ether: clean up MACsec processing.
Print the length early if we're printing the link-layer header.
If the payload is encrypted or otherwise modified, print it out as raw
data.
If the payload is not encrypted or otherwise modified, and we didn't
have a problem printing the header, fetch the type/length field
following the MACsec header, skip past it, and continue, rather than
looping back - there shouldn't be multiple MACsec headers, as far as I
know. (If that's not the case, go back to looping.)
diff --git a/print-ether.c b/print-ether.c
index 0d8dbba..f8399b4 100644
--- a/print-ether.c
+++ b/print-ether.c
@@ -204,16 +204,28 @@
p += 2;
hdrlen += 2;
+ /*
+ * Process 802.1AE MACsec headers.
+ */
+ printed_length = 0;
if (length_type == ETHERTYPE_MACSEC) {
/*
* MACsec, aka IEEE 802.1AE-2006
* Print the header, and try to print the payload if it's not encrypted
*/
+ if (ndo->ndo_eflag) {
+ ether_type_print(ndo, length_type);
+ ND_PRINT(", length %u: ", orig_length);
+ printed_length = 1;
+ }
+
int ret = macsec_print(ndo, &p, &length, &caplen, &hdrlen);
if (ret == 0) {
- /* Payload is encrypted; just quit. */
- return (hdrlen + caplen);
+ /* Payload is encrypted; print it as raw data. */
+ if (!ndo->ndo_suppress_default_print)
+ ND_DEFAULTPRINT(p, caplen);
+ return (hdrlen);
} else if (ret > 0) {
/* Problem printing the header; just quit. */
return (ret);
@@ -221,14 +233,18 @@
/*
* Keep processing type/length fields.
*/
- goto recurse;
+ length_type = GET_BE_U_2(p);
+
+ length -= 2;
+ caplen -= 2;
+ p += 2;
+ hdrlen += 2;
}
}
/*
* Process VLAN tag types.
*/
- printed_length = 0;
while (length_type == ETHERTYPE_8021Q ||
length_type == ETHERTYPE_8021Q9100 ||
length_type == ETHERTYPE_8021Q9200 ||
