From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Description of problem:
This is an except from the email discussion of the problem on the TCPDUMP workers mailing list.  The upshot is that the problem should be fixed in the next verion of tcpdump (TCPDUMP 3.9.5) which should be available around Sept 18.

I am having problems filtering 802.11 packets.  When I look at the code generated for a wifi card that has the Atheros chip set and supports DLT_PRISM_HEADER, the offset to the IP header looks off. 

[root@dhcp43 ~]# tcpdump -L -i athm0
Data link types (use option -y to set):
  PRISM_HEADER (802.11 plus Prism header)


[root@dhcp43 ~]# tcpdump -i athm0 -s0 -d ip
tcpdump: WARNING: athm0: no IPv4 address assigned 
(000) ldh      [318]
(001) jeq      #0x800           jt 2    jf 3
(002) ret      #65535
(003) ret      #0
[root@dhcp43 ~]# 
 
 
If I read this code correctly, it is loading a 2 byte half word at offset 318 (0x13e) then doing a compare against the value 0x800 for a match.  The offset is wrong because the PRISM header is 144 bytes long, 24 bytes for a 801.11 data frame and 8 bytes for the LLC frame for which the last 2 bytes indicate IP (offset should be 174).

If I try something like trying to find the TCP header, the generated code also seems suspect:

[root@dhcp43 ~]# tcpdump -i athm0 -s0 -d tcp
tcpdump: WARNING: athm0: no IPv4 address assigned
(000) ldh      [318]
(001) jeq      #0x86dd          jt 2    jf 4
(002) ldb      [182]
(003) jeq      #0x6             jt 7    jf 8 
(004) jeq      #0x800           jt 5    jf 8
(005) ldb      [185]
(006) jeq      #0x6             jt 7    jf 8
(007) ret      #65535
(008) ret      #0
[root@dhcp43 ~]#

The magic number 318 is 174+144 or "the offset to find the LLC protocol" plus "the PRISM header length".


Version-Release number of selected component (if applicable):
tcpdump-3.9.4.-8.1

How reproducible:
Always


Steps to Reproduce:
1.tcpdump -i athm0 -s0 -d ip
2.
3.

Actual Results:
tcpdump: WARNING: athm0: no IPv4 address assigned 
(000) ldh      [318]
(001) jeq      #0x800           jt 2    jf 3
(002) ret      #65535
(003) ret      #0


Expected Results:
(000) ldh      [174]
(001) jeq      #0x800           jt 2    jf 3
(002) ret      #65535
(003) ret      #0

Additional info:
athm0 happens to be point to a card that supports DLT_PRISM_HEADER.

The web site above is a pointer to the discussion on the tcpdump workers mailing list.  Look for the topic: TCPDUMP 3.9.4 under Fedora Core 5 seems to generate the wrong BPF for DLT_PRISM_HEADER.

Since the BPF is wrong, do data makes it past the filter, so no data is captured.  I assume this is what is meant by severity.