]> The Tcpdump Group git mirrors - tcpdump/blobdiff - print-isakmp.c
projects / tcpdump / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add program_name field in the netdissect_options structure
[tcpdump] / print-isakmp.c
diff --git a/print-isakmp.c b/print-isakmp.c
index a3963f2ad345e8dad2abdea425e9f99a3f307a0a..158b25843479f3bff2377db9a9b97f892c109da7 100644 (file)
--- a/print-isakmp.c
+++ b/print-isakmp.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -13,7 +13,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -28,123 +28,710 @@
  *
  */
 
  *
  */
 
-#ifndef lint
-static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.22 2000-10-03 02:54:59 itojun Exp $ (LBL)";
-#endif
-
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
 
-#include <string.h>
-#include <ctype.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/socket.h>
+/* The functions from print-esp.c used in this file are only defined when both
+ * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
+ */
+#ifndef HAVE_OPENSSL_EVP_H
+#undef HAVE_LIBCRYPTO
+#endif
+
+#include <tcpdump-stdinc.h>
 
 
-struct mbuf;
-struct rtentry;
+#include <string.h>
 
 
-#include <netinet/in.h>
+#include "netdissect.h"
+#include "addrtoname.h"
+#include "extract.h"
 
 
+#include "ip.h"
 #ifdef INET6
 #ifdef INET6
-#include <netinet/ip6.h>
+#include "ip6.h"
 #endif
 
 #endif
 
-#include <stdio.h>
-#include <netdb.h>
+/* refer to RFC 2408 */
+
+typedef u_char cookie_t[8];
+typedef u_char msgid_t[4];
+
+#define PORT_ISAKMP 500
+
+/* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
+         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        !                          Initiator                            !
+        !                            Cookie                             !
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        !                          Responder                            !
+        !                            Cookie                             !
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        !                          Message ID                           !
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        !                            Length                             !
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+struct isakmp {
+       cookie_t i_ck;          /* Initiator Cookie */
+       cookie_t r_ck;          /* Responder Cookie */
+       uint8_t np;             /* Next Payload Type */
+       uint8_t vers;
+#define ISAKMP_VERS_MAJOR      0xf0
+#define ISAKMP_VERS_MAJOR_SHIFT        4
+#define ISAKMP_VERS_MINOR      0x0f
+#define ISAKMP_VERS_MINOR_SHIFT        0
+       uint8_t etype;          /* Exchange Type */
+       uint8_t flags;          /* Flags */
+       msgid_t msgid;
+       uint32_t len;           /* Length */
+};
 
 
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "oakley.h"
-#include "interface.h"
-#include "addrtoname.h"
-#include "extract.h"                    /* must come after interface.h */
+/* Next Payload Type */
+#define ISAKMP_NPTYPE_NONE   0 /* NONE*/
+#define ISAKMP_NPTYPE_SA     1 /* Security Association */
+#define ISAKMP_NPTYPE_P      2 /* Proposal */
+#define ISAKMP_NPTYPE_T      3 /* Transform */
+#define ISAKMP_NPTYPE_KE     4 /* Key Exchange */
+#define ISAKMP_NPTYPE_ID     5 /* Identification */
+#define ISAKMP_NPTYPE_CERT   6 /* Certificate */
+#define ISAKMP_NPTYPE_CR     7 /* Certificate Request */
+#define ISAKMP_NPTYPE_HASH   8 /* Hash */
+#define ISAKMP_NPTYPE_SIG    9 /* Signature */
+#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
+#define ISAKMP_NPTYPE_N     11 /* Notification */
+#define ISAKMP_NPTYPE_D     12 /* Delete */
+#define ISAKMP_NPTYPE_VID   13 /* Vendor ID */
+#define ISAKMP_NPTYPE_v2E   46 /* v2 Encrypted payload */
+
+#define IKEv1_MAJOR_VERSION  1
+#define IKEv1_MINOR_VERSION  0
+
+#define IKEv2_MAJOR_VERSION  2
+#define IKEv2_MINOR_VERSION  0
+
+/* Flags */
+#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
+#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
+#define ISAKMP_FLAG_extra 0x04
+
+/* IKEv2 */
+#define ISAKMP_FLAG_I (1 << 3)  /* (I)nitiator */
+#define ISAKMP_FLAG_V (1 << 4)  /* (V)ersion   */
+#define ISAKMP_FLAG_R (1 << 5)  /* (R)esponse  */
+
+
+/* 3.2 Payload Generic Header
+         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        ! Next Payload  !   RESERVED    !         Payload Length        !
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+struct isakmp_gen {
+       uint8_t  np;       /* Next Payload */
+       uint8_t  critical; /* bit 7 - critical, rest is RESERVED */
+       uint16_t len;      /* Payload Length */
+};
 
 
-#include "ip.h"
+/* 3.3 Data Attributes
+         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        !A!       Attribute Type        !    AF=0  Attribute Length     !
+        !F!                             !    AF=1  Attribute Value      !
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        .                   AF=0  Attribute Value                       .
+        .                   AF=1  Not Transmitted                       .
+        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+struct isakmp_data {
+       uint16_t type;     /* defined by DOI-spec, and Attribute Format */
+       uint16_t lorv;     /* if f equal 1, Attribute Length */
+                         /* if f equal 0, Attribute Value */
+       /* if f equal 1, Attribute Value */
+};
+
+/* 3.4 Security Association Payload */
+       /* MAY NOT be used, because of being defined in ipsec-doi. */
+       /*
+       If the current payload is the last in the message,
+       then the value of the next payload field will be 0.
+       This field MUST NOT contain the
+       values for the Proposal or Transform payloads as they are considered
+       part of the security association negotiation.  For example, this
+       field would contain the value "10" (Nonce payload) in the first
+       message of a Base Exchange (see Section 4.4) and the value "0" in the
+       first message of an Identity Protect Exchange (see Section 4.5).
+       */
+struct ikev1_pl_sa {
+       struct isakmp_gen h;
+       uint32_t doi; /* Domain of Interpretation */
+       uint32_t sit; /* Situation */
+};
+
+/* 3.5 Proposal Payload */
+       /*
+       The value of the next payload field MUST only contain the value "2"
+       or "0".  If there are additional Proposal payloads in the message,
+       then this field will be 2.  If the current Proposal payload is the
+       last within the security association proposal, then this field will
+       be 0.
+       */
+struct ikev1_pl_p {
+       struct isakmp_gen h;
+       uint8_t p_no;      /* Proposal # */
+       uint8_t prot_id;   /* Protocol */
+       uint8_t spi_size;  /* SPI Size */
+       uint8_t num_t;     /* Number of Transforms */
+       /* SPI */
+};
+
+/* 3.6 Transform Payload */
+       /*
+       The value of the next payload field MUST only contain the value "3"
+       or "0".  If there are additional Transform payloads in the proposal,
+       then this field will be 3.  If the current Transform payload is the
+       last within the proposal, then this field will be 0.
+       */
+struct ikev1_pl_t {
+       struct isakmp_gen h;
+       uint8_t  t_no;     /* Transform # */
+       uint8_t  t_id;     /* Transform-Id */
+       uint16_t reserved; /* RESERVED2 */
+       /* SA Attributes */
+};
+
+/* 3.7 Key Exchange Payload */
+struct ikev1_pl_ke {
+       struct isakmp_gen h;
+       /* Key Exchange Data */
+};
+
+/* 3.8 Identification Payload */
+       /* MUST NOT to be used, because of being defined in ipsec-doi. */
+struct ikev1_pl_id {
+       struct isakmp_gen h;
+       union {
+               uint8_t  id_type;   /* ID Type */
+               uint32_t doi_data;  /* DOI Specific ID Data */
+       } d;
+       /* Identification Data */
+};
+
+/* 3.9 Certificate Payload */
+struct ikev1_pl_cert {
+       struct isakmp_gen h;
+       uint8_t encode; /* Cert Encoding */
+       char   cert;   /* Certificate Data */
+               /*
+               This field indicates the type of
+               certificate or certificate-related information contained in the
+               Certificate Data field.
+               */
+};
+
+/* 3.10 Certificate Request Payload */
+struct ikev1_pl_cr {
+       struct isakmp_gen h;
+       uint8_t num_cert; /* # Cert. Types */
+       /*
+       Certificate Types (variable length)
+         -- Contains a list of the types of certificates requested,
+         sorted in order of preference.  Each individual certificate
+         type is 1 octet.  This field is NOT requiredo
+       */
+       /* # Certificate Authorities (1 octet) */
+       /* Certificate Authorities (variable length) */
+};
+
+/* 3.11 Hash Payload */
+       /* may not be used, because of having only data. */
+struct ikev1_pl_hash {
+       struct isakmp_gen h;
+       /* Hash Data */
+};
+
+/* 3.12 Signature Payload */
+       /* may not be used, because of having only data. */
+struct ikev1_pl_sig {
+       struct isakmp_gen h;
+       /* Signature Data */
+};
+
+/* 3.13 Nonce Payload */
+       /* may not be used, because of having only data. */
+struct ikev1_pl_nonce {
+       struct isakmp_gen h;
+       /* Nonce Data */
+};
+
+/* 3.14 Notification Payload */
+struct ikev1_pl_n {
+       struct isakmp_gen h;
+       uint32_t doi;      /* Domain of Interpretation */
+       uint8_t  prot_id;  /* Protocol-ID */
+       uint8_t  spi_size; /* SPI Size */
+       uint16_t type;     /* Notify Message Type */
+       /* SPI */
+       /* Notification Data */
+};
+
+/* 3.14.1 Notify Message Types */
+/* NOTIFY MESSAGES - ERROR TYPES */
+#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE           1
+#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED              2
+#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED        3
+#define ISAKMP_NTYPE_INVALID_COOKIE                 4
+#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION          5
+#define ISAKMP_NTYPE_INVALID_MINOR_VERSION          6
+#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE          7
+#define ISAKMP_NTYPE_INVALID_FLAGS                  8
+#define ISAKMP_NTYPE_INVALID_MESSAGE_ID             9
+#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID            10
+#define ISAKMP_NTYPE_INVALID_SPI                    11
+#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID           12
+#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED       13
+#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN             14
+#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX            15
+#define ISAKMP_NTYPE_PAYLOAD_MALFORMED              16
+#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION        17
+#define ISAKMP_NTYPE_INVALID_ID_INFORMATION         18
+#define ISAKMP_NTYPE_INVALID_CERT_ENCODING          19
+#define ISAKMP_NTYPE_INVALID_CERTIFICATE            20
+#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX        21
+#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY         22
+#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION       23
+#define ISAKMP_NTYPE_AUTHENTICATION_FAILED          24
+#define ISAKMP_NTYPE_INVALID_SIGNATURE              25
+#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION           26
+
+/* 3.15 Delete Payload */
+struct ikev1_pl_d {
+       struct isakmp_gen h;
+       uint32_t doi;      /* Domain of Interpretation */
+       uint8_t  prot_id;  /* Protocol-Id */
+       uint8_t  spi_size; /* SPI Size */
+       uint16_t num_spi;  /* # of SPIs */
+       /* SPI(es) */
+};
+
+struct ikev1_ph1tab {
+       struct ikev1_ph1 *head;
+       struct ikev1_ph1 *tail;
+       int len;
+};
+
+struct isakmp_ph2tab {
+       struct ikev1_ph2 *head;
+       struct ikev1_ph2 *tail;
+       int len;
+};
+
+/* IKEv2 (RFC4306) */
+
+/* 3.3  Security Association Payload -- generic header */
+/* 3.3.1.  Proposal Substructure */
+struct ikev2_p {
+       struct isakmp_gen h;
+       uint8_t p_no;      /* Proposal # */
+       uint8_t prot_id;   /* Protocol */
+       uint8_t spi_size;  /* SPI Size */
+       uint8_t num_t;     /* Number of Transforms */
+};
+
+/* 3.3.2.  Transform Substructure */
+struct ikev2_t {
+       struct isakmp_gen h;
+       uint8_t t_type;    /* Transform Type (ENCR,PRF,INTEG,etc.*/
+       uint8_t res2;      /* reserved byte */
+       uint16_t t_id;     /* Transform ID */
+};
+
+enum ikev2_t_type {
+       IV2_T_ENCR = 1,
+       IV2_T_PRF  = 2,
+       IV2_T_INTEG= 3,
+       IV2_T_DH   = 4,
+       IV2_T_ESN  = 5
+};
+
+/* 3.4.  Key Exchange Payload */
+struct ikev2_ke {
+       struct isakmp_gen h;
+       uint16_t  ke_group;
+       uint16_t  ke_res1;
+       /* KE data */
+};
+
+
+/* 3.5.  Identification Payloads */
+enum ikev2_id_type {
+       ID_IPV4_ADDR=1,
+       ID_FQDN=2,
+       ID_RFC822_ADDR=3,
+       ID_IPV6_ADDR=5,
+       ID_DER_ASN1_DN=9,
+       ID_DER_ASN1_GN=10,
+       ID_KEY_ID=11
+};
+struct ikev2_id {
+       struct isakmp_gen h;
+       uint8_t  type;        /* ID type */
+       uint8_t  res1;
+       uint16_t res2;
+       /* SPI */
+       /* Notification Data */
+};
+
+/* 3.10 Notification Payload */
+struct ikev2_n {
+       struct isakmp_gen h;
+       uint8_t  prot_id;  /* Protocol-ID */
+       uint8_t  spi_size; /* SPI Size */
+       uint16_t type;     /* Notify Message Type */
+};
+
+enum ikev2_n_type {
+       IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD            = 1,
+       IV2_NOTIFY_INVALID_IKE_SPI                         = 4,
+       IV2_NOTIFY_INVALID_MAJOR_VERSION                   = 5,
+       IV2_NOTIFY_INVALID_SYNTAX                          = 7,
+       IV2_NOTIFY_INVALID_MESSAGE_ID                      = 9,
+       IV2_NOTIFY_INVALID_SPI                             =11,
+       IV2_NOTIFY_NO_PROPOSAL_CHOSEN                      =14,
+       IV2_NOTIFY_INVALID_KE_PAYLOAD                      =17,
+       IV2_NOTIFY_AUTHENTICATION_FAILED                   =24,
+       IV2_NOTIFY_SINGLE_PAIR_REQUIRED                    =34,
+       IV2_NOTIFY_NO_ADDITIONAL_SAS                       =35,
+       IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE                =36,
+       IV2_NOTIFY_FAILED_CP_REQUIRED                      =37,
+       IV2_NOTIFY_INVALID_SELECTORS                       =39,
+       IV2_NOTIFY_INITIAL_CONTACT                         =16384,
+       IV2_NOTIFY_SET_WINDOW_SIZE                         =16385,
+       IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE                  =16386,
+       IV2_NOTIFY_IPCOMP_SUPPORTED                        =16387,
+       IV2_NOTIFY_NAT_DETECTION_SOURCE_IP                 =16388,
+       IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP            =16389,
+       IV2_NOTIFY_COOKIE                                  =16390,
+       IV2_NOTIFY_USE_TRANSPORT_MODE                      =16391,
+       IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED              =16392,
+       IV2_NOTIFY_REKEY_SA                                =16393,
+       IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED           =16394,
+       IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO                =16395
+};
 
 
-#ifndef HAVE_SOCKADDR_STORAGE
-#define sockaddr_storage sockaddr
+struct notify_messages {
+       uint16_t type;
+       char     *msg;
+};
+
+/* 3.8 Notification Payload */
+struct ikev2_auth {
+       struct isakmp_gen h;
+       uint8_t  auth_method;  /* Protocol-ID */
+       uint8_t  reserved[3];
+       /* authentication data */
+};
+
+enum ikev2_auth_type {
+       IV2_RSA_SIG = 1,
+       IV2_SHARED  = 2,
+       IV2_DSS_SIG = 3
+};
+
+/* refer to RFC 2409 */
+
+#if 0
+/* isakmp sa structure */
+struct oakley_sa {
+       uint8_t  proto_id;            /* OAKLEY */
+       vchar_t   *spi;                /* spi */
+       uint8_t  dhgrp;               /* DH; group */
+       uint8_t  auth_t;              /* method of authentication */
+       uint8_t  prf_t;               /* type of prf */
+       uint8_t  hash_t;              /* type of hash */
+       uint8_t  enc_t;               /* type of cipher */
+       uint8_t  life_t;              /* type of duration of lifetime */
+       uint32_t ldur;                /* life duration */
+};
 #endif
 
 #endif
 
-static u_char *isakmp_sa_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_p_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_t_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_ke_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_id_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_cert_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_cr_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_sig_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_hash_print(struct isakmp_gen *, u_char *,
-       u_int32_t, u_int32_t, u_int32_t);
-static u_char *isakmp_nonce_print(struct isakmp_gen *, u_char *,
-       u_int32_t, u_int32_t, u_int32_t);
-static u_char *isakmp_n_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_d_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_vid_print(struct isakmp_gen *, u_char *, u_int32_t,
-       u_int32_t, u_int32_t);
-static u_char *isakmp_sub0_print(u_char, struct isakmp_gen *, u_char *,
-       u_int32_t, u_int32_t, u_int32_t);
-static u_char *isakmp_sub_print(u_char, struct isakmp_gen *, u_char *,
-       u_int32_t, u_int32_t, u_int32_t);
+/* refer to RFC 2407 */
+
+#define IPSEC_DOI 1
+
+/* 4.2 IPSEC Situation Definition */
+#define IPSECDOI_SIT_IDENTITY_ONLY           0x00000001
+#define IPSECDOI_SIT_SECRECY                 0x00000002
+#define IPSECDOI_SIT_INTEGRITY               0x00000004
+
+/* 4.4.1 IPSEC Security Protocol Identifiers */
+  /* 4.4.2 IPSEC ISAKMP Transform Values */
+#define IPSECDOI_PROTO_ISAKMP                        1
+#define   IPSECDOI_KEY_IKE                             1
+
+/* 4.4.1 IPSEC Security Protocol Identifiers */
+#define IPSECDOI_PROTO_IPSEC_AH                      2
+  /* 4.4.3 IPSEC AH Transform Values */
+#define   IPSECDOI_AH_MD5                              2
+#define   IPSECDOI_AH_SHA                              3
+#define   IPSECDOI_AH_DES                              4
+#define   IPSECDOI_AH_SHA2_256                         5
+#define   IPSECDOI_AH_SHA2_384                         6
+#define   IPSECDOI_AH_SHA2_512                         7
+
+/* 4.4.1 IPSEC Security Protocol Identifiers */
+#define IPSECDOI_PROTO_IPSEC_ESP                     3
+  /* 4.4.4 IPSEC ESP Transform Identifiers */
+#define   IPSECDOI_ESP_DES_IV64                        1
+#define   IPSECDOI_ESP_DES                             2
+#define   IPSECDOI_ESP_3DES                            3
+#define   IPSECDOI_ESP_RC5                             4
+#define   IPSECDOI_ESP_IDEA                            5
+#define   IPSECDOI_ESP_CAST                            6
+#define   IPSECDOI_ESP_BLOWFISH                        7
+#define   IPSECDOI_ESP_3IDEA                           8
+#define   IPSECDOI_ESP_DES_IV32                        9
+#define   IPSECDOI_ESP_RC4                            10
+#define   IPSECDOI_ESP_NULL                           11
+#define   IPSECDOI_ESP_RIJNDAEL                                12
+#define   IPSECDOI_ESP_AES                             12
+
+/* 4.4.1 IPSEC Security Protocol Identifiers */
+#define IPSECDOI_PROTO_IPCOMP                        4
+  /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
+#define   IPSECDOI_IPCOMP_OUI                          1
+#define   IPSECDOI_IPCOMP_DEFLATE                      2
+#define   IPSECDOI_IPCOMP_LZS                          3
+
+/* 4.5 IPSEC Security Association Attributes */
+#define IPSECDOI_ATTR_SA_LTYPE                1 /* B */
+#define   IPSECDOI_ATTR_SA_LTYPE_DEFAULT        1
+#define   IPSECDOI_ATTR_SA_LTYPE_SEC            1
+#define   IPSECDOI_ATTR_SA_LTYPE_KB             2
+#define IPSECDOI_ATTR_SA_LDUR                 2 /* V */
+#define   IPSECDOI_ATTR_SA_LDUR_DEFAULT         28800 /* 8 hours */
+#define IPSECDOI_ATTR_GRP_DESC                3 /* B */
+#define IPSECDOI_ATTR_ENC_MODE                4 /* B */
+       /* default value: host dependent */
+#define   IPSECDOI_ATTR_ENC_MODE_TUNNEL         1
+#define   IPSECDOI_ATTR_ENC_MODE_TRNS           2
+#define IPSECDOI_ATTR_AUTH                    5 /* B */
+       /* 0 means not to use authentication. */
+#define   IPSECDOI_ATTR_AUTH_HMAC_MD5           1
+#define   IPSECDOI_ATTR_AUTH_HMAC_SHA1          2
+#define   IPSECDOI_ATTR_AUTH_DES_MAC            3
+#define   IPSECDOI_ATTR_AUTH_KPDK               4 /*RFC-1826(Key/Pad/Data/Key)*/
+       /*
+        * When negotiating ESP without authentication, the Auth
+        * Algorithm attribute MUST NOT be included in the proposal.
+        * When negotiating ESP without confidentiality, the Auth
+        * Algorithm attribute MUST be included in the proposal and
+        * the ESP transform ID must be ESP_NULL.
+       */
+#define IPSECDOI_ATTR_KEY_LENGTH              6 /* B */
+#define IPSECDOI_ATTR_KEY_ROUNDS              7 /* B */
+#define IPSECDOI_ATTR_COMP_DICT_SIZE          8 /* B */
+#define IPSECDOI_ATTR_COMP_PRIVALG            9 /* V */
+
+/* 4.6.1 Security Association Payload */
+struct ipsecdoi_sa {
+       struct isakmp_gen h;
+       uint32_t doi; /* Domain of Interpretation */
+       uint32_t sit; /* Situation */
+};
+
+struct ipsecdoi_secrecy_h {
+       uint16_t len;
+       uint16_t reserved;
+};
+
+/* 4.6.2.1 Identification Type Values */
+struct ipsecdoi_id {
+       struct isakmp_gen h;
+       uint8_t  type;          /* ID Type */
+       uint8_t  proto_id;      /* Protocol ID */
+       uint16_t port;          /* Port */
+       /* Identification Data */
+};
+
+#define IPSECDOI_ID_IPV4_ADDR                        1
+#define IPSECDOI_ID_FQDN                             2
+#define IPSECDOI_ID_USER_FQDN                        3
+#define IPSECDOI_ID_IPV4_ADDR_SUBNET                 4
+#define IPSECDOI_ID_IPV6_ADDR                        5
+#define IPSECDOI_ID_IPV6_ADDR_SUBNET                 6
+#define IPSECDOI_ID_IPV4_ADDR_RANGE                  7
+#define IPSECDOI_ID_IPV6_ADDR_RANGE                  8
+#define IPSECDOI_ID_DER_ASN1_DN                      9
+#define IPSECDOI_ID_DER_ASN1_GN                      10
+#define IPSECDOI_ID_KEY_ID                           11
+
+/* 4.6.3 IPSEC DOI Notify Message Types */
+/* Notify Messages - Status Types */
+#define IPSECDOI_NTYPE_RESPONDER_LIFETIME                  24576
+#define IPSECDOI_NTYPE_REPLAY_STATUS                       24577
+#define IPSECDOI_NTYPE_INITIAL_CONTACT                     24578
+
+#define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
+               netdissect_options *ndo, u_char tpay,                 \
+               const struct isakmp_gen *ext,                         \
+               u_int item_len, \
+               const u_char *end_pointer, \
+               uint32_t phase,\
+               uint32_t doi0, \
+               uint32_t proto0, int depth)
+
+DECLARE_PRINTER(v1_sa);
+DECLARE_PRINTER(v1_p);
+DECLARE_PRINTER(v1_t);
+DECLARE_PRINTER(v1_ke);
+DECLARE_PRINTER(v1_id);
+DECLARE_PRINTER(v1_cert);
+DECLARE_PRINTER(v1_cr);
+DECLARE_PRINTER(v1_sig);
+DECLARE_PRINTER(v1_hash);
+DECLARE_PRINTER(v1_nonce);
+DECLARE_PRINTER(v1_n);
+DECLARE_PRINTER(v1_d);
+DECLARE_PRINTER(v1_vid);
+
+DECLARE_PRINTER(v2_sa);
+DECLARE_PRINTER(v2_ke);
+DECLARE_PRINTER(v2_ID);
+DECLARE_PRINTER(v2_cert);
+DECLARE_PRINTER(v2_cr);
+DECLARE_PRINTER(v2_auth);
+DECLARE_PRINTER(v2_nonce);
+DECLARE_PRINTER(v2_n);
+DECLARE_PRINTER(v2_d);
+DECLARE_PRINTER(v2_vid);
+DECLARE_PRINTER(v2_TS);
+DECLARE_PRINTER(v2_cp);
+DECLARE_PRINTER(v2_eap);
+
+static const u_char *ikev2_e_print(netdissect_options *ndo,
+                                  struct isakmp *base,
+                                  u_char tpay,
+                                  const struct isakmp_gen *ext,
+                                  u_int item_len,
+                                  const u_char *end_pointer,
+                                  uint32_t phase,
+                                  uint32_t doi0,
+                                  uint32_t proto0, int depth);
+
+
+static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
+       const u_char *, uint32_t, uint32_t, uint32_t, int);
+static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
+       const u_char *, uint32_t, uint32_t, uint32_t, int);
+
+static const u_char *ikev2_sub_print(netdissect_options *ndo,
+                                    struct isakmp *base,
+                                    u_char np, const struct isakmp_gen *ext,
+                                    const u_char *ep, uint32_t phase,
+                                    uint32_t doi, uint32_t proto,
+                                    int depth);
+
+
 static char *numstr(int);
 
 static char *numstr(int);
 
+static void
+ikev1_print(netdissect_options *ndo,
+           const u_char *bp,  u_int length,
+           const u_char *bp2, struct isakmp *base);
+
 #define MAXINITIATORS  20
 int ninitiator = 0;
 #define MAXINITIATORS  20
 int ninitiator = 0;
+union inaddr_u {
+       struct in_addr in4;
+#ifdef INET6
+       struct in6_addr in6;
+#endif
+};
 struct {
        cookie_t initiator;
 struct {
        cookie_t initiator;
-       struct sockaddr_storage iaddr;
-       struct sockaddr_storage raddr;
+       u_int version;
+       union inaddr_u iaddr;
+       union inaddr_u raddr;
 } cookiecache[MAXINITIATORS];
 
 /* protocol id */
 } cookiecache[MAXINITIATORS];
 
 /* protocol id */
-static char *protoidstr[] = {
+static const char *protoidstr[] = {
        NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
 };
 
 /* isakmp->np */
        NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
 };
 
 /* isakmp->np */
-static char *npstr[] = {
-       "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash",
-       "sig", "nonce", "n", "d", "vid"
+static const char *npstr[] = {
+       "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
+       "sig", "nonce", "n", "d", "vid",      /* 9 - 13 */
+       "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
+       "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
+       "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
+       "pay29", "pay30", "pay31", "pay32",          /* 29- 32 */
+       "v2sa",  "v2ke",  "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
+       "v2cr",  "v2auth","v2nonce", "v2n",   "v2d",   /* 38- 42 */
+       "v2vid", "v2TSi", "v2TSr", "v2e",   "v2cp",  /* 43- 47 */
+       "v2eap",                                     /* 48 */
+
 };
 
 /* isakmp->np */
 };
 
 /* isakmp->np */
-static u_char *(*npfunc[])(struct isakmp_gen *, u_char *, u_int32_t,
-               u_int32_t, u_int32_t) = {
+static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
+                                const struct isakmp_gen *ext,
+                                u_int item_len,
+                                const u_char *end_pointer,
+                                uint32_t phase,
+                                uint32_t doi0,
+                                uint32_t proto0, int depth) = {
        NULL,
        NULL,
-       isakmp_sa_print,
-       isakmp_p_print,
-       isakmp_t_print,
-       isakmp_ke_print,
-       isakmp_id_print,
-       isakmp_cert_print,
-       isakmp_cr_print,
-       isakmp_hash_print,
-       isakmp_sig_print,
-       isakmp_nonce_print,
-       isakmp_n_print,
-       isakmp_d_print,
-       isakmp_vid_print,
+       ikev1_sa_print,
+       ikev1_p_print,
+       ikev1_t_print,
+       ikev1_ke_print,
+       ikev1_id_print,
+       ikev1_cert_print,
+       ikev1_cr_print,
+       ikev1_hash_print,
+       ikev1_sig_print,
+       ikev1_nonce_print,
+       ikev1_n_print,
+       ikev1_d_print,
+       ikev1_vid_print,                  /* 13 */
+       NULL, NULL, NULL, NULL, NULL,     /* 14- 18 */
+       NULL, NULL, NULL, NULL, NULL,     /* 19- 23 */
+       NULL, NULL, NULL, NULL, NULL,     /* 24- 28 */
+       NULL, NULL, NULL, NULL,           /* 29- 32 */
+       ikev2_sa_print,                 /* 33 */
+       ikev2_ke_print,                 /* 34 */
+       ikev2_ID_print,                 /* 35 */
+       ikev2_ID_print,                 /* 36 */
+       ikev2_cert_print,               /* 37 */
+       ikev2_cr_print,                 /* 38 */
+       ikev2_auth_print,               /* 39 */
+       ikev2_nonce_print,              /* 40 */
+       ikev2_n_print,                  /* 41 */
+       ikev2_d_print,                  /* 42 */
+       ikev2_vid_print,                /* 43 */
+       ikev2_TS_print,                 /* 44 */
+       ikev2_TS_print,                 /* 45 */
+       NULL, /* ikev2_e_print,*/       /* 46 - special */
+       ikev2_cp_print,                 /* 47 */
+       ikev2_eap_print,                /* 48 */
 };
 
 /* isakmp->etype */
 };
 
 /* isakmp->etype */
-static char *etypestr[] = {
-       "none", "base", "ident", "auth", "agg", "inf", NULL, NULL,
-       NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-       NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-       NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-       "oakley-quick", "oakley-newgroup",
+static const char *etypestr[] = {
+/* IKEv1 exchange types */
+       "none", "base", "ident", "auth", "agg", "inf", NULL, NULL,  /* 0-7 */
+       NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /*  8-15 */
+       NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 16-23 */
+       NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 24-31 */
+       "oakley-quick", "oakley-newgroup",               /* 32-33 */
+/* IKEv2 exchange types */
+       "ikev2_init", "ikev2_auth", "child_sa", "inf2"   /* 34-37 */
 };
 
 #define STR_OR_ID(x, tab) \
 };
 
 #define STR_OR_ID(x, tab) \
@@ -153,12 +740,19 @@ static char *etypestr[] = {
 #define NPSTR(x)       STR_OR_ID(x, npstr)
 #define ETYPESTR(x)    STR_OR_ID(x, etypestr)
 
 #define NPSTR(x)       STR_OR_ID(x, npstr)
 #define ETYPESTR(x)    STR_OR_ID(x, etypestr)
 
+#define CHECKLEN(p, np)                                                        \
+               if (ep < (const u_char *)(p)) {                         \
+                       ND_PRINT((ndo," [|%s]", NPSTR(np)));            \
+                       goto done;                                      \
+               }
+
+
 #define NPFUNC(x) \
        (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
                ? npfunc[(x)] : NULL)
 
 static int
 #define NPFUNC(x) \
        (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
                ? npfunc[(x)] : NULL)
 
 static int
-iszero(u_char *p, size_t l)
+iszero(const u_char *p, size_t l)
 {
        while (l--) {
                if (*p++)
 {
        while (l--) {
                if (*p++)
@@ -186,11 +780,9 @@ static void
 cookie_record(cookie_t *in, const u_char *bp2)
 {
        int i;
 cookie_record(cookie_t *in, const u_char *bp2)
 {
        int i;
-       struct ip *ip;
-       struct sockaddr_in *sin;
+       const struct ip *ip;
 #ifdef INET6
 #ifdef INET6
-       struct ip6_hdr *ip6;
-       struct sockaddr_in6 *sin6;
+       const struct ip6_hdr *ip6;
 #endif
 
        i = cookie_find(in);
 #endif
 
        i = cookie_find(in);
@@ -199,53 +791,25 @@ cookie_record(cookie_t *in, const u_char *bp2)
                return;
        }
 
                return;
        }
 
-       ip = (struct ip *)bp2;
+       ip = (const struct ip *)bp2;
        switch (IP_V(ip)) {
        case 4:
        switch (IP_V(ip)) {
        case 4:
-               memset(&cookiecache[ninitiator].iaddr, 0,
-                       sizeof(cookiecache[ninitiator].iaddr));
-               memset(&cookiecache[ninitiator].raddr, 0,
-                       sizeof(cookiecache[ninitiator].raddr));
-
-               sin = (struct sockaddr_in *)&cookiecache[ninitiator].iaddr;
-#ifdef HAVE_SOCKADDR_SA_LEN
-               sin->sin_len = sizeof(struct sockaddr_in);
-#endif
-               sin->sin_family = AF_INET;
-               memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
-               sin = (struct sockaddr_in *)&cookiecache[ninitiator].raddr;
-#ifdef HAVE_SOCKADDR_SA_LEN
-               sin->sin_len = sizeof(struct sockaddr_in);
-#endif
-               sin->sin_family = AF_INET;
-               memcpy(&sin->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
+               cookiecache[ninitiator].version = 4;
+               UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
+               UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
                break;
 #ifdef INET6
        case 6:
                break;
 #ifdef INET6
        case 6:
-               memset(&cookiecache[ninitiator].iaddr, 0,
-                       sizeof(cookiecache[ninitiator].iaddr));
-               memset(&cookiecache[ninitiator].raddr, 0,
-                       sizeof(cookiecache[ninitiator].raddr));
-
-               ip6 = (struct ip6_hdr *)bp2;
-               sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].iaddr;
-#ifdef HAVE_SOCKADDR_SA_LEN
-               sin6->sin6_len = sizeof(struct sockaddr_in6);
-#endif
-               sin6->sin6_family = AF_INET6;
-               memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
-               sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].raddr;
-#ifdef HAVE_SOCKADDR_SA_LEN
-               sin6->sin6_len = sizeof(struct sockaddr_in6);
-#endif
-               sin6->sin6_family = AF_INET6;
-               memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
+               ip6 = (const struct ip6_hdr *)bp2;
+               cookiecache[ninitiator].version = 6;
+               UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
+               UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
                break;
 #endif
        default:
                return;
        }
                break;
 #endif
        default:
                return;
        }
-       memcpy(&cookiecache[ninitiator].initiator, in, sizeof(*in));
+       UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
        ninitiator = (ninitiator + 1) % MAXINITIATORS;
 }
 
        ninitiator = (ninitiator + 1) % MAXINITIATORS;
 }
 
@@ -254,327 +818,436 @@ cookie_record(cookie_t *in, const u_char *bp2)
 static int
 cookie_sidecheck(int i, const u_char *bp2, int initiator)
 {
 static int
 cookie_sidecheck(int i, const u_char *bp2, int initiator)
 {
-       struct sockaddr_storage ss;
-       struct sockaddr *sa;
-       struct ip *ip;
-       struct sockaddr_in *sin;
+       const struct ip *ip;
 #ifdef INET6
 #ifdef INET6
-       struct ip6_hdr *ip6;
-       struct sockaddr_in6 *sin6;
+       const struct ip6_hdr *ip6;
 #endif
 #endif
-       int salen;
 
 
-       memset(&ss, 0, sizeof(ss));
-       ip = (struct ip *)bp2;
+       ip = (const struct ip *)bp2;
        switch (IP_V(ip)) {
        case 4:
        switch (IP_V(ip)) {
        case 4:
-               sin = (struct sockaddr_in *)&ss;
-#ifdef HAVE_SOCKADDR_SA_LEN
-               sin->sin_len = sizeof(struct sockaddr_in);
-#endif
-               sin->sin_family = AF_INET;
-               memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
+               if (cookiecache[i].version != 4)
+                       return 0;
+               if (initiator) {
+                       if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
+                               return 1;
+               } else {
+                       if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
+                               return 1;
+               }
                break;
 #ifdef INET6
        case 6:
                break;
 #ifdef INET6
        case 6:
-               ip6 = (struct ip6_hdr *)bp2;
-               sin6 = (struct sockaddr_in6 *)&ss;
-#ifdef HAVE_SOCKADDR_SA_LEN
-               sin6->sin6_len = sizeof(struct sockaddr_in6);
-#endif
-               sin6->sin6_family = AF_INET6;
-               memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
+               if (cookiecache[i].version != 6)
+                       return 0;
+               ip6 = (const struct ip6_hdr *)bp2;
+               if (initiator) {
+                       if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
+                               return 1;
+               } else {
+                       if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
+                               return 1;
+               }
                break;
                break;
-#endif
+#endif /* INET6 */
        default:
        default:
-               return 0;
+               break;
        }
 
        }
 
-       sa = (struct sockaddr *)&ss;
-       if (initiator) {
-               if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].iaddr)->sa_family)
-                       return 0;
-#ifdef HAVE_SOCKADDR_SA_LEN
-               salen = sa->sa_len;
-#else
-#ifdef INET6
-               if (sa->sa_family == AF_INET6)
-                       salen = sizeof(struct sockaddr_in6);
-               else
-                       salen = sizeof(struct sockaddr);
-#else
-               salen = sizeof(struct sockaddr);
-#endif
-#endif
-               if (memcmp(&ss, &cookiecache[i].iaddr, salen) == 0)
-                       return 1;
-       } else {
-               if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].raddr)->sa_family)
-                       return 0;
-#ifdef HAVE_SOCKADDR_SA_LEN
-               salen = sa->sa_len;
-#else
-#ifdef INET6
-               if (sa->sa_family == AF_INET6)
-                       salen = sizeof(struct sockaddr_in6);
-               else
-                       salen = sizeof(struct sockaddr);
-#else
-               salen = sizeof(struct sockaddr);
-#endif
-#endif
-               if (memcmp(&ss, &cookiecache[i].raddr, salen) == 0)
-                       return 1;
-       }
        return 0;
 }
 
 static void
        return 0;
 }
 
 static void
-rawprint(caddr_t loc, size_t len)
+hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
 {
 {
-       static u_char *p;
-       int i;
+       const uint8_t *p;
+       size_t i;
 
 
-       p = (u_char *)loc;
+       p = loc;
        for (i = 0; i < len; i++)
        for (i = 0; i < len; i++)
-               printf("%02x", p[i] & 0xff);
+               ND_PRINT((ndo,"%02x", p[i] & 0xff));
+}
+
+static int
+rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
+{
+       ND_TCHECK2(*loc, len);
+
+       hexprint(ndo, loc, len);
+       return 1;
+trunc:
+       return 0;
+}
+
+
+/*
+ * returns false if we run out of data buffer
+ */
+static int ike_show_somedata(netdissect_options *ndo,
+                            const u_char *cp, const u_char *ep)
+{
+       /* there is too much data, just show some of it */
+       const u_char *end = ep - 20;
+       int  elen = 20;
+       int   len = ep - cp;
+       if(len > 10) {
+               len = 10;
+       }
+
+       /* really shouldn't happen because of above */
+       if(end < cp + len) {
+               end = cp+len;
+               elen = ep - end;
+       }
+
+       ND_PRINT((ndo," data=("));
+       if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
+       ND_PRINT((ndo, "..."));
+       if(elen) {
+               if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
+       }
+       ND_PRINT((ndo,")"));
+       return 1;
+
+trunc:
+       return 0;
 }
 
 struct attrmap {
 }
 
 struct attrmap {
-       char *type;
-       int nvalue;
-       char *value[30];        /*XXX*/
+       const char *type;
+       u_int nvalue;
+       const char *value[30];  /*XXX*/
 };
 
 };
 
-static u_char *
-isakmp_attrmap_print(u_char *p, u_char *ep, struct attrmap *map, size_t nmap)
+static const u_char *
+ikev1_attrmap_print(netdissect_options *ndo,
+                   const u_char *p, const u_char *ep,
+                   const struct attrmap *map, size_t nmap)
 {
 {
-       u_int16_t *q;
        int totlen;
        int totlen;
-       u_int32_t t, v;
+       uint32_t t, v;
 
 
-       q = (u_int16_t *)p;
        if (p[0] & 0x80)
                totlen = 4;
        else
        if (p[0] & 0x80)
                totlen = 4;
        else
-               totlen = 4 + ntohs(q[1]);
+               totlen = 4 + EXTRACT_16BITS(&p[2]);
        if (ep < p + totlen) {
        if (ep < p + totlen) {
-               printf("[|attr]");
+               ND_PRINT((ndo,"[|attr]"));
                return ep + 1;
        }
 
                return ep + 1;
        }
 
-       printf("(");
-       t = ntohs(q[0]) & 0x7fff;
+       ND_PRINT((ndo,"("));
+       t = EXTRACT_16BITS(&p[0]) & 0x7fff;
        if (map && t < nmap && map[t].type)
        if (map && t < nmap && map[t].type)
-               printf("type=%s ", map[t].type);
+               ND_PRINT((ndo,"type=%s ", map[t].type));
        else
        else
-               printf("type=#%d ", t);
+               ND_PRINT((ndo,"type=#%d ", t));
        if (p[0] & 0x80) {
        if (p[0] & 0x80) {
-               printf("value=");
-               v = ntohs(q[1]);
+               ND_PRINT((ndo,"value="));
+               v = EXTRACT_16BITS(&p[2]);
                if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
                if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
-                       printf("%s", map[t].value[v]);
+                       ND_PRINT((ndo,"%s", map[t].value[v]));
                else
                else
-                       rawprint((caddr_t)&q[1], 2);
+                       rawprint(ndo, (const uint8_t *)&p[2], 2);
        } else {
        } else {
-               printf("len=%d value=", ntohs(q[1]));
-               rawprint((caddr_t)&p[4], ntohs(q[1]));
+               ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
+               rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
        }
        }
-       printf(")");
+       ND_PRINT((ndo,")"));
        return p + totlen;
 }
 
        return p + totlen;
 }
 
-static u_char *
-isakmp_attr_print(u_char *p, u_char *ep)
+static const u_char *
+ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
 {
 {
-       u_int16_t *q;
        int totlen;
        int totlen;
-       u_int32_t t;
+       uint32_t t;
 
 
-       q = (u_int16_t *)p;
        if (p[0] & 0x80)
                totlen = 4;
        else
        if (p[0] & 0x80)
                totlen = 4;
        else
-               totlen = 4 + ntohs(q[1]);
+               totlen = 4 + EXTRACT_16BITS(&p[2]);
        if (ep < p + totlen) {
        if (ep < p + totlen) {
-               printf("[|attr]");
+               ND_PRINT((ndo,"[|attr]"));
                return ep + 1;
        }
 
                return ep + 1;
        }
 
-       printf("(");
-       t = ntohs(q[0]) & 0x7fff;
-       printf("type=#%d ", t);
+       ND_PRINT((ndo,"("));
+       t = EXTRACT_16BITS(&p[0]) & 0x7fff;
+       ND_PRINT((ndo,"type=#%d ", t));
        if (p[0] & 0x80) {
        if (p[0] & 0x80) {
-               printf("value=");
-               t = q[1];
-               rawprint((caddr_t)&q[1], 2);
+               ND_PRINT((ndo,"value="));
+               t = p[2];
+               rawprint(ndo, (const uint8_t *)&p[2], 2);
        } else {
        } else {
-               printf("len=%d value=", ntohs(q[1]));
-               rawprint((caddr_t)&p[2], ntohs(q[1]));
+               ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
+               rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
        }
        }
-       printf(")");
+       ND_PRINT((ndo,")"));
        return p + totlen;
 }
 
        return p + totlen;
 }
 
-static u_char *
-isakmp_sa_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi0, u_int32_t proto0)
+static const u_char *
+ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
+              const struct isakmp_gen *ext,
+               u_int item_len _U_,
+               const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
+               uint32_t proto0, int depth)
 {
 {
-       struct isakmp_pl_sa *p;
-       u_int32_t *q;
-       u_int32_t doi;
-       u_int32_t sit;
-       u_char *cp;
+       const struct ikev1_pl_sa *p;
+       struct ikev1_pl_sa sa;
+       uint32_t doi, sit, ident;
+       const u_char *cp, *np;
        int t;
 
        int t;
 
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_SA));
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
 
 
-       p = (struct isakmp_pl_sa *)ext;
-       doi = ntohl(p->doi);
+       p = (const struct ikev1_pl_sa *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
+       doi = ntohl(sa.doi);
+       sit = ntohl(sa.sit);
        if (doi != 1) {
        if (doi != 1) {
-               printf(" doi=%d", doi);
-               printf(" situation=%u", (u_int32_t)ntohl(p->sit));
-               return (u_char *)(p + 1);
+               ND_PRINT((ndo," doi=%d", doi));
+               ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
+               return (const u_char *)(p + 1);
        }
 
        }
 
-       printf(" doi=ipsec");
-       q = (u_int32_t *)&p->sit;
-       printf(" situation=");
+       ND_PRINT((ndo," doi=ipsec"));
+       ND_PRINT((ndo," situation="));
        t = 0;
        t = 0;
-       if (ntohl(*q) & 0x01) {
-               printf("identity");
+       if (sit & 0x01) {
+               ND_PRINT((ndo,"identity"));
                t++;
        }
                t++;
        }
-       if (ntohl(*q) & 0x02) {
-               printf("%ssecrecy", t ? "+" : "");
+       if (sit & 0x02) {
+               ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
                t++;
        }
                t++;
        }
-       if (ntohl(*q) & 0x04)
-               printf("%sintegrity", t ? "+" : "");
-       sit = htonl(*q++);
-
-       if (sit != 0x01)
-               printf(" ident=%u", (u_int32_t)ntohl(*q++));
+       if (sit & 0x04)
+               ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
+
+       np = (const u_char *)ext + sizeof(sa);
+       if (sit != 0x01) {
+               ND_TCHECK2(*(ext + 1), sizeof(ident));
+               UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
+               ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
+               np += sizeof(ident);
+       }
 
 
-       ext = (struct isakmp_gen *)q;
+       ext = (const struct isakmp_gen *)np;
+       ND_TCHECK(*ext);
 
 
-       cp = isakmp_sub_print(ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0);
+       cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
+               depth);
 
        return cp;
 
        return cp;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_p_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi0, u_int32_t proto0)
+static const u_char *
+ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
+             const struct isakmp_gen *ext, u_int item_len _U_,
+              const u_char *ep, uint32_t phase, uint32_t doi0,
+              uint32_t proto0 _U_, int depth)
 {
 {
-       struct isakmp_pl_p *p;
-       u_char *cp;
-
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_P));
-
-       p = (struct isakmp_pl_p *)ext;
-       printf(" #%d protoid=%s transform=%d",
-               p->p_no, PROTOIDSTR(p->prot_id), p->num_t);
-       if (p->spi_size) {
-               printf(" spi=");
-               rawprint((caddr_t)(p + 1), p->spi_size);
+       const struct ikev1_pl_p *p;
+       struct ikev1_pl_p prop;
+       const u_char *cp;
+
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
+
+       p = (const struct ikev1_pl_p *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
+       ND_PRINT((ndo," #%d protoid=%s transform=%d",
+                 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
+       if (prop.spi_size) {
+               ND_PRINT((ndo," spi="));
+               if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
+                       goto trunc;
        }
 
        }
 
-       ext = (struct isakmp_gen *)((u_char *)(p + 1) + p->spi_size);
+       ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
+       ND_TCHECK(*ext);
 
 
-       cp = isakmp_sub_print(ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
-               p->prot_id);
+       cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
+                            prop.prot_id, depth);
 
        return cp;
 
        return cp;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
+       return NULL;
 }
 
 }
 
-static char *isakmp_p_map[] = {
+static const char *ikev1_p_map[] = {
        NULL, "ike",
 };
 
        NULL, "ike",
 };
 
-static char *ah_p_map[] = {
+static const char *ikev2_t_type_map[]={
+       NULL, "encr", "prf", "integ", "dh", "esn"
+};
+
+static const char *ah_p_map[] = {
        NULL, "(reserved)", "md5", "sha", "1des",
        NULL, "(reserved)", "md5", "sha", "1des",
+       "sha2-256", "sha2-384", "sha2-512",
+};
+
+static const char *prf_p_map[] = {
+       NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
+       "aes128_xcbc"
 };
 
 };
 
-static char *esp_p_map[] = {
+static const char *integ_p_map[] = {
+       NULL, "hmac-md5", "hmac-sha", "dec-mac",
+       "kpdk-md5", "aes-xcbc"
+};
+
+static const char *esn_p_map[] = {
+       "no-esn", "esn"
+};
+
+static const char *dh_p_map[] = {
+       NULL, "modp768",
+       "modp1024",    /* group 2 */
+       "EC2N 2^155",  /* group 3 */
+       "EC2N 2^185",  /* group 4 */
+       "modp1536",    /* group 5 */
+       "iana-grp06", "iana-grp07", /* reserved */
+       "iana-grp08", "iana-grp09",
+       "iana-grp10", "iana-grp11",
+       "iana-grp12", "iana-grp13",
+       "modp2048",    /* group 14 */
+       "modp3072",    /* group 15 */
+       "modp4096",    /* group 16 */
+       "modp6144",    /* group 17 */
+       "modp8192",    /* group 18 */
+};
+
+static const char *esp_p_map[] = {
        NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
        NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
-       "blowfish", "3idea", "1des-iv32", "rc4", "null"
+       "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
 };
 
 };
 
-static char *ipcomp_p_map[] = {
+static const char *ipcomp_p_map[] = {
        NULL, "oui", "deflate", "lzs",
 };
 
        NULL, "oui", "deflate", "lzs",
 };
 
-struct attrmap ipsec_t_map[] = {
-       { NULL, 0, },
+static const struct attrmap ipsec_t_map[] = {
+       { NULL, 0, { NULL } },
        { "lifetype", 3, { NULL, "sec", "kb", }, },
        { "lifetype", 3, { NULL, "sec", "kb", }, },
-       { "life", 0, },
-       { "group desc", 5,      { NULL, "modp768", "modp1024", "EC2N 2^155",
-                                 "EC2N 2^185", }, },
+       { "life", 0, { NULL } },
+       { "group desc", 18,     { NULL, "modp768",
+                                 "modp1024",    /* group 2 */
+                                 "EC2N 2^155",  /* group 3 */
+                                 "EC2N 2^185",  /* group 4 */
+                                 "modp1536",    /* group 5 */
+                                 "iana-grp06", "iana-grp07", /* reserved */
+                                 "iana-grp08", "iana-grp09",
+                                 "iana-grp10", "iana-grp11",
+                                 "iana-grp12", "iana-grp13",
+                                 "modp2048",    /* group 14 */
+                                 "modp3072",    /* group 15 */
+                                 "modp4096",    /* group 16 */
+                                 "modp6144",    /* group 17 */
+                                 "modp8192",    /* group 18 */
+               }, },
        { "enc mode", 3, { NULL, "tunnel", "transport", }, },
        { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
        { "enc mode", 3, { NULL, "tunnel", "transport", }, },
        { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
-       { "keylen", 0, },
-       { "rounds", 0, },
-       { "dictsize", 0, },
-       { "privalg", 0, },
+       { "keylen", 0, { NULL } },
+       { "rounds", 0, { NULL } },
+       { "dictsize", 0, { NULL } },
+       { "privalg", 0, { NULL } },
+};
+
+static const struct attrmap encr_t_map[] = {
+       { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 0, 1 */
+       { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 2, 3 */
+       { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 4, 5 */
+       { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 6, 7 */
+       { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 8, 9 */
+       { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 10,11*/
+       { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 12,13*/
+       { "keylen", 14, { NULL }},
 };
 
 };
 
-struct attrmap oakley_t_map[] = {
-       { NULL, 0 },
-       { "enc", 7,     { NULL, "1des", "idea", "blowfish", "rc5",
-                         "3des", "cast"}, },
-       { "hash", 4,    { NULL, "md5", "sha1", "tiger", }, },
+static const struct attrmap oakley_t_map[] = {
+       { NULL, 0, { NULL } },
+       { "enc", 8,     { NULL, "1des", "idea", "blowfish", "rc5",
+                         "3des", "cast", "aes", }, },
+       { "hash", 7,    { NULL, "md5", "sha1", "tiger",
+                         "sha2-256", "sha2-384", "sha2-512", }, },
        { "auth", 6,    { NULL, "preshared", "dss", "rsa sig", "rsa enc",
                          "rsa enc revised", }, },
        { "auth", 6,    { NULL, "preshared", "dss", "rsa sig", "rsa enc",
                          "rsa enc revised", }, },
-       { "group desc", 5,      { NULL, "modp768", "modp1024", "EC2N 2^155",
-                                 "EC2N 2^185", }, },
+       { "group desc", 18,     { NULL, "modp768",
+                                 "modp1024",    /* group 2 */
+                                 "EC2N 2^155",  /* group 3 */
+                                 "EC2N 2^185",  /* group 4 */
+                                 "modp1536",    /* group 5 */
+                                 "iana-grp06", "iana-grp07", /* reserved */
+                                 "iana-grp08", "iana-grp09",
+                                 "iana-grp10", "iana-grp11",
+                                 "iana-grp12", "iana-grp13",
+                                 "modp2048",    /* group 14 */
+                                 "modp3072",    /* group 15 */
+                                 "modp4096",    /* group 16 */
+                                 "modp6144",    /* group 17 */
+                                 "modp8192",    /* group 18 */
+               }, },
        { "group type", 4,      { NULL, "MODP", "ECP", "EC2N", }, },
        { "group type", 4,      { NULL, "MODP", "ECP", "EC2N", }, },
-       { "group prime", 0, },
-       { "group gen1", 0, },
-       { "group gen2", 0, },
-       { "group curve A", 0, },
-       { "group curve B", 0, },
+       { "group prime", 0, { NULL } },
+       { "group gen1", 0, { NULL } },
+       { "group gen2", 0, { NULL } },
+       { "group curve A", 0, { NULL } },
+       { "group curve B", 0, { NULL } },
        { "lifetype", 3,        { NULL, "sec", "kb", }, },
        { "lifetype", 3,        { NULL, "sec", "kb", }, },
-       { "lifeduration", 0, },
-       { "prf", 0, },
-       { "keylen", 0, },
-       { "field", 0, },
-       { "order", 0, },
+       { "lifeduration", 0, { NULL } },
+       { "prf", 0, { NULL } },
+       { "keylen", 0, { NULL } },
+       { "field", 0, { NULL } },
+       { "order", 0, { NULL } },
 };
 
 };
 
-static u_char *
-isakmp_t_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi, u_int32_t proto)
+static const u_char *
+ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
+             const struct isakmp_gen *ext, u_int item_len,
+             const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
+             uint32_t proto, int depth _U_)
 {
 {
-       struct isakmp_pl_t *p;
-       u_char *cp;
-       char *idstr;
-       struct attrmap *map;
+       const struct ikev1_pl_t *p;
+       struct ikev1_pl_t t;
+       const u_char *cp;
+       const char *idstr;
+       const struct attrmap *map;
        size_t nmap;
        size_t nmap;
-       u_char *ep2;
+       const u_char *ep2;
 
 
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_T));
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
 
 
-       p = (struct isakmp_pl_t *)ext;
+       p = (const struct ikev1_pl_t *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&t, ext, sizeof(t));
 
        switch (proto) {
        case 1:
 
        switch (proto) {
        case 1:
-               idstr = STR_OR_ID(p->t_id, isakmp_p_map);
+               idstr = STR_OR_ID(t.t_id, ikev1_p_map);
                map = oakley_t_map;
                nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
                break;
        case 2:
                map = oakley_t_map;
                nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
                break;
        case 2:
-               idstr = STR_OR_ID(p->t_id, ah_p_map);
+               idstr = STR_OR_ID(t.t_id, ah_p_map);
                map = ipsec_t_map;
                nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
                break;
        case 3:
                map = ipsec_t_map;
                nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
                break;
        case 3:
-               idstr = STR_OR_ID(p->t_id, esp_p_map);
+               idstr = STR_OR_ID(t.t_id, esp_p_map);
                map = ipsec_t_map;
                nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
                break;
        case 4:
                map = ipsec_t_map;
                nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
                break;
        case 4:
-               idstr = STR_OR_ID(p->t_id, ipcomp_p_map);
+               idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
                map = ipsec_t_map;
                nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
                break;
                map = ipsec_t_map;
                nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
                break;
@@ -586,74 +1259,94 @@ isakmp_t_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
        }
 
        if (idstr)
        }
 
        if (idstr)
-               printf(" #%d id=%s ", p->t_no, idstr);
+               ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
        else
        else
-               printf(" #%d id=%d ", p->t_no, p->t_id);
-       cp = (u_char *)(p + 1);
-       ep2 = (u_char *)p + ntohs(ext->len);
+               ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
+       cp = (const u_char *)(p + 1);
+       ep2 = (const u_char *)p + item_len;
        while (cp < ep && cp < ep2) {
                if (map && nmap) {
        while (cp < ep && cp < ep2) {
                if (map && nmap) {
-                       cp = isakmp_attrmap_print(cp, (ep < ep2) ? ep : ep2,
+                       cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
                                map, nmap);
                } else
                                map, nmap);
                } else
-                       cp = isakmp_attr_print(cp, (ep < ep2) ? ep : ep2);
+                       cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
        }
        if (ep < ep2)
        }
        if (ep < ep2)
-               printf("...");
+               ND_PRINT((ndo,"..."));
        return cp;
        return cp;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_ke_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi, u_int32_t proto)
+static const u_char *
+ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
+              const struct isakmp_gen *ext, u_int item_len _U_,
+              const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
+              uint32_t proto _U_, int depth _U_)
 {
 {
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_KE));
+       struct isakmp_gen e;
 
 
-       printf(" key len=%d", ntohs(ext->len) - 4);
-       if (2 < vflag && 4 < ntohs(ext->len)) {
-               printf(" ");
-               rawprint((caddr_t)(ext + 1), ntohs(ext->len) - 4);
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
+
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+       ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
+       if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
+                       goto trunc;
        }
        }
-       return (u_char *)ext + ntohs(ext->len);
+       return (const u_char *)ext + ntohs(e.len);
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_id_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi, u_int32_t proto)
+static const u_char *
+ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
+              const struct isakmp_gen *ext, u_int item_len,
+              const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
+              uint32_t proto _U_, int depth _U_)
 {
 #define USE_IPSECDOI_IN_PHASE1 1
 {
 #define USE_IPSECDOI_IN_PHASE1 1
-       struct isakmp_pl_id *p;
-       static char *idtypestr[] = {
+       const struct ikev1_pl_id *p;
+       struct ikev1_pl_id id;
+       static const char *idtypestr[] = {
                "IPv4", "IPv4net", "IPv6", "IPv6net",
        };
                "IPv4", "IPv4net", "IPv6", "IPv6net",
        };
-       static char *ipsecidtypestr[] = {
+       static const char *ipsecidtypestr[] = {
                NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
                "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
                "keyid",
        };
        int len;
                NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
                "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
                "keyid",
        };
        int len;
-       u_char *data;
+       const u_char *data;
 
 
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_ID));
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
 
 
-       p = (struct isakmp_pl_id *)ext;
-       if (sizeof(*p) < ext->len)
-               data = (u_char *)(p + 1);
-       else
+       p = (const struct ikev1_pl_id *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&id, ext, sizeof(id));
+       if (sizeof(*p) < item_len) {
+               data = (const u_char *)(p + 1);
+               len = item_len - sizeof(*p);
+       } else {
                data = NULL;
                data = NULL;
-       len = ntohs(ext->len) - sizeof(*p);
+               len = 0;
+       }
 
 #if 0 /*debug*/
 
 #if 0 /*debug*/
-       printf(" [phase=%d doi=%d proto=%d]", phase, doi, proto);
+       ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
 #endif
        switch (phase) {
 #ifndef USE_IPSECDOI_IN_PHASE1
        case 1:
 #endif
        default:
 #endif
        switch (phase) {
 #ifndef USE_IPSECDOI_IN_PHASE1
        case 1:
 #endif
        default:
-               printf(" idtype=%s", STR_OR_ID(p->d.id_type, idtypestr));
-               printf(" doi_data=%u",
-                       (u_int32_t)(ntohl(p->d.doi_data) & 0xffffff));
+               ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
+               ND_PRINT((ndo," doi_data=%u",
+                         (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
                break;
 
 #ifdef USE_IPSECDOI_IN_PHASE1
                break;
 
 #ifdef USE_IPSECDOI_IN_PHASE1
@@ -661,79 +1354,104 @@ isakmp_id_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
 #endif
        case 2:
            {
 #endif
        case 2:
            {
-               struct ipsecdoi_id *p;
+               const struct ipsecdoi_id *doi_p;
+               struct ipsecdoi_id doi_id;
                struct protoent *pe;
 
                struct protoent *pe;
 
-               p = (struct ipsecdoi_id *)ext;
-               printf(" idtype=%s", STR_OR_ID(p->type, ipsecidtypestr));
-               if (p->proto_id) {
-                       setprotoent(1);
-                       pe = getprotobynumber(p->proto_id);
-                       if (pe)
-                               printf(" protoid=%s", pe->p_name);
-                       endprotoent();
-               } else {
-                       /* it DOES NOT mean IPPROTO_IP! */
-                       printf(" protoid=%s", "0");
-               }
-               printf(" port=%d", ntohs(p->port));
+               doi_p = (const struct ipsecdoi_id *)ext;
+               ND_TCHECK(*doi_p);
+               UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
+               ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
+               /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
+               pe = doi_id.proto_id ? getprotobynumber(doi_id.proto_id) : NULL;
+               if (pe)
+                       ND_PRINT((ndo," protoid=%s", pe->p_name));
+               else
+                       ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
+               ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
                if (!len)
                        break;
                if (!len)
                        break;
-               switch (p->type) {
+               if (data == NULL)
+                       goto trunc;
+               ND_TCHECK2(*data, len);
+               switch (doi_id.type) {
                case IPSECDOI_ID_IPV4_ADDR:
                case IPSECDOI_ID_IPV4_ADDR:
-                       printf(" len=%d %s", len, ipaddr_string(data));
+                       if (len < 4)
+                               ND_PRINT((ndo," len=%d [bad: < 4]", len));
+                       else
+                               ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
                        len = 0;
                        break;
                case IPSECDOI_ID_FQDN:
                case IPSECDOI_ID_USER_FQDN:
                    {
                        int i;
                        len = 0;
                        break;
                case IPSECDOI_ID_FQDN:
                case IPSECDOI_ID_USER_FQDN:
                    {
                        int i;
-                       printf(" len=%d ", len);
-                       for (i = 0; i < len; i++) {
-                               if (isprint(data[i]))
-                                       printf("%c", data[i]);
-                               else
-                                       printf("\\%03o", data[i]);
-                       }
+                       ND_PRINT((ndo," len=%d ", len));
+                       for (i = 0; i < len; i++)
+                               safeputchar(ndo, data[i]);
                        len = 0;
                        break;
                    }
                case IPSECDOI_ID_IPV4_ADDR_SUBNET:
                    {
                        len = 0;
                        break;
                    }
                case IPSECDOI_ID_IPV4_ADDR_SUBNET:
                    {
-                       u_char *mask;
-                       mask = data + sizeof(struct in_addr);
-                       printf(" len=%d %s/%u.%u.%u.%u", len,
-                               ipaddr_string(data),
-                               mask[0], mask[1], mask[2], mask[3]);
+                       const u_char *mask;
+                       if (len < 8)
+                               ND_PRINT((ndo," len=%d [bad: < 8]", len));
+                       else {
+                               mask = data + sizeof(struct in_addr);
+                               ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
+                                         ipaddr_string(ndo, data),
+                                         mask[0], mask[1], mask[2], mask[3]));
+                       }
                        len = 0;
                        break;
                    }
 #ifdef INET6
                case IPSECDOI_ID_IPV6_ADDR:
                        len = 0;
                        break;
                    }
 #ifdef INET6
                case IPSECDOI_ID_IPV6_ADDR:
-                       printf(" len=%d %s", len, ip6addr_string(data));
+                       if (len < 16)
+                               ND_PRINT((ndo," len=%d [bad: < 16]", len));
+                       else
+                               ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
                        len = 0;
                        break;
                case IPSECDOI_ID_IPV6_ADDR_SUBNET:
                    {
                        len = 0;
                        break;
                case IPSECDOI_ID_IPV6_ADDR_SUBNET:
                    {
-                       u_int32_t *mask;
-                       mask = (u_int32_t *)(data + sizeof(struct in6_addr));
-                       /*XXX*/
-                       printf(" len=%d %s/0x%08x%08x%08x%08x", len,
-                               ip6addr_string(data),
-                               mask[0], mask[1], mask[2], mask[3]);
+                       const u_char *mask;
+                       if (len < 20)
+                               ND_PRINT((ndo," len=%d [bad: < 20]", len));
+                       else {
+                               mask = (const u_char *)(data + sizeof(struct in6_addr));
+                               /*XXX*/
+                               ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
+                                         ip6addr_string(ndo, data),
+                                         mask[0], mask[1], mask[2], mask[3],
+                                         mask[4], mask[5], mask[6], mask[7],
+                                         mask[8], mask[9], mask[10], mask[11],
+                                         mask[12], mask[13], mask[14], mask[15]));
+                       }
                        len = 0;
                        break;
                    }
 #endif /*INET6*/
                case IPSECDOI_ID_IPV4_ADDR_RANGE:
                        len = 0;
                        break;
                    }
 #endif /*INET6*/
                case IPSECDOI_ID_IPV4_ADDR_RANGE:
-                       printf(" len=%d %s-%s", len, ipaddr_string(data),
-                               ipaddr_string(data + sizeof(struct in_addr)));
+                       if (len < 8)
+                               ND_PRINT((ndo," len=%d [bad: < 8]", len));
+                       else {
+                               ND_PRINT((ndo," len=%d %s-%s", len,
+                                         ipaddr_string(ndo, data),
+                                         ipaddr_string(ndo, data + sizeof(struct in_addr))));
+                       }
                        len = 0;
                        break;
 #ifdef INET6
                case IPSECDOI_ID_IPV6_ADDR_RANGE:
                        len = 0;
                        break;
 #ifdef INET6
                case IPSECDOI_ID_IPV6_ADDR_RANGE:
-                       printf(" len=%d %s-%s", len, ip6addr_string(data),
-                               ip6addr_string(data + sizeof(struct in6_addr)));
+                       if (len < 32)
+                               ND_PRINT((ndo," len=%d [bad: < 32]", len));
+                       else {
+                               ND_PRINT((ndo," len=%d %s-%s", len,
+                                         ip6addr_string(ndo, data),
+                                         ip6addr_string(ndo, data + sizeof(struct in6_addr))));
+                       }
                        len = 0;
                        break;
 #endif /*INET6*/
                        len = 0;
                        break;
 #endif /*INET6*/
@@ -746,114 +1464,175 @@ isakmp_id_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
            }
        }
        if (data && len) {
            }
        }
        if (data && len) {
-               len -= sizeof(*p);
-               printf(" len=%d", len);
-               if (2 < vflag) {
-                       printf(" ");
-                       rawprint((caddr_t)data, len);
+               ND_PRINT((ndo," len=%d", len));
+               if (2 < ndo->ndo_vflag) {
+                       ND_PRINT((ndo," "));
+                       if (!rawprint(ndo, (const uint8_t *)data, len))
+                               goto trunc;
                }
        }
                }
        }
-       return (u_char *)ext + ntohs(ext->len);
+       return (const u_char *)ext + item_len;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_cert_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi0, u_int32_t proto0)
+static const u_char *
+ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
+                const struct isakmp_gen *ext, u_int item_len _U_,
+                const u_char *ep _U_, uint32_t phase _U_,
+                uint32_t doi0 _U_,
+                uint32_t proto0 _U_, int depth _U_)
 {
 {
-       struct isakmp_pl_cert *p;
-       static char *certstr[] = {
+       const struct ikev1_pl_cert *p;
+       struct ikev1_pl_cert cert;
+       static const char *certstr[] = {
                "none", "pkcs7", "pgp", "dns",
                "x509sign", "x509ke", "kerberos", "crl",
                "arl", "spki", "x509attr",
        };
 
                "none", "pkcs7", "pgp", "dns",
                "x509sign", "x509ke", "kerberos", "crl",
                "arl", "spki", "x509attr",
        };
 
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_CERT));
-
-       p = (struct isakmp_pl_cert *)ext;
-       printf(" len=%d", ntohs(ext->len) - 4);
-       printf(" type=%s", STR_OR_ID((p->encode), certstr));
-       if (2 < vflag && 4 < ntohs(ext->len)) {
-               printf(" ");
-               rawprint((caddr_t)(ext + 1), ntohs(ext->len) - 4);
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
+
+       p = (const struct ikev1_pl_cert *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
+       ND_PRINT((ndo," len=%d", item_len - 4));
+       ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
+       if (2 < ndo->ndo_vflag && 4 < item_len) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
+                       goto trunc;
        }
        }
-       return (u_char *)ext + ntohs(ext->len);
+       return (const u_char *)ext + item_len;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_cr_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi0, u_int32_t proto0)
+static const u_char *
+ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
+              const struct isakmp_gen *ext, u_int item_len _U_,
+              const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
+              uint32_t proto0 _U_, int depth _U_)
 {
 {
-       struct isakmp_pl_cert *p;
-       static char *certstr[] = {
+       const struct ikev1_pl_cert *p;
+       struct ikev1_pl_cert cert;
+       static const char *certstr[] = {
                "none", "pkcs7", "pgp", "dns",
                "x509sign", "x509ke", "kerberos", "crl",
                "arl", "spki", "x509attr",
        };
 
                "none", "pkcs7", "pgp", "dns",
                "x509sign", "x509ke", "kerberos", "crl",
                "arl", "spki", "x509attr",
        };
 
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_CR));
-
-       p = (struct isakmp_pl_cert *)ext;
-       printf(" len=%d", ntohs(ext->len) - 4);
-       printf(" type=%s", STR_OR_ID((p->encode), certstr));
-       if (2 < vflag && 4 < ntohs(ext->len)) {
-               printf(" ");
-               rawprint((caddr_t)(ext + 1), ntohs(ext->len) - 4);
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
+
+       p = (const struct ikev1_pl_cert *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
+       ND_PRINT((ndo," len=%d", item_len - 4));
+       ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
+       if (2 < ndo->ndo_vflag && 4 < item_len) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
+                       goto trunc;
        }
        }
-       return (u_char *)ext + ntohs(ext->len);
+       return (const u_char *)ext + item_len;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_hash_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi, u_int32_t proto)
+static const u_char *
+ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
+                const struct isakmp_gen *ext, u_int item_len _U_,
+                const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
+                uint32_t proto _U_, int depth _U_)
 {
 {
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_HASH));
+       struct isakmp_gen e;
 
 
-       printf(" len=%d", ntohs(ext->len) - 4);
-       if (2 < vflag && 4 < ntohs(ext->len)) {
-               printf(" ");
-               rawprint((caddr_t)(ext + 1), ntohs(ext->len) - 4);
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
+
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+       ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
+       if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
+                       goto trunc;
        }
        }
-       return (u_char *)ext + ntohs(ext->len);
+       return (const u_char *)ext + ntohs(e.len);
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_sig_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi, u_int32_t proto)
+static const u_char *
+ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
+               const struct isakmp_gen *ext, u_int item_len _U_,
+               const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
 {
 {
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_SIG));
+       struct isakmp_gen e;
+
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
 
 
-       printf(" len=%d", ntohs(ext->len) - 4);
-       if (2 < vflag && 4 < ntohs(ext->len)) {
-               printf(" ");
-               rawprint((caddr_t)(ext + 1), ntohs(ext->len) - 4);
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+       ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
+       if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
+                       goto trunc;
        }
        }
-       return (u_char *)ext + ntohs(ext->len);
+       return (const u_char *)ext + ntohs(e.len);
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_nonce_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi, u_int32_t proto)
+static const u_char *
+ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
+                 const struct isakmp_gen *ext,
+                 u_int item_len _U_,
+                 const u_char *ep _U_,
+                 uint32_t phase _U_, uint32_t doi _U_,
+                 uint32_t proto _U_, int depth _U_)
 {
 {
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));
-
-       printf(" n len=%d", ntohs(ext->len) - 4);
-       if (2 < vflag && 4 < ntohs(ext->len)) {
-               printf(" ");
-               rawprint((caddr_t)(ext + 1), ntohs(ext->len) - 4);
+       struct isakmp_gen e;
+
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
+
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+       ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
+       if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
+                       goto trunc;
+       } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+               ND_PRINT((ndo," "));
+               if (!ike_show_somedata(ndo, (const u_char *)(const uint8_t *)(ext + 1), ep))
+                       goto trunc;
        }
        }
-       return (u_char *)ext + ntohs(ext->len);
+       return (const u_char *)ext + ntohs(e.len);
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_n_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi0, u_int32_t proto0)
+static const u_char *
+ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
+             const struct isakmp_gen *ext, u_int item_len,
+             const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
+             uint32_t proto0 _U_, int depth)
 {
 {
-       struct isakmp_pl_n *p;
-       u_char *cp;
-       u_char *ep2;
-       u_int32_t doi;
-       u_int32_t proto;
-       static char *notifystr[] = {
+       const struct ikev1_pl_n *p;
+       struct ikev1_pl_n n;
+       const u_char *cp;
+       const u_char *ep2;
+       uint32_t doi;
+       uint32_t proto;
+       static const char *notify_error_str[] = {
                NULL,                           "INVALID-PAYLOAD-TYPE",
                "DOI-NOT-SUPPORTED",            "SITUATION-NOT-SUPPORTED",
                "INVALID-COOKIE",               "INVALID-MAJOR-VERSION",
                NULL,                           "INVALID-PAYLOAD-TYPE",
                "DOI-NOT-SUPPORTED",            "SITUATION-NOT-SUPPORTED",
                "INVALID-COOKIE",               "INVALID-MAJOR-VERSION",
@@ -871,179 +1650,993 @@ isakmp_n_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
                "CERTIFICATE-UNAVAILABLE",      "UNSUPPORTED-EXCHANGE-TYPE",
                "UNEQUAL-PAYLOAD-LENGTHS",
        };
                "CERTIFICATE-UNAVAILABLE",      "UNSUPPORTED-EXCHANGE-TYPE",
                "UNEQUAL-PAYLOAD-LENGTHS",
        };
-       static char *ipsecnotifystr[] = {
+       static const char *ipsec_notify_error_str[] = {
+               "RESERVED",
+       };
+       static const char *notify_status_str[] = {
+               "CONNECTED",
+       };
+       static const char *ipsec_notify_status_str[] = {
                "RESPONDER-LIFETIME",           "REPLAY-STATUS",
                "INITIAL-CONTACT",
        };
 /* NOTE: these macro must be called with x in proper range */
                "RESPONDER-LIFETIME",           "REPLAY-STATUS",
                "INITIAL-CONTACT",
        };
 /* NOTE: these macro must be called with x in proper range */
-#define NOTIFYSTR(x) \
-       (((x) == 16384) ? "CONNECTED" : STR_OR_ID((x), notifystr))
-#define IPSECNOTIFYSTR(x) \
-       (((x) == 8192) ? "RESERVED" : STR_OR_ID(((x) - 24576), ipsecnotifystr))
 
 
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_N));
+/* 0 - 8191 */
+#define NOTIFY_ERROR_STR(x) \
+       STR_OR_ID((x), notify_error_str)
+
+/* 8192 - 16383 */
+#define IPSEC_NOTIFY_ERROR_STR(x) \
+       STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
 
 
-       p = (struct isakmp_pl_n *)ext;
-       doi = ntohl(p->doi);
-       proto = p->prot_id;
+/* 16384 - 24575 */
+#define NOTIFY_STATUS_STR(x) \
+       STR_OR_ID((u_int)((x) - 16384), notify_status_str)
+
+/* 24576 - 32767 */
+#define IPSEC_NOTIFY_STATUS_STR(x) \
+       STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
+
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
+
+       p = (const struct ikev1_pl_n *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&n, ext, sizeof(n));
+       doi = ntohl(n.doi);
+       proto = n.prot_id;
        if (doi != 1) {
        if (doi != 1) {
-               printf(" doi=%d", doi);
-               printf(" proto=%d", proto);
-               printf(" type=%s", NOTIFYSTR(ntohs(p->type)));
-               if (p->spi_size) {
-                       printf(" spi=");
-                       rawprint((caddr_t)(p + 1), p->spi_size);
+               ND_PRINT((ndo," doi=%d", doi));
+               ND_PRINT((ndo," proto=%d", proto));
+               if (ntohs(n.type) < 8192)
+                       ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
+               else if (ntohs(n.type) < 16384)
+                       ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
+               else if (ntohs(n.type) < 24576)
+                       ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
+               else
+                       ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
+               if (n.spi_size) {
+                       ND_PRINT((ndo," spi="));
+                       if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
+                               goto trunc;
                }
                }
-               return (u_char *)(p + 1) + p->spi_size;
-       }
-
-       printf(" doi=ipsec");
-       printf(" proto=%s", PROTOIDSTR(proto));
-       if (ntohs(p->type) < 8192)
-               printf(" type=%s", NOTIFYSTR(ntohs(p->type)));
-       else if (ntohs(p->type) < 16384)
-               printf(" type=%s", IPSECNOTIFYSTR(ntohs(p->type)));
-       else if (ntohs(p->type) < 24576)
-               printf(" type=%s", NOTIFYSTR(ntohs(p->type)));
-       else if (ntohs(p->type) < 40960)
-               printf(" type=%s", IPSECNOTIFYSTR(ntohs(p->type)));
+               return (const u_char *)(p + 1) + n.spi_size;
+       }
+
+       ND_PRINT((ndo," doi=ipsec"));
+       ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
+       if (ntohs(n.type) < 8192)
+               ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
+       else if (ntohs(n.type) < 16384)
+               ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
+       else if (ntohs(n.type) < 24576)
+               ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
+       else if (ntohs(n.type) < 32768)
+               ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
        else
        else
-               printf(" type=%s", NOTIFYSTR(ntohs(p->type)));
-       if (p->spi_size) {
-               printf(" spi=");
-               rawprint((caddr_t)(p + 1), p->spi_size);
+               ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
+       if (n.spi_size) {
+               ND_PRINT((ndo," spi="));
+               if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
+                       goto trunc;
        }
 
        }
 
-       cp = (u_char *)(p + 1) + p->spi_size;
-       ep2 = (u_char *)p + ntohs(ext->len);
+       cp = (const u_char *)(p + 1) + n.spi_size;
+       ep2 = (const u_char *)p + item_len;
 
        if (cp < ep) {
 
        if (cp < ep) {
-               printf(" orig=(");
-               switch (ntohs(p->type)) {
+               ND_PRINT((ndo," orig=("));
+               switch (ntohs(n.type)) {
                case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
                    {
                case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
                    {
-                       struct attrmap *map = oakley_t_map;
+                       const struct attrmap *map = oakley_t_map;
                        size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
                        while (cp < ep && cp < ep2) {
                        size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
                        while (cp < ep && cp < ep2) {
-                               cp = isakmp_attrmap_print(cp,
+                               cp = ikev1_attrmap_print(ndo, cp,
                                        (ep < ep2) ? ep : ep2, map, nmap);
                        }
                        break;
                    }
                case IPSECDOI_NTYPE_REPLAY_STATUS:
                                        (ep < ep2) ? ep : ep2, map, nmap);
                        }
                        break;
                    }
                case IPSECDOI_NTYPE_REPLAY_STATUS:
-                       printf("replay detection %sabled",
-                               (*(u_int32_t *)cp) ? "en" : "dis");
+                       ND_PRINT((ndo,"replay detection %sabled",
+                                 EXTRACT_32BITS(cp) ? "en" : "dis"));
                        break;
                case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
                        break;
                case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
-                       isakmp_sub_print(ISAKMP_NPTYPE_SA,
-                               (struct isakmp_gen *)cp, ep, phase, doi, proto);
+                       if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
+                                           (const struct isakmp_gen *)cp, ep, phase, doi, proto,
+                                           depth) == NULL)
+                               return NULL;
                        break;
                default:
                        /* NULL is dummy */
                        break;
                default:
                        /* NULL is dummy */
-                       isakmp_print(cp,
-                               ntohs(ext->len) - sizeof(*p) - p->spi_size,
-                               NULL);
+                       isakmp_print(ndo, cp,
+                                    item_len - sizeof(*p) - n.spi_size,
+                                    NULL);
                }
                }
-               printf(")");
+               ND_PRINT((ndo,")"));
        }
        }
-       return (u_char *)ext + ntohs(ext->len);
+       return (const u_char *)ext + item_len;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_d_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi0, u_int32_t proto0)
+static const u_char *
+ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
+             const struct isakmp_gen *ext, u_int item_len _U_,
+             const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
+             uint32_t proto0 _U_, int depth _U_)
 {
 {
-       struct isakmp_pl_d *p;
-       u_int8_t *q;
-       u_int32_t doi;
-       u_int32_t proto;
+       const struct ikev1_pl_d *p;
+       struct ikev1_pl_d d;
+       const uint8_t *q;
+       uint32_t doi;
+       uint32_t proto;
        int i;
 
        int i;
 
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_D));
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
 
 
-       p = (struct isakmp_pl_d *)ext;
-       doi = ntohl(p->doi);
-       proto = p->prot_id;
+       p = (const struct ikev1_pl_d *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&d, ext, sizeof(d));
+       doi = ntohl(d.doi);
+       proto = d.prot_id;
        if (doi != 1) {
        if (doi != 1) {
-               printf(" doi=%u", doi);
-               printf(" proto=%u", proto);
+               ND_PRINT((ndo," doi=%u", doi));
+               ND_PRINT((ndo," proto=%u", proto));
        } else {
        } else {
-               printf(" doi=ipsec");
-               printf(" proto=%s", PROTOIDSTR(proto));
-       }
-       printf(" spilen=%u", p->spi_size);
-       printf(" nspi=%u", ntohs(p->num_spi));
-       printf(" spi=");
-       q = (u_int8_t *)(p + 1);
-       for (i = 0; i < ntohs(p->num_spi); i++) {
+               ND_PRINT((ndo," doi=ipsec"));
+               ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
+       }
+       ND_PRINT((ndo," spilen=%u", d.spi_size));
+       ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
+       ND_PRINT((ndo," spi="));
+       q = (const uint8_t *)(p + 1);
+       for (i = 0; i < ntohs(d.num_spi); i++) {
                if (i != 0)
                if (i != 0)
-                       printf(",");
-               rawprint((caddr_t)q, p->spi_size);
-               q += p->spi_size;
+                       ND_PRINT((ndo,","));
+               if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
+                       goto trunc;
+               q += d.spi_size;
        }
        return q;
        }
        return q;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
+       return NULL;
+}
+
+static const u_char *
+ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       struct isakmp_gen e;
+
+       ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
+
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+       ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
+       if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
+                       goto trunc;
+       }
+       return (const u_char *)ext + ntohs(e.len);
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
+       return NULL;
+}
+
+/************************************************************/
+/*                                                          */
+/*              IKE v2 - rfc4306 - dissector                */
+/*                                                          */
+/************************************************************/
+
+static void
+ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
+{
+       ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
+}
+
+static const u_char *
+ikev2_gen_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext)
+{
+       struct isakmp_gen e;
+
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+       ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
+
+       ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
+       if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
+                       goto trunc;
+       }
+       return (const u_char *)ext + ntohs(e.len);
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+       return NULL;
+}
+
+static const u_char *
+ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
+             const struct isakmp_gen *ext, u_int item_len,
+             const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
+             uint32_t proto _U_, int depth _U_)
+{
+       const struct ikev2_t *p;
+       struct ikev2_t t;
+       uint16_t  t_id;
+       const u_char *cp;
+       const char *idstr;
+       const struct attrmap *map;
+       size_t nmap;
+       const u_char *ep2;
+
+       p = (const struct ikev2_t *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&t, ext, sizeof(t));
+       ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
+
+       t_id = ntohs(t.t_id);
+
+       map = NULL;
+       nmap = 0;
+
+       switch (t.t_type) {
+       case IV2_T_ENCR:
+               idstr = STR_OR_ID(t_id, esp_p_map);
+               map = encr_t_map;
+               nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
+               break;
+
+       case IV2_T_PRF:
+               idstr = STR_OR_ID(t_id, prf_p_map);
+               break;
+
+       case IV2_T_INTEG:
+               idstr = STR_OR_ID(t_id, integ_p_map);
+               break;
+
+       case IV2_T_DH:
+               idstr = STR_OR_ID(t_id, dh_p_map);
+               break;
+
+       case IV2_T_ESN:
+               idstr = STR_OR_ID(t_id, esn_p_map);
+               break;
+
+       default:
+               idstr = NULL;
+               break;
+       }
+
+       if (idstr)
+               ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
+                         STR_OR_ID(t.t_type, ikev2_t_type_map),
+                         idstr));
+       else
+               ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
+                         STR_OR_ID(t.t_type, ikev2_t_type_map),
+                         t.t_id));
+       cp = (const u_char *)(p + 1);
+       ep2 = (const u_char *)p + item_len;
+       while (cp < ep && cp < ep2) {
+               if (map && nmap) {
+                       cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
+                               map, nmap);
+               } else
+                       cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
+       }
+       if (ep < ep2)
+               ND_PRINT((ndo,"..."));
+       return cp;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
+       return NULL;
+}
+
+static const u_char *
+ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
+             const struct isakmp_gen *ext, u_int item_len _U_,
+              const u_char *ep, uint32_t phase, uint32_t doi0,
+              uint32_t proto0 _U_, int depth)
+{
+       const struct ikev2_p *p;
+       struct ikev2_p prop;
+       const u_char *cp;
+
+       p = (const struct ikev2_p *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
+       ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
+
+       ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
+                 prop.p_no,  PROTOIDSTR(prop.prot_id),
+                 prop.num_t, ntohs(prop.h.len)));
+       if (prop.spi_size) {
+               ND_PRINT((ndo," spi="));
+               if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
+                       goto trunc;
+       }
+
+       ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
+       ND_TCHECK(*ext);
+
+       cp = ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
+                            prop.prot_id, depth);
+
+       return cp;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
+       return NULL;
+}
+
+static const u_char *
+ikev2_sa_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext1,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       struct isakmp_gen e;
+       int    osa_length, sa_length;
+
+       ND_TCHECK(*ext1);
+       UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
+       ikev2_pay_print(ndo, "sa", e.critical);
+
+       osa_length= ntohs(e.len);
+       sa_length = osa_length - 4;
+       ND_PRINT((ndo," len=%d", sa_length));
+
+       ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P,
+                       ext1+1, ep,
+                       0, 0, 0, depth);
+
+       return (const u_char *)ext1 + osa_length;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+       return NULL;
+}
+
+static const u_char *
+ikev2_ke_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       struct ikev2_ke ke;
+       const struct ikev2_ke *k;
+
+       k = (const struct ikev2_ke *)ext;
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
+       ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
+
+       ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
+                 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
+
+       if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
+                       goto trunc;
+       }
+       return (const u_char *)ext + ntohs(ke.h.len);
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+       return NULL;
+}
+
+static const u_char *
+ikev2_ID_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       struct ikev2_id id;
+       int id_len, idtype_len, i;
+       unsigned int dumpascii, dumphex;
+       const unsigned char *typedata;
+
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&id, ext, sizeof(id));
+       ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
+
+       id_len = ntohs(id.h.len);
+
+       ND_PRINT((ndo," len=%d", id_len - 4));
+       if (2 < ndo->ndo_vflag && 4 < id_len) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
+                       goto trunc;
+       }
+
+       idtype_len =id_len - sizeof(struct ikev2_id);
+       dumpascii = 0;
+       dumphex   = 0;
+       typedata  = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
+
+       switch(id.type) {
+       case ID_IPV4_ADDR:
+               ND_PRINT((ndo, " ipv4:"));
+               dumphex=1;
+               break;
+       case ID_FQDN:
+               ND_PRINT((ndo, " fqdn:"));
+               dumpascii=1;
+               break;
+       case ID_RFC822_ADDR:
+               ND_PRINT((ndo, " rfc822:"));
+               dumpascii=1;
+               break;
+       case ID_IPV6_ADDR:
+               ND_PRINT((ndo, " ipv6:"));
+               dumphex=1;
+               break;
+       case ID_DER_ASN1_DN:
+               ND_PRINT((ndo, " dn:"));
+               dumphex=1;
+               break;
+       case ID_DER_ASN1_GN:
+               ND_PRINT((ndo, " gn:"));
+               dumphex=1;
+               break;
+       case ID_KEY_ID:
+               ND_PRINT((ndo, " keyid:"));
+               dumphex=1;
+               break;
+       }
+
+       if(dumpascii) {
+               ND_TCHECK2(*typedata, idtype_len);
+               for(i=0; i<idtype_len; i++) {
+                       if(ND_ISPRINT(typedata[i])) {
+                               ND_PRINT((ndo, "%c", typedata[i]));
+                       } else {
+                               ND_PRINT((ndo, "."));
+                       }
+               }
+       }
+       if(dumphex) {
+               if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
+                       goto trunc;
+       }
+
+       return (const u_char *)ext + id_len;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+       return NULL;
+}
+
+static const u_char *
+ikev2_cert_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_cr_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_auth_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       struct ikev2_auth a;
+       const char *v2_auth[]={ "invalid", "rsasig",
+                               "shared-secret", "dsssig" };
+       const u_char *authdata = (const u_char*)ext + sizeof(a);
+       unsigned int len;
+
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&a, ext, sizeof(a));
+       ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
+       len = ntohs(a.h.len);
+
+       ND_PRINT((ndo," len=%d method=%s", len-4,
+                 STR_OR_ID(a.auth_method, v2_auth)));
+
+       if (1 < ndo->ndo_vflag && 4 < len) {
+               ND_PRINT((ndo," authdata=("));
+               if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
+                       goto trunc;
+               ND_PRINT((ndo,") "));
+       } else if(ndo->ndo_vflag && 4 < len) {
+               if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
+       }
+
+       return (const u_char *)ext + len;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+       return NULL;
+}
+
+static const u_char *
+ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       struct isakmp_gen e;
+
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+       ikev2_pay_print(ndo, "nonce", e.critical);
+
+       ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
+       if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+               ND_PRINT((ndo," nonce=("));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
+                       goto trunc;
+               ND_PRINT((ndo,") "));
+       } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
+               if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
+       }
+
+       return (const u_char *)ext + ntohs(e.len);
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+       return NULL;
+}
+
+/* notify payloads */
+static const u_char *
+ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       const struct ikev2_n *p;
+       struct ikev2_n n;
+       const u_char *cp;
+       u_char showspi, showdata, showsomedata;
+       const char *notify_name;
+       uint32_t type;
+
+       p = (const struct ikev2_n *)ext;
+       ND_TCHECK(*p);
+       UNALIGNED_MEMCPY(&n, ext, sizeof(n));
+       ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
+
+       showspi = 1;
+       showdata = 0;
+       showsomedata=0;
+       notify_name=NULL;
+
+       ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
+
+       type = ntohs(n.type);
+
+       /* notify space is annoying sparse */
+       switch(type) {
+       case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
+               notify_name = "unsupported_critical_payload";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_INVALID_IKE_SPI:
+               notify_name = "invalid_ike_spi";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_INVALID_MAJOR_VERSION:
+               notify_name = "invalid_major_version";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_INVALID_SYNTAX:
+               notify_name = "invalid_syntax";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_INVALID_MESSAGE_ID:
+               notify_name = "invalid_message_id";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_INVALID_SPI:
+               notify_name = "invalid_spi";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
+               notify_name = "no_protocol_chosen";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_INVALID_KE_PAYLOAD:
+               notify_name = "invalid_ke_payload";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_AUTHENTICATION_FAILED:
+               notify_name = "authentication_failed";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
+               notify_name = "single_pair_required";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_NO_ADDITIONAL_SAS:
+               notify_name = "no_additional_sas";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
+               notify_name = "internal_address_failure";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_FAILED_CP_REQUIRED:
+               notify_name = "failed:cp_required";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_INVALID_SELECTORS:
+               notify_name = "invalid_selectors";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_INITIAL_CONTACT:
+               notify_name = "initial_contact";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_SET_WINDOW_SIZE:
+               notify_name = "set_window_size";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
+               notify_name = "additional_ts_possible";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_IPCOMP_SUPPORTED:
+               notify_name = "ipcomp_supported";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
+               notify_name = "nat_detection_source_ip";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
+               notify_name = "nat_detection_destination_ip";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_COOKIE:
+               notify_name = "cookie";
+               showspi = 1;
+               showsomedata= 1;
+               showdata= 0;
+               break;
+
+       case IV2_NOTIFY_USE_TRANSPORT_MODE:
+               notify_name = "use_transport_mode";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
+               notify_name = "http_cert_lookup_supported";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_REKEY_SA:
+               notify_name = "rekey_sa";
+               showspi = 1;
+               break;
+
+       case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
+               notify_name = "tfc_padding_not_supported";
+               showspi = 0;
+               break;
+
+       case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
+               notify_name = "non_first_fragment_also";
+               showspi = 0;
+               break;
+
+       default:
+               if (type < 8192) {
+                       notify_name="error";
+               } else if(type < 16384) {
+                       notify_name="private-error";
+               } else if(type < 40960) {
+                       notify_name="status";
+               } else {
+                       notify_name="private-status";
+               }
+       }
+
+       if(notify_name) {
+               ND_PRINT((ndo," type=%u(%s)", type, notify_name));
+       }
+
+
+       if (showspi && n.spi_size) {
+               ND_PRINT((ndo," spi="));
+               if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
+                       goto trunc;
+       }
+
+       cp = (const u_char *)(p + 1) + n.spi_size;
+
+       if(3 < ndo->ndo_vflag) {
+               showdata = 1;
+       }
+
+       if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
+               ND_PRINT((ndo," data=("));
+               if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
+                       goto trunc;
+
+               ND_PRINT((ndo,")"));
+
+       } else if(showsomedata && cp < ep) {
+               if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
+       }
+
+       return (const u_char *)ext + item_len;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
+       return NULL;
+}
+
+static const u_char *
+ikev2_d_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_vid_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       struct isakmp_gen e;
+       const u_char *vid;
+       int i, len;
+
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+       ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
+       ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
+
+       vid = (const u_char *)(ext+1);
+       len = ntohs(e.len) - 4;
+       ND_TCHECK2(*vid, len);
+       for(i=0; i<len; i++) {
+               if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
+               else ND_PRINT((ndo, "."));
+       }
+       if (2 < ndo->ndo_vflag && 4 < len) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
+                       goto trunc;
+       }
+       return (const u_char *)ext + ntohs(e.len);
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+       return NULL;
+}
+
+static const u_char *
+ikev2_TS_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       return ikev2_gen_print(ndo, tpay, ext);
 }
 
 }
 
-static u_char *
-isakmp_vid_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
-       u_int32_t doi, u_int32_t proto)
+static const u_char *
+ikev2_e_print(netdissect_options *ndo,
+#ifndef HAVE_LIBCRYPTO
+             _U_
+#endif
+             struct isakmp *base,
+             u_char tpay,
+             const struct isakmp_gen *ext,
+             u_int item_len _U_, const u_char *ep _U_,
+#ifndef HAVE_LIBCRYPTO
+             _U_
+#endif
+             uint32_t phase,
+#ifndef HAVE_LIBCRYPTO
+             _U_
+#endif
+             uint32_t doi,
+#ifndef HAVE_LIBCRYPTO
+             _U_
+#endif
+             uint32_t proto,
+#ifndef HAVE_LIBCRYPTO
+             _U_
+#endif
+             int depth)
 {
 {
-       printf("%s:", NPSTR(ISAKMP_NPTYPE_VID));
+       struct isakmp_gen e;
+       const u_char *dat;
+       volatile int dlen;
+
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+       ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
+
+       dlen = ntohs(e.len)-4;
 
 
-       printf(" len=%d", ntohs(ext->len) - 4);
-       if (2 < vflag && 4 < ntohs(ext->len)) {
-               printf(" ");
-               rawprint((caddr_t)(ext + 1), ntohs(ext->len) - 4);
+       ND_PRINT((ndo," len=%d", dlen));
+       if (2 < ndo->ndo_vflag && 4 < dlen) {
+               ND_PRINT((ndo," "));
+               if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
+                       goto trunc;
        }
        }
-       return (u_char *)ext + ntohs(ext->len);
+
+       dat = (const u_char *)(ext+1);
+       ND_TCHECK2(*dat, dlen);
+
+#ifdef HAVE_LIBCRYPTO
+       /* try to decypt it! */
+       if(esp_print_decrypt_buffer_by_ikev2(ndo,
+                                            base->flags & ISAKMP_FLAG_I,
+                                            base->i_ck, base->r_ck,
+                                            dat, dat+dlen)) {
+
+               ext = (const struct isakmp_gen *)ndo->ndo_packetp;
+
+               /* got it decrypted, print stuff inside. */
+               ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
+                               phase, doi, proto, depth+1);
+       }
+#endif
+
+
+       /* always return NULL, because E must be at end, and NP refers
+        * to what was inside.
+        */
+       return NULL;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_sub0_print(u_char np, struct isakmp_gen *ext, u_char *ep,
-       u_int32_t phase, u_int32_t doi, u_int32_t proto)
+static const u_char *
+ikev2_cp_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
 {
 {
-       u_char *cp;
+       return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_eap_print(netdissect_options *ndo, u_char tpay,
+               const struct isakmp_gen *ext,
+               u_int item_len _U_, const u_char *ep _U_,
+               uint32_t phase _U_, uint32_t doi _U_,
+               uint32_t proto _U_, int depth _U_)
+{
+       return ikev2_gen_print(ndo, tpay, ext);
+}
 
 
-       cp = (u_char *)ext;
+static const u_char *
+ike_sub0_print(netdissect_options *ndo,
+                u_char np, const struct isakmp_gen *ext, const u_char *ep,
 
 
-       if (NPFUNC(np))
-               cp = (*NPFUNC(np))(ext, ep, phase, doi, proto);
-       else {
-               printf("%s", NPSTR(np));
-               cp += ntohs(ext->len);
+              uint32_t phase, uint32_t doi, uint32_t proto, int depth)
+{
+       const u_char *cp;
+       struct isakmp_gen e;
+       u_int item_len;
+
+       cp = (const u_char *)ext;
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+
+       /*
+        * Since we can't have a payload length of less than 4 bytes,
+        * we need to bail out here if the generic header is nonsensical
+        * or truncated, otherwise we could loop forever processing
+        * zero-length items or otherwise misdissect the packet.
+        */
+       item_len = ntohs(e.len);
+       if (item_len <= 4)
+               return NULL;
+
+       if (NPFUNC(np)) {
+               /*
+                * XXX - what if item_len is too short, or too long,
+                * for this payload type?
+                */
+               cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
+       } else {
+               ND_PRINT((ndo,"%s", NPSTR(np)));
+               cp += item_len;
        }
        }
+
        return cp;
        return cp;
+trunc:
+       ND_PRINT((ndo," [|isakmp]"));
+       return NULL;
 }
 
 }
 
-static u_char *
-isakmp_sub_print(u_char np, struct isakmp_gen *ext, u_char *ep,
-       u_int32_t phase, u_int32_t doi, u_int32_t proto)
+static const u_char *
+ikev1_sub_print(netdissect_options *ndo,
+               u_char np, const struct isakmp_gen *ext, const u_char *ep,
+               uint32_t phase, uint32_t doi, uint32_t proto, int depth)
 {
 {
-       u_char *cp;
-       static int depth = 0;
+       const u_char *cp;
        int i;
        int i;
+       struct isakmp_gen e;
 
 
-       cp = (u_char *)ext;
+       cp = (const u_char *)ext;
 
        while (np) {
 
        while (np) {
-               if (ep < (u_char *)ext + ntohs(ext->len)) {
-                       printf(" [|%s]", NPSTR(np));
-                       cp = ep + 1;
-                       break;
-               }
+               ND_TCHECK(*ext);
+
+               UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+
+               ND_TCHECK2(*ext, ntohs(e.len));
+
                depth++;
                depth++;
-               printf("\n");
+               ND_PRINT((ndo,"\n"));
                for (i = 0; i < depth; i++)
                for (i = 0; i < depth; i++)
-                       printf("    ");
-               printf("(");
-               cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
-               printf(")");
+                       ND_PRINT((ndo,"    "));
+               ND_PRINT((ndo,"("));
+               cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
+               ND_PRINT((ndo,")"));
                depth--;
 
                depth--;
 
-               np = ext->np;
-               ext = (struct isakmp_gen *)cp;
+               if (cp == NULL) {
+                       /* Zero-length subitem */
+                       return NULL;
+               }
+
+               np = e.np;
+               ext = (const struct isakmp_gen *)cp;
        }
        return cp;
        }
        return cp;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(np)));
+       return NULL;
 }
 
 static char *
 }
 
 static char *
@@ -1054,110 +2647,351 @@ numstr(int x)
        return buf;
 }
 
        return buf;
 }
 
-void
-isakmp_print(const u_char *bp, u_int length, const u_char *bp2)
+static void
+ikev1_print(netdissect_options *ndo,
+           const u_char *bp,  u_int length,
+           const u_char *bp2, struct isakmp *base)
 {
 {
-       struct isakmp *base;
-       u_char *ep;
+       const struct isakmp *p;
+       const u_char *ep;
        u_char np;
        int i;
        int phase;
        u_char np;
        int i;
        int phase;
-       int major, minor;
-
-       base = (struct isakmp *)bp;
-       ep = (u_char *)snapend;
-
-       if ((struct isakmp *)ep < base + 1) {
-               printf("[|isakmp]");
-               return;
-       }
-
-       printf("isakmp");
-       if (vflag) {
-               major = (base->vers & ISAKMP_VERS_MAJOR)
-                               >> ISAKMP_VERS_MAJOR_SHIFT;
-               minor = (base->vers & ISAKMP_VERS_MINOR)
-                               >> ISAKMP_VERS_MINOR_SHIFT;
-               printf(" %d.%d", major, minor);
-       }
-
-       if (vflag) {
-               printf(" msgid ");
-               rawprint((caddr_t)&base->msgid, sizeof(base->msgid));
-       }
 
 
-       if (1 < vflag) {
-               printf(" cookie ");
-               rawprint((caddr_t)&base->i_ck, sizeof(base->i_ck));
-               printf("->");
-               rawprint((caddr_t)&base->r_ck, sizeof(base->r_ck));
-       }
-       printf(":");
+       p = (const struct isakmp *)bp;
+       ep = ndo->ndo_snapend;
 
 
-       phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2;
+       phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
        if (phase == 1)
        if (phase == 1)
-               printf(" phase %d", phase);
+               ND_PRINT((ndo," phase %d", phase));
        else
        else
-               printf(" phase %d/others", phase);
+               ND_PRINT((ndo," phase %d/others", phase));
 
        i = cookie_find(&base->i_ck);
        if (i < 0) {
 
        i = cookie_find(&base->i_ck);
        if (i < 0) {
-               if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
+               if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
                        /* the first packet */
                        /* the first packet */
-                       printf(" I");
+                       ND_PRINT((ndo," I"));
                        if (bp2)
                                cookie_record(&base->i_ck, bp2);
                } else
                        if (bp2)
                                cookie_record(&base->i_ck, bp2);
                } else
-                       printf(" ?");
+                       ND_PRINT((ndo," ?"));
        } else {
                if (bp2 && cookie_isinitiator(i, bp2))
        } else {
                if (bp2 && cookie_isinitiator(i, bp2))
-                       printf(" I");
+                       ND_PRINT((ndo," I"));
                else if (bp2 && cookie_isresponder(i, bp2))
                else if (bp2 && cookie_isresponder(i, bp2))
-                       printf(" R");
+                       ND_PRINT((ndo," R"));
                else
                else
-                       printf(" ?");
+                       ND_PRINT((ndo," ?"));
        }
 
        }
 
-       printf(" %s", ETYPESTR(base->etype));
+       ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
        if (base->flags) {
        if (base->flags) {
-               printf("[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
-                       base->flags & ISAKMP_FLAG_C ? "C" : "");
+               ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
+                         base->flags & ISAKMP_FLAG_C ? "C" : ""));
        }
        }
-       printf(":");
 
 
-    {
-       struct isakmp_gen *ext;
-       int nparen;
+       if (ndo->ndo_vflag) {
+               const struct isakmp_gen *ext;
+
+               ND_PRINT((ndo,":"));
+
+               /* regardless of phase... */
+               if (base->flags & ISAKMP_FLAG_E) {
+                       /*
+                        * encrypted, nothing we can do right now.
+                        * we hope to decrypt the packet in the future...
+                        */
+                       ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
+                       goto done;
+               }
+
+               CHECKLEN(p + 1, base->np);
+               np = base->np;
+               ext = (const struct isakmp_gen *)(p + 1);
+               ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
+       }
 
 
-#define CHECKLEN(p, np) \
-       if (ep < (u_char *)(p)) {                               \
-               printf(" [|%s]", NPSTR(np));                    \
-               goto done;                                      \
+done:
+       if (ndo->ndo_vflag) {
+               if (ntohl(base->len) != length) {
+                       ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
+                                 (uint32_t)ntohl(base->len), length));
+               }
        }
        }
+}
 
 
-       /* regardless of phase... */
-       if (base->flags & ISAKMP_FLAG_E) {
+static const u_char *
+ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
+                u_char np, int pcount,
+                const struct isakmp_gen *ext, const u_char *ep,
+                uint32_t phase, uint32_t doi, uint32_t proto, int depth)
+{
+       const u_char *cp;
+       struct isakmp_gen e;
+       u_int item_len;
+
+       cp = (const u_char *)ext;
+       ND_TCHECK(*ext);
+       UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+
+       /*
+        * Since we can't have a payload length of less than 4 bytes,
+        * we need to bail out here if the generic header is nonsensical
+        * or truncated, otherwise we could loop forever processing
+        * zero-length items or otherwise misdissect the packet.
+        */
+       item_len = ntohs(e.len);
+       if (item_len <= 4)
+               return NULL;
+
+       if(np == ISAKMP_NPTYPE_P) {
+               cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
+                                  ep, phase, doi, proto, depth);
+       } else if(np == ISAKMP_NPTYPE_T) {
+               cp = ikev2_t_print(ndo, np, pcount, ext, item_len,
+                                  ep, phase, doi, proto, depth);
+       } else if(np == ISAKMP_NPTYPE_v2E) {
+               cp = ikev2_e_print(ndo, base, np, ext, item_len,
+                                  ep, phase, doi, proto, depth);
+       } else if (NPFUNC(np)) {
                /*
                /*
-                * encrypted, nothing we can do right now.
-                * we hope to decrypt the packet in the future...
+                * XXX - what if item_len is too short, or too long,
+                * for this payload type?
                 */
                 */
-               printf(" [|%s]", NPSTR(base->np));
-               goto done;
+               cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len,
+                                  ep, phase, doi, proto, depth);
+       } else {
+               ND_PRINT((ndo,"%s", NPSTR(np)));
+               cp += item_len;
+       }
+
+       return cp;
+trunc:
+       ND_PRINT((ndo," [|isakmp]"));
+       return NULL;
+}
+
+static const u_char *
+ikev2_sub_print(netdissect_options *ndo,
+               struct isakmp *base,
+               u_char np, const struct isakmp_gen *ext, const u_char *ep,
+               uint32_t phase, uint32_t doi, uint32_t proto, int depth)
+{
+       const u_char *cp;
+       int i;
+       int pcount;
+       struct isakmp_gen e;
+
+       cp = (const u_char *)ext;
+       pcount = 0;
+       while (np) {
+               pcount++;
+               ND_TCHECK(*ext);
+
+               UNALIGNED_MEMCPY(&e, ext, sizeof(e));
+
+               ND_TCHECK2(*ext, ntohs(e.len));
+
+               depth++;
+               ND_PRINT((ndo,"\n"));
+               for (i = 0; i < depth; i++)
+                       ND_PRINT((ndo,"    "));
+               ND_PRINT((ndo,"("));
+               cp = ikev2_sub0_print(ndo, base, np, pcount,
+                                     ext, ep, phase, doi, proto, depth);
+               ND_PRINT((ndo,")"));
+               depth--;
+
+               if (cp == NULL) {
+                       /* Zero-length subitem */
+                       return NULL;
+               }
+
+               np = e.np;
+               ext = (const struct isakmp_gen *)cp;
+       }
+       return cp;
+trunc:
+       ND_PRINT((ndo," [|%s]", NPSTR(np)));
+       return NULL;
+}
+
+static void
+ikev2_print(netdissect_options *ndo,
+           const u_char *bp,  u_int length,
+           const u_char *bp2 _U_, struct isakmp *base)
+{
+       const struct isakmp *p;
+       const u_char *ep;
+       u_char np;
+       int phase;
+
+       p = (const struct isakmp *)bp;
+       ep = ndo->ndo_snapend;
+
+       phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
+       if (phase == 1)
+               ND_PRINT((ndo, " parent_sa"));
+       else
+               ND_PRINT((ndo, " child_sa "));
+
+       ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
+       if (base->flags) {
+               ND_PRINT((ndo, "[%s%s%s]",
+                         base->flags & ISAKMP_FLAG_I ? "I" : "",
+                         base->flags & ISAKMP_FLAG_V ? "V" : "",
+                         base->flags & ISAKMP_FLAG_R ? "R" : ""));
        }
 
        }
 
-       nparen = 0;
-       CHECKLEN(base + 1, base->np)
+       if (ndo->ndo_vflag) {
+               const struct isakmp_gen *ext;
+
+               ND_PRINT((ndo, ":"));
 
 
-       np = base->np;
-       ext = (struct isakmp_gen *)(base + 1);
-       isakmp_sub_print(np, ext, ep, phase, 0, 0);
-    }
+               /* regardless of phase... */
+               if (base->flags & ISAKMP_FLAG_E) {
+                       /*
+                        * encrypted, nothing we can do right now.
+                        * we hope to decrypt the packet in the future...
+                        */
+                       ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
+                       goto done;
+               }
+
+               CHECKLEN(p + 1, base->np)
+
+               np = base->np;
+               ext = (const struct isakmp_gen *)(p + 1);
+               ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
+       }
 
 done:
 
 done:
-       if (vflag) {
+       if (ndo->ndo_vflag) {
                if (ntohl(base->len) != length) {
                if (ntohl(base->len) != length) {
-                       printf(" (len mismatch: isakmp %u/ip %d)",
-                               (u_int32_t)ntohl(base->len), length);
+                       ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
+                                 (uint32_t)ntohl(base->len), length));
                }
        }
 }
                }
        }
 }
+
+void
+isakmp_print(netdissect_options *ndo,
+            const u_char *bp, u_int length,
+            const u_char *bp2)
+{
+       const struct isakmp *p;
+       struct isakmp base;
+       const u_char *ep;
+       int major, minor;
+
+#ifdef HAVE_LIBCRYPTO
+       /* initialize SAs */
+       if (ndo->ndo_sa_list_head == NULL) {
+               if (ndo->ndo_espsecret)
+                       esp_print_decodesecret(ndo);
+       }
+#endif
+
+       p = (const struct isakmp *)bp;
+       ep = ndo->ndo_snapend;
+
+       if ((const struct isakmp *)ep < p + 1) {
+               ND_PRINT((ndo,"[|isakmp]"));
+               return;
+       }
+
+       UNALIGNED_MEMCPY(&base, p, sizeof(base));
+
+       ND_PRINT((ndo,"isakmp"));
+       major = (base.vers & ISAKMP_VERS_MAJOR)
+               >> ISAKMP_VERS_MAJOR_SHIFT;
+       minor = (base.vers & ISAKMP_VERS_MINOR)
+               >> ISAKMP_VERS_MINOR_SHIFT;
+
+       if (ndo->ndo_vflag) {
+               ND_PRINT((ndo," %d.%d", major, minor));
+       }
+
+       if (ndo->ndo_vflag) {
+               ND_PRINT((ndo," msgid "));
+               hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
+       }
+
+       if (1 < ndo->ndo_vflag) {
+               ND_PRINT((ndo," cookie "));
+               hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
+               ND_PRINT((ndo,"->"));
+               hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
+       }
+       ND_PRINT((ndo,":"));
+
+       switch(major) {
+       case IKEv1_MAJOR_VERSION:
+               ikev1_print(ndo, bp, length, bp2, &base);
+               break;
+
+       case IKEv2_MAJOR_VERSION:
+               ikev2_print(ndo, bp, length, bp2, &base);
+               break;
+       }
+}
+
+void
+isakmp_rfc3948_print(netdissect_options *ndo,
+                    const u_char *bp, u_int length,
+                    const u_char *bp2)
+{
+
+       if(length == 1 && bp[0]==0xff) {
+               ND_PRINT((ndo, "isakmp-nat-keep-alive"));
+               return;
+       }
+
+       if(length < 4) {
+               goto trunc;
+       }
+
+       /*
+        * see if this is an IKE packet
+        */
+       if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
+               ND_PRINT((ndo, "NONESP-encap: "));
+               isakmp_print(ndo, bp+4, length-4, bp2);
+               return;
+       }
+
+       /* must be an ESP packet */
+       {
+               int nh, enh, padlen;
+               int advance;
+
+               ND_PRINT((ndo, "UDP-encap: "));
+
+               advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
+               if(advance <= 0)
+                       return;
+
+               bp += advance;
+               length -= advance + padlen;
+               nh = enh & 0xff;
+
+               ip_print_inner(ndo, bp, length, nh, bp2);
+               return;
+       }
+
+trunc:
+       ND_PRINT((ndo,"[|isakmp]"));
+       return;
+}
+
+/*
+ * Local Variables:
+ * c-style: whitesmith
+ * c-basic-offset: 8
+ * End:
+ */
+
+
+
+
[mirror] the TCPdump network dissector