Description
print-udp.c gives preference to detecting AppleTalk over SNMP v2:
    if (ND_TTEST(((const struct LAP *)cp)->type) &&
        ((const struct LAP *)cp)->type == lapDDP &&
        (atalk_port(sport) || atalk_port(dport))) {
            if (ndo->ndo_vflag)
                    ND_PRINT((ndo, "kip "));
            llap_print(ndo, cp, length);
            return;
    }
    ...
    else if (IS_SRC_OR_DST_PORT(SNMP_PORT) || IS_SRC_OR_DST_PORT(SNMPTRAP_PORT))
            snmp_print(ndo, (const u_char *)(up + 1), length);
However, specific SNMP v2 packets have exactly the same conditions that match the AppleTalk detection. For example, the following SNMP v2 packet:
    17:31:25.371329 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto UDP (17), length 581)
        1.1.1.1.16604 > 2.2.2.2.162: { SNMPv2c { V2Trap(486) R=1095233084 .... .... }
And if the SNMPv2 ASN.1 part begins with:
<C O="0" T="[UNIVERSAL 16]" TL="4" V="549" A="SEQUENCE">
Thus,
a) appletalk.h has atalk() which checks that source-port 16604-16512 < 128 = true
b) Because the SNMPv2 ASN.1 part is bigger than 512 bytes, it starts with the following bytes:
00000000 30 82 02 25 02 01 01 04 06 70 75 62 6c 69 63 a7 |0..%.....public.|
The problem is with the third byte, which is 02; it matches the comparison == lapDDP (shown above).
My suggestion is that AppleTalk detection might come after SNMP detection, since it is wider in port ranges compared to SNMP, whose detection is based on port number 162. So SNMP would be a better match, before AppleTalk?
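The collision described in this report can be reproduced in isolation. The following is an added example, not tcpdump's code or the reporter's: it models the two checks from the quoted excerpt in both orders and runs them over the payload bytes from the hex dump. The helper names are hypothetical, `LAP_DDP` is 2 because the report says byte 02 matches `lapDDP`, only the one AppleTalk port range the report mentions is modelled, and `SNMP_PORT` is assumed to be the standard 161.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum proto { PROTO_OTHER, PROTO_ATALK, PROTO_SNMP };

#define LAP_DDP       2    /* lapDDP; the report's third byte 0x02 equals it */
#define SNMP_PORT     161  /* assumption: standard SNMP port, not shown on the page */
#define SNMPTRAP_PORT 162

/* Only the range quoted in the report: (port - 16512) < 128, unsigned wrap-around. */
static int in_atalk_range(unsigned port) { return port - 16512u < 128u; }

/* AppleTalk heuristic from the excerpt: third payload byte (LAP type) plus port range.
 * The length test stands in for the ND_TTEST bounds check. */
static int looks_like_llap(const uint8_t *p, size_t len, unsigned sport, unsigned dport)
{
    return len >= 3 && p[2] == LAP_DDP && (in_atalk_range(sport) || in_atalk_range(dport));
}

static int on_snmp_port(unsigned sport, unsigned dport)
{
    return sport == SNMP_PORT || dport == SNMP_PORT ||
           sport == SNMPTRAP_PORT || dport == SNMPTRAP_PORT;
}

/* Order in the quoted excerpt: heuristic first, then the port-based dispatch. */
enum proto classify_current(const uint8_t *p, size_t len, unsigned sport, unsigned dport)
{
    if (looks_like_llap(p, len, sport, dport)) return PROTO_ATALK;
    return on_snmp_port(sport, dport) ? PROTO_SNMP : PROTO_OTHER;
}

/* Order suggested in the report: exact SNMP port match before the heuristic. */
enum proto classify_reordered(const uint8_t *p, size_t len, unsigned sport, unsigned dport)
{
    if (on_snmp_port(sport, dport)) return PROTO_SNMP;
    return looks_like_llap(p, len, sport, dport) ? PROTO_ATALK : PROTO_OTHER;
}

/* Payload bytes from the report's hex dump: 30 82 02 25 is SEQUENCE, length 0x0225 = 549. */
const uint8_t trap_prefix[16] = { 0x30, 0x82, 0x02, 0x25, 0x02, 0x01, 0x01, 0x04,
                                  0x06, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0xa7 };

int main(void)
{
    printf("current:   %d\n", classify_current(trap_prefix, sizeof trap_prefix, 16604, 162));
    printf("reordered: %d\n", classify_reordered(trap_prefix, sizeof trap_prefix, 16604, 162));
    return 0;
}
```

The third byte is the high byte of the two-byte BER length, so any SEQUENCE of 512 to 767 bytes sent from a source port in that range meets the same conditions.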