On Wed, 2008-11-12 at 13:39 -0500, Sebastien Roy wrote:
> On Tue, 2008-11-11 at 18:44 -0500, Peter Memishian wrote:
> > So am I missing something here, or do none of the primitives in
> > snoop_filter.c know about IP observability devices? For instance,
> > I tried to use "snoop -I ipmp0 dhcp", which didn't work -- but
> > "snoop -I ipmp0 udp port 67 or udp port 68" worked fine. Looking at
> > snoop_capture.c, it seems that most of the cases in primary() assume
> > a link-layer header (indeed, many of the options make no sense *without* a
> > link-layer header) and thus get confused.
>
> As far as snoop is concerned, the ipnet header is the link-layer header.
> I'll need to look further into this...

I've found the problem and have come up with a fix which I've tested. The
problem was with the protocol version matching in the ipnet header. The
protocol field isn't a 2-byte field at offset 0, but a 1-byte field at
offset 1.

http://zhadum.east/ws/seb/seb-onfix/webrev/

I'd like to get both of these fixes RTI'ed today if possible. Meem, can you
look this over? I believe that Phil is offline at this point. Phil has
already reviewed the fix to 6770479 in snoop_pf.c, so what's left to be
reviewed is the fix to 6770744 in snoop_filter.c and snoop_ether.c.

-Seb
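
Added example, not part of the original message and not code from snoop: a minimal field matcher showing why a 2-byte compare at offset 0 misses a value that lives in a 1-byte field at offset 1. The function names, the header bytes and the constants `HDR_VERSION`, `PROTO_IPV4` and `PROTO_IPV6` are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed values for illustration; not taken from the snoop source. */
#define HDR_VERSION 1	/* byte 0: header version (constructed) */
#define PROTO_IPV4  4	/* byte 1: protocol version (constructed) */
#define PROTO_IPV6  6

/*
 * Load a big-endian field of `width` bytes at `off`. Returns 0 on success,
 * -1 if the field would run past the captured length.
 */
static int load_field(const uint8_t *pkt, size_t len, size_t off,
    size_t width, uint32_t *out)
{
	uint32_t v = 0;

	if (width == 0 || width > 4 || off > len || width > len - off)
		return -1;
	for (size_t i = 0; i < width; i++)
		v = (v << 8) | pkt[off + i];
	*out = v;
	return 0;
}

/* Before: treats the protocol version as a 2-byte field at offset 0. */
int match_proto_wide(const uint8_t *pkt, size_t len, uint32_t want)
{
	uint32_t got;

	/* Byte 0 is folded into the value, so it never equals `want`. */
	return load_field(pkt, len, 0, 2, &got) == 0 && got == want;
}

/* After: 1-byte field at offset 1, as described in the message. */
int match_proto_fixed(const uint8_t *pkt, size_t len, uint32_t want)
{
	uint32_t got;

	return load_field(pkt, len, 1, 1, &got) == 0 && got == want;
}

/* Constructed sample headers; only the first two bytes matter here. */
const uint8_t sample_v4[] = { HDR_VERSION, PROTO_IPV4, 0x00, 0x00 };
const uint8_t sample_v6[] = { HDR_VERSION, PROTO_IPV6, 0x00, 0x00 };
```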
