Ethereal-dev: Re: [Ethereal-dev] 'ip6' filter on Solaris does not work?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 13 Nov 2002 13:25:55 -0800
On Wed, Nov 13, 2002 at 12:11:26PM -0800, Guy Harris wrote:
> On Wed, Nov 13, 2002 at 10:25:23AM -0600, Gilbert Ramirez wrote:
> > It is libpcap that is crashing. From looking at libpcap's gencode.c
> > file, where gen_proto_abbrev() is defined, gen_proto_abbrev() will
> > abort() if the protocol is not known.
> 
> But it shouldn't abort if you supply "ip6" as a filter - it should
> complain that IPv6 isn't supported.

Yes, it should - the current CVS version's "scanner.l" does

	ip6             {  
	#ifdef INET6
	                return IPV6;
	#else
	                bpf_error("%s not supported", yytext);
	#endif
	                }

as does the 0.7 version, but the 0.6.2 version always returns "IPV6" and
would thus cause a crash.

So this is a bug, and is fixed in libpcap 0.7.  Unfortunately,
tcpdump.org's machines are down right now; I don't know when they'll be
back up - probably not until the machines have been thoroughly checked
and scrubbed clean of any infections found.  The SourceForge versions
should be OK (unless

	1) Bill Fenner's account on SourceForge has been compromised:

		http://sourceforge.net/forum/forum.php?forum_id=227827

		http://sourceforge.net/forum/forum.php?forum_id=227829

and

	2) his account on Slashdot has been compromised or it's not his
	   account:

		http://slashdot.org/comments.pl?sid=44933&cid=4659286

).

Do not use any version of libpcap that has code like

	char *str, *tmp, *new = "not port 1963";

in gencode.c:

	http://151.164.128.17/def-con/

	http://hlug.fscker.com/

as it (at minimum) tweaks capture filters to ignore traffic to or from
TCP or UDP port 1963 (which is what the trojan run by the configure
script uses).
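
Added example, not part of the original message or of libpcap: a read-only check that looks inside a source tarball for the "not port 1963" string literal the message warns about in gencode.c, without unpacking the archive or running its configure script. The function names, the helper and the sample file contents are assumptions constructed for illustration.

```python
import io
import re
import sys
import tarfile

# Indicator quoted in the message: the string literal "not port 1963" in gencode.c.
# Whitespace-tolerant so a reformatted copy of the line still matches.
MARKER = re.compile(rb'"\s*not\s+port\s+1963\s*"')

def scan_tarball(fileobj):
    """Return (member_name, line_number, line_text) for each marker hit in any gencode.c."""
    hits = []
    # "r:*" auto-detects gzip, bzip2 or plain tar; members are only read, never extracted.
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.name.rsplit("/", 1)[-1] != "gencode.c":
                continue
            data = tar.extractfile(member).read()
            for lineno, line in enumerate(data.splitlines(), 1):
                if MARKER.search(line):
                    hits.append((member.name, lineno, line.decode("latin-1").strip()))
    return hits

def make_tarball(files):
    """Build an in-memory .tar.gz from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    buf.seek(0)
    return buf

# Constructed sample contents, not real libpcap source.
CLEAN = b"static struct block *gen_proto_abbrev(int proto);\n"
SUSPECT = b'/* constructed sample */\n\tchar *str, *tmp, *new = "not port 1963";\n'

if __name__ == "__main__":
    if len(sys.argv) > 1:          # scan a tarball given on the command line
        with open(sys.argv[1], "rb") as fh:
            found = scan_tarball(fh)
    else:                          # otherwise run on the constructed sample
        found = scan_tarball(make_tarball({"libpcap-sample/gencode.c": SUSPECT}))
    for name, lineno, text in found:
        print(f"{name}:{lineno}: {text}")
    sys.exit(1 if found else 0)
```

A hit means the tarball should not be used; no hit only means this one indicator is absent, since the message describes the filter change as the minimum the modified code does.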