Baruch Siach [Wed, 29 Oct 2014 11:21:05 +0000 (13:21 +0200)]
Use system libpcap when configured with --with-system-pcap
Don't force the local libpcap build when the system provides one. When
--with-system-pcap is given to configure, don't try to locate a local libpcap
build. This helps build systems like Buildroot that store build trees in the
same directory, but still prefer dynamically linking against system wide
libpcap.so to save space.
Guy Harris [Mon, 20 Oct 2014 21:44:47 +0000 (14:44 -0700)]
Fix length fields in UDP headers to be what they should be.
The value of the length field in a UDP header includes the length of the
header itself; the values in this capture didn't. The length fields in
the IP headers and the RADIUS headers were correct and consistent with
each other, and the length fields in the UDP headers are now correct and
consistent with both of them.
Pass a pointer to the struct pkt_top to wb_dops, and calculate the
address of the first struct dophdr there. Check each struct dophdr
before printing it. Hopefully this will quiet a Coverity complaint.
Guy Harris [Sun, 19 Oct 2014 20:42:00 +0000 (13:42 -0700)]
Use the length field in the UDP header.
If it's less than the length of the IP payload, use it as the size of
the UDP packet. If it's greater than the length of the IP payload,
and we're not dissecting the payload, report the length as bad.
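The length reconciliation this message describes, as an added example written for this page rather than code from tcpdump: the 8-byte UDP header carries a length field that must cover the header itself (the earlier message about the test capture makes the same point), and it is only trusted when it fits inside what the IP layer actually delivered. The helper name, the enum and the sample datagram are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define UDP_HDRLEN 8

/* Result of reconciling the UDP length field with the IP payload length. */
enum udp_len_status {
    UDP_LEN_OK,        /* field fits inside the IP payload: dissect that many bytes */
    UDP_LEN_TOO_SHORT, /* field (or the payload itself) is smaller than the header */
    UDP_LEN_TOO_LONG   /* field claims more bytes than the IP payload delivers */
};

/* Hypothetical helper (not tcpdump's): 'udp' points at the UDP header and
 * 'ip_payload_len' is what the IP layer says is present. On return,
 * *dissect_len is the number of bytes the UDP printer should treat as the
 * datagram. */
enum udp_len_status
udp_effective_length(const uint8_t *udp, size_t ip_payload_len, size_t *dissect_len)
{
    uint16_t ulen;

    *dissect_len = ip_payload_len;              /* fallback: what IP delivered */
    if (ip_payload_len < UDP_HDRLEN)
        return UDP_LEN_TOO_SHORT;               /* cannot even read the field */

    ulen = (uint16_t)((udp[4] << 8) | udp[5]);  /* length field, network byte order */
    if (ulen < UDP_HDRLEN)
        return UDP_LEN_TOO_SHORT;               /* must at least cover its own header */
    if (ulen > ip_payload_len)
        return UDP_LEN_TOO_LONG;                /* a printer that skips the payload reports this as bad */

    *dissect_len = ulen;                        /* bytes past ulen are padding, not UDP */
    return UDP_LEN_OK;
}

/* Constructed sample: header (src 1812, dst 1645, length 12, checksum 0),
 * 4 payload bytes, then 4 bytes of trailing padding the IP layer delivered. */
static const uint8_t sample_udp[16] = {
    0x07, 0x14, 0x06, 0x6d, 0x00, 0x0c, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    size_t n;
    enum udp_len_status st = udp_effective_length(sample_udp, sizeof sample_udp, &n);
    printf("status %d: dissect %zu of %zu delivered bytes\n", (int)st, n, sizeof sample_udp);
    return 0;
}
```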
Guy Harris [Sun, 19 Oct 2014 18:21:44 +0000 (11:21 -0700)]
Add a routine to print "text protocols", and add FTP/HTTP/SMTP/RTSP support.
"Text protocols" are protocols that have the general feel of FTP, with
command lines with a command name and space-separated arguments and
response lines beginning with a 3-digit reply code. They can also
include HTTP-style headers and an entity body.
We add support for the FTP control channel, HTTP, SMTP, and RTSP. We
also change the SIP printer to use it.
Guy Harris [Wed, 1 Oct 2014 22:32:11 +0000 (15:32 -0700)]
Leave it up to ip6_print() to handle non-IPv6-capable systems.
Always define and declare ip6_print(), always compile print-ip6.c, and
always call it if we recognize a payload as IPv6. If INET6 isn't
defined, ip6_print() will just print the length and note that printing
isn't supported.
That way, we don't do weird dissection of IPv6 packets on systems
without IPv6 support, due to, for example, ethertype_print() returning 0
("not dissected") for IPv6 packets on those systems (IPv6-over-Frame
Relay was dissected weirdly due to this).
Guy Harris [Wed, 1 Oct 2014 20:12:13 +0000 (13:12 -0700)]
Add some more parentheses, Just In Case.
I'm not sure whether
Performing a byte swapping operation on "p" implies that it came
from an external source, and is therefore tainted.
from Coverity means that it thinks we're byte-swapping the pointer
*itself*, or that we're byte-swapping what it points to, but, just in
case it's the former, let's try throwing some more parentheses in.
(If it's the latter, well, yes, it's packet data, so it comes from an
external source, but Coverity didn't seem to point out any place where
we were using the data it points to without checking its value in cases
where we have to.)
Guy Harris [Wed, 3 Sep 2014 21:03:53 +0000 (14:03 -0700)]
Clarify what abort_on_misalignment() does.
It doesn't request byte misalignment repair, it requests that byte
misalignment kill the program with SIGBUS; on platforms that don't
support aligned loads, we should be fetching possibly-misaligned data
using some safe instruction sequence, not by doing misaligned loads and
relying on them to trap to the kernel and be (slowly) emulated.
Print square brackets around the tag value in RADIUS strings
Before, VLAN attributes that had a tag 1 looked like this:
Tunnel Medium Attribute (65), length: 6, Value: Tag[1]802
Tunnel Private Group Attribute (81), length: 4, Value: Tag 14
With the Tunnel-Medium-Type attribute (65), it is clear where the tag ends and the value begins. With this patch, the value for a string type (like Tunnel-Private-Group-Id) looks similar:
Tunnel Private Group Attribute (81), length: 4, Value: Tag[1]4
Guy Harris [Sun, 31 Aug 2014 18:57:04 +0000 (11:57 -0700)]
Clean up configure check for libsmi.
First, check for smi.h. If we don't have it, don't check for anything
else.
If we do have it, check for libsmi containing smiInit. If we don't have
it, don't check for anything else.
If we do have it, check, with our test program, whether we can use it.
If that succeeds, prepend -lsmi to LIBS, and set USE_LIBSMI. Otherwise,
don't do either of those.
Check, in source, *only* for USE_LIBSMI. If it's set, use libsmi,
otherwise don't - don't even include smi.h, even if we happened to have
found it, and don't print the libsmi version string.
Guy Harris [Fri, 15 Aug 2014 01:19:00 +0000 (18:19 -0700)]
Qualify "length" when printing it.
In the "the TLV length is too short" message, we're printing the length
of the entire TLV; report it as "TLV length". If we pass that test,
we've subtracted out the lengths of the T and the L, leaving only the
length of the V, so report it as "value length".
Guy Harris [Fri, 15 Aug 2014 00:14:32 +0000 (17:14 -0700)]
Check for TLV length too small.
The TLV length includes the T and the L, so it must be at least 4.
This means we don't need the "avoid infinite loop" check later; that
check was wrong, as per GitHub issues #401 and #402; this fixes #402,
which has a different patch for that bug.
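A TLV walker with the minimum-length check this message describes, added here as an example and not taken from tcpdump: with a 2-byte type and a 2-byte length that counts itself, any length below 4 is malformed, and a length of 0 in particular would leave the offset unchanged so the loop would never terminate. The function name, the callback shape and the sample buffers are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TLV_HDRLEN 4   /* 2-byte T + 2-byte L; L covers T, L and V together */

typedef int (*tlv_cb)(uint16_t type, const uint8_t *value, size_t vlen, void *ctx);

/* Hypothetical walker: visits each TLV in buf[0..len) and returns how many it
 * saw, or -1 on the first malformed one. 'cb' may be NULL (validate only). */
int tlv_walk(const uint8_t *buf, size_t len, tlv_cb cb, void *ctx)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        uint16_t t, l;

        if (len - off < TLV_HDRLEN)
            return -1;                  /* truncated header */
        t = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        l = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        /* L includes T and L, so it must be at least 4. This single check also
         * rules out the zero-length TLV that would otherwise never advance 'off'. */
        if (l < TLV_HDRLEN)
            return -1;
        if (l > len - off)
            return -1;                  /* value runs past the buffer */
        if (cb != NULL && cb(t, buf + off + TLV_HDRLEN, l - TLV_HDRLEN, ctx) != 0)
            return -1;
        off += l;                       /* always >= 4, so the loop makes progress */
        count++;
    }
    return count;
}

/* Constructed sample: type 1 with a 2-byte value, then type 2 with no value. */
static const uint8_t good_tlvs[] = { 0x00,0x01, 0x00,0x06, 0xaa,0xbb,
                                     0x00,0x02, 0x00,0x04 };
/* Constructed sample: a TLV whose length field is 0 (the infinite-loop case). */
static const uint8_t zero_len_tlv[] = { 0x00,0x01, 0x00,0x00, 0xaa,0xbb };

static int print_tlv(uint16_t type, const uint8_t *value, size_t vlen, void *ctx)
{
    (void)value; (void)ctx;
    printf("TLV type %u, value length %zu\n", type, vlen);
    return 0;
}

int main(void)
{
    printf("good: %d TLVs\n", tlv_walk(good_tlvs, sizeof good_tlvs, print_tlv, NULL));
    printf("zero-length: %d\n", tlv_walk(zero_len_tlv, sizeof zero_len_tlv, NULL, NULL));
    return 0;
}
```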
Guy Harris [Tue, 8 Jul 2014 10:23:09 +0000 (03:23 -0700)]
Squelch a Coverity warning.
If you pass in a value of oidlen and oidsize such that we can't store
*anything* into OID, this would be a problem; that *shouldn't* ever
happen, but this makes the code a bit more obviously correct.
Guy Harris [Mon, 7 Jul 2014 20:44:12 +0000 (13:44 -0700)]
Shorten a status text description.
Instead of just copying-and-pasting from 802.11, edit the description a
bit; this squelches a Coverity warning (it thought we might have
forgotten a comma in the list), and also means we don't quite print out
as much.
(If Table 8-37 "Status codes" in 802.11-2012 had names for *all* the
status codes, we could use the names instead of the explanatory text,
but, for some unknown reason, it doesn't.)
Guy Harris [Wed, 25 Jun 2014 20:18:18 +0000 (13:18 -0700)]
Don't treat 65535 as the maximum snapshot length.
Make it 131072, instead; the MTU on the Linux loopback interface, in at
least some versions of the kernel, is 65536, and that doesn't count the
fake Ethernet header, so we need a value bigger than 65536. We don't
want a value that's *too* large, so that it causes attempts to allocate
huge amounts of memory, however.
This (plus the corresponding change to libpcap) should fix GitHub issue
Guy Harris [Wed, 25 Jun 2014 19:06:35 +0000 (12:06 -0700)]
Allow builds if libpcap doesn't have pcap_set_tstamp_precision().
Check for pcap_set_tstamp_precision() in the configure script and, if
it's not there, don't include the code that allows time stamp precisions
to be set.
Wesley Shields [Fri, 16 May 2014 14:32:55 +0000 (10:32 -0400)]
Make droproot say something when successful.
I've seen people run into situations where they were using a command like this:
tcpdump -i eth0 -G 500 -w /root/%H%M%S.pcap
The first file would be created successfully but the second file would not
because their version of tcpdump was dropping privs. It was unclear to them
that this was going on and was causing confusion.
At least with this message in there it should become more evident that
privs are being altered and aid in debugging these kinds of problems.
Denis Ovsienko [Thu, 5 Jun 2014 20:56:05 +0000 (00:56 +0400)]
fix bittok2str_internal() w/o separator (GH #391)
Simplify separator string handling in bittok2str_internal(): use empty
value for the first snprintf() call and set new value after each use.
This makes the terminating null char management unnecessary, especially
since it missed the case where there was no separator and no match (it
would return the previous content of the static buffer unchanged).
This change may affect the output of tcpdump in that before it could
print either "[]" or "[none]" or a string like "[S.]" for TCP flags
value 0. Now it prints "[none]" as that is exactly the value passed to
bittok2str_nosep() in tcp_print().
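The separator scheme described in this message, as an added example rather than tcpdump's own bittok2str_internal(): the first matching token is written with an empty separator and the real one is used for every later token, and when nothing matches the "none" text is written explicitly so the caller never sees stale buffer content. The function name, the caller-supplied buffer and the TCP flag token table are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

struct tok { unsigned v; const char *s; };

/* Constructed token table in tcpdump's flag-letter style: S = SYN, . = ACK,
 * F = FIN, P = PSH. Terminated by a NULL string. */
static const struct tok tcp_flag_tok[] = {
    { 0x02, "S" }, { 0x10, "." }, { 0x01, "F" }, { 0x08, "P" }, { 0, NULL }
};

/* Hypothetical helper: writes the matching token names, joined by 'sep', into
 * the caller's buffer. Writes 'none_str' if no bit matched. Returns buf. */
const char *bittok2str_buf(const struct tok *lp, const char *none_str,
                           unsigned v, const char *sep, char *buf, size_t bufsize)
{
    size_t off = 0;
    const char *cur_sep = "";       /* nothing precedes the first token */

    buf[0] = '\0';
    for (; lp->s != NULL; lp++) {
        int n;
        if ((v & lp->v) == 0)
            continue;
        n = snprintf(buf + off, bufsize - off, "%s%s", cur_sep, lp->s);
        if (n < 0 || (size_t)n >= bufsize - off)
            break;                  /* buffer full: keep what fits */
        off += (size_t)n;
        cur_sep = sep;              /* real separator from the second token on */
    }
    if (off == 0)                   /* no match: never hand back stale content */
        snprintf(buf, bufsize, "%s", none_str);
    return buf;
}

int main(void)
{
    char buf[32];
    printf("[%s]\n", bittok2str_buf(tcp_flag_tok, "none", 0x12, "", buf, sizeof buf));
    printf("[%s]\n", bittok2str_buf(tcp_flag_tok, "none", 0x12, ",", buf, sizeof buf));
    printf("[%s]\n", bittok2str_buf(tcp_flag_tok, "none", 0x00, "", buf, sizeof buf));
    return 0;
}
```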
Michal Sekletar [Wed, 19 Mar 2014 13:14:25 +0000 (14:14 +0100)]
Introduce --time-stamp-precision
A while ago we introduced a new API in libpcap which made it possible to
request time stamps with higher precision (nanoseconds). This commit
aims to move things forward and implement the missing bits. It introduces
a new long option, --time-stamp-precision. Note that there is no equivalent
short option.
When used for a live capture, tcpdump will ask the kernel for time stamps
with the desired precision and will print the fractional part of the time
stamp using the corresponding format. We currently support only microsecond and
nanosecond precision. In the future we might support even more granular
time stamp precision, but we should be fine supporting only
microseconds and nanoseconds for now. libpcap doesn't provide anything
else at the moment anyway.
When used in combination with the -r/-w options, we obtain time stamps
appropriately scaled up or down from libpcap. Also note that a distinct
magic number is used for savefiles containing nanosecond time stamps.