Added pkt-vlan-llc-response.pcap.

Added check-decode checks for trailer and 802.1Q+LLC/SNAP ARP replies. Modified pcap filter string to capture ARP responses with both 802.1Q tag and LLC/SNAP framing. git-svn-id: svn+ssh://svn.nta-monitor.com/trunk/opensource/arp-scan@18136 062a1500-4a13-0410-a63b-ee65f32af78f
royhills · Feb 25, 2011 · 4e38973 · 4e38973
1 parent 2a97c54
commit 4e38973
Show file tree

Hide file tree

Showing 9 changed files with 82 additions and 10 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,22 @@
 $Id$
 
+2011-02-25 Roy Hills <Roy.Hills@nta-monitor.com>
+
+	* pkt-vlan-llc-response.pcap: New file containing an example of
+	  an ARP reply with 802.1Q tag and LLC/SNAP framing. From a Cisco
+	  2621 router.
+
+	* pkt-trailer-response.pcap: Renamed from pkt-trailer-reply.pcap.
+
+	* check-decode: New checks for trailer response and 802.1Q/LLC
+	  responses.
+
+	* arp-scan.c: Modified pcap filter string to capture ARP responses
+	  with both 802.1Q tag and LLC/SNAP framing.
+
+	* Makefile.am: Include pkt-trailer-response.pcap and
+	  pkt-vlan-llc-response.pcap.
+
 2011-02-21 Roy Hills <Roy.Hills@nta-monitor.com>
 
 	* arp-scan.c: Modified usage() so that it can output either brief or

diff --git a/Makefile.am b/Makefile.am
@@ -17,4 +17,4 @@ arp_scan_LDADD = $(LIBOBJS)
 dist_pkgdata_DATA = ieee-oui.txt ieee-iab.txt mac-vendor.txt
 #
 TESTS = $(dist_check_SCRIPTS)
-EXTRA_DIST = pkt-simple-request.dat pkt-custom-request.dat pkt-custom-request-padding.dat pkt-custom-request-llc.dat pkt-custom-request-vlan.dat pkt-simple-response.pcap pkt-padding-response.pcap pkt-vlan-response.pcap pkt-llc-response.pcap pkt-net1921681-response.pcap
+EXTRA_DIST = pkt-simple-request.dat pkt-custom-request.dat pkt-custom-request-padding.dat pkt-custom-request-llc.dat pkt-custom-request-vlan.dat pkt-simple-response.pcap pkt-padding-response.pcap pkt-vlan-response.pcap pkt-llc-response.pcap pkt-net1921681-response.pcap pkt-trailer-response.pcap pkt-vlan-llc-response.pcap
diff --git a/TODO b/TODO
@@ -31,10 +31,6 @@ the IP address.
 Investigate response packets >60 bytes long, e.g. Windows 2003 Server and
 some Cisco.
 
-Support LLC/SNAP encapsulation with 802.1Q VLAN tagging (--llc --vlan=n) and
-generate the correct packet format.  Currently the VLAN tag is added first,
-which is incorrect.
-
 Add XML output format.
 
 Dave's Mac gives these errors:

diff --git a/arp-scan.c b/arp-scan.c
@@ -272,14 +272,17 @@ main(int argc, char *argv[]) {
          }
       }
 /*
- *	The filter string selects packets addresses to our interface address
- *	that are either Ethernet-II ARP packets, 802.3 LLC/SNAP ARP packets
- *	or 802.1Q tagged ARP packets.
+ *	The filter string selects packets addressed to our interface address
+ *	that are Ethernet-II ARP packets, 802.3 LLC/SNAP ARP packets,
+ *	802.1Q tagged ARP packets or 802.1Q tagged 802.3 LLC/SNAP ARP packets.
  */
       filter_string=make_message("ether dst %.2x:%.2x:%.2x:%.2x:%.2x:%.2x and "
                                  "(arp or (ether[14:4]=0xaaaa0300 and "
                                  "ether[20:2]=0x0806) or (ether[12:2]=0x8100 "
-                                 "and ether[16:2]=0x0806))",
+                                 "and ether[16:2]=0x0806) or "
+                                 "(ether[12:2]=0x8100 and "
+                                 "ether[18:4]=0xaaaa0300 and "
+                                 "ether[24:2]=0x0806))",
                                  interface_mac[0], interface_mac[1],
                                  interface_mac[2], interface_mac[3],
                                  interface_mac[4], interface_mac[5]);

diff --git a/arp-scan.h b/arp-scan.h
@@ -111,11 +111,14 @@
 #endif
 
 #ifdef HAVE_PCAP_H
-/* The pcap.h header file on Apple Mac OS Xcode 2.5 and later includes pcap's
+/*
+ * The pcap.h header file on Apple Mac OS Xcode 2.5 and later includes pcap's
  * cut-down version of bpf.h, which defines macros that conflict with those in
  * the full bpf.h. To avoid the conflict, we include net/bpf.h before pcap.h
  * if compiling under Xcode 2.5 or later. This defines all the required macros
  * and prevents pcap's cut-down version from defining its own ones.
+ *
+ * 5370 is the value of __APPLE_CC__ for Xcode 2.5 on Tiger with GCC 4.0.1
  */
 #if defined(__APPLE_CC__) && (__APPLE_CC__ >= 5370)
 #include <net/bpf.h>

diff --git a/check-decode b/check-decode
@@ -37,6 +37,8 @@ SAMPLE02="$srcdir/pkt-padding-response.pcap"
 SAMPLE03="$srcdir/pkt-vlan-response.pcap"
 SAMPLE04="$srcdir/pkt-llc-response.pcap"
 SAMPLE05="$srcdir/pkt-net1921681-response.pcap"
+SAMPLE06="$srcdir/pkt-trailer-response.pcap"
+SAMPLE07="$srcdir/pkt-vlan-llc-response.pcap"
 
 # Simple ARP response packet
 echo "Checking simple ARP response packet decode using $SAMPLE01 ..."
@@ -269,3 +271,54 @@ fi
 echo "ok"
 rm -f $ARPSCANOUTPUT
 rm -f $EXAMPLEOUTPUT
+
+# Simple ARP response packet with trailer ARP reply.
+echo "Checking trailer ARP response packet decode using $SAMPLE06 ..."
+cat >$EXAMPLEOUTPUT <<_EOF_
+127.0.0.1	08:00:2b:12:34:56	DIGITAL EQUIPMENT CORPORATION
+127.0.0.1	08:00:2b:12:34:56	DIGITAL EQUIPMENT CORPORATION (ARP Proto=0x1000) (DUP: 2)
+
+_EOF_
+ARPARGS="--retry=1 --ouifile=$srcdir/ieee-oui.txt --iabfile=$srcdir/ieee-iab.txt --macfile=$srcdir/mac-vendor.txt"
+$srcdir/arp-scan $ARPARGS --readpktfromfile=$SAMPLE06 127.0.0.1 | grep -v '^Starting arp-scan ' | grep -v '^Interface: ' | grep -v '^Ending arp-scan ' | grep -v '^[0-9]* packets received ' > $ARPSCANOUTPUT 2>&1
+if test $? -ne 0; then
+   rm -f $ARPSCANOUTPUT
+   rm -f $EXAMPLEOUTPUT
+   echo "FAILED"
+   exit 1
+fi
+cmp -s $ARPSCANOUTPUT $EXAMPLEOUTPUT
+if test $? -ne 0; then
+   rm -f $ARPSCANOUTPUT
+   rm -f $EXAMPLEOUTPUT
+   echo "FAILED"
+   exit 1
+fi
+echo "ok"
+rm -f $ARPSCANOUTPUT
+rm -f $EXAMPLEOUTPUT
+
+# 802.1Q LLC ARP response packet
+echo "Checking 802.1Q LLC ARP response packet decode using $SAMPLE07 ..."
+cat >$EXAMPLEOUTPUT <<_EOF_
+127.0.0.1	08:00:2b:06:07:08	DIGITAL EQUIPMENT CORPORATION (802.2 LLC/SNAP) (802.1Q VLAN=100)
+
+_EOF_
+ARPARGS="--retry=1 --ouifile=$srcdir/ieee-oui.txt --iabfile=$srcdir/ieee-iab.txt --macfile=$srcdir/mac-vendor.txt"
+$srcdir/arp-scan $ARPARGS --readpktfromfile=$SAMPLE07 127.0.0.1 | grep -v '^Starting arp-scan ' | grep -v '^Interface: ' | grep -v '^Ending arp-scan ' | grep -v '^[0-9]* packets received ' > $ARPSCANOUTPUT 2>&1
+if test $? -ne 0; then
+   rm -f $ARPSCANOUTPUT
+   rm -f $EXAMPLEOUTPUT
+   echo "FAILED"
+   exit 1
+fi
+cmp -s $ARPSCANOUTPUT $EXAMPLEOUTPUT
+if test $? -ne 0; then
+   rm -f $ARPSCANOUTPUT
+   rm -f $EXAMPLEOUTPUT
+   echo "FAILED"
+   exit 1
+fi
+echo "ok"
+rm -f $ARPSCANOUTPUT
+rm -f $EXAMPLEOUTPUT
diff --git a/pkt-trailer-reply.pcap b/pkt-trailer-reply.pcap
diff --git a/pkt-trailer-response.pcap b/pkt-trailer-response.pcap
diff --git a/pkt-vlan-llc-response.pcap b/pkt-vlan-llc-response.pcap