https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16116

--- Comment #13 from Guy Harris <g...@alum.mit.edu> ---
(In reply to michal.pecuch from comment #3)
> dumpcap -f "vlan 545" -d 
> Capturing on 'enp0s31f6'
> (000) ldb      [-4048]
> (001) jeq      #0x1             jt 2  jf 5

In the Magical World of Linux Networking, the outermost VLAN tags are either
not put into the raw packet data in the "skbuff" (kernel data structure for
packet data on a socket) or are removed from it, with the information in the
absent VLAN tag being stored in fields in the skbuff.

This means that a BPF filter for a live capture can't test fields in the VLAN
tag by looking at packet data; instead, it needs to use Special Magical
Negative Packet Offsets to request that the kernel's BPF interpreter/JIT
compiler fetch data from the skbuff fields.

-4048 is -4096 + 48, or SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT, meaning "fetch
the Special Magical Field containing an indication of whether this packet *has*
a VLAN tag or not" - it's 0 if it doesn't and 1 if it does.

I.e., that's testing whether the packet has a VLAN tag.  If it does, the
program jumps to the instruction at 2, otherwise it jumps to the instruction at
5.

> (002) ldb      [-4052]
> (003) jeq      #0x221           jt 4  jf 5

-4052 is -4096 + 44, or SKF_AD_OFF + SKF_AD_VLAN_TAG, meaning "fetch the
Special Magical Field containing the VLAN tag".

So that's comparing the VLAN tag against 0x221, or 545, jumping to the
instruction at 4 if the VLAN tag is 545 and to the instruction at 5 if it
isn't.

> (004) ret      #262144

Because the program is returning a non-zero value, that says "this packet
matches, so return 262144 bytes of the packet" (which is the way we say "all the
data in the packet").

> (005) ret      #0

Because the program is returning a zero value, that says "this packet *doesn't*
match".

So if the packet has a VLAN tag and it's 545, the packet matches, otherwise it
doesn't.

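The filter walked through in the comment above, as an added example that is not part of the original comment and is not Wireshark, libpcap or kernel code: a minimal C model of the six quoted instructions, in which loads at the negative offsets read from a metadata struct instead of packet bytes. The `pkt_meta` struct, the `insn` encoding and `run_filter` are hypothetical names chosen for illustration, and jump targets are the absolute instruction numbers as printed in the quoted output.

```c
#include <stdint.h>
#include <stdio.h>

/* Offsets as decoded in the comment: -4096 + 48 and -4096 + 44. */
#define SKF_AD_OFF              (-0x1000)
#define SKF_AD_VLAN_TAG         44
#define SKF_AD_VLAN_TAG_PRESENT 48

/* Hypothetical stand-in for the skbuff fields the kernel keeps the tag in. */
struct pkt_meta { int vlan_present; uint32_t vlan_tag; };

enum op { LDB, JEQ, RET };
struct insn { enum op op; int32_t k; int jt, jf; };

/* The six instructions from the quoted dumpcap -d output. */
static const struct insn vlan545[] = {
    { LDB, SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT, 0, 0 }, /* (000) ldb [-4048] */
    { JEQ, 0x1,    2, 5 },                               /* (001) */
    { LDB, SKF_AD_OFF + SKF_AD_VLAN_TAG, 0, 0 },         /* (002) ldb [-4052] */
    { JEQ, 0x221,  4, 5 },                               /* (003) */
    { RET, 262144, 0, 0 },                               /* (004) */
    { RET, 0,      0, 0 },                               /* (005) */
};

/* Interpret the program; returns bytes to capture, 0 meaning "no match". */
static uint32_t run_filter(const struct insn *prog, int len, const struct pkt_meta *m)
{
    uint32_t a = 0;   /* accumulator */
    for (int pc = 0; pc >= 0 && pc < len; ) {
        const struct insn *i = &prog[pc];
        if (i->op == RET) return (uint32_t)i->k;
        if (i->op == JEQ) { pc = (a == (uint32_t)i->k) ? i->jt : i->jf; continue; }
        /* LDB: a negative offset selects a metadata field, not packet bytes. */
        if (i->k == SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT) a = m->vlan_present ? 1 : 0;
        else if (i->k == SKF_AD_OFF + SKF_AD_VLAN_TAG)    a = m->vlan_tag;
        else return 0;  /* packet-data loads are not modelled here */
        pc++;
    }
    return 0;  /* ran off the end: treat as no match */
}

int main(void)
{
    /* Constructed sample metadata: untagged, VLAN 545, VLAN 100. */
    const struct pkt_meta samples[] = { {0, 0}, {1, 545}, {1, 100} };
    for (int n = 0; n < 3; n++)
        printf("present=%d tag=%u -> ret %u\n", samples[n].vlan_present,
               (unsigned)samples[n].vlan_tag, (unsigned)run_filter(vlan545, 6, &samples[n]));
    return 0;
}
```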