]> The Tcpdump Group git mirrors - tcpdump/blob - print-ntp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
PPP: Fix the output
[tcpdump] / print-ntp.c
1 /*
2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * By Jeffrey Mogul/DECWRL
22 * loosely based on print-bootp.c
23 */
24
25 /* \summary: Network Time Protocol (NTP) printer */
26
27 /*
28 * specification:
29 *
30 * RFC 1119 - NTPv2
31 * RFC 1305 - NTPv3
32 * RFC 5905 - NTPv4
33 */
34
35 #include <config.h>
36
37 #include "netdissect-stdinc.h"
38
39 #define ND_LONGJMP_FROM_TCHECK
40 #include "netdissect.h"
41 #include "addrtoname.h"
42 #include "extract.h"
43
44 #include "ntp.h"
45
46 /*
47 * Based on ntp.h from the U of MD implementation
48 * This file is based on Version 2 of the NTP spec (RFC1119).
49 */
50
51 /* RFC 5905 updated by RFC 7822
52 * 1 2 3
53 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
54 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
55 * |LI | VN |Mode | Stratum | Poll | Precision |
56 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
57 * | Root Delay |
58 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59 * | Root Dispersion |
60 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
61 * | Reference Identifier |
62 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
63 * | |
64 * | Reference Timestamp (64) |
65 * | |
66 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
67 * | |
68 * | Originate Timestamp (64) |
69 * | |
70 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 * | |
72 * | Receive Timestamp (64) |
73 * | |
74 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
75 * | |
76 * | Transmit Timestamp (64) |
77 * | |
78 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
79 * | |
80 * . .
81 * . Optional Extensions (variable) .
82 * . .
83 * | |
84 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
85 */
86
87 /* Length of the NTP data message with the mandatory fields ("the header")
88 * and without any optional fields (extension, Key Identifier,
89 * Message Digest).
90 */
91 #define NTP_TIMEMSG_MINLEN 48U
92
93 struct ntp_time_data {
94 nd_uint8_t status; /* status of local clock and leap info */
95 nd_uint8_t stratum; /* Stratum level */
96 nd_int8_t ppoll; /* poll value */
97 nd_int8_t precision;
98 struct s_fixedpt root_delay;
99 struct s_fixedpt root_dispersion;
100 nd_uint32_t refid;
101 struct l_fixedpt ref_timestamp;
102 struct l_fixedpt org_timestamp;
103 struct l_fixedpt rec_timestamp;
104 struct l_fixedpt xmt_timestamp;
105 /* extension fields and/or MAC follow */
106 };
107
108 struct ntp_extension_field {
109 nd_uint16_t type;
110 nd_uint16_t length;
111 /* body follows */
112 };
113
114 /*
115 * Leap Second Codes (high order two bits)
116 */
117 #define NO_WARNING 0x00 /* no warning */
118 #define PLUS_SEC 0x40 /* add a second (61 seconds) */
119 #define MINUS_SEC 0x80 /* minus a second (59 seconds) */
120 #define ALARM 0xc0 /* alarm condition (clock unsynchronized) */
121
122 /*
123 * Clock Status Bits that Encode Version
124 */
125 #define NTPVERSION_1 0x08
126 #define VERSIONMASK 0x38
127 #define VERSIONSHIFT 3
128 #define LEAPMASK 0xc0
129 #define LEAPSHIFT 6
130 #ifdef MODEMASK
131 #undef MODEMASK /* Solaris sucks */
132 #endif
133 #define MODEMASK 0x07
134 #define MODESHIFT 0
135
136 /*
137 * Code values
138 */
139 #define MODE_UNSPEC 0 /* unspecified */
140 #define MODE_SYM_ACT 1 /* symmetric active */
141 #define MODE_SYM_PAS 2 /* symmetric passive */
142 #define MODE_CLIENT 3 /* client */
143 #define MODE_SERVER 4 /* server */
144 #define MODE_BROADCAST 5 /* broadcast */
145 #define MODE_CONTROL 6 /* control message */
146 #define MODE_RES2 7 /* reserved */
147
148 /*
149 * Stratum Definitions
150 */
151 #define UNSPECIFIED 0
152 #define PRIM_REF 1 /* radio clock */
153 #define INFO_QUERY 62 /* **** THIS implementation dependent **** */
154 #define INFO_REPLY 63 /* **** THIS implementation dependent **** */
155
156 static void p_sfix(netdissect_options *ndo, const struct s_fixedpt *);
157 static void p_ntp_delta(netdissect_options *, const struct l_fixedpt *, const struct l_fixedpt *);
158 static void p_poll(netdissect_options *, const int);
159 static u_int p_ext_fields(netdissect_options *, const u_char *, u_int length);
160
161 static const struct tok ntp_mode_values[] = {
162 { MODE_UNSPEC, "unspecified" },
163 { MODE_SYM_ACT, "symmetric active" },
164 { MODE_SYM_PAS, "symmetric passive" },
165 { MODE_CLIENT, "Client" },
166 { MODE_SERVER, "Server" },
167 { MODE_BROADCAST, "Broadcast" },
168 { MODE_CONTROL, "Control Message" },
169 { MODE_RES2, "Reserved" },
170 { 0, NULL }
171 };
172
173 static const struct tok ntp_leapind_values[] = {
174 { NO_WARNING, "" },
175 { PLUS_SEC, "+1s" },
176 { MINUS_SEC, "-1s" },
177 { ALARM, "clock unsynchronized" },
178 { 0, NULL }
179 };
180
181 static const struct tok ntp_stratum_values[] = {
182 { UNSPECIFIED, "unspecified" },
183 { PRIM_REF, "primary reference" },
184 { 0, NULL }
185 };
186
187 static const struct tok ntp_ef_types[] = {
188 { 0x0104, "Unique Identifier" },
189 { 0x0204, "NTS Cookie" },
190 { 0x0304, "NTS Cookie Placeholder" },
191 { 0x0404, "NTS Authenticator and Encrypted Extension Fields" },
192 { 0x2005, "Checksum Complement" },
193 { 0, NULL }
194 };
195
196 /* draft-ietf-ntp-mode-6-cmds-02
197 * 0 1 2 3
198 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
199 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
200 * |LI | VN |Mode |R|E|M| OpCode | Sequence Number |
201 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
202 * | Status | Association ID |
203 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
204 * | Offset | Count |
205 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
206 * | |
207 * / Data (up to 468 bytes) /
208 * | |
209 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
210 * | Padding (optional) |
211 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
212 * | |
213 * / Authenticator (optional, 96 bytes) /
214 * | |
215 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
216 *
217 * Figure 1: NTP Control Message Header
218 */
219
220 /* Length of the NTP control message with the mandatory fields ("the header")
221 * and without any optional fields (Data, Padding, Authenticator).
222 */
223 #define NTP_CTRLMSG_MINLEN 12U
224
225 struct ntp_control_data {
226 nd_uint8_t magic; /* LI, VN, Mode */
227 nd_uint8_t control; /* R, E, M, OpCode */
228 nd_uint16_t sequence; /* Sequence Number */
229 nd_uint16_t status; /* Status */
230 nd_uint16_t assoc; /* Association ID */
231 nd_uint16_t offset; /* Offset */
232 nd_uint16_t count; /* Count */
233 nd_uint8_t data[564]; /* Data, [Padding, [Authenticator]] */
234 };
235
236 /*
237 * Print NTP time requests and responses
238 */
239 static void
240 ntp_time_print(netdissect_options *ndo,
241 const struct ntp_time_data *bp, u_int length, u_int version)
242 {
243 const u_char *mac;
244 uint8_t stratum;
245 u_int efs_len;
246
247 if (length < NTP_TIMEMSG_MINLEN)
248 goto invalid;
249
250 stratum = GET_U_1(bp->stratum);
251 ND_PRINT(", Stratum %u (%s)",
252 stratum,
253 tok2str(ntp_stratum_values, (stratum >=2 && stratum<=15) ? "secondary reference" : "reserved", stratum));
254
255 ND_PRINT(", poll %d", GET_S_1(bp->ppoll));
256 p_poll(ndo, GET_S_1(bp->ppoll));
257
258 ND_PRINT(", precision %d", GET_S_1(bp->precision));
259
260 ND_PRINT("\n\tRoot Delay: ");
261 p_sfix(ndo, &bp->root_delay);
262
263 ND_PRINT(", Root dispersion: ");
264 p_sfix(ndo, &bp->root_dispersion);
265
266 ND_PRINT(", Reference-ID: ");
267 /* Interpretation depends on stratum */
268 switch (stratum) {
269
270 case UNSPECIFIED:
271 ND_PRINT("(unspec)");
272 ND_TCHECK_4(bp->refid);
273 break;
274
275 case PRIM_REF:
276 nd_printjn(ndo, (const u_char *)&(bp->refid), 4);
277 break;
278
279 case INFO_QUERY:
280 ND_PRINT("%s INFO_QUERY", GET_IPADDR_STRING(bp->refid));
281 /* this doesn't have more content */
282 return;
283
284 case INFO_REPLY:
285 ND_PRINT("%s INFO_REPLY", GET_IPADDR_STRING(bp->refid));
286 /* this is too complex to be worth printing */
287 return;
288
289 default:
290 /* In NTPv4 (RFC 5905) refid is an IPv4 address or first 32 bits of
291 MD5 sum of IPv6 address */
292 ND_PRINT("0x%08x", GET_BE_U_4(bp->refid));
293 break;
294 }
295
296 ND_PRINT("\n\t Reference Timestamp: ");
297 p_ntp_time(ndo, &(bp->ref_timestamp));
298
299 ND_PRINT("\n\t Originator Timestamp: ");
300 p_ntp_time(ndo, &(bp->org_timestamp));
301
302 ND_PRINT("\n\t Receive Timestamp: ");
303 p_ntp_time(ndo, &(bp->rec_timestamp));
304
305 ND_PRINT("\n\t Transmit Timestamp: ");
306 p_ntp_time(ndo, &(bp->xmt_timestamp));
307
308 ND_PRINT("\n\t Originator - Receive Timestamp: ");
309 p_ntp_delta(ndo, &(bp->org_timestamp), &(bp->rec_timestamp));
310
311 ND_PRINT("\n\t Originator - Transmit Timestamp: ");
312 p_ntp_delta(ndo, &(bp->org_timestamp), &(bp->xmt_timestamp));
313
314 if (version == 4)
315 efs_len = p_ext_fields(ndo, (const u_char *)bp + NTP_TIMEMSG_MINLEN, length - NTP_TIMEMSG_MINLEN);
316 else
317 efs_len = 0;
318
319 mac = (const u_char *)bp + NTP_TIMEMSG_MINLEN + efs_len;
320
321 if (length == NTP_TIMEMSG_MINLEN + efs_len + 4) { /* Optional: key-id (crypto-NAK) */
322 ND_PRINT("\n\tKey id: %u", GET_BE_U_4(mac));
323 } else if (length == NTP_TIMEMSG_MINLEN + efs_len + 4 + 16) { /* Optional: key-id + 128-bit digest */
324 ND_PRINT("\n\tKey id: %u", GET_BE_U_4(mac));
325 ND_PRINT("\n\tAuthentication: %08x%08x%08x%08x",
326 GET_BE_U_4(mac + 4),
327 GET_BE_U_4(mac + 8),
328 GET_BE_U_4(mac + 12),
329 GET_BE_U_4(mac + 16));
330 } else if (length == NTP_TIMEMSG_MINLEN + efs_len + 4 + 20) { /* Optional: key-id + 160-bit digest */
331 ND_PRINT("\n\tKey id: %u", GET_BE_U_4(mac));
332 ND_PRINT("\n\tAuthentication: %08x%08x%08x%08x%08x",
333 GET_BE_U_4(mac + 4),
334 GET_BE_U_4(mac + 8),
335 GET_BE_U_4(mac + 12),
336 GET_BE_U_4(mac + 16),
337 GET_BE_U_4(mac + 20));
338 } else if (length > NTP_TIMEMSG_MINLEN + efs_len) {
339 ND_PRINT("\n\t(%u more bytes after the header and extension fields)",
340 length - NTP_TIMEMSG_MINLEN - efs_len);
341 }
342 return;
343
344 invalid:
345 nd_print_invalid(ndo);
346 ND_TCHECK_LEN(bp, length);
347 }
348
349 /*
350 * Print NTP control message requests and responses
351 */
352 static void
353 ntp_control_print(netdissect_options *ndo,
354 const struct ntp_control_data *cd, u_int length)
355 {
356 uint8_t control, R, E, M, opcode;
357 uint16_t sequence, status, assoc, offset, count;
358
359 if (length < NTP_CTRLMSG_MINLEN)
360 goto invalid;
361
362 control = GET_U_1(cd->control);
363 R = (control & 0x80) != 0;
364 E = (control & 0x40) != 0;
365 M = (control & 0x20) != 0;
366 opcode = control & 0x1f;
367 ND_PRINT(", %s, %s, %s, OpCode=%u\n",
368 R ? "Response" : "Request", E ? "Error" : "OK",
369 M ? "More" : "Last", opcode);
370
371 sequence = GET_BE_U_2(cd->sequence);
372 ND_PRINT("\tSequence=%hu", sequence);
373
374 status = GET_BE_U_2(cd->status);
375 ND_PRINT(", Status=%#hx", status);
376
377 assoc = GET_BE_U_2(cd->assoc);
378 ND_PRINT(", Assoc.=%hu", assoc);
379
380 offset = GET_BE_U_2(cd->offset);
381 ND_PRINT(", Offset=%hu", offset);
382
383 count = GET_BE_U_2(cd->count);
384 ND_PRINT(", Count=%hu", count);
385
386 if (NTP_CTRLMSG_MINLEN + count > length)
387 goto invalid;
388 if (count != 0) {
389 ND_TCHECK_LEN(cd->data, count);
390 ND_PRINT("\n\tTO-BE-DONE: data not interpreted");
391 }
392 return;
393
394 invalid:
395 nd_print_invalid(ndo);
396 ND_TCHECK_LEN(cd, length);
397 }
398
399 union ntpdata {
400 struct ntp_time_data td;
401 struct ntp_control_data cd;
402 };
403
404 /*
405 * Print NTP requests, handling the common VN, LI, and Mode
406 */
407 void
408 ntp_print(netdissect_options *ndo,
409 const u_char *cp, u_int length)
410 {
411 const union ntpdata *bp = (const union ntpdata *)cp;
412 u_int mode, version, leapind;
413 uint8_t status;
414
415 ndo->ndo_protocol = "ntp";
416 status = GET_U_1(bp->td.status);
417
418 version = (status & VERSIONMASK) >> VERSIONSHIFT;
419 ND_PRINT("NTPv%u", version);
420
421 mode = (status & MODEMASK) >> MODESHIFT;
422 if (!ndo->ndo_vflag) {
423 ND_PRINT(", %s, length %u",
424 tok2str(ntp_mode_values, "Unknown mode", mode),
425 length);
426 return;
427 }
428
429 ND_PRINT(", %s, length %u\n",
430 tok2str(ntp_mode_values, "Unknown mode", mode), length);
431
432 /* leapind = (status & LEAPMASK) >> LEAPSHIFT; */
433 leapind = (status & LEAPMASK);
434 ND_PRINT("\tLeap indicator: %s (%u)",
435 tok2str(ntp_leapind_values, "Unknown", leapind),
436 leapind);
437
438 switch (mode) {
439
440 case MODE_UNSPEC:
441 case MODE_SYM_ACT:
442 case MODE_SYM_PAS:
443 case MODE_CLIENT:
444 case MODE_SERVER:
445 case MODE_BROADCAST:
446 ntp_time_print(ndo, &bp->td, length, version);
447 break;
448
449 case MODE_CONTROL:
450 ntp_control_print(ndo, &bp->cd, length);
451 break;
452
453 default:
454 break; /* XXX: not implemented! */
455 }
456 }
457
458 static void
459 p_sfix(netdissect_options *ndo,
460 const struct s_fixedpt *sfp)
461 {
462 int i;
463 int f;
464 double ff;
465
466 i = GET_BE_U_2(sfp->int_part);
467 f = GET_BE_U_2(sfp->fraction);
468 ff = f / 65536.0; /* shift radix point by 16 bits */
469 f = (int)(ff * 1000000.0); /* Treat fraction as parts per million */
470 ND_PRINT("%d.%06d", i, f);
471 }
472
473 /* Prints time difference between *lfp and *olfp */
474 static void
475 p_ntp_delta(netdissect_options *ndo,
476 const struct l_fixedpt *olfp,
477 const struct l_fixedpt *lfp)
478 {
479 uint32_t u, uf;
480 uint32_t ou, ouf;
481 uint32_t i;
482 uint32_t f;
483 double ff;
484 int signbit;
485
486 u = GET_BE_U_4(lfp->int_part);
487 ou = GET_BE_U_4(olfp->int_part);
488 uf = GET_BE_U_4(lfp->fraction);
489 ouf = GET_BE_U_4(olfp->fraction);
490 if (ou == 0 && ouf == 0) {
491 p_ntp_time(ndo, lfp);
492 return;
493 }
494
495 if (u > ou) { /* new is definitely greater than old */
496 signbit = 0;
497 i = u - ou;
498 f = uf - ouf;
499 if (ouf > uf) /* must borrow from high-order bits */
500 i -= 1;
501 } else if (u < ou) { /* new is definitely less than old */
502 signbit = 1;
503 i = ou - u;
504 f = ouf - uf;
505 if (uf > ouf) /* must borrow from the high-order bits */
506 i -= 1;
507 } else { /* int_part is zero */
508 i = 0;
509 if (uf > ouf) {
510 signbit = 0;
511 f = uf - ouf;
512 } else {
513 signbit = 1;
514 f = ouf - uf;
515 }
516 }
517
518 ff = f;
519 if (ff < 0.0) /* some compilers are buggy */
520 ff += FMAXINT;
521 ff = ff / FMAXINT; /* shift radix point by 32 bits */
522 f = (uint32_t)(ff * 1000000000.0); /* treat fraction as parts per billion */
523 ND_PRINT("%s%u.%09u", signbit ? "-" : "+", i, f);
524 }
525
526 /* Prints polling interval in log2 as seconds or fraction of second */
527 static void
528 p_poll(netdissect_options *ndo,
529 const int poll_interval)
530 {
531 if (poll_interval <= -32 || poll_interval >= 32)
532 return;
533
534 if (poll_interval >= 0)
535 ND_PRINT(" (%us)", 1U << poll_interval);
536 else
537 ND_PRINT(" (1/%us)", 1U << -poll_interval);
538 }
539
540 /* Prints an NTPv4 extension field */
541 static void
542 p_ntp_ef(netdissect_options *ndo, u_int type, u_int length, const u_char *ef_body)
543 {
544 ND_PRINT("\n\t %s", tok2str(ntp_ef_types, "Unknown type", type));
545 ND_PRINT(" (0x%04x), length %u", type, length);
546
547 if (ndo->ndo_vflag > 2)
548 hex_print(ndo, "\n\t ", ef_body, length - 4);
549 else {
550 /*
551 * If we're not going to print it, at least make sure
552 * it's present in the packet, so if ef_len is too long,
553 * we stop.
554 */
555 ND_TCHECK_LEN(ef_body, length - 4);
556 }
557 }
558
559 /* Prints list of extension fields per RFC 7822 */
560 static u_int
561 p_ext_fields(netdissect_options *ndo, const u_char *cp, u_int length)
562 {
563 const struct ntp_extension_field *ef;
564 u_int ef_type, ef_len, efs_len;
565 int first_ef;
566
567 first_ef = 1;
568 efs_len = 0;
569
570 /* RFC 7822 requires the last EF in the packet to have at least
571 28 octets to avoid ambiguity with MACs */
572 while (length - efs_len >= 28) {
573 ef = (const struct ntp_extension_field *)(cp + efs_len);
574 ef_type = GET_BE_U_2(ef->type);
575 ef_len = GET_BE_U_2(ef->length);
576
577 if (efs_len + ef_len > length || ef_len < 4 || ef_len % 4 != 0) {
578 nd_print_invalid(ndo);
579 break;
580 }
581
582 if (first_ef) {
583 ND_PRINT("\n\tExtension fields:");
584 first_ef = 0;
585 }
586
587 p_ntp_ef(ndo, ef_type, ef_len, (const u_char *)(ef + 1));
588
589 /*
590 * The entire extension field is guaranteed to be in the
591 * captured data, as p_ntp_ef() will longjmp out if it
592 * isn't.
593 *
594 * As the total length of the captured data fits in a
595 * u_int, this means that the total length of all the
596 * extension fields will fit in a u_int, so this will
597 * never overflow.
598 */
599 efs_len += ef_len;
600 }
601
602 return efs_len;
603 }
[mirror] the TCPdump network dissector