Leave it up to the caller to process the data after the MACsec header.

Don't do it ourselves - it's not part of the MACsec header.

diff --git a/print-macsec.c b/print-macsec.c
index 757d6ed486a547174811ebb586006ebbd6caef92..917c1c7e318dd1151fb7230280ca1a243478b14f 100644 (file)
--- a/print-macsec.c
+++ b/print-macsec.c
@@ -163,25 +163,29 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
        }
 
        len = ieee8021ae_sectag_len(ndo, sectag);
-       *length_type = GET_BE_U_2(*bp + len);
-       if (ndo->ndo_eflag && *length_type > ETHERMTU && !(GET_U_1(sectag->tci_an) & MACSEC_TCI_E))
-               ND_PRINT("ethertype %s, ", tok2str(ethertype_values,"0x%04x", *length_type));
 
-       if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
-               *bp += len;
-               *hdrlenp += len;
+       /* Skip the MACsec header. */
+       *bp += len;
+       *hdrlenp += len;
+
+       /* Remove it from the lengths, as it's been processed. */
+       *lengthp -= len;
+       *caplenp -= len;
 
-               *lengthp -= len;
-               *caplenp -= len;
+       if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
+               /*
+                * The payload is encrypted.  Tell our
+                * caller it can't be dissected.
+                */
                return 0;
        } else {
-               len += 2;
-               *bp += len;
-               *hdrlenp += len;
-
-               len += MACSEC_DEFAULT_ICV_LEN;
-               *lengthp -= len;
-               *caplenp -= len;
+               /*
+                * The payload isn't encrypted; remove the
+                * ICV length from the lengths, so our caller
+                * doesn't treat it as payload.
+                */
+               *lengthp -= MACSEC_DEFAULT_ICV_LEN;
+               *caplenp -= MACSEC_DEFAULT_ICV_LEN;
                return -1;
        }
 }