-
Notifications
You must be signed in to change notification settings - Fork 853
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using Linux cooked header version 2 always outputs link level data #1077
Comments
I tried to subscribe to the tcpdump-workers mailing list, but I get the error:
|
So the specific piece of link-level data you're referring to here is the direction, not the interface name or link-layer address? |
I mean both are printed; the interface name and direction. While in version 1 nothing is printed unless option So referring to in I believe lines 422-430 should be moved to the With option
Which is fine with me. |
The interface name isn't printed with version 1 even if The direction is only printed with version 1 if Given that there is no guarantee that, in the future, only Linux cooked captures will ever show the direction or that Linux cooked captures v2 will show the interface, and that there may be cases where somebody doesn't want any link-layer addresses but does want the interface or direction, the right solution might be to adopt macOS's
so that the user can specify which packet metadata (as opposed to packet data, such as link-layer headers) they want. |
I am in favor of this. But that is a major change. That reminds me that libpcap support for Linux cooked can be enhanced as well. For example the filter "broadcast" results in the error "tcpdump: not a broadcast link". Now you have to use "link[0:2]=1" for version 1 or "link[10:1]=1" for version 2 instead. (Maybe add "sll broadcast"?)
Maybe I misunderstood, I thought you meant by 'direction' that what is printed on line 430 ( Please advise how to go forward. |
By "direction" I meant "that which is printed on line 164 ( The direction is printed only with I don't consider the interface to be part of the link-layer header. Currently, with version 2 Linux cooked captures, the interface ID is part of the header constructed by libpcap, but it's not part of any link-layer header on the wire, or even a characteristic of either OSI layer 1 or 2 such as the data from the radiotap layer on 802.11 - it's not different for different packets on the same network segment. And I can imagine somebody who is not interested in any link-layer information, and may not want MAC addresses cluttering up their tcpdump output, wanting to know, for a capture on more than one interface, on which interface a packet is sent or received. (That's why version 2 was introduced.) So I am not in favor of tying the interface name to The direction, however, could be considered part of the link layer. However, some people might want to see it even if they don't want to see the link-layer header, so I think that one's debatable; perhaps using |
We could: Leave the sll2 version as is. For sll1, print the packet type |
That makes sense as it contains data that is not send over the wire. However it does replace the Ethernet header that is send over the wire (for both NIC and localhost) and it contains the source MAC address.
IMO it should be consistent.
That would make it less consistent: No output with Ethernet, only direction with sll1 and name and direction with sll2. Looking at the man page the option I propose to change it as follows:
|
Yes, it was. The "cooked" header is used in three cases:
Yes, this means that you lose whatever link-layer headers the packets have (which cannot be guaranteed to be Ethernet headers - even if all current interface drivers provide Ethernet headers, a new device might get attached during the capture process, and it might not provide Ethernet headers). This is an unfortunate consequence of
In order not to use cooked captures for those: For 1), that'll take some checking to see whether kernel changes have fixes that issue. For 2), there's not much we can do about that, other than, again, looking at the kernel source to assign LINKTYPE_/DLT_ values to current ARPHRD_ values that don't already have them, but there may always be new ones. For 3), pcapng, libpcap API changes to fully support pcapng, and some hackery in the filter compiler to use, for example, "offset to the payload" values to try to generate a single filter program that could handle multiple link layer types would be necessary.
You can't get name or direction with Ethernet and other non-cooked link-layer headers, because they don't provide that information. That requires some place to provide metadata such as that, which means using pcapng and libpcap API changes to fully support pcapng. You can't get the interface name with SLL1 as the SLL1 header doesn't provide an indication of the interface on which packets arrived. Again, that requires some place to provide metadata such as that, which means, again, using pcapng and libpcap API changes to fully support pcapng, which would allow the interface information to be stored in capture files, allowing the right interface names to be reported if you do a multi-interface capture on one machine and read it on a different machine, and would also allow, as noted in the previous paragraph, direction information to be reported for all devices. That's what macOS's libpcap and tcpdump support, and what their
That's not going to happen with cooked captures, as cooked captures discard the device-specific link-layer header in favor of a standard link-layer header. Perhaps with an SLL3 header, which prepends a metadata header before the device-specific link-layer header, that could be done, but that would involve changes to libpcap, tcpdump, Wireshark, and other programs that read capture files.
I.e., don't print the interface, even for SLL2 (the only link-layer type where the interface can be printed without the pcapng supportrt changes to libpcap mentioned above), and don't print the direction.
I.e., don't print the direction for SLL1 and SLL2, and don't print the interface for SLL2.
To the extent that's possible, so you can - without the pcapng changes, only get the direction when reading an SLL1 or SLL2 file and only get the interface when reading an SLL2 file - choose which of those to print. Note that, BTW, the output for the
for compatibility with the macOS tcpdump. |
I mean with or without |
I don't agree with this change. |
In version 4.99.0 (December 30, 2020), SLL2 was make the default for Linux "any" pseudo-device. |
Here's the difference between tcpdump 4.99's print-sll.c and macOS's tip-of-the-main-branch tcpdump's print-sll.c:
so it prints SLL1 and SLL2 the same way tcpdump 4.99 does. (Of course, if you do an SLL2 capture, it's almost certainly on a Linux box, meaning that if you read the capture on a Mac, the two machines will be different - even if they're the same machine dual-booting - so the warning about the interface names being wrong will come true; the capture I did on a Linux VM, capturing on the "any" device and pinging over both ens33 and lo, reported traffic on gif0 and lo0 when I read it on the Mac on which the VM was running.) My inclination is:
The first of those matches what any box running a 4.99-based tcpdump (including a macOS box running Apple's tcpdump) would print. The second of those wouldn't match what the current macOS tcpdump would print, as, if you have a pcapng packet on an interface with LINUX_SLL2 as its link-layer type, it would print metadata from both the pcapng packet block and the SLL2 header. I'm not sure the current macOS tcpdump behavior is useful, so I hope Apple would just pick that up from us. The third of those also wouldn't match what the current macOS tcpdump would print, for the same reason, and, again, I'm not sure the current macOS behavior is useful in that case. |
Agreed.
Like ?
Not sure having 2 output strings |
Yes.
If and when we do a libpcap and tcpdump with pcapng support, copying the Apple format for that means that 1) the output is the same for Apple's tcpdump and our tcpdump when reading a pcapng file, so it's "easy to grep" in that you don't need different grep patterns for macOS and other OSes and 2) Apple wouldn't have to decide whether to change their output to match ours or to patch our code to produce their output style. For pcap files, currently we don't even support a |
Maybe I didn't understand your proposal. Would the |
One other potential space for improvement in the SLL2 decoder is to print exactly one space around the interface name when the latter is present. Currently ND_PRINT("%-5s ", ifname); Since commit 0e04b9d the "interface names might be incorrect" warning now appears only if the output includes interface names. |
Linux cooked header version 2 always outputs link level data, while version 1 only outputs extra information when the option
-e
is used (“Print the link-level header on each dump line.”).The output of version 2 should be consistent with version 1 (and EN10MB Ethernet, etc.) and only output when
-e
is used.For version 1 the function
sll_if_print
is called inprint-sll.c
andsll_print
only when option-e
is used (if (ndo->ndo_eflag)).For version 2 the function
sll2_if_print
is called and ifname and sll2_pkttype is printed unconditionally.I believe this should be moved to the
sll2_print
function.Then also the warning “interface names might be incorrect” (tcpdump.c(2080)) should only be printed if option
-e
is used.Version 4.9.3 and higher supports link-type LINUX_SLL2 (Linux cooked v2).
If you agree I will try to make a PR for this.
sll-v1-v2.zip
Attached samples produce this output:
The text was updated successfully, but these errors were encountered: