Does not handle 802.1Q tagged frames correctly

Bug #1213173 reported by tpsailer
This bug affects 1 person
Affects: libpcap (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Using tcpdump to monitor traffic, adding 'vlan' to the BPF causes all collection to stop. Traffic is known to have VLAN-tagged frames. Frames start off as 'XXXX 0800 4500'; (XXXX) varies with the VLAN.

In 10.04, tcpdump shows the vlan tag and vlan id.

Switching to ngrep (linked against libpcap), with options ' -i -t -q -l -d ethX', watching a text-based protocol like SMTP or HTTP, it fails to parse the packet correctly, because of the 4-byte offset on VLAN-tagged packets. Even patching ngrep to support VLANs, it fails.

Ubuntu 12.04
ii libpcap0.8 1.1.1-10 system interface for user-level packet capture

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libpcap0.8 1.1.1-10
ProcVersionSignature: Ubuntu 3.2.0-51.77-generic 3.2.48
Uname: Linux 3.2.0-51-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.4
Architecture: amd64
Date: Fri Aug 16 09:18:06 2013
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
MarkForUpload: True
SourcePackage: libpcap
UpgradeStatus: No upgrade log present (probably fresh install)

tpsailer (tps-mail) wrote :

The system I'm using to report the bug was an upgrade, but I've also tested on a virgin install of 12.04, and the same issues are still present.

summary: - Does not handle 802.1Q taggged frames correctly
+ Does not handle 802.1Q tagged frames correctly
Gianfranco Costamagna (costamagnagianfranco) wrote :

Can you please try again with 14.04? 12.04 has a slightly outdated pcap version... thanks!

tpsailer (tps-mail) wrote :

Still there. Seems to be an issue with the 3.x kernels. Bug does not exhibit in 2.6.x kernels.

tpsailer (tps-mail) wrote :

Using tcpdump, you can clearly see the differences

Karl-Heinz Pape (karl-heinz-pape) wrote :

I've got the same bug.
Additional information:
If I use the "vlan" tag in the capture filter I only see frames with stacked vlans.
If I use "vlan 1" I will only see frames with vlan 1 as the inner tag.
More:
The vlan information in the frame I capture is at location ether[14,2].
If I filter on that location the frames are filtered at [18,2] although I did not have any "vlan" in the capture filter string.
It seems that there is an implicit vlan tag in the capture filter that produces an offset within the frame if a(n outer) vlan is present!

Guy Harris (guyharris) wrote :

What happens if you build a shiny new version of libpcap from the GitHub repository:

    https://github.com/the-tcpdump-group/libpcap/

and then build a shiny new version of tcpdump:

    https://github.com/the-tcpdump-group/tcpdump

with it?

Karl-Heinz Pape (karl-heinz-pape) wrote :

Hello!
I've installed kernel 2.6.38-16-generic and still have the same error.
So is it really an issue with the kernel?

If it IS an issue with the kernel building a new version of libpcap and tcpdump will not help.

So I might have to set up a system with 10.04 to verify...

Guy Harris (guyharris) wrote :

> If it IS an issue with the kernel building a new version of libpcap and tcpdump will not help.

If it's an issue with the kernel changing the way it handles VLAN tags - i.e., whether it leaves them in the packet data, so that the filter code in the kernel sees them as part of the packet data, or whether it removes them and puts them into metadata that has to be tested specially by a BPF program - then a new version of libpcap *could* help, as libpcap was recently changed to deal with that problem.
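
The behaviour discussed in this thread, as an added example that is not part of the original bug report or of libpcap: a small C model of a capture path that removes the outer 802.1Q tag from the packet data and reports it out of band, compared with a check that only inspects packet bytes. The sample frames, the function names and the strip model are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPID_8021Q 0x8100

/* Constructed sample frames (zeroed MACs): one tag (VLAN 10), stacked tags (20 over 1). */
static const uint8_t single_tag[] = {0,0,0,0,0,0, 0,0,0,0,0,0,
    0x81,0x00,0x00,0x0a, 0x08,0x00, 0x45,0x00};
static const uint8_t stacked[] = {0,0,0,0,0,0, 0,0,0,0,0,0,
    0x81,0x00,0x00,0x14, 0x81,0x00,0x00,0x01, 0x08,0x00, 0x45,0x00};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* What a check on packet bytes alone sees: the VLAN ID at offset 14 if the
 * 16-bit value at offset 12 is the 802.1Q TPID, otherwise -1 (no match). */
int vlan_in_data(const uint8_t *f, size_t len) {
    if (len < 16 || be16(f + 12) != TPID_8021Q) return -1;
    return be16(f + 14) & 0x0fff;
}

/* Model of a capture path that strips the outer tag: copies the frame without
 * it to out, stores the tag in *tci (-1 if none), returns the new length. */
size_t strip_outer(const uint8_t *f, size_t len, uint8_t *out, int *tci) {
    *tci = -1;
    if (vlan_in_data(f, len) < 0) { memcpy(out, f, len); return len; }
    *tci = be16(f + 14);
    memcpy(out, f, 12);
    memcpy(out + 12, f + 16, len - 16);
    return len - 4;
}

/* VLAN ID seen after stripping; use_meta selects the metadata-aware check. */
int vlan_after_strip(const uint8_t *f, size_t len, int use_meta) {
    uint8_t buf[64];
    int tci;
    size_t n;
    if (len > sizeof buf) return -1;
    n = strip_outer(f, len, buf, &tci);
    if (use_meta && tci >= 0) return tci & 0x0fff;
    return vlan_in_data(buf, n);
}

int main(void) {
    printf("single:  bytes only %d, with metadata %d\n", vlan_after_strip(
        single_tag, sizeof single_tag, 0), vlan_after_strip(single_tag, sizeof single_tag, 1));
    printf("stacked: bytes only %d, with metadata %d\n", vlan_after_strip(
        stacked, sizeof stacked, 0), vlan_after_strip(stacked, sizeof stacked, 1));
    return 0;
}
```

In this model the byte-only check finds no tag on the single-tagged frame and reports the inner tag of the stacked frame, which is the pattern described in the comments above.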
