Hello,
When my Cisco Aironet pcm342 card works in normal mode, it just looks like a normal
ethernet card. And when I use "tcpdump ip proto \\icmp", it works well. However, when my Cisco
card works in "rfmon" mode, namely looking like an 802.11 card, "tcpdump ip proto \\icmp"
never returns a single packet!
My libpcap version is 0.7.1, tcpdump version is 3.7.1. The filter in readable format is:
(000) ldh [30]
(001) jeq #0x800 jt 2 jf 5
(002) ldb [39]
(003) jeq #0x1 jt 4 jf 5
(004) ret #68
(005) ret #0
Corresponding hex format is:
{0x28, 0, 0, 0x0000001e},
{0x15, 0, 3, 0x00000800},
{0x30, 0, 0, 0x00000027},
{0x15, 0, 1, 0x00000001},
{0x6, 0, 0, 0x00000044},
{0x6, 0, 0, 0x00000000},
Tcpdump's output is:
tcpdump: listening on eth0
0 packets received by filter
0 packets dropped by kernel
What's the matter? When I read the icmp frame data, I think (002) should be "ldb [41]". Is
that right?
In addition, I want the filter to return the entire frame, not just the frame header.
I may replace 0x00000044 with 0x0000ffff. But the struct bpf_program that pcap_compile returned
has just a field indicating the block length, and a field containing just a block. Where
are the other blocks? How do I find the 0x0000ffff?
Forgive me for my silly question :)
Regards
--Hans
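
An added example, not part of the original post: a small C interpreter for the four classic BPF opcodes in the dump above, run over a constructed 802.11 data frame (assumed: 24-byte header with no QoS field or fourth address, followed by 8-byte LLC/SNAP). It shows which load offset reaches the IP protocol byte and that the k value of the accepting ret instruction is the returned capture length; insn, run_filter, build_frame and filter_result are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same field order as the {code, jt, jf, k} rows quoted in the post. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Models only the opcodes the dump uses:
   0x28 ldh [k], 0x30 ldb [k], 0x15 jeq #k, 0x06 ret #k. */
static uint32_t run_filter(const struct insn *p, size_t n,
                           const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                       /* BPF accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        const uint32_t k = p[pc].k;
        switch (p[pc].code) {
        case 0x28: if (len < 2 || k > len - 2) return 0;  /* load past end */
                   a = (uint32_t)pkt[k] << 8 | pkt[k + 1]; break;
        case 0x30: if (k >= len) return 0;
                   a = pkt[k]; break;
        case 0x15: pc += (a == k) ? p[pc].jt : p[pc].jf; break; /* relative */
        case 0x06: return k;              /* bytes to keep, 0 = drop */
        default:   return 0;              /* opcode not modelled */
        }
    }
    return 0;
}

/* Constructed sample frame; f must hold at least 60 bytes. */
static size_t build_frame(uint8_t *f)
{
    static const uint8_t snap[8] = {0xaa, 0xaa, 0x03, 0, 0, 0, 0x08, 0x00};
    memset(f, 0, 60);
    f[0] = 0x08;                 /* frame control: data frame */
    memcpy(f + 24, snap, 8);     /* EtherType 0x0800 lands at offset 30 */
    f[32] = 0x45;                /* IPv4 header starts at 24 + 8 = 32 */
    f[32 + 9] = 1;               /* protocol = ICMP, absolute offset 41 */
    return 60;
}

/* The posted program with the ldb offset and accept length as parameters. */
static uint32_t filter_result(uint32_t proto_off, uint32_t snaplen)
{
    struct insn prog[6] = {{0x28, 0, 0, 0x1e}, {0x15, 0, 3, 0x800},
        {0x30, 0, 0, proto_off}, {0x15, 0, 1, 0x1},
        {0x06, 0, 0, snaplen}, {0x06, 0, 0, 0}};
    uint8_t f[60];
    return run_filter(prog, 6, f, build_frame(f));
}

int main(void) { printf("%u %u %u\n", filter_result(39, 68),
                        filter_result(41, 68), filter_result(41, 0xffff)); return 0; }
```

In libpcap's struct bpf_program, bf_len is the instruction count and bf_insns points to the array holding every instruction, so the accepting ret is one element of that array. Its k value of 68 is the snapshot length tcpdump passed to libpcap, which tcpdump's -s option changes.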