--On Tuesday, June 07, 2005 5:23 PM -0500 Burton Strauss
<[EMAIL PROTECTED]> wrote:

> Every subnetwork has a broadcast address; it's the all 1s. So
> 192.168.0.0/24's broadcast is 192.168.0.255 etc. Also 255.255.255.255 is
> used.

I believe the issue is in libpcap's gen_broadcast. Using tcpdump to view
the generated filter, I see this:

    [EMAIL PROTECTED] root]# tcpdump ip broadcast -d -O
    (000) ldh      [12]
    (001) jeq      #0x800           jt 2    jf 9
    (002) ld       [30]
    (003) and      #0xf000000
    (004) jeq      #0x0             jt 8    jf 5
    (005) ld       [30]
    (006) and      #0xf000000
    (007) jeq      #0xf000000       jt 8    jf 9
    (008) ret      #96
    (009) ret      #0

The first two instructions make sure it's IP over Ethernet. The remaining
stuff looks for all zeros or all ones in the low 4 bits of a /28
destination address. (The source address isn't considered.) What's missing
is a check that the destination address is in the same subnet, by comparing
the netmasked address with the netmasked interface address. So any remote
address with all zeros or all ones in the low 4 bits gets reported as a
broadcast.

Ntop mailing list
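
The subnet comparison the message above describes as missing, written out as an added example (not libpcap's code and not part of the original post). The function names, the 192.168.0.17/28 interface and the sample destinations are constructed for illustration; addresses are assumed to be in host byte order, and the /31 and /32 case is handled as well since those prefixes have no directed broadcast.

```c
#include <stdint.h>
#include <stdio.h>

/* Addresses and masks are IPv4 values in host byte order. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Host-bits-only test, like the dumped filter: no subnet comparison. */
static int host_bits_only(uint32_t dst, uint32_t netmask)
{
    uint32_t hostmask = ~netmask;
    return (dst & hostmask) == 0 || (dst & hostmask) == hostmask;
}

/* Same test plus the comparison the post says is missing (hypothetical helper). */
static int is_local_broadcast(uint32_t dst, uint32_t ifaddr, uint32_t netmask)
{
    uint32_t hostmask = ~netmask;

    if (dst == 0xffffffffu)          /* limited broadcast, always accepted */
        return 1;
    if (hostmask <= 1)               /* /31 and /32 have no directed broadcast */
        return 0;
    if ((dst & netmask) != (ifaddr & netmask))
        return 0;                    /* destination is on some other subnet */
    return (dst & hostmask) == 0 || (dst & hostmask) == hostmask;
}

int main(void)
{
    /* Constructed sample: interface 192.168.0.17 with a /28 netmask. */
    const uint32_t ifaddr = IP4(192, 168, 0, 17), mask = 0xfffffff0u;
    const uint32_t dsts[] = { IP4(192, 168, 0, 31), IP4(192, 168, 0, 20),
                              IP4(10, 1, 2, 15), IP4(10, 1, 2, 16) };

    for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++)
        printf("%u.%u.%u.%u host-bits-only=%d subnet-aware=%d\n",
               (unsigned)(dsts[i] >> 24), (unsigned)(dsts[i] >> 16 & 0xff),
               (unsigned)(dsts[i] >> 8 & 0xff), (unsigned)(dsts[i] & 0xff),
               host_bits_only(dsts[i], mask),
               is_local_broadcast(dsts[i], ifaddr, mask));
    return 0;
}
```

The two 10.1.2.x destinations are the false positives: they pass the host-bits-only test but are rejected once the netmasked destination is compared with the netmasked interface address.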