fails with the following message when trying a live capture:


root@host:~# tcpdump -i mon0 pppoes
Warning: Kernel filter failed: Invalid argument
tcpdump: can't remove kernel filter: No such file or directory

Examining the BPF code clearly shows that M[0] is never set and, yet, is loaded at (20):

root@host:~# tcpdump -i mon0 -d pppoes
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[1]
(006) tax      
(007) txa      
(008) add      #24
(009) st       M[1]
(010) ldb      [x + 0]
(011) jset     #0x8             jt 12   jf 17
(012) jset     #0x4             jt 17   jf 13
(013) jset     #0x80            jt 14   jf 17
(014) ld       M[1]
(015) add      #2
(016) st       M[1]
(017) ldx      M[0]
(018) ldb      [x + 0]
(019) jset     #0x4             jt 27   jf 20
(020) ldx      M[0]
(021) ldb      [x + 0]
(022) jset     #0x8             jt 23   jf 27
(023) ldx      M[1]
(024) ldh      [x + 6]
(025) jeq      #0x8864          jt 26   jf 27
(026) ret      #262144
(027) ret      #0

root@host:~# tcpdump --version
tcpdump version 4.9.2
libpcap version 1.10.0-PRE-GIT (with TPACKET_V3)
OpenSSL 1.1.1b  26 Feb 2019

infrastation commented 2 months ago

As far as the bytecode goes, the problem still stands for the current master branch (note the correct spelling of the DLT):

tcpdump -d -y IEEE802_11_RADIO pppoes
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[1]
(006) tax      
(007) txa      
(008) add      #24
(009) st       M[1]
(010) ldb      [x + 0]
(011) jset     #0x8             jt 12   jf 17
(012) jset     #0x4             jt 17   jf 13
(013) jset     #0x80            jt 14   jf 17
(014) ld       M[1]
(015) add      #2
(016) st       M[1]
(017) ldx      M[0]
(018) ldb      [x + 0]
(019) jset     #0x4             jt 27   jf 20
(020) ldx      M[0]
(021) ldb      [x + 0]
(022) jset     #0x8             jt 23   jf 27
(023) ldx      M[1]
(024) ldh      [x + 6]
(025) jeq      #0x8864          jt 26   jf 27
(026) ret      #262144
(027) ret      #0
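An added example, not part of the issue and not libpcap's or tcpdump's own code: a small checker that parses a `tcpdump -d` listing like the two above and flags every `ld`/`ldx M[k]` that some path can reach without a preceding `st`/`stx M[k]`. It uses the same forward mask-propagation idea the Linux classic-BPF checker applies when it rejects such a program with "Invalid argument" (this is a reimplementation from memory, so exact agreement with the kernel is an assumption). The embedded listing is copied from the issue; handling of `ja` assumes `bpf_image()` prints its target as an absolute instruction number, which this listing does not exercise.

```python
import re
from typing import List, Tuple

# The bytecode from the issue (tcpdump -d output), embedded as sample input.
ISSUE_LISTING = """
(000) ldb      [3]
(001) lsh      #8
(002) tax
(003) ldb      [2]
(004) or       x
(005) st       M[1]
(006) tax
(007) txa
(008) add      #24
(009) st       M[1]
(010) ldb      [x + 0]
(011) jset     #0x8             jt 12   jf 17
(012) jset     #0x4             jt 17   jf 13
(013) jset     #0x80            jt 14   jf 17
(014) ld       M[1]
(015) add      #2
(016) st       M[1]
(017) ldx      M[0]
(018) ldb      [x + 0]
(019) jset     #0x4             jt 27   jf 20
(020) ldx      M[0]
(021) ldb      [x + 0]
(022) jset     #0x8             jt 23   jf 27
(023) ldx      M[1]
(024) ldh      [x + 6]
(025) jeq      #0x8864          jt 26   jf 27
(026) ret      #262144
(027) ret      #0
"""

INSN_RE = re.compile(r"^\((\d+)\)\s+(\w+)\s*(.*?)\s*$")
MEM_RE = re.compile(r"^M\[(\d+)\]$")
COND_JMP_RE = re.compile(r"jt\s+(\d+)\s+jf\s+(\d+)")
BPF_MEMWORDS = 16  # classic BPF has 16 scratch slots, M[0] .. M[15]


def parse_listing(text: str) -> List[Tuple[str, str]]:
    """Turn a `tcpdump -d` listing into (mnemonic, operand) pairs.
    Non-instruction lines (shell prompts, version banners) are skipped."""
    insns: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        m = INSN_RE.match(raw.strip())
        if not m:
            continue
        pc, op, arg = int(m.group(1)), m.group(2), m.group(3)
        if pc != len(insns):
            raise ValueError(f"instruction {pc} out of sequence")
        insns.append((op, arg))
    return insns


def find_uninitialized_loads(insns: List[Tuple[str, str]]) -> List[Tuple[int, int]]:
    """Return [(pc, slot)] for each ld/ldx M[slot] reachable on some path
    without an earlier st/stx M[slot].  Classic BPF only jumps forward, so one
    pass suffices: 'valid' is the set of slots stored on the current
    fallthrough path, and each jump ANDs that set into its targets' entry masks."""
    n = len(insns)
    all_slots = (1 << BPF_MEMWORDS) - 1
    masks = [all_slots] * n   # intersection of 'valid' sets arriving via jumps
    valid = 0                 # nothing is stored when the program starts
    problems: List[Tuple[int, int]] = []
    for pc, (op, arg) in enumerate(insns):
        valid &= masks[pc]
        mem = MEM_RE.match(arg)
        if op in ("st", "stx") and mem:
            valid |= 1 << int(mem.group(1))
        elif op in ("ld", "ldx") and mem:
            slot = int(mem.group(1))
            if not valid & (1 << slot):
                problems.append((pc, slot))
        elif op == "ja":
            # Assumption: bpf_image() prints the absolute target for `ja`.
            target = int(arg)
            if target >= n:
                raise ValueError(f"jump target {target} out of range at {pc}")
            masks[target] &= valid
            valid = all_slots  # pc+1 is reachable only through other jumps
        elif op.startswith("j"):  # jeq/jgt/jge/jset carry two explicit targets
            cj = COND_JMP_RE.search(arg)
            if cj is None:
                raise ValueError(f"cannot parse jump at {pc}: {arg}")
            for target in (int(cj.group(1)), int(cj.group(2))):
                if target >= n:
                    raise ValueError(f"jump target {target} out of range at {pc}")
                masks[target] &= valid
            valid = all_slots
        elif op == "ret":
            valid = all_slots  # no fallthrough after a return either
    return problems


def report(text: str) -> List[str]:
    """Human-readable findings, one line per offending instruction."""
    insns = parse_listing(text)
    return [f"({pc:03d}) {insns[pc][0]} M[{slot}]: M[{slot}] is not stored on every path to this instruction"
            for pc, slot in find_uninitialized_loads(insns)]


if __name__ == "__main__":
    for line in report(ISSUE_LISTING) or ["no uninitialized scratch-memory loads"]:
        print(line)
```

Run against the listing from the issue it reports instructions (017) and (020), both `ldx M[0]`, which is exactly why the kernel refused to install the filter. The same script can be pointed at any other `tcpdump -d` output to confirm a regenerated program no longer reads an unset slot.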