[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-13 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #26 from Christopher Maynard  ---
(In reply to Guy Harris from comment #25)
> Not just VLAN names, but, yes, it should show the negative offsets
> symbolically.  File an issue at
> https://github.com/the-tcpdump-group/libpcap/issues (or a pull request at
> https://github.com/the-tcpdump-group/libpcap/pulls).

Libpcap issue #861 has been filed:
https://github.com/the-tcpdump-group/libpcap/issues/861

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-13 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #25 from Guy Harris  ---
(In reply to Christopher Maynard from comment #24)
> Thanks for this information (and what followed, omitted for brevity).  This
> has been an education for me,

Being a libpcap core developer has been a bit of an education for me,
especially about the innards of 1) Linux sockets and 2) Linux PF_PACKET
sockets. :-)

> It would seem that the defined
> offsets are not correlated to their offset position within the sk_buff
> struct.

They're not, they're just magic numbers used in a switch statement.

> Also, since most of us probably won't memorize which negative offset
> corresponds to which field, in order to help make the BPF code more readable
> and understandable, would it help if libpcap, instead of displaying BPF code
> using negative offsets would take a page out of bpfc
> (http://man7.org/linux/man-pages/man8/bpfc.8.html) and display them using
> vlan names instead?

Not just VLAN names, but, yes, it should show the negative offsets
symbolically.  File an issue at
https://github.com/the-tcpdump-group/libpcap/issues (or a pull request at
https://github.com/the-tcpdump-group/libpcap/pulls).

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-13 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #24 from Christopher Maynard  ---
(In reply to Guy Harris from comment #13)
> (In reply to michal.pecuch from comment #3)
> > dumpcap -f "vlan 545" -d 
> > Capturing on 'enp0s31f6'
> > (000) ldb  [-4048]
> > (001) jeq  #0x1 jt 2jf 5
> 
> In the Magical World of Linux Networking, the outermost VLAN tags are either
> not put into the raw packet data in the "skbuff" (kernel data structure for
> packet data on a socket) or are removed from it, with the information in the
> absent VLAN tag being stored in fields in the skbuff.
> 
> This means that a BPF filter for a live capture can't test fields in the
> VLAN tag by looking at packet data; instead, it needs to use Special Magical
> Negative Packet Offsets to request that the kernel's BPF interpreter/JIT
> compiler fetch data from the skbuff fields.
> 
> -4048 is -4096 + 48, or SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT, meaning "fetch
> the Special Magical Field containing an indication of whether this packet
> *has* a VLAN tag or not - it's 0 if it doesn't and 1 if it does.

Thanks for this information (and what followed, omitted for brevity).  This has
been an education for me, as it wasn't at all obvious what these negative
offsets meant.

I'm curious about the values of the offsets though.  I see them defined in
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/uapi/linux/filter.h?h=v5.3.5#n60,
but the offsets don't seem to match the sk_buff fields as defined in
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/uapi/linux/bpf.h?h=v5.3.5#n2931.
 For example, __sk_buff begins as follows:

struct __sk_buff {
__u32 len;
__u32 pkt_type;
__u32 mark;
__u32 queue_mapping;
__u32 protocol;
__u32 vlan_present;
...

... so I'd expect the vlan_present offset to be at offset 20 and yet we have:

#define SKF_AD_VLAN_TAG_PRESENT 48

Obviously, I'm missing something here.  It would seem that the defined offsets
are not correlated to their offset position within the sk_buff struct.

Also, since most of us probably won't memorize which negative offset
corresponds to which field, in order to help make the BPF code more readable
and understandable, would it help if libpcap, instead of displaying BPF code
using negative offsets would take a page out of bpfc
(http://man7.org/linux/man-pages/man8/bpfc.8.html) and display them using vlan
names instead?

For example, instead of displaying:

(000) ldb  [-4048]

.. it instead displays one of these (assuming my use of these are correct):

(000) ldb  [vlanp]
(000) ldb  #vlanp

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-10 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #23 from michal.pec...@telekom.sk ---
Tahnks for help.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-09 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #22 from Guy Harris  ---
(In reply to Guy Harris from comment #21)
> At least as I read the BPF interpreter and other parts of the networking
> stack in the 3.10.71 kernel, the load of the 16-bit value at an "offset" of
> -4052 will fetch a value with the PCP and VID fields, so the masking has to
> be done.  I'll fix the libpcap code to do so, even though the optimizer
> accidentally makes the code OK.

That's already fixed, and the fix is in 1.9.1.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-09 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #21 from Guy Harris  ---
(In reply to Guy Harris from comment #15)
> So maybe the packets in question didn't have the VLAN tag removed, and the
> 1.9.x code will handle them.

Or maybe, as a side effect of the code path for handling non-tag-removed
packets being added, the generated code now masks the PCP field out when
comparing with the specified VLAN tag value, so even if the PCP field is
non-zero, the match will be done correctly.

At least as I read the BPF interpreter and other parts of the networking stack
in the 3.10.71 kernel, the load of the 16-bit value at an "offset" of -4052
will fetch a value with the PCP and VID fields, so the masking has to be done. 
I'll fix the libpcap code to do so, even though the optimizer accidentally
makes the code OK.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-09 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

Guy Harris  changed:

   What|Removed |Added

   Hardware|x86-64  |All
 OS|Ubuntu  |Linux

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-09 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #20 from Guy Harris  ---
(In reply to Guy Harris from comment #13)
> In the Magical World of Linux Networking, the outermost VLAN tags are either
> not put into the raw packet data in the "skbuff" (kernel data structure for
> packet data on a socket) or are removed from it, with the information in the
> absent VLAN tag being stored in fields in the skbuff.
> 
> This means that a BPF filter for a live capture can't test fields in the
> VLAN tag by looking at packet data; instead, it needs to use Special Magical
> Negative Packet Offsets to request that the kernel's BPF interpreter/JIT
> compiler fetch data from the skbuff fields.

It also means that, in order for the code using libpcap to see the packet as it
was on the wire (other than perhaps being truncated by a snapshot length having
been specified  at capture time), libpcap has to move the link-layer header to
make room for the outermost VLAN tag and insert that tag into the raw packet
data.

libpcap does that, so capturing shouldn't show packets with a tag removed if,
in fact, it was removed *and* the capture mechanism indicates that.

(On some platforms, it might get removed with no indication to libpcap that
this happened.)

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-09 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #19 from Guy Harris  ---
(In reply to michal.pecuch from comment #16)
> I did instal that 1.9.1
> ./configure
> make
> sudo make install
> 
> Is there a nice way how to link this new version to be used by tcpdump and
> wireshark? Or check firstly the /usr/locla/lib folder for it..

ls -l /usr/local/lib/libpcap*

Also do

ls -l /usr/lib/libpcap*

to find out the pathname for which programs linked with libpcap will probably
be looking.

> For wireshark install I use apt-get and I didn't find a way how to link it
> during install.

That's because a dpkg contains an *already-linked* executable, so there's
nothing *to* link.

It is, however, probably an executable that's dynamically linked with libpcap,
so only half of the linking process has already been done; the remainder of the
linking process is done by the run-time linker (ld.so) at startup time, and it
*might* be possible to get that to load the new version of libpcap.

Note that you'll probably have to run "sudo ldconfig" to tell the run-time
linker about the newly-installed libpcap.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-09 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #18 from Guy Harris  ---
(In reply to michal.pecuch from comment #17)
> I have manage to install new version of tcpdump which seems to work beter
> now but the dumpcap seams unaffected.

Unless

ldd {path-to-dumpcap}

reports the pathname of the newly-installed libpcap, dumpcap is still picking
up the system libpcap and thus will not change its behavior.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-09 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #17 from michal.pec...@telekom.sk ---
(In reply to Chuck Craft from comment #9)
> Can you load the 1.9.0 package? Looks like a big improvement.
> 
> # tcpdump --version
> tcpdump version 4.9.2
> libpcap version 1.8.1
> OpenSSL 1.0.2s  28 May 2019
> # tcpdump -i lo -d "vlan 545"
> (000) ldb  [-4048]
> (001) jeq  #0x1 jt 2jf 5
> (002) ldb  [-4052]
> (003) jeq  #0x221   jt 4jf 5
> (004) ret  #262144
> (005) ret  #0
> #
> 
> root@kali:~# tcpdump --version
> tcpdump version 4.9.3-PRE-GIT_2019_09_07
> libpcap version 1.9.0 (with TPACKET_V3)
> OpenSSL 1.1.1d  10 Sep 2019
> root@kali:~# tcpdump -i lo -d "vlan 545"
> (000) ldb  [-4048]
> (001) jeq  #0x1 jt 6jf 2
> (002) ldh  [12]
> (003) jeq  #0x8100  jt 6jf 4
> (004) jeq  #0x88a8  jt 6jf 5
> (005) jeq  #0x9100  jt 6jf 14
> (006) ldb  [-4048]
> (007) jeq  #0x1 jt 8jf 10
> (008) ldb  [-4052]
> (009) ja   11
> (010) ldh  [14]
> (011) and  #0xfff
> (012) jeq  #0x221   jt 13   jf 14
> (013) ret  #262144
> (014) ret  #0
> root@kali:~#


I have manage to install new version of tcpdump which seems to work beter now
but the dumpcap seams unaffected.

user@tacmerak:~$ dumpcap -f "vlan 200" -d Capturing on 'enp0s31f6'
(000) ldb  [-4048]
(001) jeq  #0x1 jt 2jf 5
(002) ldb  [-4052]
(003) jeq  #0xc8jt 4jf 5
(004) ret  #262144
(005) ret  #0
user@tacmerak:~$ tcpdump --version
tcpdump version 4.9.3
libpcap version 1.9.1 (with TPACKET_V3)
user@tacmerak:~$ sudo tcpdump  -d "vlan 545"
(000) ldb  [-4048]
(001) jeq  #0x1 jt 6jf 2
(002) ldh  [12]
(003) jeq  #0x8100  jt 6jf 4
(004) jeq  #0x88a8  jt 6jf 5
(005) jeq  #0x9100  jt 6jf 14
(006) ldb  [-4048]
(007) jeq  #0x1 jt 8jf 10
(008) ldb  [-4052]
(009) ja   11
(010) ldh  [14]
(011) and  #0xfff
(012) jeq  #0x221   jt 13   jf 14
(013) ret  #262144
(014) ret  #0
user@tacmerak:~$

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-09 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #16 from michal.pec...@telekom.sk ---
(In reply to Guy Harris from comment #11)
> (In reply to michal.pecuch from comment #5)
> > It is the same on all interfaces.
> > 
> > For some reason I am unable to compile libpcap 1.9.1. No errors but still
> > only 1.8.1 available.
> 
> What do you mean by "unable ... No errors"?
> 
> Do you mean you download the 1.9.1 source tarball, unpack it, run
> ./configure, and run "make", and you get no errors?
> 
> And what do you mean by "only 1.8.1 available"? Compiling 1.9.1 won't
> automatically make Wireshark use it; you would have to, at minimum, do "make
> install", *and* the dynamically-linked Wireshark would have to be looking
> for it in /usr/local/lib before /usr/lib, with the name under which it's
> installed in /usr/local/lib, to find 1.9.1 rather than the 1.8.1 that you
> presumably have installed as the system libpcap.

I did instal that 1.9.1
./configure
make
sudo make install

Is there a nice way how to link this new version to be used by tcpdump and
wireshark? Or check firstly the /usr/locla/lib folder for it..
For wireshark install I use apt-get and I didn't find a way how to link it
during install.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #15 from Guy Harris  ---
(In reply to Chuck Craft from comment #9)
> Can you load the 1.9.0 package? Looks like a big improvement.
> 
> # tcpdump --version
> tcpdump version 4.9.2
> libpcap version 1.8.1
> OpenSSL 1.0.2s  28 May 2019
> # tcpdump -i lo -d "vlan 545"
> (000) ldb  [-4048]
> (001) jeq  #0x1 jt 2jf 5
> (002) ldb  [-4052]
> (003) jeq  #0x221   jt 4jf 5
> (004) ret  #262144
> (005) ret  #0

Works only if the packet's VLAN tag isn't present in the raw packet data.

> root@kali:~# tcpdump --version
> tcpdump version 4.9.3-PRE-GIT_2019_09_07
> libpcap version 1.9.0 (with TPACKET_V3)
> OpenSSL 1.1.1d  10 Sep 2019
> root@kali:~# tcpdump -i lo -d "vlan 545"
> (000) ldb  [-4048]
> (001) jeq  #0x1 jt 6jf 2

OK, so for *this* version, if the packet doesn't have the VLAN tag stripped
out, the test doesn't fail - it tests whether the packet has a VLAN tag in the
normal location in the packet, which is what the ldh (loading a big-endian
16-bit quantity at an offset of 12 from the beginning of the packet, i.e. the
type/length field) and the three jeq's (testing that field value against three
types of tag) are doing.

> (002) ldh  [12]
> (003) jeq  #0x8100  jt 6jf 4
> (004) jeq  #0x88a8  jt 6jf 5
> (005) jeq  #0x9100  jt 6jf 14

OK, now it's *again* testing the Special Magic Information.  I'm not sure why
the optimizer isn't cleaning this up, but  (Perhaps it gets confused by
blocks that do tests for which the result doesn't have anything to do with
whether the packet matches or not, just how to do *subsequent* tests.  That's
not one of its strong points, probably because back when the BPF compiler was
originally written there weren't such tests generated.)

> (006) ldb  [-4048]
> (007) jeq  #0x1 jt 8jf 10

OK, so if the VLAN tag was removed, it does this...

> (008) ldb  [-4052]
> (009) ja   11

...which loads the VLAN tag from the Special Magic Information and jumps to the
instruction at 14...

...and if the VLAN tag wasn't removed, it does this, which loads the first 16
bits of the VLAN tag...

> (010) ldh  [14]

...and now it's the common code, ANDing out the upper 4 bits of those 16 bits
and comparing them against 545.

> (011) and  #0xfff
> (012) jeq  #0x221   jt 13   jf 14
> (013) ret  #262144
> (014) ret  #0
> root@kali:~#

So maybe the packets in question didn't have the VLAN tag removed, and the
1.9.x code will handle them.

This short introduction to BPF and Linux peculiarities thereof is brought to
you by "PG might or might not shut off power to our area at midnight as a
safety precaution due to  high winds, so I want to get this out before we head
out to dinner, hoping the power outage doesn't mean the restaurant will close
early to shut things down".  If it's shut down, don't expect more from me on
this until they restore the power, which could take days.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #14 from Guy Harris  ---
(In reply to Guy Harris from comment #13)
> I.e., that's testing whether the packet has a VLAN tag.

Or, rather, it's testing whether the packet has a VLAN tag *that's not present,
at that point, in the packet data, because it wasn't inserted or it was
removed*".  If the packet hasn't had the VLAN tag removed by the adapter or by
the networking stack, that test *won't* match.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #13 from Guy Harris  ---
(In reply to michal.pecuch from comment #3)
> dumpcap -f "vlan 545" -d 
> Capturing on 'enp0s31f6'
> (000) ldb  [-4048]
> (001) jeq  #0x1 jt 2  jf 5

In the Magical World of Linux Networking, the outermost VLAN tags are either
not put into the raw packet data in the "skbuff" (kernel data structure for
packet data on a socket) or are removed from it, with the information in the
absent VLAN tag being stored in fields in the skbuff.

This means that a BPF filter for a live capture can't test fields in the VLAN
tag by looking at packet data; instead, it needs to use Special Magical
Negative Packet Offsets to request that the kernel's BPF interpreter/JIT
compiler fetch data from the skbuff fields.

-4048 is -4096 + 48, or SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT, meaning "fetch
the Special Magical Field containing an indication of whether this packet *has*
a VLAN tag or not - it's 0 if it doesn't and 1 if it does.

I.e., that's testing whether the packet has a VLAN tag.  If it does, the
program jumps to the instruction at 2, otherwise it jumps to the instruction at
5.

> (002) ldb  [-4052]
> (003) jeq  #0x221   jt 4  jf 5

-4052 is -4096 + 44, or SKF_AD_OFF + SKF_AD_VLAN_TAG, meaning "fetch the
Special Magical Field containing the VLAN tag".

So that's comparing the VLAN tag against 0x221, or 545, jumping to the
instruction at 4 if the VLAN tag is 545 and to the instruction at 5 if it
isn't.

> (004) ret  #262144

Because the program is returning a non-zero value, that says "this packet
matches, so return 262144 bytes of the packet (which is the way we say "all the
data in the packet").

> (005) ret  #0

Because the program is returning a zero value, that says "this packet *doesn't*
match".

So if the packet has a VLAN tag and it's 545, the packet matches, otherwise it
doesn't.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

Guy Harris  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |NOTOURBUG

--- Comment #12 from Guy Harris  ---
(In reply to Chuck Craft from comment #9)
> Can you load the 1.9.0 package? Looks like a big improvement.

If by "the 1.9.0 package" you mean the source package from tcpdump.org, the
current source package is 1.9.1, which also includes a fix for this issue:

https://github.com/the-tcpdump-group/libpcap/issues/461

which reports the problem as

VLAN filtering does only work if the priority field in the dot1p header is
cleared. If the field is non-null, vlan filtering doesn't work (read: doesn't
match).

In any case, if the wrong BPF code is being generated, that's a libpcap bug,
not a Wireshark bug.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #11 from Guy Harris  ---
(In reply to michal.pecuch from comment #5)
> It is the same on all interfaces.
> 
> For some reason I am unable to compile libpcap 1.9.1. No errors but still
> only 1.8.1 available.

What do you mean by "unable ... No errors"?

Do you mean you download the 1.9.1 source tarball, unpack it, run ./configure,
and run "make", and you get no errors?

And what do you mean by "only 1.8.1 available"? Compiling 1.9.1 won't
automatically make Wireshark use it; you would have to, at minimum, do "make
install", *and* the dynamically-linked Wireshark would have to be looking for
it in /usr/local/lib before /usr/lib, with the name under which it's installed
in /usr/local/lib, to find 1.9.1 rather than the 1.8.1 that you presumably have
installed as the system libpcap.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #10 from Chuck Craft  ---
On my debian system, the man page for "pcap-filter" discusses byte offsets.
Look in section on expressions: expr relop expr
"To access data inside the packet, use the following syntax:
proto [ expr : size ]"

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

Chuck Craft  changed:

   What|Removed |Added

 CC||bubbas...@gmail.com

--- Comment #9 from Chuck Craft  ---
Can you load the 1.9.0 package? Looks like a big improvement.

# tcpdump --version
tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.0.2s  28 May 2019
# tcpdump -i lo -d "vlan 545"
(000) ldb  [-4048]
(001) jeq  #0x1 jt 2jf 5
(002) ldb  [-4052]
(003) jeq  #0x221   jt 4jf 5
(004) ret  #262144
(005) ret  #0
#

root@kali:~# tcpdump --version
tcpdump version 4.9.3-PRE-GIT_2019_09_07
libpcap version 1.9.0 (with TPACKET_V3)
OpenSSL 1.1.1d  10 Sep 2019
root@kali:~# tcpdump -i lo -d "vlan 545"
(000) ldb  [-4048]
(001) jeq  #0x1 jt 6jf 2
(002) ldh  [12]
(003) jeq  #0x8100  jt 6jf 4
(004) jeq  #0x88a8  jt 6jf 5
(005) jeq  #0x9100  jt 6jf 14
(006) ldb  [-4048]
(007) jeq  #0x1 jt 8jf 10
(008) ldb  [-4052]
(009) ja   11
(010) ldh  [14]
(011) and  #0xfff
(012) jeq  #0x221   jt 13   jf 14
(013) ret  #262144
(014) ret  #0
root@kali:~#

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #8 from michal.pec...@telekom.sk ---
It is some onboard ethernet port on Dell Precision 7520 it should be Intel
I219-LM network controller.


That documentation is not with the ether expresions but rather some
abbreviations and aliases rather then exact terms.
I would like more info about this "(ether[12:2]=0x8100) and
(ether[14:2]&0xfff=545)" rather then this "vlan 545" if it exists.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

Jaap Keuter  changed:

   What|Removed |Added

 CC||g...@alum.mit.edu

--- Comment #7 from Jaap Keuter  ---
(In reply to michal.pecuch from comment #3)
> dumpcap -f "vlan 545" -d 
> Capturing on 'enp0s31f6'

Could you elaborate on the type of interface enp0s31f6 is?

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #6 from Christopher Maynard  ---
(In reply to michal.pecuch from comment #5)
> Is there some good documentation for the filters in this format?

I would say the authoritative source for capture filter syntax would be at:
https://www.tcpdump.org/manpages/pcap-filter.7.html

> Thank you.

You're welcome.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #5 from michal.pec...@telekom.sk ---
It is the same on all interfaces.

For some reason I am unable to compile libpcap 1.9.1. No errors but still only
1.8.1 available.

That workaround seems better. I get the same BPF code as you. I will try it on
some lines to see if it works for me.

Is there some good documentation for the filters in this format?

Thank you.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #4 from Christopher Maynard  ---
(In reply to michal.pecuch from comment #3)
> dumpcap -f "vlan 545" -d 
> Capturing on 'enp0s31f6'

Do you get the same BPF for all interfaces?

> This seems off as the first ethertype should be #0x8100. Or am I missing
> something?

Definitely looks wrong to me.

As a work-around, you could try 'dumpcap -f "(ether[12:2]=0x8100) and
(ether[14:2]&0xfff=545)" -d' instead, which produces the exact same BPF code on
my system as it did with the previous "vlan 545" capture filter.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #3 from michal.pec...@telekom.sk ---
dumpcap -f "vlan 545" -d 
Capturing on 'enp0s31f6'
(000) ldb  [-4048]
(001) jeq  #0x1 jt 2jf 5
(002) ldb  [-4052]
(003) jeq  #0x221   jt 4jf 5
(004) ret  #262144
(005) ret  #0


This seems off as the first ethertype should be #0x8100. Or am I missing
something?

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

Christopher Maynard  changed:

   What|Removed |Added

  Component|GTK+ UI |Dumpcap
   Severity|Major   |Normal

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #2 from Christopher Maynard  ---
(In reply to michal.pecuch from comment #0)
> LC_IDENTIFICATION=sk_SK.UTF-8, with libpcap version 1.8.1

It's possible this is a libpcap bug.  You could try upgrading to the latest
version, currently 1.9.1, to see if this problem has been fixed?  Download
from: https://www.tcpdump.org/.  There are a couple of VLAN-related issues
mentioned in the changelog; it's possible that one of those fixed this issue. 
See: https://www.tcpdump.org/libpcap-changes.txt

> On Ubuntu 19.04 on two similar computers.
> When capturing live data using capturing filter to filter specific vlan
> (vlan 545) for some reason only ethernet frames with CoS 0 are captured.
> Frames with the same vlan tag and CoS 4 are not captured by this filter.
> Without capturing vlan filter all frames are captured.

Have you looked at the resulting BPF code for the "vlan 545" capture filter to
see if it's sane?  Running 'dumpcap -f "vlan 545" -d' on my system yields the
following, which looks correct to me:

Capturing on 'foo'
(000) ldh  [12]
(001) jeq  #0x8100  jt 2jf 6
(002) ldh  [14]
(003) and  #0xfff
(004) jeq  #0x221   jt 5jf 6
(005) ret  #65535
(006) ret  #0

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

michal.pec...@telekom.sk changed:

   What|Removed |Added

   Hardware|x86 |x86-64
 OS|Windows 10  |Ubuntu

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16116] when using vlan capturing filter priority frames dropped

2019-10-08 Thread bugzilla-daemon 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #1 from michal.pec...@telekom.sk ---
Created attachment 17395
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17395=edit
frames captured without capturing vlan filter

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe