> My understanding is that only an org code of 0:0:0 represents
> encapsulated ethernet packets, and other org codes have their own
> "ethertype" / "protocol" space.
Yes, that's the case.
> Any thoughts on this patch?
If you do that, you might want to do
u_int orgcode;
...
orgcode = EXTRACT_24BITS(llc.orgcode);
et = EXTRACT_16BITS(&llc.ethertype[0]);
switch (orgcode) {
case 0x000000:
/* This is an encapsulated Ethernet packet */
ret = ether_encap_print(et, p, length, caplen,
extracted_ethertype);
if (ret)
return (ret);
break;
case 0x080007: /* Appletalk */
if (et == ETHERTYPE_ATALK) {
/*
* No, I have no idea why Apple used one
* of their own OUIs, rather than
* 0x000000, and an Ethernet packet
* type, for Appletalk data packets,
* but used 0x000000 and an Ethernet
* packet type for AARP packets.
*/
ret = ether_encap_print(et, p, length, caplen,
extracted_ethertype);
if (ret)
return (ret);
}
break;
case 0x00000C: /* Cisco */
if (et == 0x2000) {
/*
* Cisco Discovery Protocol.
*/
cdp_print(p, length, caplen, esrc, edst);
return (1);
}
break;
}
(and perhaps put the OUIs into a header file, with #defines, rather than
using raw hex numbers for them). You'd also get rid of the current
check for CDP above that.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
