Romain Francoise [Sat, 30 Jun 2012 19:42:41 +0000 (12:42 -0700)]
LLDP: print packet protocol at all verbosity levels
The LLDP printer doesn't show the packet protocol unless -v is used,
which results in pretty useless output lines where only the timestamp is
present. Make sure we include the default protocol+length output even in
default mode.
Denis Ovsienko [Fri, 29 Jun 2012 18:27:16 +0000 (22:27 +0400)]
update Babel decoder for DLen in HD TLV
This change reflects a new Digest Length field added to Hash Digest TLV
in the current draft of Babel authentication spec. babel_print_v2() is
updated to fetch and validate the new field. Test files too.
Denis Ovsienko [Thu, 21 Jun 2012 13:14:55 +0000 (17:14 +0400)]
fix printing of infinite lifetime in ICMPv6
icmp6_opt_print() in the case of ND_OPT_PREFIX_INFORMATION always
appended "s" (seconds) to the returned string result of get_lifetime(),
which could be either a printed number or the "infinite" word. This
change leaves it up to get_lifetime() to decide if "s" is necessary.
This also improves the ND_OPT_ROUTE_INFO case, where route information
lifetime has the same type and semantics.
Denis Ovsienko [Mon, 11 Jun 2012 17:06:00 +0000 (21:06 +0400)]
decode RIPv2 authentication up to RFC4822
This change addresses a few issues in rip_entry_print_v2() and
rip_print():
1. In the case of Simple Password (RFC2453) authentication the last
(16th) character of a password was never printed. Other password
characters were printed regardless of existing isprint() test.
2. In the case of Cryptographic (RFC4822) authentication there were no
details available for fixed-size auth header and variable-size auth
trailer.
3. Depending on particular hash function used, a normal authentication
trailer "RTE" may be 20 or more bytes long. Iteration over packet RTEs
should stop once a trailer is decoded. Exact number of RTEs in a message
cannot be told from message size any more.
Test cases are added for Request and Response messages with Simple
Password, Keyed-MD5, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 and
HMAC-SHA-512 authentication modes. Earlier test case is updated to match
new "number of routes" output format.
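The third point above, iteration that has to stop at the trailer, as an added example (not tcpdump's code). It assumes the RFC 2453/RFC 4822 layout of a 4-byte header, 20-byte entries and a trailer marked by 0xFFFF 0x0001; `rip2_walk` and `rip2_sample` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define RIP_HDR_LEN      4       /* command, version, two unused bytes */
#define RIP_RTE_LEN      20      /* size of every entry ahead of the trailer */
#define RIP_AFI_AUTH     0xFFFF  /* AFI value marking an authentication entry */
#define RIP_AUTH_TRAILER 0x0001  /* type field of the RFC 4822 trailer */

static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Count route entries, stopping at the authentication trailer. Returns -1 on
 * truncation; *auth_len gets the bytes after the trailer marker (0 if none). */
int rip2_walk(const uint8_t *pkt, size_t len, size_t *auth_len)
{
    size_t off = RIP_HDR_LEN;
    int routes = 0;

    *auth_len = 0;
    if (len < RIP_HDR_LEN)
        return -1;
    while (off < len) {
        size_t left = len - off;
        if (left < 4)                    /* need AFI and type to classify */
            return -1;
        int is_auth = be16(pkt + off) == RIP_AFI_AUTH;
        if (is_auth && be16(pkt + off + 2) == RIP_AUTH_TRAILER) {
            *auth_len = left - 4;        /* trailer runs to end of message */
            return routes;               /* nothing after it is an RTE */
        }
        if (left < RIP_RTE_LEN)          /* partial entry: do not read it */
            return -1;
        routes += !is_auth;              /* the auth header is not a route */
        off += RIP_RTE_LEN;
    }
    return routes;
}

/* Constructed sample: Response, crypto auth header (type 3), one IPv4 RTE,
 * trailer marker followed by 32 zero bytes standing in for a digest. */
static const uint8_t rip2_sample[80] = {
    2, 2, 0, 0, 0xFF, 0xFF, 0, 3, [25] = 2, [44] = 0xFF, [45] = 0xFF, [47] = 1
};

int main(void)
{
    size_t alen;
    int n = rip2_walk(rip2_sample, sizeof rip2_sample, &alen);
    printf("routes=%d auth_len=%zu\n", n, alen);
    return 0;
}
```

For the 80-byte sample, a count taken from the message size, (80 - 4) / 20, gives 3 entries, while the walk finds one route and a 32-byte authentication field.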
Denis Ovsienko [Mon, 11 Jun 2012 17:01:34 +0000 (21:01 +0400)]
fix RIP Request/full table decoding issues
RIP Request and Response messages have the same structure. Update a
switch block in rip_print() to proceed with decoding of both.
A Request message may contain an AFI 0 RTE standing for a full table
request, normally sent on a router start. Update rip_entry_print_v1()
and rip_entry_print_v2() to treat IPv4 and AFI 0 as two valid,
distinguishable cases.
Guy Harris [Sat, 9 Jun 2012 02:07:20 +0000 (19:07 -0700)]
Add some attribute/TLV length checks.
Make sure we don't run past the end of a BGP attribute or LDP TLV when
dissecting the attribute/TLV.
Make some of the code do a bit more of a "step the pointer through the
data"-style dissection; that was done while debugging the changes in
question. It also fixes up some code to not check for more data than
should actually be there.
Update references to RFC 4906 from the draft, and note that RFC 4447
replaces it.
Guy Harris [Fri, 8 Jun 2012 05:24:04 +0000 (22:24 -0700)]
Fix an error and a warning.
Use a separate variable to index through the hash digest, not the
variable used to index through the packet.
Make some variables holding one-byte quantities u_int rather than u_char
while we're at it - not much use in *requiring* them to fit into 8 bits
(the code might be better if we don't, and that eliminates a warning).
Guy Harris [Fri, 8 Jun 2012 05:12:28 +0000 (22:12 -0700)]
Fix printing of 64-bit quantities.
Do *NOT* assume that "%l[doxu]x" - or "%ll[doxu]" - is the way to print
a 64-bit quantity; on UN*X, it might be a "long" or a "long long",
depending on whether you're on a 32-bit or 64-bit platform and, on
Windows with MSVC++, it's not a long (even in 64-bit mode) and doesn't
use "%ll[doxu]", either. Instead, use PRI[doxu]64; that's what C99
defines, and what we define ourselves if the C environment doesn't
define it.
Denis Ovsienko [Wed, 6 Jun 2012 13:57:20 +0000 (17:57 +0400)]
add decoding of Babel authentication TLVs
This change extends existing Babel protocol decoder to recognise
experimental authentication TLVs (types 11 and 12) and includes
a respective test case for the new code.
The most notable difference between RFC5006 and RFC6106 is the addition
of DNSSL RA option. This commit adds DNSSL handling code to make tcpdump
fully RFC6106-aware. This code has been tested against RA packets
generated by Quagga and radvd.
Guy Harris [Sat, 10 Mar 2012 23:23:50 +0000 (15:23 -0800)]
Give more information on -l, and note that -U works without -w.
Note that -l, on Windows (i.e., in WinDump), is unbuffered, not
line-buffered, and describe -U as an alternative (that doesn't have that
problem on Windows).
Note that -U does packet-buffering without -w.
Fix up the formatting of the example command lines with -l.
Guy Harris [Sat, 10 Mar 2012 22:57:00 +0000 (14:57 -0800)]
Discuss buffering when describing the -w flag.
Mention that the output of tcpdump -w is buffered, and note that this
means packets won't necessarily show up in the output as soon as they're
received, so programs reading that output won't see them immediately,
and note that the -U flag forces "packet buffering" so that a reader
will see the packets as soon as they're received.
Guy Harris [Sun, 4 Mar 2012 00:10:42 +0000 (16:10 -0800)]
Ask for the libpcap Makefile while we're at it.
...so that we can see what's being used to turn grammar.y into
grammar.c.
While we're at it, say "config.log file from the libpcap source
directory", in the hopes of making it more likely that we'll get it in
addition to the tcpdump config.log.
Guy Harris [Sat, 3 Mar 2012 21:32:11 +0000 (13:32 -0800)]
Ask for more information if we don't find pcap_loop.
I give up.
People keep reporting that the configure process for tcpdump fails to
find pcap_loop, and the config.log file they send us says there's no
pcap_parse in libpcap, which suggests that something went wrong in the
build process for libpcap; perhaps they don't have Bison and the
configure script got confused and failed to cause the parser to be named
"pcap_parse", or something such as that, or perhaps Bison was recently
"improved" in a fashion that breaks that, but I've never been able to
reproduce this on any of the Linux distribution installations to which
*I* have access.
I therefore ask them to send the config.log output and make output for
libpcap; *not one of the reporters of this problem* has bothered to send
that information, so we're stuck. Perhaps they don't care enough (in
which case, why did they bother asking us about it?), or perhaps they're
annoyed that we asked them a further question rather than Just Fixing
The Problem(TM) (in which case, all I have to say is "welcome to the
Wonderful World Of Computer Software(TM) - get used to it").
So let's just ask for all that information. (I would not be surprised
if this doesn't suffice and that they *still* just send us the tcpdump
config.log output, but at least I'll be able to tell them that they
should have Read The Fine Error Message(TM).)
Guy Harris [Thu, 1 Mar 2012 05:14:50 +0000 (21:14 -0800)]
Back out DLT_PFSYNC support.
Unfortunately, the DLT_PFSYNC support depends on header files included
from the pfctl command's source tree, and trying to arrange to find that
would be too much trouble.
Guy Harris [Wed, 29 Feb 2012 09:51:27 +0000 (01:51 -0800)]
Add DLT_PFSYNC support.
From FreeBSD PR bin/124825: tcpdump(8) does not support pfsync(4) data,
which in turn was ported over from OpenBSD. We already have CARP
support, so we did not port that part over.
Bill Fenner [Mon, 13 Feb 2012 16:27:08 +0000 (08:27 -0800)]
IGMPv3's Max Response Time is in units of 0.1 second.
If it's less than 60 seconds, print it as %.1fs, to be able to
accurately represent small values including the tenths-of-a-second.
Only use relts_print() when it is 60 seconds or more.
Denis Ovsienko [Thu, 29 Dec 2011 16:46:02 +0000 (20:46 +0400)]
ND_OPT_ADVINTERVAL is in milliseconds, not seconds
RFC 6275 7.3. New Advertisement Interval Option Format
Advertisement Interval
32-bit unsigned integer. The maximum time, in milliseconds,
between successive unsolicited Router Advertisement messages sent
by this router on this network interface.
Guy Harris [Fri, 14 Oct 2011 04:59:57 +0000 (21:59 -0700)]
Redo length checks in ospf6_print_lsa().
Check to make sure we haven't run past the end of the LSA by doing
length checks - and be a bit fussier about length checks. Do more
end-of-packet checks as well.