Handle DLT_NULL correctly - the AF_ value is in host byte order, which

[tcpdump] / print-null.c

diff --git a/print-null.c b/print-null.c
index a4b4085e0b31c7589bd2832ba379be8eb95c8037..a602bc3a511cfde4886733ed1ccc050100bb7447 100644 (file)
--- a/print-null.c
+++ b/print-null.c
@@ -21,7 +21,7 @@
 
 #ifndef lint
 static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-null.c,v 1.39 2000-12-04 06:47:17 guy Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-null.c,v 1.40 2000-12-16 22:00:50 guy Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -56,20 +56,22 @@ struct rtentry;
 #endif
 
 /*
- * The DLT_NULL packet header is 4 bytes long. It contains a network
- * order 32 bit integer that specifies the family, e.g. AF_INET
+ * The DLT_NULL packet header is 4 bytes long. It contains a host-byte-order
+ * 32-bit integer that specifies the family, e.g. AF_INET.
+ *
+ * Note here that "host" refers to the host on which the packets were
+ * captured; that isn't necessarily *this* host.
+ *
+ * The OpenBSD DLT_LOOP packet header is the same, except that the integer
+ * is in network byte order.
  */
 #define        NULL_HDRLEN 4
 
 static void
-null_print(const u_char *p, const struct ip *ip, u_int length)
+null_print(u_int family, u_int length)
 {
-       u_int family;
-
-       memcpy((char *)&family, (char *)p, sizeof(family));
-
        if (nflag)
-               printf("AF %d ", family);
+               printf("AF %u ", family);
        else {
                switch (family) {
 
@@ -88,22 +90,44 @@ null_print(const u_char *p, const struct ip *ip, u_int length)
                        break;
 
                default:
-                       printf("AF %d ", family);
+                       printf("AF %u ", family);
                        break;
                }
        }
        printf("%d: ", length);
 }
 
+/*
+ * Byte-swap a 32-bit number.
+ * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
+ * big-endian platforms.)
+ */
+#define        SWAPLONG(y) \
+((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
+
 void
 null_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
 {
        u_int length = h->len;
        u_int caplen = h->caplen;
        const struct ip *ip;
+       u_int family;
 
        ts_print(&h->ts);
 
+       memcpy((char *)&family, (char *)p, sizeof(family));
+
+       /*
+        * This isn't necessarily in our host byte order; if this is
+        * a DLT_LOOP capture, it's in network byte order, and if
+        * this is a DLT_NULL capture from a machine with the opposite
+        * byte-order, it's in the opposite byte order from ours.
+        *
+        * If the upper 16 bits aren't all zero, assume it's byte-swapped.
+        */
+       if ((family & 0xFFFF0000) != 0)
+               family = SWAPLONG(family);
+
        /*
         * Some printers want to get back at the link level addresses,
         * and/or check that they're not walking off the end of the packet.
@@ -117,7 +141,7 @@ null_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
        ip = (struct ip *)(p + NULL_HDRLEN);
 
        if (eflag)
-               null_print(p, ip, length);
+               null_print(family, length);
 
        switch (IP_V(ip)) {
        case 4: