From Bugzilla Helper: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Description of problem: This is an except from the email discussion of the problem on the TCPDUMP workers mailing list. The upshot is that the problem should be fixed in the next verion of tcpdump (TCPDUMP 3.9.5) which should be available around Sept 18. I am having problems filtering 802.11 packets. When I look at the code generated for a wifi card that has the Atheros chip set and supports DLT_PRISM_HEADER, the offset to the IP header looks off. [root@dhcp43 ~]# tcpdump -L -i athm0 Data link types (use option -y to set): PRISM_HEADER (802.11 plus Prism header) [root@dhcp43 ~]# tcpdump -i athm0 -s0 -d ip tcpdump: WARNING: athm0: no IPv4 address assigned (000) ldh [318] (001) jeq #0x800 jt 2 jf 3 (002) ret #65535 (003) ret #0 [root@dhcp43 ~]# If I read this code correctly, it is loading a 2 byte half word at offset 318 (0x13e) then doing a compare against the value 0x800 for a match. The offset is wrong because the PRISM header is 144 bytes long, 24 bytes for a 801.11 data frame and 8 bytes for the LLC frame for which the last 2 bytes indicate IP (offset should be 174). If I try something like trying to find the TCP header, the generated code also seems suspect: [root@dhcp43 ~]# tcpdump -i athm0 -s0 -d tcp tcpdump: WARNING: athm0: no IPv4 address assigned (000) ldh [318] (001) jeq #0x86dd jt 2 jf 4 (002) ldb [182] (003) jeq #0x6 jt 7 jf 8 (004) jeq #0x800 jt 5 jf 8 (005) ldb [185] (006) jeq #0x6 jt 7 jf 8 (007) ret #65535 (008) ret #0 [root@dhcp43 ~]# The magic number 318 is 174+144 or "the offset to find the LLC protocol" plus "the PRISM header length". Version-Release number of selected component (if applicable): tcpdump-3.9.4.-8.1 How reproducible: Always Steps to Reproduce: 1.tcpdump -i athm0 -s0 -d ip 2. 3. Actual Results: tcpdump: WARNING: athm0: no IPv4 address assigned (000) ldh [318] (001) jeq #0x800 jt 2 jf 3 (002) ret #65535 (003) ret #0 Expected Results: (000) ldh [174] (001) jeq #0x800 jt 2 jf 3 (002) ret #65535 (003) ret #0 Additional info: athm0 happens to be point to a card that supports DLT_PRISM_HEADER. The web site above is a pointer to the discussion on the tcpdump workers mailing list. Look for the topic: TCPDUMP 3.9.4 under Fedora Core 5 seems to generate the wrong BPF for DLT_PRISM_HEADER. Since the BPF is wrong, do data makes it past the filter, so no data is captured. I assume this is what is meant by severity.
okay, thanks for the report.
TCPDUMP 3.9.5 is now officially release www.tcpdump.org.
tcpdump-3.9.4-9.fc6 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.