ether: clean up MACsec processing.

Print the length early if we're printing the link-layer header.

If the payload is encrypted or otherwise modified, print it out as raw
data.

If the payload is not encrypted or otherwise modified, and we didn't
have a problem printing the header, fetch the type/length field
following the MACsec header, skip past it, and continue, rather than
looping back - there shouldn't be multiple MACsec headers, as far as I
know.  (If that's not the case, go back to looping.)
diff --git a/print-ether.c b/print-ether.c
index 0d8dbba..f8399b4 100644
--- a/print-ether.c
+++ b/print-ether.c
@@ -204,16 +204,28 @@
 	p += 2;
 	hdrlen += 2;
 
+	/*
+	 * Process 802.1AE MACsec headers.
+	 */
+	printed_length = 0;
 	if (length_type == ETHERTYPE_MACSEC) {
 		/*
 		 * MACsec, aka IEEE 802.1AE-2006
 		 * Print the header, and try to print the payload if it's not encrypted
 		 */
+		if (ndo->ndo_eflag) {
+			ether_type_print(ndo, length_type);
+			ND_PRINT(", length %u: ", orig_length);
+			printed_length = 1;
+		}
+
 		int ret = macsec_print(ndo, &p, &length, &caplen, &hdrlen);
 
 		if (ret == 0) {
-			/* Payload is encrypted; just quit. */
-			return (hdrlen + caplen);
+			/* Payload is encrypted; print it as raw data. */
+			if (!ndo->ndo_suppress_default_print)
+				ND_DEFAULTPRINT(p, caplen);
+			return (hdrlen);
 		} else if (ret > 0) {
 			/* Problem printing the header; just quit. */
 			return (ret);
@@ -221,14 +233,18 @@
 			/*
 			 * Keep processing type/length fields.
 			 */
-			goto recurse;
+			length_type = GET_BE_U_2(p);
+
+			length -= 2;
+			caplen -= 2;
+			p += 2;
+			hdrlen += 2;
 		}
 	}
 
 	/*
 	 * Process VLAN tag types.
 	 */
-	printed_length = 0;
 	while (length_type == ETHERTYPE_8021Q  ||
 		length_type == ETHERTYPE_8021Q9100 ||
 		length_type == ETHERTYPE_8021Q9200 ||