Guy Harris [Sun, 14 May 2017 10:02:29 +0000 (03:02 -0700)]
Don't check for libcrypto if we don't have openssl/crypto.h.
Thanks, Apple, for making us do this (and for making tcpdump unable to
do some decryption without either installing OpenSSL or working on
trying to do the decryption with Apple's frameworks).
Francois-Xavier Le Bail [Sat, 17 Oct 2015 20:25:23 +0000 (22:25 +0200)]
ISOCLNS: Fix two segmentation faults
Moreover:
Add/fix a lot of bounds and length checks.
Add and use tstr[] string.
Fix some typos.
Update the output of a test according to these changes.
The warnings were:
./print-isoclns.c: In function 'osi_print_cksum':
./print-isoclns.c:3107:23: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
|| length > ndo->ndo_snaplen
^
./print-isoclns.c:3108:32: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
|| checksum_offset > ndo->ndo_snaplen
^
Adjust the TLV infinite loop check to require the right amount of bytes
for T and L; do it after printing the TLV header so it is easier to
understand what was wrong. Check if the TLV V is within the capture. Use
the new "invalid" exit label to indicate a packet anomaly and add more
checks for the length value into the type-specific case blocks. Print
the domain string with fn_printzp().
Add IS_NOT_NEGATIVE macro.
Avoid these warnings:
- comparison of unsigned expression >= 0 is always true [-Wtype-limits],
- comparison is always true due to limited range of data type [-Wtype-limits].
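The TLV checks described in the message above (enough bytes for T and L, a length that cannot stall the loop, V inside the captured bytes), as an added example that is not code from tcpdump. The 2-byte type and 2-byte length-including-header layout, and the names walk_tlvs and TLV_HDR_LEN, are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_HDR_LEN 4u /* assumed layout: 2-byte type + 2-byte length, big-endian */

/* Read a big-endian 16-bit value byte by byte (no alignment assumptions). */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk TLVs in buf[0..caplen). The length field is assumed to cover header
 * plus value. Returns the number of well-formed TLVs, or -1 on the first
 * anomaly (the role the "invalid" exit label plays in the message above). */
int walk_tlvs(const uint8_t *buf, size_t caplen)
{
    size_t off = 0;
    int count = 0;

    while (off < caplen) {
        /* T and L must both be inside the capture before they are read. */
        if (caplen - off < TLV_HDR_LEN)
            return -1;
        uint16_t type = be16(buf + off);
        uint16_t len = be16(buf + off + 2);
        /* Print the header first, so a rejected TLV is still visible. */
        printf("TLV type 0x%04x, length %u\n", (unsigned)type, (unsigned)len);
        /* A length shorter than the header would never advance 'off'. */
        if (len < TLV_HDR_LEN)
            return -1;
        /* V must lie within the captured bytes. */
        if (len > caplen - off)
            return -1;
        off += len;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not taken from a real capture). */
static const uint8_t good_tlvs[] = { 0x00,0x01,0x00,0x06,0xaa,0xbb, 0x00,0x02,0x00,0x04 };
static const uint8_t zero_len[]  = { 0x00,0x01,0x00,0x00,0xaa,0xbb };
static const uint8_t truncated[] = { 0x00,0x01,0x00,0x08,0xaa,0xbb };
static const uint8_t short_hdr[] = { 0x00,0x01,0x00,0x04, 0x00,0x02 };

int main(void)
{
    printf("good=%d zero_len=%d truncated=%d short_hdr=%d\n",
           walk_tlvs(good_tlvs, sizeof good_tlvs), walk_tlvs(zero_len, sizeof zero_len),
           walk_tlvs(truncated, sizeof truncated), walk_tlvs(short_hdr, sizeof short_hdr));
    return 0;
}
```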
Guy Harris [Wed, 29 Jul 2015 16:17:30 +0000 (09:17 -0700)]
Give more details about packet time stamps.
Don't speak of "Ethernet" and "wire", as you might not be sniffing an
Ethernet or, indeed, any form of wired network.
Note that not only could there be a delay between the point at which the
interface is finished receiving the packet and when an interrupt is
delivered (whether due to bus delays, polling rather than immediate
interrupts being used, or delays in the CPU responding to the interrupt,
or more than one of those) but also a delay between the point at which
the kernel responds to the interrupt and the point at which it actually
applies a time stamp to the packet.
Francois-Xavier Le Bail [Tue, 30 Jun 2015 18:44:14 +0000 (20:44 +0200)]
Fix non-reentrant code in a function
Delete the 'static char buf' array in ts_format().
buf is now a parameter of ts_format().
Moreover:
Decrease a too long string.
Fix a space in a comment.
Guy Harris [Mon, 27 Apr 2015 00:09:16 +0000 (17:09 -0700)]
Fix heuristic not to be byte-order-dependent.
I'm *guessing* that the item being fetched is big-endian; the "vt"
protocol might be old enough that they developed it on (non-Sun386i) Sun
workstations, assuming they didn't just say "this is an Internet
protocol, hence fields are big-endian".
That also prevents problems on platforms that don't support unaligned
accesses.
Guy Harris [Mon, 27 Apr 2015 00:03:32 +0000 (17:03 -0700)]
Fetch a 32-bit big-endian quantity with EXTRACT_32BITS().
*Don't* fetch it with a pointer cast and dereference! That will fail on
little-endian machines and may fail on machines that don't handle
unaligned references.
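The difference between a byte-wise big-endian fetch and a host-order read, which the two messages above (the byte-order-independent heuristic and the EXTRACT_32BITS() change) turn on, as an added example that is not code from tcpdump. fetch_be32, fetch_host32 and the sample bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the kind of fetch EXTRACT_32BITS() is used for:
 * a big-endian 32-bit value built from single-byte loads, so the result is
 * the same on any host byte order and at any alignment. */
uint32_t fetch_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The value a pointer cast and dereference would yield, in host byte order.
 * memcpy is used instead of the cast so this demonstration itself performs
 * no unaligned access. */
uint32_t fetch_host32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Returns 1 on a little-endian host, 0 on a big-endian one. */
int host_is_little_endian(void)
{
    const uint16_t probe = 1;
    return *(const uint8_t *)&probe == 1;
}

/* Constructed packet bytes: one pad byte puts the field at an odd offset. */
static const uint8_t sample_pkt[] = { 0xff, 0x00, 0x00, 0x01, 0x02 };

int main(void)
{
    const uint8_t *field = sample_pkt + 1;

    printf("byte-wise big-endian: 0x%08x\n", (unsigned)fetch_be32(field));
    printf("host-order read:      0x%08x (%s-endian host)\n",
           (unsigned)fetch_host32(field),
           host_is_little_endian() ? "little" : "big");
    return 0;
}
```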
Guy Harris [Sat, 2 May 2015 17:15:42 +0000 (10:15 -0700)]
Fix checksumming of PIMv2 Register messages.
The checksum only covers the header, not the encapsulated packet, so
only checksum that. However, if that checksum fails, try checksumming
the entire packet, as, according to RFC 4601, packets with the entire
packet checksummed should also be accepted, for interoperability.
Guy Harris [Sun, 19 Apr 2015 02:58:16 +0000 (19:58 -0700)]
Use unsigned values in tok2str and bittok2str routines.
This prevents the compiler issue mentioned in GitHub issue #451, and
also cleans up some other signed vs. unsigned stuff.
While we're at it, clean up bittok2str_internal() (just pass it the
separator string, not a Boolean value that's tested to choose the
separator string), and print unknown arguments to the bittok2str
routines in hex, not decimal.
Guy Harris [Mon, 9 Mar 2015 22:34:03 +0000 (15:34 -0700)]
Clean up Capsicum rights setting a bit.
Rename set_dump_fd_capsicum_rights() to set_dumper_capsicum_rights() and
have it take a pcap_dumper_t * as an argument and extract the file
descriptor itself, rather than having the caller do so.
Guy Harris [Sun, 8 Mar 2015 22:55:47 +0000 (15:55 -0700)]
Add a #define for the short options and put it above the long options.
That puts all the option lists together; hopefully this encourages
developers who want to add a new flag to read the big "don't use these
options, other tcpdumps use them for their own purposes" command and
thus *dis*courages them from using one of those options.
Guy Harris [Thu, 5 Mar 2015 23:32:01 +0000 (15:32 -0800)]
Do the dump file Capsicum stuff in a common routine.
We were doing the same stuff in two places and *almost* the same stuff
in a third place, which should have been doing the same stuff. Put that
stuff into a common routine and just use that.
(What a mess. If you pour a bottle of Capsicum on your OS, it seeps all
throughout the system; might as well admit it and, at least, extend the
standard I/O library to handle it a bit better.)
Francois-Xavier Le Bail [Sat, 21 Feb 2015 13:25:35 +0000 (14:25 +0100)]
gitattributes: Update the attributes for tests/*.out
The actual status for good conditions of tests in Windows are:
Sources from   autocrlf   *.out ending   sed stuff
git            true       CRLF           no
git            input      LF             yes
git            false      LF             yes
archive        N/A        LF             yes
We need to have the sed stuff for source archives.
Thus we need the endings of tests/*.out files to always be LF only.
We don't want to depend on user config.
Thus this change.
Advantage: This config is under version control, it applies to all users.
Denis Ovsienko [Sun, 1 Feb 2015 21:34:38 +0000 (21:34 +0000)]
OpenFlow 1.0: improve BSN extensions support
Improve decoding of BSN vendor commands: update printing of commands
that set/get mirror port reporting flag, add decoding of shell exec
commands. Introduce decoding of vendor-specific actions with BSN as the
first such vendor and "mirror" as the first such BSN action.
Add a new test case based on a packet capture produced using Trema
controller and an Arista 7050SX-64 switch in Arista Networks' test lab.
Besides the structures above the capture contains the following items:
* OFPT_QUEUE_GET_CONFIG_REPLY with 0 queues (a valid edge case)
* OFPT_FEATURES_REPLY with ports 21 and 23 having bogus "config" field
(a violation of the protocol, which required temporary patching of the
controller to avoid the session shutdown)
* a set of IP mask manipulation BSN-specific commands
Tommy Beadle [Wed, 18 Feb 2015 16:38:56 +0000 (11:38 -0500)]
Fix issues with the setting of libcap-ng capabilities.
- Only set the SETUID/SETGID capabilities if required (i.e. we'll be changing
the effective UID).
- Only set the CAP_DAC_OVERRIDE capability if writing out to a file (i.e. the -w
flag was provided).
- Fix the calls to capng_clear to pass CAPNG_SELECT_BOTH so that the traditional
and bounding capabilities are set.
- Only remove CAP_DAC_OVERRIDE from the permitted set after opening the write
file if neither -G nor -C flag was provided. We always drop it from the
effective set immediately after opening the write file. During file rotation,
we reacquire it immediately before and drop it immediately after opening the
file.
Guy Harris [Tue, 10 Feb 2015 22:55:43 +0000 (14:55 -0800)]
Use immediate mode if available.
If libpcap has pcap_set_immediate_mode(), then default to immediate mode
if we're printing packets to a terminal, and use immediate mode if
--immediate-mode is specified.
Guy Harris [Tue, 10 Feb 2015 21:52:51 +0000 (13:52 -0800)]
Move pcap function checks to configure.in.
It was doing some of the function checks; move the remaining ones out of
AC_LBL_LIBPCAP(), which is now solely responsible for finding libpcap,
making sure it'll work, and setting compiler and linker flags
appropriately. Checks for functions that were introduced in later
versions of libpcap, which we use if available, are all done in
configure.in.
mkirkhart [Wed, 4 Feb 2015 23:55:58 +0000 (18:55 -0500)]
Fixed bug in arp_print() in handling of inverse arp responses - the target's hardware and protocol address were being printed instead of the sender's hardware and protocol address
Guy Harris [Tue, 27 Jan 2015 19:38:31 +0000 (11:38 -0800)]
Merge pull request #422 from tbeadle/capng_changes
Make sure to init capng before dropping root.
capng_clear needs to be called before capng_change_id can be called within
droproot. Otherwise, an (unusable) error message is output: "error : ret -1" and it fails to drop root privileges.
This also fixes the dropping of the CAP_SETGID capability. Previously,
CAP_SETUID was being dropped twice.
Tommy Beadle [Tue, 27 Jan 2015 18:32:14 +0000 (13:32 -0500)]
Make sure to init capng before dropping root.
capng_clear needs to be called before capng_change_id can be called within
droproot. Otherwise, an (unusable) error message is output: "error : ret -1".
This also fixes the dropping of the CAP_SETGID capability. Previously,
CAP_SETUID was being dropped twice.
Guy Harris [Thu, 8 Jan 2015 21:22:13 +0000 (13:22 -0800)]
No OPER-TLV are "empty TLVs".
As section 7 of RFC 5810 says, an OPER-TLV is 1*PATH-DATA-TLV, so it
always has at least one PATH-DATA-TLV. Remove the ZERO_TTLV check - the
old one was bogus ((!ops->flags & ZERO_TTLV) means ((!ops->flags) &
ZERO_TTLV), and if ops->flags is non-zero, !ops->flags is zero, and the
test fails), and the new one causes tests to fail, revealing that the
whole "empty TLVs like COMMIT and TRCOMMIT are empty, we stop here"
thing is wrong, so we remove it.