hannes [Fri, 21 Sep 2007 07:07:52 +0000 (07:07 +0000)]
in tcpdump a length field has the semantics of a 'total length field'
i.e. including the header - the IP6 payload length field differs
from that ...
highlight the difference by printing 'payload length' rather than 'length'
guy [Fri, 14 Sep 2007 00:39:22 +0000 (00:39 +0000)]
From pfhunt on SourceForge:
When a packet contains an IPv6 options header followed by an unknown IPv6
protocol payload, tcpdump displays the proto ID for the known option
header, not for the unknown payload.
For example, this is the output for an IPv6 packet containing a destination
options header, followed by a payload of (unknown) protocol 138:
# tcpdump -s 128 -i eth1
tcpdump: WARNING: addresses not searched
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 128 bytes
11:44:40.862572 I IP6 2007::10:5:2:163 > 2007::10:5:2:164: DSTOPT ip-proto-60 16
The ip-proto-60 refers to the destination option header (DSTOPT), rather
than displaying the unknown option 138, which I think would be more
informative.
The attached patch fixes this problem. With the patch applied, the output
for the packet is:
# tcpdump -s 128 -i eth1
tcpdump: WARNING: addresses not searched
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 128 bytes
11:48:26.160462 I IP6 2007::10:5:2:163 > 2007::10:5:2:164: DSTOPT ip-proto-138 16
guy [Fri, 14 Sep 2007 00:26:18 +0000 (00:26 +0000)]
Propagate
revision 1.118
date: 2006-05-11 19:14:55 -0700; author: guy; state: Exp; lines: +2 -2
"ether.h" defines more than we need, and, on some platforms, redefines
ether_header (which is one of the things we don't need). Just define
ETHER_ADDR_LEN to 6 if it's not defined - it can't be anything but 6.
to the x.9 branch, to fix build problems on Solaris.
guy [Wed, 12 Sep 2007 19:48:50 +0000 (19:48 +0000)]
From Max Laier: check whether the system has <net/pfvar.h> and:
if it does, use that for the pf definitions;
if it doesn't, don't compile in pf support;
as both OpenBSD and FreeBSD have changed the pf definitions and header
format without changing the DLT value, so you can't reliably read
pflog-format libpcap files on a machine running an OS version other than
the one on which the file was generated.
guy [Tue, 21 Aug 2007 22:02:08 +0000 (22:02 +0000)]
From Francois-Xavier Le Bail: decode DHCP option 249 (Microsoft's
Classless Static Route option) the same way as option 121 (RFC 3442's
Classless Static Route option).
guy [Tue, 24 Jul 2007 17:29:43 +0000 (17:29 +0000)]
From Francois-Xavier Le Bail: support for the DHCP Classless Static Route
option (RFC 3442).
Just modify the "len" variable as we parse an option - no need for a
separate variable representing the amount of data left (I suspect that's
why the wrong variable appears to have been used in the "trailing data
length" message; I'd expect that message to indicate how much *extra*
data there was in the option, not how much *total* data there was in the
option).
Add checks for too-short options in some cases where they were missing.
In the check for the Client FQDN option, skip past what data there is in
the option if it's too short, so it doesn't show up as extra data in the
option.
For the Agent Circuit option, for each suboption:
check to make sure the suboption length doesn't go past what's
left in the option;
don't reject options with an option type or length of 0 (neither
are forbidden by RFC 3046, and, in fact, RFC 3046 says "a
sub-option length may be zero");
use fn_printn() to print the Agent Circuit ID suboption, rather
than doing the equivalent ourselves with a safeputchar() loop.
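
The sub-option checks listed in this commit message, as an added example that is not tcpdump's code or part of the commit: a walker for the value of one Relay Agent Information option (RFC 3046) that rejects a sub-option running past the end of the option and accepts a type or length of 0. The function name, return convention and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed option value bytes (not captured traffic). */
static const uint8_t opt_ok[]    = { 1, 4, 'e', 't', 'h', '0', 2, 0 }; /* 2nd: length 0 */
static const uint8_t opt_zero[]  = { 0, 0 };                  /* type 0, length 0 */
static const uint8_t opt_long[]  = { 1, 9, 'e', 't', 'h', '0' };       /* claims 9, has 4 */
static const uint8_t opt_short[] = { 1, 2, 'a', 'b', 2 };     /* dangling type byte */

/* Walk the sub-options in one option value of len bytes.
 * Returns the number of complete sub-options, or -1 if a sub-option
 * header or value would run past the end of the option. */
static int walk_suboptions(const uint8_t *p, size_t len, int print)
{
    int count = 0;

    while (len > 0) {
        if (len < 2)
            return -1;              /* no room for type + length bytes */
        unsigned type = p[0];
        size_t sublen = p[1];
        p += 2;
        len -= 2;
        if (sublen > len)
            return -1;              /* value goes past what's left */
        if (print) {
            printf("subopt %u, length %zu: ", type, sublen);
            for (size_t i = 0; i < sublen; i++) {
                if (p[i] >= 0x20 && p[i] < 0x7f)
                    putchar(p[i]);  /* printable ASCII as-is */
                else
                    printf("\\%03o", (unsigned)p[i]);
            }
            putchar('\n');
        }
        p += sublen;                /* sublen may be 0; header already consumed */
        len -= sublen;
        count++;
    }
    return count;
}

int main(void)
{
    int ok = walk_suboptions(opt_ok, sizeof opt_ok, 1);
    int bad = walk_suboptions(opt_long, sizeof opt_long, 0);
    printf("well-formed: %d, overlong: %d\n", ok, bad);
    return 0;
}
```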
guy [Sat, 14 Jul 2007 22:26:35 +0000 (22:26 +0000)]
Fix problem found by the folks at www.digit-labs.org. Process all the
TLVs in decode_labeled_vpn_l2(), but don't format them unless there's
buffer space left. If snprintf() returns a negative value, assume we've
filled up the buffer - I think some platforms used to work that way. If
it returns a value greater than the amount of space left, also assume
we've filled up the buffer.
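
The buffer handling described in this commit message, as an added example that is not the code of decode_labeled_vpn_l2() or of this commit: every TLV is still walked, but formatting stops once snprintf() reports an error or output that does not fit. The TLV layout (1-byte type, 1-byte value length), the function name and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: three TLVs as 1-byte type, 1-byte value length, value. */
static const uint8_t sample[] = { 1, 2, 0xaa, 0xbb,  2, 0,  3, 1, 0xcc };

/* Walk every TLV in p[0..plen) and append a summary of each to buf.
 * Returns the number of TLVs walked; *full is set once output stops fitting. */
static int format_tlvs(const uint8_t *p, size_t plen,
                       char *buf, size_t buflen, int *full)
{
    size_t used = 0;
    int ntlv = 0;

    *full = (buflen == 0);
    if (buflen > 0)
        buf[0] = '\0';
    while (plen >= 2 && (size_t)p[1] <= plen - 2) {
        if (!*full) {
            size_t space = buflen - used;
            int n = snprintf(buf + used, space, "%sTLV %u, length %u",
                             ntlv ? ", " : "", (unsigned)p[0], (unsigned)p[1]);
            /* n == space also means truncation: no room for the NUL. */
            if (n < 0 || (size_t)n >= space) {
                buf[used] = '\0';   /* drop the partial item */
                *full = 1;          /* stop formatting, keep parsing */
            } else {
                used += (size_t)n;
            }
        }
        plen -= 2 + (size_t)p[1];   /* parsing continues even when buf is full */
        p += 2 + p[1];
        ntlv++;
    }
    return ntlv;
}

int main(void)
{
    char small[20];
    int full;
    int n = format_tlvs(sample, sizeof sample, small, sizeof small, &full);
    printf("%d TLVs, full=%d, text=\"%s\" (%zu chars)\n",
           n, full, small, strlen(small));
    return 0;
}
```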
guy [Fri, 15 Jun 2007 20:10:17 +0000 (20:10 +0000)]
Many UN*Xes come with libpcap, so you might not have to install
tcpdump.org's libpcap in order to build tcpdump.org's tcpdump (the
configure script doesn't assume the latest version of libpcap, so it
should be possible to build tcpdump with older versions of libpcap).
By default, tcpdump is installed with universal execute permissions, and
no special privileges; that way, anybody can use it to read a capture.
Remove the comments about capture permissions, as it applies only to
systems using BPF. The tcpdump man page gives the gory details of
capture permissions; refer users there.
Remove the comment about libpcap; it's in the libpcap INSTALL.txt, where
it belongs.
revision 1.7
date: 2006/03/25 11:43:53; author: rpaulo; state: Exp; lines: +23 -3
PR 13604: detect and print correct information for 4.4BSD/NetBSD NFS
filehandles.
The heuristic may or may not be wrong, but no one replied in the
tcpdump-workers mailing list.
Extraction of the fsid information contributed by Chuck Silvers.
Discussed with Chuck Silvers.
----------------------------
revision 1.6
date: 2006/03/22 04:30:28; author: christos; state: Exp; lines: +4 -2
Coverity CID 563: Kill SUNOS3 case; it is dead code.
----------------------------
guy [Sun, 14 Jan 2007 21:29:53 +0000 (21:29 +0000)]
From Kevin Steves:
0) use TTEST/TCHECK macros vs. snapend comparisons
1) when -vvv display PAD and END options
(multiple PAD options are summarized)
2) change a trunc string from bootp to rfc1048 because I think that is
what is intended (matches trunc label)
hannes [Tue, 12 Dec 2006 14:33:20 +0000 (14:33 +0000)]
apply some heuristics to detect MPLS ICMP extension headers because
not all implementations correctly set the length field in the
ICMP header as per draft-bonica-internet-icmp-08.
if the length field is not set then simply check the checksum.
hannes [Tue, 12 Dec 2006 10:51:35 +0000 (10:51 +0000)]
rework on the ICMP MPLS extension code:
- preserve the snapend pointer as it may get overwritten by calling the IP printer
- protect against infinite loops inside the MPLS extension printer.
- detect presence of an MPLS extension header by introducing a length field to the ICMP header
as per draft-bonica-internet-icmp-08.
guy [Sun, 12 Nov 2006 22:23:17 +0000 (22:23 +0000)]
For OPT resource records, the class field is used as a length, so, if one
happens to be in an mDNS packet, we don't split it into a class and a
"cache flush" flag.
guy [Fri, 10 Nov 2006 03:15:35 +0000 (03:15 +0000)]
The topmost bit in the class field isn't a "cache flush" flag in mDNS
queries. Display that bit correctly (as per Marc Krochmal's request).
In mDNS, the topmost bit of the class field should be handled the same
way regardless of the value of the lower 15 bits, and *vice versa* -
they're independent fields.
guy [Wed, 25 Oct 2006 22:04:36 +0000 (22:04 +0000)]
From Shinsuke Suzuki:
Some of the options in print-dhcp6.c are declared as
"unassigned ones", but this is no longer true due to
IETF standardization activities.
Here's the patch to catch up with the latest IANA
assignment, including a removal of the old
Prefix-Delegation option used in the NTT-communications.
(AFAIK they no longer use this old option).
guy [Fri, 12 May 2006 01:46:17 +0000 (01:46 +0000)]
From Don Ebright: some compilers, such as the AIX compiler, reject a
comma at the end of the last member of an enum (the C language spec
doesn't say it's valid to have one there).
guy [Fri, 7 Apr 2006 08:40:20 +0000 (08:40 +0000)]
Extract "firstPacket" into a variable with EXTRACT_32BITS(), and use
that whenever we print its value, so that we always get it in the right
byte order.
hannes [Mon, 13 Feb 2006 19:02:05 +0000 (19:02 +0000)]
clean up the bootp printer:
-print option/tag numbers and len
-change the tokenstring such that the most common options are human-readable
-add support for option 82 (Agent-ID) suboptions
-make more use of tok2str() rather than private lookalikes