Re: [tcpdump-workers] question on DLT_ types

2004-04-01 Thread Hannes Gredler 
On Thu, Mar 25, 2004 at 02:00:44PM -0600, alex medvedev wrote:
| hi,
| 
| how do the DLT_ types get assigned?

post your request to the list ...
first come first serve 
once its in the code it is assigned

| is there some "central authority" that does it?

no

| or are they arbitrarily assigned and therefore different between
| platforms (e.g. AIX with its IFT_ types).

new DLT_s should be consistent across platform; some
legacy DLTs are afaik in the wild as everybody allocated
wildly DLTs and did not report back their usage

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Patch for libpcap pcap_stats_linux

2004-04-02 Thread Hannes Gredler 
On Wed, Mar 31, 2004 at 10:16:55AM +0200, Alberto Ornaghi wrote:
| Hannes Gredler wrote:
| >On Fri, Jan 02, 2004 at 09:33:31AM +1100, Erik de Castro Lopo wrote:
| >
| >| The patch below, adds a static variable to pcap_stats_linux() which 
| >| holds a running total of the packet statistics so that the behaviour
| >| of pcap_stats() on Linux matches the behaviour of FreeBSD.
| >
| >checked in;
| 
| why this patch was not included in the 0.8.3 release ?
| it is in the cvs, modified by guy to handle more than one pcap_t in use, 
| but is missing in the release tarball...

afaik we only committed that to HEAD and not to the 3_8 branch;
so it will certainly be in 3_9 or whatever is next;

reason for that is that i was not 100% sure if this is a bugfix
or a new "feature" (albeit a small one) and i took the conservative
approach ... 

if you want it in 3_8_3 pls incorporate guys' suggestions
and re-submit it;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] proposed new pcap format

2004-04-02 Thread Hannes Gredler 
On Thu, Mar 25, 2004 at 09:25:43AM -0800, Richard Sharpe wrote:
| On Fri, 26 Mar 2004, Darren Reed wrote:
| 
| > >   okay, divide the 32-bit space into two 16-bit spaces.
| > >   vendor 0 will be reserved.
| > >   tcpdump.org will be vendor 1.
| > > 
| > >   vendor 0x will be reserved (for the NSA).
| > 
| > Why not make both 32bit ?
| > 
| > I say that because design requirements are different, today, than they
| > were 15 years ago.
| 
| I tend to agree with that. 16 bits seems awefully small for a vendor id 
| these days.

i concur - also we have a printer in oui.c that takes 32-bit
integers as input 

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Proposed new pcap format

2004-04-14 Thread Hannes Gredler 
On Wed, Apr 14, 2004 at 03:06:09AM -0400, Jefferson Ogata wrote:
[ ... ]
| I think we should take a hard look at 
| whether it's really appropriate to define yet another hard binary file 

| format when XML can provide the same functionality with modest storage 
| overhead, and has many added benefits.

jefferson,

we are trying to converge on a sucessor to the current pcap format
which is (practiacally) not extensible at all, mostly due to
absenence of TLV encoding;

so lets not make the mistake and compare apples (a non-extensible binary
file format) with oranges (a extensible ascii/mime/xml) one and
be reasonable ...

proper TLV encoding and decent sizes of the types and values [16/32 bits]
are key to extensible long lasting protocols/formats that meet efficiency,
storage and bandwidth goals;

i really only can speak for routing protocols [which my main expertise]
and all the sucessful routing protocols [BGP,IS-IS,LDP,RSVP] are binary encoded
albeit with a proper, extensible TLV and subTLV [nesting] orientation;
actually distributed systems do live much longer than even simple
file formats ... so one might ask if it does work for distributed systems
why does it not work for storage ? 

i certainly do think that and XML _output_ of the binary file [not storage]
does makes sense however IMHO that does not mandate to store the data
and requiring conversion to a XML tag like structure which may impose
performance constraints especially when you are thinking about capturing
speeds of oc192c and above;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Proposed new pcap format

2004-04-14 Thread Hannes Gredler 
On Wed, Apr 14, 2004 at 08:25:25AM +0200, Fulvio Risso wrote:

| I agree with Loris.
| I know that this flag would be extremely useful, but there are no guarantees
| that you're able to get this info from the NIC / NIC driver.
| Perhaps, what we should to is to use 2 bits for each flag, where the first
| one means "flag is valid", and the second one it is the flag value.
| E.g.:
| 
|   1 00  0 . . . . . .
|  ^^^   ^^^  ^^^^^^
|  "incoming" flag   packet is"outcoming" flag   No meaning
|  is valid  not "incoming"   is NOT valid



why not assigining simple codepoints for the direction information;

i.e.

0 ... invalid/undefined/unsupported etc.
1 ... incoming
2 ... outgoing

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] IGRP

2004-04-28 Thread Hannes Gredler 
On Wed, Apr 28, 2004 at 10:03:56PM -0400, Michael Richardson wrote:
| -BEGIN PGP SIGNED MESSAGE-
| 
| 
| Hannes,
|   ipproto.c has IPPROTO_IGRP, but ipproto.h doens't define it.
| 
| Is this supposed to be protocol=9 ("IGP"), which you have as
| IPPROTO_PIGP, or???

yes, cisco is using proto #9 for IGRP and #88 for EIGRP;
apologies for breaking the build;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] IGRP

2004-04-29 Thread Hannes Gredler 
On Wed, Apr 28, 2004 at 07:23:31PM -0700, Guy Harris wrote:
[ .. ]
| The "temporary patch" Michael checked in is, in fact, the correct fix.
| 
| That raises another question, though - "print-ip.c" now treats both 
| protocol 9 and protocol 88 as IGRP, but the packet formats are, I 
| think, different - should we *only* treat IPPROTO_PIGP as IGRP, and 
| handle IPPROTO_EIGRP either not at all or with an "eigrp_print()" 
| routine?


i think the eigrp_print() option is the way to go 

just discovered that we have no eigrp decoder in tcpdump -
i was under the false impression that print_igrp() would
handle the eigrp formats as well  bummer
anyway eigrp (at least the IP flavour) would be IMHO a worthwhile
thing to implement (the proto is still around and no signs that it becomes
dead0; would somebody on the list hav the courtesy to send me a few
eigrp .pcap captures then i'll cook something up;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] text format stability

2004-06-24 Thread Hannes Gredler 
eddie,

i did most of the vflag changes in the last 18 months
along with my work on the rsvp,bgp,isis,ospf,lmp,rip,pim,eigrp
dissectors;

the rationale behind this is that you get brief one-line
information that is good enough for troubleshooting
and for a detailed information (vv) we switch
to multiline output;

does this break existing scripts ?
most certainly: however we have not yet found out how to
progress the software in terms of new protcols and multilayer
encapsualation support (gre/l2tp/mpls) and still stay 100%
downwards compatible;

my take is that until we change tcpdump output to
an optional machine-parsable output (could be XML,
could be anything else) we cannot solve this issue
fundamentally;

i had some offline discussion with michael and our current
understanding is that we need to progress tcpdump which today just
prints frames to a new structure that builds protocol trees;

on the frame end we finally render the frame to a format
that human|machine prcessors can understand; i.e. decouple
protocol dissection from output rendering;

it would be interesting to know from the community if
such an effort would be seen worthwile;

opinions ?

/hannes


On Wed, Jun 23, 2004 at 01:38:41PM -0700, Eddie Kohler wrote:
| Hi all,
| 
| I've noticed, painfully, that recent minor releases of tcpdump have 
| changed the longstanding format for "tcpdump -v" text output.  This 
| isn't an inherently bad idea, but there are a lot of scripts in the 
| world that parse tcpdump text output, and that are broken by arbitrary 
| format changes.  (For example, I have regression tests that check for 
| particular packet characteristics; comparing to tcpdump text output can 
| be better than pcap files for this purpose.)
| 
| I hope that the tcpdump-workers plan to re-stabilize the tcpdump text 
| format soon, and that the next release will change a major version 
| number, to make the format changes more obvious to users.
| 
| Thanks very much,
| Eddie Kohler


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] text format stability

2004-06-25 Thread Hannes Gredler 
On Thu, Jun 24, 2004 at 10:56:09AM -0700, Eddie Kohler wrote:

eddie,

[ ... ]

| Similarly, it seems a mistake to put IP header information (tos, ttl, id, 
| offset, flags, proto, length) before the addresses.  This changes 
| longstanding tcpdump practice and makes the output *less* readable, since 
| the addresses are generally more important to humans than this info.  We 
| could argue about whether this header info belonged at the end of each line 
| (where tcpdump formerly put it), or immediately after the addresses.  But 
| putting it *before* the addresses is too much.

i am a believer that networking dissectors should print data in the order
they arrive ... header information comes before ip adresses, right ?
the IMHO bad bad practise of printing header information (old format)
at the end of the packet messed up multiline decoders and any decoder
that has to display a hierarchy -> just remember the output mess that
the GRE/IP decoder creates and the difficulty for humans to spot IP[n] TTL
where N is a level of tunnels; - and there is quite a user base [FW-guys]
that are interested in that level of information;

| I was also a little put out by the fact that in the last tcpdump release -v 
| output said "proto 6", and now it says "proto: TCP (6)".  There is great 
| value in picking a format and sticking with it.  I am afraid that these 
| tinkerings will never stop.

host-indep. proto name resolution was on the wishlist long time;
nevermind,  we are pretty much done for the main decoders
[MPLS,IP,IP6,Ether,PPP,CHDLC,TCP] i am not yet done with UDP, FR, IPSec etc.

| It would seem to me that the best approach here would be to design a new 
| format that applied *only in those cases where it was required*: 
| gre/l2tp/mpls tunneling.  And of course it doesn't matter how new protocols 
| are printed, there are no backwards compatibility issues.

i strongly have to disagree here:

the main problem in the past was that we had no output consistiency
across the dissectors ... the recent work aligned the style and
readability to a common format which we should stick to ... agreed;

maybe it would be also a good idea to publish a output guide to make
things uniform right from the beginning when people work on new
dissectors;

| >my take is that until we change tcpdump output to
| >an optional machine-parsable output (could be XML,
| >could be anything else) we cannot solve this issue
| >fundamentally;
| 
| You cannot *solve* it, but your current course makes life much harder for 
| the installed base of tcpdump users.

apologies if i created discomfort ... we have been on this course
for 18 months now and generally the feedback on readability of tcpdump
outputs was a positive one;

| >i had some offline discussion with michael and our current
| >understanding is that we need to progress tcpdump which today just
| >prints frames to a new structure that builds protocol trees;
| >
| >on the frame end we finally render the frame to a format
| >that human|machine prcessors can understand; i.e. decouple
| >protocol dissection from output rendering;
| >
| >it would be interesting to know from the community if
| >such an effort would be seen worthwile;
| >
| >opinions ?
| 
| I don't see how this internal restructuring would affect tcpdump users.
| 
| In summary, I hope I can convince you to change "-v" text output back 
| towards the older format, for the common cases that most tcpdump users care 
| about. Think of it this way: until very recently, users could run "tcpdump 
| -v" and get the same output they would expect from Stevens' books.  The 
| wire formats have not changed.  Why should tcpdump's output?

the stevens book is a good source for learning about ip however
not a normative ref. for tcpdump output style;

wrt change / why ?: for the above mentioned reasons: old-tcpdump was
non-uniform, misordered, non-hierarchy capable and we felt to
progress it further rather than keeping it dormant;



i may kindly ask to adapt your scripts b/c i do not want to backout the
changes made; also i can reassure that the mentioned dissectors are
relatively stable i.e. it is unlikely that there will be further changes
here;


/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] text format stability

2004-06-25 Thread Hannes Gredler 
eddie,

On Fri, Jun 25, 2004 at 09:34:47AM -0700, Eddie Kohler wrote:
 
| These changes should not have been implemented globally, without some flag 
| or option to preserve the old behavior.  Such a flag should be added.

i had to make a call between polluting the code base further with
new flags that may not used consitiently [e.g. q flag is my favourite example]
or re-aligning the use of exisiting flags; [personally i only use typically
-v -vv -e -x]; i did deliberately take the risk that i may break things

IMHO adding functionality and consistiency is worth dropping some
downwards compatability;

output of structured data to non/structured is condemned to fail anyway;
  for example my employer was facing the same problem that everytime we changed
  the UI of our routing SW customers had to adapt their provisioning scripts,
  which (surprise) caused a lot of discomfort;
  finally we ended up exposing a machine parsebale
  interface encompassing XML tags;

| My point in writing was to point out that there is a large audience of 
| tcpdump users who process its output with scripts.  There are thousands of 
| scripts out there that you have broken, not just mine.  You haven't heard 
| from them yet because new tcpdump hasn't seen wide distribution.

well 3_8 is out since march ... it is in all major OS distributions and
so far we did get only a single ;-) complaint. [i am not saying that your
concerns are no valid] i am just saying that we had to horsetrade
a bit and some things may fall through the cracks ...
 
| I don't feel that tcpdump output should be frozen forever; some changes are 
| appropriate.  But the changes I've seen have seemed indiscriminate.  Again, 
| why put a comma after the TCP flags?  Why reorder the TCP fields relative 
| to one another?  Why change the way 'cksum' is spelled?  Why print out the 
| checksum when it's valid?  Why not leave the IP addresses at the beginning 
| of the line? Abstract reasons, about the physical order, are not good 
| enough.

again consistency ... we use the "cksum 0x1234 (correct)" style in
many dissectors;

print-vrrp.c
print-udp.c
print-tcp.c
print-isoclns.c
print-ip.c
print-icmp6.c
print-icmp.c

printing _all_ elements (checksum, ip ttl, dhcp options) not just som
based on content makes actually script marsing much more easy ...
many firewall guys expressed concerns that they want to see all the
fields [IP ID] for detecting handcrafted packets etc 

---
a question: can we turn this (valuable) discourse in something productive ?

i was thinking for quite a while about a output style-guide for
new/existing dissectors; the primary target would be implementers
for new dissectors however what i learned from the discussion is that
there may be need for a normative spec that scripters can rely on
[albeit not 100%]

thoughts ?

/hannes


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] text format stability

2004-06-25 Thread Hannes Gredler 
On Fri, Jun 25, 2004 at 02:21:24PM -0700, Christian Kreibich wrote:
| Hi,
| 
| On Fri, 2004-06-25 at 02:04, Hannes Gredler wrote:
| >
| > i am a believer that networking dissectors should print data in the order
| > they arrive ... header information comes before ip adresses, right ?
| > the IMHO bad bad practise of printing header information (old format)
| > at the end of the packet messed up multiline decoders and any decoder
| 
| just in case you really go forward with implementing configurable
| output, then by all means consider adding an option that allows
| disabling multiline output. It's a real pita.
| 
| Otherwise I'm with Eddie on this -- you really don't want to change the
| tcpdump textual output without a good reason and a *big* warning sign
| after everbody finally got their regexes to do what they wanted :)
| 
| A few months ago this list saw a discussion of the future capture file
| format (what's the latest on that btw), and back then I suggested in
| context of Jefferson's XML proposal that while I personally think an XML
| capture format is not the right idea, an XML based tcpdump output would
| be great in the long term -- it would certainly eliminate a lot of
| parsing ambiguity.

i concur ... nice TLV oriented binary encoding is good for .pcap storage
however for further processing an XML output maybe ideal; that way tcpdump
also could evolve to a "parsing middleware" fitting a nice niche
between full-featured decoders like ethereal;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Patch to print out IP data in PPP HDLC packets

2004-07-01 Thread Hannes Gredler 
darren,

can we have a .pcap sample showing such a frame for
the /tests directory ?

/hannes

On Thu, Jul 01, 2004 at 09:32:26PM +1000, Darren Reed wrote:
| I've been using this patch to print IP packets inside PPP HDLC
| frames found in raw 1xRTT traffic.  I've been able to find few
| details on the actual PPP header format apart from what "0x7eff"
| means and observing traffic for 0x7e21.  The end result is extra
| output of the form "{ PPP HDLC IP 1.2.3.4 > 2.3.4.5: GREv1call 0}"
| 
| It may not be particularly efficient because it malloc's a new
| buffer for each packet (rather than using a static buffer) but
| better that than limit the program's capabilities w.r.t recursive
| decoding was what I decided.
| 
| Darren
| 
| *** print-ppp.c.orig  Wed Mar 24 14:30:06 2004
| --- print-ppp.c   Thu Jul  1 21:01:59 2004
| ***
| *** 370,375 
| --- 370,376 
|   static int print_ccp_config_options (const u_char *p, int);
|   static int print_bacp_config_options (const u_char *p, int);
|   static void handle_ppp (u_int proto, const u_char *p, int length);
| + static int ppp_hdlc(const u_int proto, const u_char *p, int length);
|   
|   /* generic Control Protocol (e.g. LCP, IPCP, CCP, etc.) handler */
|   static void
| ***
| *** 1052,1057 
| --- 1053,1109 
|   }
|   
|   
| + static int
| + ppp_hdlc(const u_int proto, const u_char *p, int length)
| + {
| + u_char *b, *s, *t, c;
| + int i, l, offset;
| + const void *se;
| + 
| + switch (proto & 0xff)
| + {
| + case 0xff :
| + if (p[0] != 3 || p[1] != 0 || p[2] != 0x21)
| + return -1;
| + offset = 3;
| + break;
| + case 0x21 :
| + offset = 0;
| + break;
| + default :
| + return -1;
| + }
| + 
| + b = (u_char *)malloc(length);
| + if (b == NULL)
| + return -1;
| + 
| + /*
| +  * Unescape all the data into a temporary, private, buffer.
| +  * Do this so that we dont overwrite the original packet
| +  * contents.
| +  */
| + for (s = (u_char *)p + offset, t = b, i = length; i > 0; i--) {
| + c = *s++;
| + if (c == 0x7d) {
| + if (i > 1) {
| + i--;
| + c = *s++ ^ 0x20;
| + } else
| + continue;
| + }
| + *t++ = c;
| + }
| + 
| + printf("PPP-HDLC ");
| + se = snapend;
| + snapend = t;
| + ip_print(b, t - b);
| + snapend = se;
| + free(b);
| + }
| + 
| + 
|   /* PPP */
|   static void
|   handle_ppp(u_int proto, const u_char *p, int length)
| ***
| *** 1097,1105 
|   mpls_print(p, length);
|   break;
|   default:
| ! printf("unknown PPP protocol (0x%04x)", proto);
| ! print_unknown_data(p,"\n\t",length);
| ! break;
|   }
|   }
|   
| --- 1149,1159 
|   mpls_print(p, length);
|   break;
|   default:
| ! if (((proto >> 8) != 0x7e) || (ppp_hdlc(proto, p, length) == -1)) {
| ! printf("unknown PPP protocol (0x%04x)}", proto);
| ! print_unknown_data(p,"\n\t",length);
| ! }
| ! break;
|   }
|   }
|   
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Patch to print out IP data in PPP HDLC packets

2004-07-02 Thread Hannes Gredler 
darren,

see questions/responses inline;

On Fri, Jul 02, 2004 at 01:28:20AM +1000, Darren Reed wrote:
| In some email I received from Hannes Gredler, sie wrote:
| > darren,
| > 
| > can we have a .pcap sample showing such a frame for
| > the /tests directory ?
| 
| I've semi-hand constructed this file because of privacy
| concerns about the real data.

you can send it to me unicast then i am not going to publish it;

--

i have some questions wrt to the format based on the .pcap
file that you supplied;

the 1st byte 0x7e seems to introduce a HDLC frame;

after that i can see 4 different frame formats:


frame 1 0x:  2145  6edc 5a00 006a 2f52 080a 1122
0x0010:  330a 1133 4430 8188 0b00 4ad4 9d5a 5a5a
0x0020:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
0x0030:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
0x0040:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
0x0050:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
0x0060:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a7d 5d7d
0x0070:  5d

this seems to be some sort of shortcut IP frame ... 21 being
codepoint for IPv4; should be use then 0x57 for IPv6 ?


frame 2 0x:  c021 7d29 5d7d 207d 2860 89ca 54ff

this looks like a LCP frame , correct ? so the second
format is a fully blown PPP proto-id;


frame 3 0x:  ff03 c021 0a5d 0008 5241 249e 8531

looks like a regular PPP frame ... 0xff03 followed by a proto-id

frame 4 0x:  ff03 0021 4500 0067 616e  802f 
0x0010:  0a01 2233 0a11 2233 3001 880b 0047 43e4
0x0020:   005a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
0x0030:  5a5a 5a5a 5a5a 5a5a 5a7d 5e5a 5a5a 5a5a
0x0040:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
0x0050:  5a5a 5a5a 5a5a 5a5a 5a5a 5a7d 5d5a 5a5a
0x0060:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a}

frame 5 0x:  ff03 c021 0a5e 0008 5241 249e eb99

same as 4 ...


frame 6 0x:  ff7d 23c0 217d 2126 7d20 7d34 7d22 7d26
0x0010:  7d20 7d20 7d20 7d20 7d25 7d26 65f1 b237
0x0020:  7d27 7d22 7d28 7d22 3c6b

ok this one i have some problems with ... 0xc021 looks like LCP
again but what is 0xff7d23 ?

except like frame 6 i would formulate the encoding logic like:

test for 0xff03 -> call ppp_print()
test for 0x21 -> call ip_print()
test for 0x57 -> call ip6print()

default: -> call ppp_handle()

---


could you maybe also provide a pointer to a spec where the escaping
routines and or the 0x7e escape hack is described ?

wrt the curly bracket at the end of the hexdump -that not a bug
this is an artifact of the l2tp dissector and i'll also have
a look at that;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Patch to print out IP data in PPP HDLC packets

2004-07-02 Thread Hannes Gredler 
On Thu, Jul 01, 2004 at 09:32:26PM +1000, Darren Reed wrote:
| I've been using this patch to print IP packets inside PPP HDLC
| frames found in raw 1xRTT traffic.  I've been able to find few
| details on the actual PPP header format apart from what "0x7eff"
| means and observing traffic for 0x7e21.  The end result is extra
| output of the form "{ PPP HDLC IP 1.2.3.4 > 2.3.4.5: GREv1call 0}"
| 
| It may not be particularly efficient because it malloc's a new
| buffer for each packet (rather than using a static buffer) but
| better that than limit the program's capabilities w.r.t recursive
| decoding was what I decided.
| 
| Darren

darren,

thanks for your submission - i have checked in the attached patch;

/hannes
Index: print-ppp.c
===
RCS file: /tcpdump/master/tcpdump/print-ppp.c,v
retrieving revision 1.95
diff -u -r1.95 print-ppp.c
--- print-ppp.c 2 Jul 2004 06:32:47 -   1.95
+++ print-ppp.c 2 Jul 2004 20:15:32 -
@@ -47,6 +47,7 @@
 
 #include 
 #include 
+#include 
 
 #include "interface.h"
 #include "extract.h"
@@ -370,6 +371,7 @@
 static int print_ccp_config_options (const u_char *p, int);
 static int print_bacp_config_options (const u_char *p, int);
 static void handle_ppp (u_int proto, const u_char *p, int length);
+static void ppp_hdlc(const u_char *p, int length);
 
 /* generic Control Protocol (e.g. LCP, IPCP, CCP, etc.) handler */
 static void
@@ -1052,10 +1054,81 @@
 }
 
 
+static void
+ppp_hdlc(const u_char *p, int length)
+{
+   u_char *b, *s, *t, c;
+   int i, proto;
+   const void *se;
+
+   b = (u_int8_t *)malloc(length);
+   if (b == NULL)
+   return;
+
+   /*
+* Unescape all the data into a temporary, private, buffer.
+* Do this so that we dont overwrite the original packet
+* contents.
+*/
+   for (s = (u_char *)p, t = b, i = length; i > 0; i--) {
+   c = *s++;
+   if (c == 0x7d) {
+   if (i > 1) {
+   i--;
+   c = *s++ ^ 0x20;
+   } else
+   continue;
+   }
+   *t++ = c;
+   }
+
+   se = snapend;
+   snapend = t;
+
+/* now lets guess about the payload codepoint format */
+proto = *b; /* start with a one-octet codepoint guess */
+
+switch (proto) {
+case PPP_IP:
+ip_print(b+1, t - b - 1);
+goto cleanup;
+#ifdef INET6
+case PPP_IPV6:
+ip6_print(b+1, t - b - 1);
+goto cleanup;
+#endif
+default: /* no luck - try next guess */
+break;
+}
+
+proto = EXTRACT_16BITS(b); /* next guess - load two octets */
+
+switch (proto) {
+case 0xff03: /* looks like a PPP frame */
+proto = EXTRACT_16BITS(b+2); /* load the PPP proto-id */
+handle_ppp(proto, b+4, t - b - 4);
+break;
+default: /* last guess - proto must be a PPP proto-id */
+handle_ppp(proto, b+2, t - b - 2);
+break;
+}
+
+cleanup:
+snapend = se;
+   free(b);
+return;
+}
+
+
 /* PPP */
 static void
 handle_ppp(u_int proto, const u_char *p, int length)
 {
+if ((proto & 0xff00) == 0x7e00) {/* is this an escape code ? */
+ppp_hdlc(p-1, length);
+return;
+}
+
switch (proto) {
case PPP_LCP:
case PPP_IPCP:
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Bug in print-ppp.c

2004-07-13 Thread Hannes Gredler 
thanks for your submission - checked in; - /hannes

On Tue, Jul 13, 2004 at 03:04:43PM +1000, Darren Reed wrote:
| I've come across a packet that causes me to get a stack trace something
| like this:
| #0  0x in ?? ()
| #1  0x0807a0bd in handle_ctrl_proto (proto=32855, pptr=0x8195c82 "\001", length=14) 
at print-ppp.c:450
| #2  0x0807be24 in handle_ppp (proto=32855, p=0x8195c82 "\001", length=14) at 
print-ppp.c:1143
| #3  0x0807c072 in ppp_print (p=0x8195c82 "\001", length=14) at print-ppp.c:1229
| #4  0x0805fd22 in gre_print_1 (bp=0x8195c80 "\200W\001", length=28) at 
print-gre.c:305
| #5  0x0805f757 in gre_print (bp=0x8195c74 "0\001\210\v", length=28) at 
print-gre.c:108
| #6  0x080634c2 in ip_print (bp=0x8195c60 "E", length=48) at print-ip.c:606
| #7  0x08060307 in gtpv1u_print (bp=0x8195c60 "E", length=48) at print-gtp.c:323
| #8  0x080919d6 in udp_print (bp=0x8195c4c "\bh\bh", length=60, bp2=0x8195c38 "E", 
fragmented=0) at print-udp.c:635
| #9  0x080633b9 in ip_print (bp=0x8195c38 "E", length=88) at print-ip.c:539
| #10 0x0805e062 in ether_encap_print (ether_type=2048, p=0x8195c38 "E", length=88, 
caplen=88, extracted_ether_type=0xb2d0)
| at print-ether.c:189
| #11 0x0805de85 in ether_print (p=0x8195c38 "E", length=88, caplen=88) at 
print-ether.c:142
| #12 0x0805def3 in ether_if_print (h=0xb340, p=0x8195c2a "") at print-ether.c:162
| #13 0x08094fc9 in print_packet (user=0xb520 "ÖÞ\005\b", h=0xb340, 
sp=0x8195c2a "") at tcpdump.c:1188
| #14 0x080a389a in pcap_offline_read ()
| #15 0x0809b486 in pcap_loop ()
| #16 0x08094b55 in main (argc=5, argv=0xb594) at tcpdump.c:997
| #17 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
| 
| Somewhere around like 445, print-ppp.c has:
| default:
| /*
|  * This should never happen, but we set
|  * "pfunc" to squelch uninitialized
|  * variable warnings from compilers.
|  */
| pfunc = NULL;
| break;
| }
| 
| Adding a printout after the closing }, I see this for one packet:
| pfunc (nil) tptr 0x8195c86 len 14 x 10 proto 0x8057 ptr 0x8195c82 length 14
| 
| We've come here from handle_ppp() which calls handl_ctrl_proto() for
| PPP_IPV6CP.
| 
| This patch (modulo white space) solves this problem for now.
| 
| *** print-ppp.c 8 Jul 2004 11:10:37 -   1.2
| --- print-ppp.c 13 Jul 2004 05:01:15 -
| ***
| *** 447,452 
| --- 447,454 
| pfunc = NULL;
| break;
| }
| +   if (pfunc == NULL)
| +   break;
| if ((j = (*pfunc)(tptr, len)) == 0)
| break;
| x -= j;
| 
| Darren
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] How tcpdump works?

2004-07-22 Thread Hannes Gredler 
On Thu, Jul 22, 2004 at 01:03:49PM +0200, C?sar C?rdenas wrote:
| Hi:
| 
| In reviewing a file captured from a server I found my IP adress as a source
| or as a destination, but there is not combination without my IP adress.
| 

most likely you have a LAN-switch in your network, which means that you
only see unicast traffic from/your IP adress and broad/multicast packets;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] New DLT needed for PPP active/passiv filtering

2004-08-17 Thread Hannes Gredler 
karsten,

could you elaborate a bit more on "it creates binary incompatible filters";

in my testbed the linux machine creates 100% correct BPF filters;

e.g.

--->encaps is LINUX_SLL
# tcpdump -i ppp0 icmp   
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

--->lets try the filter code for icmp 
# tcpdump -i ppp0 -d icmp   
(000) ldh  [14]
(001) jeq  #0x800   jt 2jf 5
(002) ldb  [25]
(003) jeq  #0x1 jt 4jf 5
(004) ret  #96
(005) ret  #0

---> lets match on inbound direction
# tcpdump -d -i ppp0 inbound 
(000) ldh  [0]
(001) jeq  #0x0 jt 2jf 3
(002) ret  #96
(003) ret  #0

---> and outbound
# tcpdump -d -i ppp0 outbound   
(000) ldh  [0]
(001) jeq  #0x4 jt 2jf 3
(002) ret  #96
(003) ret  #0


/hannes


On Tue, Aug 17, 2004 at 12:53:54PM +0200, Karsten Keil wrote:
| Hi,
| 
| between libpcap version 0.7 and 0.8 the DLT_PPP was cleaned up to not longer
| support the faked IN/OUT flag which was needed to compile filter rules
| for the PPP activ/passiv filtering.
| The cleanup is OK, since the nativ PPP frame do not have any IN/OUT flag,
| so for traffic analysers it is confusing to have a faked first byte.
| 
| But for activ/passiv filtering, which is needed to determine for dial on
| demand which pakets are allowed to create a new connection or which pakets
| hold the current connection open, it is a strong demand to differ between
| own (OUT) and incoming traffic (which may contain unwanted pakets, like
| port scans or pakets from old lost connections (dynamic IPs maybe
| reassingned).
| 
| So I was told some months ago to use cooked mode with DLT_LINUX_SLL, which
| used a faked 16 byte ethernet header instead of the 4 byte PPP header.
| I implement a solution based on this, but it has big disadventages:
| 
| - it creates binary incompatible filters, it need new core routines for
|   activ/passiv filter (which replace the 4 byte header with a 16 byte
|   header) 
| - waste of resources, the paket handler must extend the headspace from 4 to
|   16 byte only for executing the filter
| 
| Because the incompatibility this solutions was rejected by the PPP
| maintainers and I think they are right.
| 
| A solution may be to create a new DLT_PPP_INOUT (better names welcome),
| which take the first PPP byte, which is not needed for filtering as IN/OUT
| Flag (same behavior as libpcap 0.7 DLT_PPP had).
| This solution is backward compatible and need no changes in the PPP core
| routines. Old ppp binary (libpcap 0.7 based) will still work.
| The main DLT_PPP for traffic analyser stuff will remain clean and not
| got confused this extra stuff.
| 
| So I need a DLT number assigned for this new DLT_PPP_INOUT.
| 
| -- 
| Karsten Keil
| ISDN development
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] modifying source code

2004-08-17 Thread Hannes Gredler 
On Tue, Aug 17, 2004 at 03:16:27AM +0100, neha agrawal wrote:
| hello!
| i am capturing packets using tcpdump. i want
| to read the packet header and all.. as tcpdump reads
| and put the information in data base.i dont want to
| read  from output generated by tcpdump.. but read
| information of packets as and when tcpdump reads.. and
| put them in database.. can u let me know which source
| files i need to modify. is there some document
| describing flow of the source code of tcpdump..
| thanks
| neha


neha,

as a good start i would encourage you to read through the

ethernet [print-ethernet.c]
ip   [print-ip.c]
and ppp  [print-ppp.c]

printers;

it should not be too difficult to hook in a database dumper;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] New DLT needed for PPP active/passiv filtering

2004-08-18 Thread Hannes Gredler 
karsten,

i have checked in support for the new DLT_PPP_WITH_DIRECTION (166) and
  LINKTYPE_PPP_WITH_DIRECTION (166)

also i tweaked libpcap to treat it like PPP plus support of
the inbound/outbound tokens;

see below testresults ...

# ./tcpdump -dr ppp-dlt166.pcap "inbound"  
reading from file ppp-dlt166.pcap, link-type 166
(000) ldb  [0]
(001) jeq  #0x0 jt 2jf 3
(002) ret  #4474
(003) ret  #0
# ./tcpdump -dr ppp-dlt166.pcap "outbound"  
reading from file ppp/ppp-dlt166.pcap, link-type 166
(000) ldb  [0]
(001) jeq  #0x1 jt 2jf 3
(002) ret  #4474
(003) ret  #0
# ./tcpdump -dr ppp-dlt166.pcap "ip && inbound"
reading from file ppp/ppp-dlt166.pcap, link-type 166
(000) ldh  [2]
(001) jeq  #0x21jt 2jf 5
(002) ldb  [0]
(003) jeq  #0x0 jt 4jf 5
(004) ret  #4474
(005) ret  #0
# ./tcpdump -dr ppp-dlt166.pcap "ip && outbound"
reading from file ppp/ppp-dlt166.pcap, link-type 166
(000) ldh  [2]
(001) jeq  #0x21jt 2jf 5
(002) ldb  [0]
(003) jeq  #0x1 jt 4jf 5
(004) ret  #4474
(005) ret  #0

let me know if this fits your needs;

/hannes


On Wed, Aug 18, 2004 at 02:23:21PM +0200, Karsten Keil wrote:

| It was here in the PPP filter context. The normal 4 byte header looks like:
| 
| FF 03   P1 P2 give a 16 bit protocol ID for identyfy the data
| following the haeder, which maybe PPP control data or IP/IPX payload data. 
| Since the PPP filtering is only called for IP/IPX payload frames, the
| constant FF byte was redefined as IN/OUT Flag (1 := OUT, 0:= IN).
| Note: The Filter is called after doing all decompression, so its allways
| a simple PPP payload data frame (in case of outgoing, it is called before
| doing compression or add multilink headers).
| 
| > 
| > Note also that, for any DLT_PPP packets that *did* have an extra first 
| > byte in the header, any *other* filter expression wouldn't work, as the 
| > rest of the code for PPP assumed that it *wasn't* there.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] New DLT needed for PPP active/passiv filtering

2004-08-18 Thread Hannes Gredler 
karsten,

i have checked in support for DLT_PPP_WITH_DIRECTION in
tcpdump and the PPP printer - the PPP printer shows now
the direction (hidden under the -e flag)

/hannes


---

karsten,

i have checked in support for the new DLT_PPP_WITH_DIRECTION (166) and
  LINKTYPE_PPP_WITH_DIRECTION (166)

also i tweaked libpcap to treat it like PPP plus support of
the inbound/outbound tokens;

see below testresults ...

# ./tcpdump -dr ppp-dlt166.pcap "inbound"  
reading from file ppp-dlt166.pcap, link-type 166
(000) ldb  [0]
(001) jeq  #0x0 jt 2jf 3
(002) ret  #4474
(003) ret  #0
# ./tcpdump -dr ppp-dlt166.pcap "outbound"  
reading from file ppp/ppp-dlt166.pcap, link-type 166
(000) ldb  [0]
(001) jeq  #0x1 jt 2jf 3
(002) ret  #4474
(003) ret  #0
# ./tcpdump -dr ppp-dlt166.pcap "ip && inbound"
reading from file ppp/ppp-dlt166.pcap, link-type 166
(000) ldh  [2]
(001) jeq  #0x21jt 2jf 5
(002) ldb  [0]
(003) jeq  #0x0 jt 4jf 5
(004) ret  #4474
(005) ret  #0
# ./tcpdump -dr ppp-dlt166.pcap "ip && outbound"
reading from file ppp/ppp-dlt166.pcap, link-type 166
(000) ldh  [2]
(001) jeq  #0x21jt 2jf 5
(002) ldb  [0]
(003) jeq  #0x1 jt 4jf 5
(004) ret  #4474
(005) ret  #0

let me know if this fits your needs;

/hannes


On Wed, Aug 18, 2004 at 02:23:21PM +0200, Karsten Keil wrote:

| It was here in the PPP filter context. The normal 4 byte header looks like:
| 
| FF 03   P1 P2 give a 16 bit protocol ID for identyfy the data
| following the haeder, which maybe PPP control data or IP/IPX payload data. 
| Since the PPP filtering is only called for IP/IPX payload frames, the
| constant FF byte was redefined as IN/OUT Flag (1 := OUT, 0:= IN).
| Note: The Filter is called after doing all decompression, so its allways
| a simple PPP payload data frame (in case of outgoing, it is called before
| doing compression or add multilink headers).
| 
| > 
| > Note also that, for any DLT_PPP packets that *did* have an extra first 
| > byte in the header, any *other* filter expression wouldn't work, as the 
| > rest of the code for PPP assumed that it *wasn't* there.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] New DLT needed for PPP active/passiv filtering

2004-08-19 Thread Hannes Gredler 
karsten,

could not reprodoce -> anoncvs is working for me;
can you try again, pls ?

/hannes

On Thu, Aug 19, 2004 at 02:56:47AM +0200, Karsten Keil wrote:
| On Wed, Aug 18, 2004 at 06:36:22PM +0200, Karsten Keil wrote:
| > Hi Hannes,
| > 
| > On Wed, Aug 18, 2004 at 05:27:41PM +0200, Hannes Gredler wrote:
| > > karsten,
| > > 
| > > i have checked in support for DLT_PPP_WITH_DIRECTION in
| > > tcpdump and the PPP printer - the PPP printer shows now
| > > the direction (hidden under the -e flag)
| > > 
| > > /hannes
| > > 
| > 
| > Thank you very much for this work, it will save me a lot
| > of time to implement it myself, since I don't known the libpcap
| > good enough.
| > I will test it next days and report results here.
| > 
| 
| Hmm, unfortunatly it seems that anoncvs is still not working
| without extra authorisation and also the daily snapshoots are
| not actual (last: libpcap-2004.07.22), so I cannot get the
| changes.
| 
| -- 
| Karsten Keil
| SuSE Labs
| ISDN development
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] New DLT needed for PPP active/passiv filtering

2004-08-19 Thread Hannes Gredler 
On Thu, Aug 19, 2004 at 02:52:38PM +0200, Karsten Keil wrote:
| On Thu, Aug 19, 2004 at 01:27:45PM +0200, Hannes Gredler wrote:
| > karsten,
| > 
| > could not reproduce -> anoncvs is working for me;
| > can you try again, pls ?
| > 
| 
| I think because your IP was registered (here was a thread about this
| problem in july).

correct, michael requires you to have a valid PTR entry ...
assume at your employer there must be some workstation with a valid
PTR entry ;-)

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] x.9 branch

2004-09-24 Thread Hannes Gredler 
On Thu, Sep 23, 2004 at 12:23:55PM -0700, Guy Harris wrote:
| (blah blah blah the other brain fart was sending it from sonic.net again 
| blah blah blah duplicate message dissector blah blah blah)
| 
| Michael Richardson wrote:
| 
| >  You tell me.
| >  We didn't do a 0.8.4 yet, but this sounds like significant enough to
| >warrant 0.9, but maybe I'm wrong.
| 
| Sorry, brain fart, I didn't notice the ".9".
| 
| If we branch from HEAD, it would definitely be an 0.9/3.9 release.
| Libpcap includes significant new functionality, such as support for
| sending packets, and there are also significant changes to tcpdump -
| and, yes, the radiotap support is a significant change in and of itself,
| so it arguably belongs in a 3.9 release rather than a 3.8.4 release.
| 

[changed subject:]

any suggestion for a x.9 branch date ? what about 31-oct-04 ?

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Buffer size question

2004-10-15 Thread Hannes Gredler 
shouldn't we have upper/lower boundary checks for
such a buffer ?

i.e. minbuffer 1.5K
 maxbuffer 128K

/hannes

On Thu, Oct 14, 2004 at 02:29:14PM -0400, Ed Maste wrote:
| > I'll download one of the nightly tars and try out the 
| > environment variable idea.
| 
| Here's my simple patch to allow an environment variable
| PCAP_BUFSIZE to override the default initial buffer size.
| 
| --- pcap-bpf.cTue Oct  5 03:23:39 2004
| +++ pcap-bpf.c.newThu Oct 14 14:21:41 2004
| @@ -578,6 +578,7 @@
|   u_int v;
|   pcap_t *p;
|   struct utsname osinfo;
| + char *cp;
|  
|  #ifdef HAVE_DAG_API
|   if (strstr(device, "dag")) {
| @@ -626,6 +627,8 @@
|*/
|   if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || v < 32768)
|   v = 32768;
| + if ((cp = getenv("PCAP_BUFSIZE")))
| + v = atoi(cp);
|   for ( ; v != 0; v >>= 1) {
|   /* Ignore the return value - this is because the call fails
|* on BPF systems that don't have kernel malloc.  And if
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] packet dumping

2005-01-02 Thread Hannes Gredler 
hi,

i am not 100% sure if i do understand your question;

if its regarding printing a hexdump of an arbitrary
(including ICMP) then you may want to try tcpdump
with the -X flag;

see the tcpdump man page for details;

/hannes

On Sat, Jan 01, 2005 at 05:30:03AM -0800, linux lover wrote:
| Hi all,
|  I want to know which program and which statement
| in that prints HEX dump of ICMP packet. I want to
| write my own sniffer but not getting how to print
| packets content and in which format to look like
| 4500 003a feac 4000 4006 b7fe c0a8 01c1
| c0a8 0101 0403 05dc 1d83 3d44 1bd2 e615
| 8018 16d0 fe41  0101 080a  c3e9
|  894f 5061 7261 6700
| I am doing this on linux as a kernel sniffer module.
| Any other help is appreciated.
| Thanks in advance.
| regards,
| linux_lover

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Problem in print-egp.c

2005-01-12 Thread Hannes Gredler 
checked in 3_8 and HEAD branch - tx, /hannes

On Fri, Jan 07, 2005 at 07:45:32PM +0100, [EMAIL PROTECTED] wrote:
| 
| Hi,
| There is a bug in egp_print fonction from print-egp.c
| tcpdump don't print correct egp packet smaller than 32bytes, because their
| size was inferior to egp struct size.
| Here you'll find the patch.
| I have posted it on sourceforge. But i don't know how sf patch submitting
| system works.
| So I send it to this mailing list.
| I hope it's the appropriate place...
| Does the patch will be integrated to the next version of tcpdump?
| 
| Nicolas FERRERO
| 
| 
| diff -urN tcpdump-3.8.3/interface.h tcpdump/interface.h
| --- tcpdump-3.8.3/interface.h 2004-03-17 20:47:48.0 +0100
| +++ tcpdump/interface.h   2004-12-23 03:48:12.796318448 +0100
| @@ -216,7 +216,7 @@
|  extern void default_print(const u_char *, u_int);
|  extern void default_print_unaligned(const u_char *, u_int);
|  extern void dvmrp_print(const u_char *, u_int);
| -extern void egp_print(const u_char *);
| +extern void egp_print(const u_char *, u_int);
|  extern u_int enc_if_print(const struct pcap_pkthdr *, const u_char *);
| extern u_int pflog_if_print(const struct pcap_pkthdr *, const u_char *);
| extern u_int arcnet_if_print(const struct pcap_pkthdr *, const u_char *);
| diff -urN tcpdump-3.8.3/print-egp.c tcpdump/print-egp.c
| --- tcpdump-3.8.3/print-egp.c 2003-11-16 09:51:18.0 +0100
| +++ tcpdump/print-egp.c   2004-12-23 04:51:21.991273256 +0100
| @@ -214,7 +214,7 @@
|  }
| 
|  void
| -egp_print(register const u_int8_t *bp)
| +egp_print(register const u_int8_t *bp, register u_int length)
|  {
|   register const struct egp_packet *egp;
|   register int status;
| @@ -222,7 +222,7 @@
|   register int type;
| 
|   egp = (struct egp_packet *)bp;
| - if (!TTEST(*egp)) {
| + if (!TTEST2(*egp, length)) {
|   printf("[|egp]");
|   return;
|   }
| diff -urN tcpdump-3.8.3/print-ip.c tcpdump/print-ip.c
| --- tcpdump-3.8.3/print-ip.c  2004-03-24 10:01:39.0 +0100
| +++ tcpdump/print-ip.c2004-12-23 03:47:18.108632240 +0100
| @@ -551,7 +551,7 @@
|   break;
| 
|   case IPPROTO_EGP:
| - egp_print(cp);
| + egp_print(cp, len);
|   break;
| 
|   case IPPROTO_OSPF:
| 
| 
| 
| 
| 
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] More information about print_egp problem

2005-01-12 Thread Hannes Gredler 
On Tue, Jan 11, 2005 at 02:53:29AM +0100, [EMAIL PROTECTED] wrote:
| Hi,
| There is an error in the last message tcpdump print correctly egp paquet
| in ascii and hexadecimal, but for egp paquet neighbor reachabily messages
| the autonomous system num and the sequence num are not printed. I can see
| only an [|egp].
| It's because the size of an egp nrm packet is inferior to the egp
| structure size.
| 
| You can find the patch to correct it in the last mail about egp.
| Thanks,

missed that one - can you pls resubmit - /hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] guessing when TSO is present

2005-01-22 Thread Hannes Gredler 
checked in - thanks for the submission - /hannes

On Wed, Jan 19, 2005 at 05:35:13PM -0800, Rick Jones wrote:
| A while back I think I posted something asking about what to do about TSO 
| (large send) and how it generated "IP bad-len 0" output  when tracing on a 
| TSO-enabled sender.
| 
| I had a couple spare cycles, so I decided to just take a WAG at what might 
| be done, which was to say that if the IP len was zero, just go ahead and 
| guess that this was a TSO and set the len to the length parm pass-in to 
| print-ip and hope.

[ ... ] 

| basically, if the IP len is zero, ass-u-me that the segment is TSO and wing 
| it.
| 
| rick jones


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] DLT_PRISM_HEADER etc. and bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel")

2005-01-27 Thread Hannes Gredler 
On Wed, Jan 26, 2005 at 01:44:28PM +0100, Karl Gaissmaier wrote:
| Hello,
| 
| the following bpf filters with ethernet addresses like
| 'ether host ' or synonym: 'wlan host '
| and others with mac address checks like gateway, multicast, ...
| are not handled within gencode.c if you monitor a WLAN device in
| monitor mode with PRISM header prependend.
| 
| There are missing CASE statements for DLT_PRISM_HEADER in
| the different filter checks and a modified gen_wlanhostop
| to shift the packet the prism header length, but using the
| same logic as for the DLT_IEEE802_11 link layer.
| 
| The same is true for the other driver specific prepended 802.11
| headers like DLT_IEEE802_11_RADIO and DLT_IEEE802_11_RADIO_AVS.
| 
| It would be nice if someone could spend some time to fix this.
| 

now while you are it, you are welcome to submit a patch ...

the "i don't think my code is good enough" excuse will not be
accepted as there are enough competent reviewers on the list;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] can't do CVS checkouts/updates anymore

2005-02-07 Thread Hannes Gredler 
gert,

i am not maintaining the cvs server [michael does -
so he is the only one who can comment ] - 

wrt the cdp printer
can you send me your print-cdp file and i'll check
it in;

/hannes

On Thu, Feb 03, 2005 at 01:06:21PM +0100, Gert Doering wrote:
| Hi,
| 
| since quite a while, I can't do CVS pserver operations anymore (at
| least half a year, but since I had no need to actually do anything
| to the sources, I never bothered enough to send mail).  
| 
| I asked Hannes Gredler privately, he says "works for me", but it 
| doesn't work for me.  I tried 4 different machines (Linux, NetBSD, 
| SCO, some with IPv4+IPv6, some with only IPv4) but the result is always
| the same:
| 
| [EMAIL PROTECTED]:/user/gert$ cvs -d :pserver:[EMAIL 
PROTECTED]:/tcpdump/master login
| Logging in to :pserver:[EMAIL PROTECTED]:2401/tcpdump/master
| CVS password: 
| cvs [login aborted]: end of file from server (consult above messages if any)
| 
| (this is from "miyu.greenie.muc.de", 193.149.48.180, consistent forward
| and reverse DNS for IPv4 and IPv6, Linux.  Last attempt was done at 
| 12:05 GMT, just when composing this e-mail - so you might see it in the
| server logs)
| 
| Any idea what is causing this?  It looks like an over-eager tcp wrapper
| is kicking me for some reason.
| 
| I have some new items for print-cdp.c that I'd like to integrate, test,
| and then send upstream...
| 
| gert
| 
| -- 
| USENET is *not* the non-clickable part of WWW!
|//www.muc.de/~gert/
| Gert Doering - Munich, Germany [EMAIL PROTECTED]
| fax: +49-89-35655025[EMAIL PROTECTED]
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Welcome to the tcpdump-workers list!

2005-02-20 Thread Hannes Gredler 
On Fri, Feb 18, 2005 at 03:28:50PM +0400, Ramsurrun Visham wrote:
| Hi,
| 
| 1) wanted to ask how to make tcpdump show mac addresses? 

use the e flag [tcpdump -e ] for displaying link-layer information;
 
| 2) how can I pass the packet that has been captured by tcpdump to iptables?
| 

not sure i understand ... what is the problem you're trying to solve ?

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] ICMP header

2005-03-01 Thread Hannes Gredler 
On Sun, Feb 27, 2005 at 10:37:34PM +0400, Ramsurrun Visham wrote:
| Hi to all,
| 
| I would like to know how do we grab the icmp header from an ethernet frame. I 
believe we have to jump pass the ethernet and IP headers..

no - we actually need to parse through the IP header to find out if the header
is variable length [IP options etc.]

have a look at the point where the icmp printer is called in print-ip.c

---

case IPPROTO_ICMP:
/* pass on the MF bit plus the offset to detect 
fragments */
icmp_print(cp, len, (const u_char *)ip, (off & 0x3fff));
break;
 
---

| u_char * handle_IP(u_char *args, const struct pcap_pkthdr* pkthdr, const 
u_char* packet)
| 
| {
|const struct my_ip* p;
|u_int length = pkthdr->len;
| 
|ip = (struct my_ip*)(packet + sizeof(struct ether_header));
|length -= sizeof(struct ether_header);
| }
| 
| I tried to check the tcpdump source code but couldn't understand it. I looked 
in print_icmp.c and print_ip.c in particular.

| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Problem with packet on ATM

2005-03-01 Thread Hannes Gredler 
On Tue, Mar 01, 2005 at 10:19:25AM +0100, Eric Leblond wrote:
| Hi,
| 
| I had to dump some RFC2684 atm bridge interfaces for a customer. We
| often have some strange messages :
| 09:09:43.262575 77:9c:7d:60:8:0 c:3f:b4:8:0:0 4500 401:
|  0183 df1d  7111 96fb 527f 2537 d50b
|  858f 7325 18ca 016f 36a5 474e 4403 aa2e
|  0101 789c 9ba2 c714 e861 e421 e01e daa8
|  fedc d6ea ef23 d5bb d353 7f85 fa3d 13f7
|  60f3 730c aa57 353f 25e1 c012 16e4 18e5
|  e8c1
| It seems tcpdump looses the link header (2bytes) and that consequently
| the whole packet reading is shift. We've found that because we know that
| the source mac address is :
|   00:00:77:9c:7d:60
| Furthermore, the protocol is 0800 thus explaining the last 2 bytes of
| the MAC address.
| 
| Same problem occurs when testing it on an ATM clip interface.
| 
| This is weird but it does only occur on some packets mainly TCP one (as
| we can guess from packet content) other are correctly parsed.
| 
| Is this a known problem ?

can you send me the binary .pcap file that contains such a frame and i'll have 
a look - /hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Customization of tcpdump for some specific requirements...

2005-04-06 Thread Hannes Gredler 
On Tue, Apr 05, 2005 at 10:36:59AM -0700, Shyam Kumar wrote:
| 
| [1] Data Representation is handled by tcpdump code only or both by
| tcpdump code & libpcap code??

if by data-representation you mean dissecting protocols then this
is done by tcpdump;
 
| [2] which *.c & *.h files deals with data representation in tcpdump &
| libpcap code ??

pretty much each protocol has its own print-.c file

| [3] Can the data representation part be easily segregated from parsing &
| filtering mechanism??

not easy doable ... after the tpcdump 3.9 release we will start working on
getting the parsing part independent from the display output; the goal is to
render the display output based on a generic datastructure in every target
format that users are interested (xml etc.) without ever tweaking the parsing 
code
again;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Automatic report from sources (tcpdump libpcap

2005-04-09 Thread Hannes Gredler 
ack, will do ... - /hannes

On Sat, Apr 09, 2005 at 03:18:28AM -0700, Guy Harris wrote:
| Automatic cvs log generator /tcpdump/bin/makelog wrote:
| 
| >Description:
| >-add support for llc based protocols (iso, etc..) for ethernet
| > by checking the proto against the ethermtu and bumping
| > the link-layer offset by two.
| >
| >-add support for vlan and mpls hierarchies by not absolute
| >  setting offsets but rather incrementing them;
| >
| >  example(s):
| >
| >  mpls 10 && mpls 1024
| >=filters for outerlabel 10 and inner label 1024
| >  vlan 100 && vlan 200
| >=filters for vlan 200 encapsulated withing vlan 100
| >  vlan 300 && mpls 17
| >=filters for mpls label 17 encapsulated in vlan 300
| >Modified files:
| > File: libpcap/gencode.c; Revision: 1.223;
| > Date: 2005/04/08 14:40:38; Author: hannes; Lines:  (+62 -71)
| 
| You might want to update the tcpdump man page to document that.
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] pcap next gerneration / adding communication

2005-04-09 Thread Hannes Gredler 
On Fri, Apr 08, 2005 at 05:15:15AM -0700, Bruce M Simpson wrote:
| On Fri, Apr 08, 2005 at 11:57:33AM +0200, Pilz Rene wrote:
| > I want to add a feature where someone can connect and use a 
| > network-interface of a remote computer to capture data. As ronnie 
| > sahlberg has already pointed out in the ethereal list,
| > authentication and athoriztion should be one of the topics there. For 
| > sure the will be several more issues.
| 

i typically use the following command for remote capturing:

ssh [EMAIL PROTECTED] "sudo tcpdump -ni eth0 -s 0 -w -" > capture-file.pcap

authentication/authorization/confidentiality and transport provided by ssh;

does this help ?

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] pcap next gerneration / adding communication

2005-04-10 Thread Hannes Gredler 
if you want to do live capturing and decode using ethereal/tethereal then you'd 
simply do:

ssh [EMAIL PROTECTED] "sudo tcpdump -ni eth0 -s 0 -w -" | tethereal -nli -

/hannes

On Sat, Apr 09, 2005 at 05:05:16PM +0200, Pilz Rene wrote:
| Thanks for the suggestion. I need it in that way, that I can use it like 
| local captureable network interface.
| This is due the fact, that I need it in a program which uses the 
| libpcap. In my case is it ethereal. And when
| I download the files first, then I have no advantage to the solutions, 
| which I use now.
| 
| Thanks anyway.
| 
| /rene
| 
| Hannes Gredler wrote:
| 
| >On Fri, Apr 08, 2005 at 05:15:15AM -0700, Bruce M Simpson wrote:
| >| On Fri, Apr 08, 2005 at 11:57:33AM +0200, Pilz Rene wrote:
| >| > I want to add a feature where someone can connect and use a 
| >| > network-interface of a remote computer to capture data. As ronnie 
| >| > sahlberg has already pointed out in the ethereal list,
| >| > authentication and athoriztion should be one of the topics there. For 
| >| > sure the will be several more issues.
| >| 
| >
| >i typically use the following command for remote capturing:
| >
| >ssh [EMAIL PROTECTED] "sudo tcpdump -ni eth0 -s 0 -w -" > 
| >capture-file.pcap
| >
| >authentication/authorization/confidentiality and transport provided by ssh;
| >
| >does this help ?
| >
| >/hannes
| >-
| >This is the tcpdump-workers list.
| >Visit https://lists.sandelman.ca/ to unsubscribe.
| >
| > 
| >
| 
| 
| -- 
| Dipl-Ing (FH) MSc. C.E Ren? Pilz
| ftw. Telekommunications Research Center Vienna http://www.ftw.at
| Tech Gate Vienna, Donaucitystra?e 1, A-1220 Wien
| Mobile: +43 664 8269871 Office: +43 1 5052830-13  Fax: +43 1 5052830-99
| 
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] compile failed on NetBSD-1.6.2

2005-04-12 Thread Hannes Gredler 
checked in; - /hannes

On Tue, Apr 12, 2005 at 06:38:18AM +0900, TANAKA Shin-ya wrote:
| Hi,
| while trying to compile libpcap-2005.04.11 on NetBSD-1.6.2, I got this error:
| 
| $ make
| gcc -O2 -I. -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -c ./pcap-bpf.c
| ./pcap-bpf.c: In function `pcap_open_live':
| ./pcap-bpf.c:732: parse error before `:'
| *** Error code 1
| 
| Stop.
| make: stopped in /tmp/aaa/libpcap-2005.04.11
| 
| 
| to solve this error, apply the following patch.
| 
| diff -ur libpcap-2005.04.11.orig/pcap-bpf.c libpcap-2005.04.11/pcap-bpf.c
| --- libpcap-2005.04.11.orig/pcap-bpf.cSun Feb 27 06:58:05 2005
| +++ libpcap-2005.04.11/pcap-bpf.c Mon Apr 11 22:12:18 2005
| @@ -729,7 +729,7 @@
|  #endif
|  #ifdef PCAP_FDDIPAD
|   if (v == DLT_FDDI)
| - p->fddipad = PCAP_FDDIPAD:
| + p->fddipad = PCAP_FDDIPAD;
|   else
|   p->fddipad = 0;
|  #endif
| 
| 
| 
| 
| 
| ---
| 2GB?$B$^$G%a!<%k$d2hA|$J$ICy$aJ|Bj!*$5$i$KFCE5$$$C$Q$$"v
| livedoor ?$B%.%,%a!<%i!<%W%i%9 ?$B!Z?7EP>l![
| http://gigamailerplus.livedoor.com/
| 
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] (3) tcpdump infinite loop bugs... (2 fixed in cvs it seems, 1 not)

2005-04-25 Thread Hannes Gredler 

On Sun, Apr 24, 2005 at 04:02:56PM -0400, v9 wrote:
| 
| i'm not totally sure this is the right place to send this, but i hope
| so.

it is the right place ...
 
| 
| 3 infinite loop dos bugs... the bgp and ldp one SEEM to be fixed in the
| cvs versions...the isis one isn't.

have checked in fixes into CVS-{HEAD, 3.9, 3.8}

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] another infinite loop in tcpdump, RSVP this time (ethereal too)

2005-04-25 Thread Hannes Gredler 
On Sun, Apr 24, 2005 at 10:11:53PM -0400, v9 wrote:
| 
| sorry i didn't include this one in the original message...noticed it

fixed in tcpdump cvs and 3.9 - tx, /hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] (3) tcpdump infinite loop bugs... (2 fixed

2005-04-25 Thread Hannes Gredler 
for software [3.9,cvs] that has not even been released yet ? - /hannes

On Mon, Apr 25, 2005 at 05:28:51PM +0200, Romain Francoise wrote:
| Can someone request CAN numbers for these?  Michael?
| 
| -- 
|   ,''`.
|  : :' :Romain Francoise <[EMAIL PROTECTED]>
|  `. `' http://people.debian.org/~rfrancoise/
|`-
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] tcpdump - fragmented?

2005-04-26 Thread Hannes Gredler 
i am not sure if i understand your question: if your question is
"does tcpdump indicate if an IPv4 packet is fragmented ?" then
the answer is yes, we do display the offset and more-fragment
header flags in verbose (-v) mode;

/hannes

On Tue, Apr 26, 2005 at 11:01:09AM -, soumya r wrote:
| Hello,
|Could anyone please tell whether "tcpdump" produces an output of packets 
in 'fragmented' or 'defragmented' form?
| Thanks
| Soumya.-
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] (3) tcpdump infinite loop bugs... (2 fixed

2005-04-26 Thread Hannes Gredler 
On Mon, Apr 25, 2005 at 07:16:39PM +0200, Romain Francoise wrote:
| Hannes Gredler <[EMAIL PROTECTED]> writes:
| 
| > for software [3.9,cvs] that has not even been released yet ?
| 
| All the exploits mention tcpdump 3.8.x as being affected.  I didn't run
| them to check that it's really the case, though... did you?

you're right for 3.8 it makes sense ... i did check meanwhile and both
isis and rsvp are affected [just committed the outstanding 3.8 fix for rsvp]

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] (3) tcpdump infinite loop bugs... (2 fixed

2005-04-27 Thread Hannes Gredler 
On Tue, Apr 26, 2005 at 07:40:42PM +0200, Romain Francoise wrote:
| Hannes Gredler <[EMAIL PROTECTED]> writes:
| 
| > you're right for 3.8 it makes sense ... i did check meanwhile and both
| > isis and rsvp are affected [just committed the outstanding 3.8 fix for
| > rsvp]
| 
| Okay, thanks.  I have fixes for isis and rsvp but bgp and ldp are more
| problematic, they're said to be fixed in 3.9/CVS but the versions have
| diverged so much since 3.8 that I don't really know what's relevant...
| Do you plan to merge fixes in the 3.8 branch or should I hack things
| myself?

i have checked in fixes for ldp/bgp plus testfiles for the 3.8 branch;

so all 4 reported exploits are fixed now in the 3.8 branch;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] 802.1Q VLAN packets

2005-05-10 Thread Hannes Gredler 
On Tue, May 10, 2005 at 04:09:36PM +, David Moron wrote:
| Hi,
| 
| Where can I find the files related to the VLAN packets. I'm trying to 
| write a simple program to extract IP packets inside VLAN packets using pcap.

for the BPF code generator look into gencode.c / libpcap
for the vlan printer in tcpdump look into print-ether.c

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] preperation for 3.9 branch

2005-05-17 Thread Hannes Gredler 
On Mon, May 16, 2005 at 11:20:20AM -0700, Guy Harris wrote:
| Gianluca Varenni wrote:
| 
| >Is there any new plan for the release of libpcap 0.9?
| 
| At this point, I don't have anything additional planned for tcpdump 
| (other than perhaps grabbing some more capture files from the Ethereal 
| Web site and from mail to the Ethereal list, and running tcpdump against 
| those captures and "fuzzed" versions of those captures), but the fuzzed 
| captured tests I've run all pass now (which doesn't mean there aren't 
| any more bugs for fuzz testing to find, but it means that some obvious 
| ones were fixed).

i have a support for 4 more juniper specific DLTs on the boilerplate plus
support for another BGP SAFI - i'd be gratfule if we could delay the R1
release until end of this week;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] 3.9 release

2005-05-25 Thread Hannes Gredler 
go ahead .. i have committed my stuff  - /hannes

On Wed, May 25, 2005 at 01:19:02PM -0400, mcr wrote:
| -BEGIN PGP SIGNED MESSAGE-
| 
| 
| Hi, I haven't cut the branch yet. Tonight, I think.
| 
| I have a good excuse --- a child process was spawned, and it doesn't
| take well to resource limits yet :-)
| 
| - -- 
| ] Michael Richardson  Xelerance Corporation, Ottawa, ON |  firewalls  
[
| ] mcr @ xelerance.com   Now doing IPsec training, see   |net 
architect[
| ] http://www.sandelman.ca/mcr/www.xelerance.com/training/   |device 
driver[
| ]I'm a dad: http://www.sandelman.ca/lrmr/ 
[
| 
| 
| 
| -BEGIN PGP SIGNATURE-
| Version: GnuPG v1.2.2 (GNU/Linux)
| Comment: Finger me for keys
| 
| iQCVAwUBQpSzhIqHRg3pndX9AQErrQQAvBGhDcpGVMoH9DoCjeE3PgN+eVhhEKI5
| RVH/GdnYImtTA1RL+MjEvgk49cajuvb62fJwI4XzBGsIVGG9jj6QIubVaGdhAazo
| zJfAlGZR/dBFUzo97Kqi/vf3m81BIHo7TyN622C7bYj+EPQfGgjbgk45/3NMyaw3
| N5fcT//7gvs=
| =i+lw
| -END PGP SIGNATURE-
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] MPLS

2005-06-16 Thread Hannes Gredler 
On Fri, Jun 10, 2005 at 12:07:44PM +0200, Paolo Lucente wrote:
| Hello,
| i wish to share (hoping it might be found of interest) a patch i've
| written for personal use; it merges fine against the daily tarball of
| 09-06-2005 (yesterday). It aims to enhance the actual support for MPLS
| label hierarchies in a BPF filter.
| 
| Actually it's not possible, for example, to match a label ignoring the
| content of the upper ones. The patch allows to write an expression like
| 'mpls 1:10 and mpls 3:1024' which checks whether the 2nd label has
| value 10 and the 4th has value 1024 (the top label is meant to be
| 0).

thats does not seem to be correct - i.e.

./tcpdump -ndr ppp.pcap "mpls && mpls && mpls 10"
reading from file ppp.pcap, link-type PPP (PPP)
(000) ldh  [2]
(001) jeq  #0x281   jt 2jf 6
(002) ld   [12]
(003) and  #0xf000
(004) jeq  #0x186a  jt 5jf 6
(005) ret  #1500
(006) ret  #0

does not compare the MPLS label at position 8 [middle label] and
does not compare the MPLS label at potition 4 [top label] but
does compare the MPLS label at position 12 [bottom label];

---

there is one minor nit with the current code - in case of stacked MPLS
labels it does not verify if the Bottom of Stack bit of the previous
label is cleared;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] septel support on libpcap

2005-06-23 Thread Hannes Gredler 
On Thu, Jun 23, 2005 at 10:39:59PM +0300, gilbert HOYEK wrote:
[ ... ]
| Note: dissectors for ss7 protocols do not exist in tcpdump , so anyone who 
| would use it with tcpdump must add these dissectors.Instead they do exsit 
| in Ethereal.

gilbert, call for you to write one ;-) - let me know if you need help; - /hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] print GRE over IPv6 packets

2005-07-03 Thread Hannes Gredler 
On Sat, Jul 02, 2005 at 11:45:56AM +0200, Gert Doering wrote:
| Hi,
| 
| I'm working on adding Cisco-compatible GRE over IPv6 tunneling, and
| the following patch to tcpdump makes tcpdump dissect Cisco-encapsulated
| GRE-over-IPv6 packets.
| 
| The current GRE RFC (rfc2784) neither documents IPv6-over-GRE nor
| GRE-over-IPv6, and there are no IETF drafts either - so it's hard to
| find a normative reference.  
| 
| "It works, though" - and is simple enough to look "obviously correct".
| 
| Hannes, could you check it in, please?
| 
| gert

have added it along with support for RSVP over IPv6; - /hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] IP header filtering of MPLS packets

2005-07-08 Thread Hannes Gredler 
sven,

you need to specify the keyword "mpls" in order to
shift the offsets to match IP addresses;

i.e. 

tcpdump -n -i eth1 -O -vv "mpls && src net 195.113.0.0/16" 

pls turn off the optimizer [-O flag] as without tcpdump
returns the error "tcpdump: expression rejects all packets";

guy, do you have any idea what cause the optimizer to dead-optimize
this expression ?

/hannes

On Fri, Jul 08, 2005 at 12:17:17PM +0200, Sven Ubik wrote:
| Hi All,
| 
| I need to monitor a link with MPLS enabled. Is it possible to filter
| MPLS packets based on IP header fields? IP header is after MPLS header
| and tcpdump correctly recognizes that:
| 
| tcpdump -n -i eth1 -vv ether proto 0x8847
| 
| 12:01:33.175076 MPLS (label 39, exp 0, [S], ttl 255)
| IP (tos 0x0, ttl  60, id 10954, offset 0, flags [DF], length: 1500)
| 147.32.127.222.80 > 82.57.120.192.11472: . 4380:5840(1460) ack 1 win 
1728
| 
| but when I add filter for say source IP address, tcpdump fails:
| 
| tcpdump -n -i eth1 -vv ether proto 0x8847 and src net 195.113.0.0/16
| 
| eth1 not found (did you install the module?), down or already in use.
| Using Linux packet capture on eth1
| tcpdump: WARNING: setsockopt: Protocol not available
| tcpdump: WARNING: eth1: no IPv4 address assigned
| tcpdump: expression rejects all packets
| 
| when I try just to filter source IP addresses without requesting packets
| with MPLS headers, it works, but tcpdump returns only packets that did
| not have an MPLS header (multicast and a few other special packets of
| inter-router communication):
| 
| tcpdump -n -i eth1 -vv src net 195.113.0.0/16
| 
| 12:13:32.240979 IP 195.113.69.53 > 224.0.0.13: pim v2 Join/Prune
| upstream-neighbor=195.113.69.54 groups=1 holdtime=3m30s (group0: 233.10.47.22 
join=1
| 194.160.9.2(S) prune=0)
| 
| Thanks.
| 
| Regards,
| 
| Sven Ubik
| CESNET
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] IP header filtering of MPLS packets

2005-07-08 Thread Hannes Gredler 
seven,

sorry brain-fart;

the optimizer does the right thing;

the problem is that the bpf_code generation in
conjunction with the keyword "mpls" is broken;

i'll have a a look at that;

/hannes

--

sven,

you need to specify the keyword "mpls" in order to
shift the offsets to match IP addresses;

i.e. 

tcpdump -n -i eth1 -O -vv "mpls && src net 195.113.0.0/16" 

pls turn off the optimizer [-O flag] as without tcpdump
returns the error "tcpdump: expression rejects all packets";

guy, do you have any idea what cause the optimizer to dead-optimize
this expression ?

/hannes

On Fri, Jul 08, 2005 at 12:17:17PM +0200, Sven Ubik wrote:
| Hi All,
| 
| I need to monitor a link with MPLS enabled. Is it possible to filter
| MPLS packets based on IP header fields? IP header is after MPLS header
| and tcpdump correctly recognizes that:
| 
| tcpdump -n -i eth1 -vv ether proto 0x8847
| 
| 12:01:33.175076 MPLS (label 39, exp 0, [S], ttl 255)
| IP (tos 0x0, ttl  60, id 10954, offset 0, flags [DF], length: 1500)
| 147.32.127.222.80 > 82.57.120.192.11472: . 4380:5840(1460) ack 1 win 
1728
| 
| but when I add filter for say source IP address, tcpdump fails:
| 
| tcpdump -n -i eth1 -vv ether proto 0x8847 and src net 195.113.0.0/16
| 
| eth1 not found (did you install the module?), down or already in use.
| Using Linux packet capture on eth1
| tcpdump: WARNING: setsockopt: Protocol not available
| tcpdump: WARNING: eth1: no IPv4 address assigned
| tcpdump: expression rejects all packets
| 
| when I try just to filter source IP addresses without requesting packets
| with MPLS headers, it works, but tcpdump returns only packets that did
| not have an MPLS header (multicast and a few other special packets of
| inter-router communication):
| 
| tcpdump -n -i eth1 -vv src net 195.113.0.0/16
| 
| 12:13:32.240979 IP 195.113.69.53 > 224.0.0.13: pim v2 Join/Prune
| upstream-neighbor=195.113.69.54 groups=1 holdtime=3m30s (group0: 233.10.47.22 
join=1
| 194.160.9.2(S) prune=0)
| 
| Thanks.
| 
| Regards,
| 
| Sven Ubik
| CESNET
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] IP header filtering of MPLS packets

2005-07-08 Thread Hannes Gredler 
sven,

i have just checked in a fix for MPLS code generation into libpcap HEAD and 0_9:

---
if we have a MPLS label stack deeper > 1 then generate a match 
  for a cleared bottom-of-stack-bit of the previous MPLS shim header  
  rather than just incrementing the offset; 

if there is a compined expression of MPLS and IP like e.g.
  "mpls && ip" | "mpls && ip host" | "mpls && ip src net"
  then poison the linkoffset to make sure that other code generators
  do not try to match link-layer protos like Q_ARP, Q_RARP etc.

introduce a new function gen_null() that matches against the first nibble
  of the IP header and matches if the bottom-of-stack bit is set;  

TODO: IPv6 stuff i.e. gen_host6() etc.
--

so tcpdump -nvvi eth1 "mpls && src net 195.113.0.0/16"

should work now;

/hannes

On Fri, Jul 08, 2005 at 12:17:17PM +0200, Sven Ubik wrote:
| Hi All,
| 
| I need to monitor a link with MPLS enabled. Is it possible to filter
| MPLS packets based on IP header fields? IP header is after MPLS header
| and tcpdump correctly recognizes that:
| 
| tcpdump -n -i eth1 -vv ether proto 0x8847
| 
| 12:01:33.175076 MPLS (label 39, exp 0, [S], ttl 255)
| IP (tos 0x0, ttl  60, id 10954, offset 0, flags [DF], length: 1500)
| 147.32.127.222.80 > 82.57.120.192.11472: . 4380:5840(1460) ack 1 win 
1728
| 
| but when I add filter for say source IP address, tcpdump fails:
| 
| tcpdump -n -i eth1 -vv ether proto 0x8847 and src net 195.113.0.0/16
| 
| eth1 not found (did you install the module?), down or already in use.
| Using Linux packet capture on eth1
| tcpdump: WARNING: setsockopt: Protocol not available
| tcpdump: WARNING: eth1: no IPv4 address assigned
| tcpdump: expression rejects all packets
| 
| when I try just to filter source IP addresses without requesting packets
| with MPLS headers, it works, but tcpdump returns only packets that did
| not have an MPLS header (multicast and a few other special packets of
| inter-router communication):
| 
| tcpdump -n -i eth1 -vv src net 195.113.0.0/16
| 
| 12:13:32.240979 IP 195.113.69.53 > 224.0.0.13: pim v2 Join/Prune
| upstream-neighbor=195.113.69.54 groups=1 holdtime=3m30s (group0: 233.10.47.22 
join=1
| 194.160.9.2(S) prune=0)
| 
| Thanks.
| 
| Regards,
| 
| Sven Ubik
| CESNET

| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] print-slow.c

2005-07-13 Thread Hannes Gredler 
On Tue, Jul 12, 2005 at 11:10:38PM -0700, Loris Degioanni wrote:
| Some genius had the idea of adding a new file (print-slow.c) to the 
| repository few hours before the x.9.2 release, without at least trying 
| to recompile on all the platforms. Result: tcpdump 3.9.2 doesn't compile 
| under Windows (even if it used to compile the night before the release).

that was me - guilty;
 
| We already checked in a patch, are there plans for a x.9.3 release? If 
| yes, could people stop to do breaking commits before it's done?

you could help me avoiding those things by writing up a document that
describes what files you need on windows to be touched / added;
i only test on freebsd and linux;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] [PATCH] Updated time-based dumpfile rotation (against 3.9.1)

2005-07-20 Thread Hannes Gredler 
will,

pls could you re-submit your patch as a unified diff against CVS head;

/hannes

On Tue, Jul 19, 2005 at 10:29:04PM -0700, Will Drewry wrote:
| Hi All -
| 
| I've recently rewritten the patch I submitted last November which
| allows tcpdump to automagically rotate dump files based on some time
| in seconds specified by the -G argument.  I rewrote the patch to have
| less impact on the tcpdump code in hopes that this patch will be
| better received.  The patch can be found below:
| 
| 
https://sourceforge.net/tracker/index.php?func=detail&aid=1066046&group_id=53066&atid=469575
| 
| Any questions, comments, suggestions, fixes, etc are appreciated! I
| would love to see this functionality go upstream some day, and I'm
| more than willing to do what's needed to get it into shape.
| 
| Thanks!
| will

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] misprinting of GRE tunneled packets on NetBSD Sparc64

2005-07-26 Thread Hannes Gredler 
On Tue, Jul 26, 2005 at 04:34:16PM +0200, Gert Doering wrote:
| Hi,
| 
| I'm sure this is going to be difficult to diagnose - so I need some 
| help to figure out where to start.
| 
| Setup: 
|   NetBSD -current (3.99.7) on Sparc64.
|   IPv6-over-GRE-over-IPv4 tunneling
|   tcpdump HEAD from CVS
|   system libpcap
| 
| $ ./tcpdump -V
| tcpdump version 3.9-PRE-CVS
| libpcap version 0.8.3
| 
| (this is because using libpcap-3.9-PRE-CVS makes tcpdump core dump, for
| whatever reason??!)

can i have the core file for inspection, pls ?
 
| 
| Sniffing on the LAN for "host " gives:
| 
| tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
| listening on hme0, link-type EN10MB (Ethernet), capture size 65535 bytes
| 16:14:04.595494 IP 172.30.1.153 > 193.149.44.208: GREv0, length 60: IP6 
2001:608:8003::1 > 2001:608:4::3: ICMP6, echo request, seq 0, length 16
| 16:14:04.700420 IP 193.149.44.208 > 172.30.1.153: GREv0, length 60: IP6 
2001:608:4::3 > 2001:608:8003::1: ICMP6, echo reply, seq 0, length 16
| 16:14:05.595419 IP 172.30.1.153 > 193.149.44.208: GREv0, length 60: IP6 
2001:608:8003::1 > 2001:608:4::3: ICMP6, echo request, seq 1, length 16
| 16:14:05.746677 IP 193.149.44.208 > 172.30.1.153: GREv0, length 60: IP6 
2001:608:4::3 > 2001:608:8003::1: ICMP6, echo reply, seq 1, length 16
| 
| -> perfect, this is exactly how it should be.
| 
| 
| Sniffing on the tunnel interface (gre0) gives:
| 
| [EMAIL PROTECTED]:/home/gert/cdp/tcpdump$ SU ./tcpdump -n -s0 -i gre0
| tcpdump: WARNING: gre0: no IPv4 address assigned
| tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
| listening on gre0, link-type NULL (BSD loopback), capture size 65535 bytes
| 16:16:28.835438 IP6 2001:608:8003::1 > 2001:608:4::3: ICMP6, echo request, 
seq 0, length 16
| 16:16:28.937041 IP6 , wrong link-layer encapsulationbad-hlen 0
| 16:16:29.835377 IP6 2001:608:8003::1 > 2001:608:4::3: ICMP6, echo request, 
seq 1, length 16
| 16:16:29.947910 IP6 , wrong link-layer encapsulationbad-hlen 0
| 
| -> which is weird.  Outgoing packets are properly decoded, incoming
| packets are not properly displayed.
| 
| With "-X", the packets look like this:
| 
| 16:32:36.925380 IP6 2001:608:8003::1 > 2001:608:4::3: ICMP6, echo request, 
seq 1, length 16
| 0x:  6000  0010 3a40 2001 0608 8003   `.:@
| 0x0010:     0001 2001 0608 0004   
| 0x0020:     0003 8000 1c21 ecc8 0001  ...!
| 0x0030:  42e6 4984 000e 1e34  B.I4
| 16:32:37.024946 IP6 , wrong link-layer encapsulationbad-hlen 0
| 0x:  6000  0010 3a3d 2001 0608 0004   `.:=
| 0x0010:     0003 2001 0608 8003   
| 0x0020:     0001 8100 1b21 ecc8 0001  ...!
| 0x0030:  42e6 4984 000e 1e34  B.I4
| 
| (The pinging itself works fine, so the issue is not "corrupted packets"
| but more "corrupted signalling kernel->libpcap" or such).
| 
| 
| What could be causing this effect?  How can I narrow this down, and 
| get it fixed / fix it?

can you send me the .pcap of the gre tunnel and i have a look;

i am anticipating a kernel issue - 
typically we get this error message when the kernel tells us
that the payload is IPv4 [and in reality is IPv6] - that makes
the IPv4 printer bark;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] 0.9.4/3.9.4 release?

2005-08-19 Thread Hannes Gredler 

Michael Richardson wrote:


-BEGIN PGP SIGNED MESSAGE-


 


"Guy" == Guy Harris <[EMAIL PROTECTED]> writes:
   


   Guy> I've checked in some libpcap fixes for HP-UX and Mike Kershaw's
   Guy> support for radiotap in Linux, and Hannes has checked in some
   Guy> changes in both libpcap and tcpdump for additional Juniper
   Guy> link-layer types.
 



i have not yet done the printers for those (but that should be 
straightforward)

can you give me the weekend to complete those, pls ?


   Guy> Unless there are some other fixes in the pipeline, or some
   Guy> tcpdump vulnerabilities not yet fixed, this might be a good
   Guy> time to do 0.9.4 and 3.9.4 releases (which, unlike 0.9.3 and
   Guy> 3.9.3, will identify themselves correctly).  
 


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] [PATCH] DCCP - print all ACKs

2005-11-03 Thread Hannes Gredler 

checked into HEAD;

who is going to receive credit/blame for this patch ?

andrea, ian or both ?

tx, /hannes

Ian McDonald wrote:

Hi there folks,

Andrea Bittau picked up we weren't displaying ACKs for close packets
and provided a preliminary patch.

I've gone through the spec and reworked the patch slightly and it now
prints for all relevant packets.

This patch is against latest weekly CVS of tcpdump - 2005.10.03

Can this please be added to tcpdump?

Regards,

Ian
--
Ian McDonald
http://wand.net.nz/~iam4
WAND Network Research Group
University of Waikato
New Zealand




diff -uprN -X dontdiff tcpdump-2005.10.03/print-dccp.c dccpdump/print-dccp.c
--- tcpdump-2005.10.03/print-dccp.c 2005-09-20 18:25:20.0 +1200
+++ dccpdump/print-dccp.c   2005-11-04 12:06:48.0 +1300
@@ -155,25 +155,32 @@ static u_int64_t dccp_seqno(const struct
return seqno;
 }
 
-static u_int64_t dccp_ack_no(const struct dccp_hdr *dh,

-   const struct dccp_hdr_ack_bits *dh_ack)
+static inline unsigned int dccp_basic_hdr_len(const struct dccp_hdr *dh)
 {
+   return sizeof(*dh) + (DCCPH_X(dh) ? sizeof(struct dccp_hdr_ext) : 0);
+}
+
+static void dccp_print_ack_no(const u_char *bp)
+{
+   const struct dccp_hdr *dh = (const struct dccp_hdr *)bp;
+   const struct dccp_hdr_ack_bits *dh_ack =
+   (struct dccp_hdr_ack_bits *)(bp + dccp_basic_hdr_len(dh));
+
+   TCHECK2(*dh_ack,4);
u_int32_t ack_high = DCCPH_ACK(dh_ack);
u_int64_t ackno = EXTRACT_24BITS(&ack_high) & 0xFF;
 
 	if (DCCPH_X(dh) != 0) {

+   TCHECK2(*dh_ack,8);
u_int32_t ack_low = dh_ack->dccph_ack_nr_low;

ackno &= 0x00;  /* clear reserved field */
ackno = (ackno << 32) + EXTRACT_32BITS(&ack_low);
}
 
-	return ackno;

-}
-
-static inline unsigned int dccp_basic_hdr_len(const struct dccp_hdr *dh)
-{
-   return sizeof(*dh) + (DCCPH_X(dh) ? sizeof(struct dccp_hdr_ext) : 0);
+   (void)printf("(ack=%" PRIu64 ") ", ackno);
+trunc:
+   return;
 }
 
 static inline unsigned int dccp_packet_hdr_len(const u_int8_t type)
@@ -309,9 +316,7 @@ void dccp_print(const u_char *bp, const 
 		struct dccp_hdr_response *dhr =

(struct dccp_hdr_response *)(bp + 
dccp_basic_hdr_len(dh));
TCHECK(*dhr);
-   (void)printf("response (service=%d, ack=%" PRIu64 ") ",
-dhr->dccph_resp_service,
-dccp_ack_no(dh,&(dhr->dccph_resp_ack)));
+   (void)printf("response (service=%d) ", dhr->dccph_resp_service);
extlen += 12;
break;
}
@@ -319,20 +324,12 @@ void dccp_print(const u_char *bp, const 
 		(void)printf("data ");

break;
case DCCP_PKT_ACK: {
-   struct dccp_hdr_ack_bits *dha =
-   (struct dccp_hdr_ack_bits *)(bp + 
dccp_basic_hdr_len(dh));
-   TCHECK(*dha);
-   (void)printf("ack (ack=%" PRIu64 ") ",
-dccp_ack_no(dh,dha));
+   (void)printf("ack ");
extlen += 8;
break;
}
case DCCP_PKT_DATAACK: {
-   struct dccp_hdr_ack_bits *dha =
-   (struct dccp_hdr_ack_bits *)(bp + 
dccp_basic_hdr_len(dh));
-   TCHECK(*dha);
-   (void)printf("dataack (ack=%" PRIu64 ") ",
-dccp_ack_no(dh,dha));
+   (void)printf("dataack ");
extlen += 8;
break;
}
@@ -366,6 +363,10 @@ void dccp_print(const u_char *bp, const 
 		break;

}
 
+	if ((DCCPH_TYPE(dh) != DCCP_PKT_DATA) && 
+			(DCCPH_TYPE(dh) != DCCP_PKT_REQUEST))

+   dccp_print_ack_no(bp);
+
if (vflag < 2)
return;
 





-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] [PATCH] DCCP - print all ACKs

2005-11-03 Thread Hannes Gredler 

Ian is already on the blamelist (aka CREDITS) - so i just have added Andrea;

tx again for your submission;

/hannes

Ian McDonald wrote:

On 04/11/05, Hannes Gredler <[EMAIL PROTECTED]> wrote:


checked into HEAD;

who is going to receive credit/blame for this patch ?

andrea, ian or both ?



Both

--
Ian McDonald
http://wand.net.nz/~iam4
WAND Network Research Group
University of Waikato
New Zealand

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Paquets smaller than 64 bytes

2005-11-23 Thread Hannes Gredler 



David Rosal wrote:
[ ... ]
But what's is very strange is that 
everytime I make a capture session with tcpdump I get *many* packets of 
60 bytes that are not originated in my own machine nor are them sent to it.


Here's an example of the output of tcpdump:
$ tcpdump -c5 '(host not 193.145.45.234 && len < 64)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:23:12.896879 802.1d config 802c.00:08:21:23:f0:80.800f root 
8000.00:07:0d:52:f4:2c pathcost 8 age 2 max 20 hello 2 fdelay 15

14:23:13.207367 arp who-has efpc266.upf.es tell telecom.upf.es
14:23:13.207963 arp who-has efpc148.upf.es tell telecom.upf.es
14:23:14.895948 802.1d config 802c.00:08:21:23:f0:80.800f root 
8000.00:07:0d:52:f4:2c pathcost 8 age 2 max 20 hello 2 fdelay 15
14:23:16.895997 802.1d config 802c.00:08:21:23:f0:80.800f root 
8000.00:07:0d:52:f4:2c pathcost 8 age 2 max 20 hello 2 fdelay 15

$

Could anyone explain me the reason for that behaviour?


the example packets you have provided are all broadcasts which
by definition should be seen by all hosts on your local LAN.

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] libpcap for PPP raw data problem

2005-12-05 Thread Hannes Gredler 

libpcap does not do what you want it to do ...
however you may want to look at the text2pcap utility
that is bundled with ethereal.

/hannes

BinaryChen(TP/SH) wrote:

Hi,
 
I have captured some raw PPP data from serial driver, and I want use libpcap to convert to pcap file format so the ethereal can help me do some analyze. Can anyone provide some sample or hints to me?
 
Thanks a lot.
 
Binary Chen

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] gettimeofday() on Win32

2005-12-05 Thread Hannes Gredler 

would'nt it make sense to guard your private gettimeofday() function
with #if defined(_MSC_VER) || defined(_MSC_EXTENSIONS) || defined(__WATCOMC__)

/hannes

Gisle Vanem wrote:
The recent (?) -G option requires gettimeofday() which isn't available 
on Win32. Attached is a patch to util.c which adds this function.


--gv
--- tcpdump-2005.12.03/util.cThu Jun 16 00:19:38 2005
+++ util.cSat Dec 03 17:01:05 2005
@@ -526,3 +526,44 @@
else
printf("\\%03o", ch);
}
+
+#ifdef WIN32
+/*
+ * Number of micro-seconds between the beginning of the Windows epoch
+ * (Jan. 1, 1601) and the Unix epoch (Jan. 1, 1970).
+ *
+ * This assumes all Win32 compilers have 64-bit support.
+ */
+#if defined(_MSC_VER) || defined(_MSC_EXTENSIONS) || defined(__WATCOMC__)
+  #define DELTA_EPOCH_IN_USEC  116444736Ui64
+#else
+  #define DELTA_EPOCH_IN_USEC  116444736ULL
+#endif
+
+static u_int64_t filetime_to_unix_epoch (const FILETIME *ft)
+{
+u_int64_t res = (u_int64_t) ft->dwHighDateTime << 32;
+
+res |= ft->dwLowDateTime;
+res /= 10;   /* from 100 nano-sec periods to usec */
+res -= DELTA_EPOCH_IN_USEC;  /* from Win epoch to Unix epoch */
+return (res);
+}
+
+int gettimeofday (struct timeval *tv, void *tz _U_)
+{
+FILETIME  ft;
+u_int64_t tim;
+
+if (!tv) {
+errno = EINVAL;
+return (-1);
+}
+GetSystemTimeAsFileTime (&ft);
+tim = filetime_to_unix_epoch (&ft);
+tv->tv_sec  = (long) (tim / 100L);
+tv->tv_usec = (long) (tim % 100L);
+return (0);
+}
+#endif




-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] gettimeofday() on Win32

2005-12-05 Thread Hannes Gredler 

pls ignore prev. comment -> brain fart - checked in your patch - /hannes

Gisle Vanem wrote:
The recent (?) -G option requires gettimeofday() which isn't available 
on Win32. Attached is a patch to util.c which adds this function.


--gv
--- tcpdump-2005.12.03/util.cThu Jun 16 00:19:38 2005
+++ util.cSat Dec 03 17:01:05 2005
@@ -526,3 +526,44 @@
else
printf("\\%03o", ch);
}
+
+#ifdef WIN32
+/*
+ * Number of micro-seconds between the beginning of the Windows epoch
+ * (Jan. 1, 1601) and the Unix epoch (Jan. 1, 1970).
+ *
+ * This assumes all Win32 compilers have 64-bit support.
+ */
+#if defined(_MSC_VER) || defined(_MSC_EXTENSIONS) || defined(__WATCOMC__)
+  #define DELTA_EPOCH_IN_USEC  116444736Ui64
+#else
+  #define DELTA_EPOCH_IN_USEC  116444736ULL
+#endif
+
+static u_int64_t filetime_to_unix_epoch (const FILETIME *ft)
+{
+u_int64_t res = (u_int64_t) ft->dwHighDateTime << 32;
+
+res |= ft->dwLowDateTime;
+res /= 10;   /* from 100 nano-sec periods to usec */
+res -= DELTA_EPOCH_IN_USEC;  /* from Win epoch to Unix epoch */
+return (res);
+}
+
+int gettimeofday (struct timeval *tv, void *tz _U_)
+{
+FILETIME  ft;
+u_int64_t tim;
+
+if (!tv) {
+errno = EINVAL;
+return (-1);
+}
+GetSystemTimeAsFileTime (&ft);
+tim = filetime_to_unix_epoch (&ft);
+tv->tv_sec  = (long) (tim / 100L);
+tv->tv_usec = (long) (tim % 100L);
+return (0);
+}
+#endif




-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

:Re: [tcpdump-workers] libpcap for PPP raw data problem

2005-12-05 Thread Hannes Gredler 

from the manpage:


NAME
   text2pcap - Generate a capture file from an ASCII hexdump of packets

SYNOPSYS
   text2pcap [ -h ] [ -d ] [ -q ] [ -o hex|oct ] [ -l typenum ] [ -e l3pid 
] [ -i proto ] [ -m max-packet ]
   [ -u srcport,destport ] [ -T srcport,destport ] [ -s 
srcport,destport,tag ] [ -S srcport,destport,ppi ]
   [ -t timefmt ] infile outfile

DESCRIPTION
   Text2pcap is a program that reads in an ASCII hex dump and writes the 
data described into a libpcap-style cap-
   ture file.  text2pcap can read hexdumps with multiple packets in them, 
and build a capture file of multiple
   packets.  text2pcap is also capable of generating dummy Ethernet, IP and 
UDP, TCP, or SCTP headers, in order to
   build fully processable packet dumps from hexdumps of application-level 
data only.

[ ... ]

/hannes

BinaryChen(TP/SH) wrote:

Hi Hannes,
 
Have you used the text2pcap? What function does it provide?
In its man page, it support change hexdump result to pcap format, but in 
ASCII format.

I wonder to know what is hexdump'ed? The raw data or ...
 
Thanks a lot.
 
Binary Chen



*From:* [EMAIL PROTECTED] ´ú±í Hannes Gredler
*Sent:* 2005-12-5 (ÐÇÆÚÒ») 16:07
*To:* tcpdump-workers@lists.tcpdump.org
*Subject:* Spam:Re: [tcpdump-workers] libpcap for PPP raw data problem

libpcap does not do what you want it to do ...
however you may want to look at the text2pcap utility
that is bundled with ethereal.

/hannes

BinaryChen(TP/SH) wrote:
 > Hi,
 > 
 > I have captured some raw PPP data from serial driver, and I want use 
libpcap to convert to pcap file format so the ethereal can help me do 
some analyze. Can anyone provide some sample or hints to me?
 > 
 > Thanks a lot.
 > 
 > Binary Chen

 > -
 > This is the tcpdump-workers list.
 > Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.




-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] timestamp difference since first packet under

2005-12-12 Thread Hannes Gredler 

could you provide me a pointer to the openBSD source tree containing the -t
modification then i can see if we can check this in;

/hannes

nero one wrote:

Hello.  OpenBSD added the -t option which, from what I understand, a very 
similar output to
tethereal's default timestamp "Add -t option (timestamp difference since the first packet)". 
How can I get the same functionality under linux?  I can't find a tarball anywhere that'll give me

that.

My problem is this.  I'm tcpdumping on two systems (A & B) and C on a tapped line. 


[A]-+-[B]
| \ 
|  network tap

|
   [C]

without -t (regular output) .. if i'm throwing lots of juice from system A 
to system to system
B so that I can see if [C] is capturing at the exact same time as [B]

A) need to set up NTP
B) still need to take into account any type of discepancy in miliseconds between 
system B & C when
comparing dumps

so for instance .. if B sees the packet at .398348 and C sees it at .398350, 
does that mean that
it took longer to get to B than C?
Was the system clock off by a few milimiliseconds maybe?

In scenario B) (-t) ... the packets start at point 0.
and so the actual latency from start to finish can be easily calculated.

anyways.  feedback on this would be great

thanks :)

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
-

This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] timestamp difference since first packet under

2005-12-13 Thread Hannes Gredler 

found the openBSD tcpdump tree meanwhile ...

have added the desired functionality to HEAD.
would you mind checking out if it fits your needs ?

/hannes

nero one wrote:

Hello.  OpenBSD added the -t option which, from what I understand, a very 
similar output to
tethereal's default timestamp "Add -t option (timestamp difference since the first packet)". 
How can I get the same functionality under linux?  I can't find a tarball anywhere that'll give me

that.

My problem is this.  I'm tcpdumping on two systems (A & B) and C on a tapped line. 


[A]-+-[B]
| \ 
|  network tap

|
   [C]

without -t (regular output) .. if i'm throwing lots of juice from system A 
to system to system
B so that I can see if [C] is capturing at the exact same time as [B]

A) need to set up NTP
B) still need to take into account any type of discepancy in miliseconds between 
system B & C when
comparing dumps

so for instance .. if B sees the packet at .398348 and C sees it at .398350, 
does that mean that
it took longer to get to B than C?
Was the system clock off by a few milimiliseconds maybe?

In scenario B) (-t) ... the packets start at point 0.
and so the actual latency from start to finish can be easily calculated.

anyways.  feedback on this would be great

thanks :)

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
-

This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] timestamp difference since first packet under

2005-12-13 Thread Hannes Gredler 



Guy Harris wrote:

Hannes Gredler wrote:


found the openBSD tcpdump tree meanwhile ...

have added the desired functionality to HEAD.



Do we want relative time stamps (-ttt, for secs/usecs since previous 
packet, and -t, for secs/usecs since first packet) to be printed as 
HH:MM:SS.UU, or seconds.UU?


in the sense of having an indicator wether this is a relative/or absolute 
timestamp ?

The original "-ttt" was, I think, clearly broken, as no decimal point 
was printed if the delta was less than 1 second, and a space was printed 
after the decimal point if the delta was >= 1 second, so fixing that is 
definitely right.


OpenBSD prints them as seconds.UU, rather than HH:MM:SS.UU.


saw that and i deliberatly decided against it i.e.
to print HH:MM:SS.UU as it IMHO makes things easier to read for
long-term traces ...

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] timestamp difference since first packet under

2005-12-13 Thread Hannes Gredler 



nero one wrote:

Hannes,

Thanks so much for what looks like something promising.  Only issue here is 
that i'm not quite
sure what you're talking about when you're saying "added functionality to 
HEAD".  Could you be a
bit more explicit or rephrase that perhaps? :)  Is HEAD a directory somewhere 
in the CVS system,
or ?


HEAD is the head of the CVS tree where we do check in all the fancy and new 
stuff ;-)

if you do an anonmymous CVS checkout and don't specify a branch e.g. 
tcpdump_3_9 then
you'll get the HEAD of the tree ...

/hannes


Hannes Gredler wrote:


found the openBSD tcpdump tree meanwhile ...

have added the desired functionality to HEAD.


Do we want relative time stamps (-ttt, for secs/usecs since previous 
packet, and -t, for secs/usecs since first packet) to be printed as 
HH:MM:SS.UU, or seconds.UU?


The original "-ttt" was, I think, clearly broken, as no decimal point 
was printed if the delta was less than 1 second, and a space was printed 
after the decimal point if the delta was >= 1 second, so fixing that is 
definitely right.


OpenBSD prints them as seconds.UU, rather than HH:MM:SS.UU.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.





__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] timestamp difference since first packet under

2005-12-14 Thread Hannes Gredler 
I suppose we could get really ambitious and support strftime()-like  
formats ("strftime()-like" because, for relative times, you don't  have 
any date fields, just time fields).


that would be a really nice idea - so we'd have essentially three
distinct -t behaviours

1.  print absolute timestamps
2.  print relative (prev. packet) timestamps
3.  print relative (first packet) timestamps

plus a format code (is there a standard fmt code for usecs ?)
for relative timestamps we'd need to print e.g. the number of months/years
rather than the month/year abbrev itself ...

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] testing the list

2006-02-17 Thread Hannes Gredler 

works fine ... - /hannes

Michael Richardson wrote:

This is another test of the mailing list.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] error when installling in freeBSD

2006-02-19 Thread Hannes Gredler 

pls try a "make clean;make" - /hannes

PRITHU wrote:

Dear all,
 I was trying to install tcpdump 3.8.3 in freeBSD
5.4, I get the following error -

tcpdump.o(.text+0x8f6): In function `main':
: undefined reference to `pcap_debug'


I have also passsed --enable-yydebug to libpcap's
configure script. But it still gives the same error.

Any help?
Thank You,
Pritula Dhungel.

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
-

This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] error when installling in freeBSD

2006-02-20 Thread Hannes Gredler 

also .. do you have libpcap installed ?

---

pls try a "make clean;make" - /hannes

PRITHU wrote:

Dear all,
 I was trying to install tcpdump 3.8.3 in freeBSD
5.4, I get the following error -

tcpdump.o(.text+0x8f6): In function `main':
: undefined reference to `pcap_debug'


I have also passsed --enable-yydebug to libpcap's
configure script. But it still gives the same error.

Any help?
Thank You,
Pritula Dhungel.

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
-

This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] tcpdump -r option

2006-02-21 Thread Hannes Gredler 



Latha G wrote:

Hi all,

Thanks for your support till now.
I want to clarify few things about the tcpdump -r option
I just used tcpdump -w dump.pcap
The -r option is used just to read back what we stored using -w option or
can we use the dump.pcap file as network and we can apply all options &
filters
  i mean like tcpdump -n -c 1 -r dump.pcap (or)  tcpdump -A -r dump.pcap
can i apply any filter expression and options on this file...
is it ok...
since i didn't use any option or filter while capturing it through -w
option..
is the output what i get from tcpdump -n -c 1 -r dump.pcap looks same as
tcpdump -n -c 1 or any difference is there?


there won't be any difference


Means what i want to clarify is , Is the behaviour of tcpdump when applied
with -r option is same as when it applied on the network directly..


your understanding is correct


And one more is, the captured file dump.pcap can i take to any other system
and then apply tcpdump , and can i expect the output  should be same as that
of on my system


if both systems are configured with the same timezone, yes.

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] "truncated arp " message while using -s option

2006-02-23 Thread Hannes Gredler 



Guy Harris wrote:
The most recent update to the ARP printing code (which isn't yet in a 
release) prints "[|ARP]" for all the truncation cases.


i took the courtesy of cleaning up the printer recently ...
hope i did not break too much ;-)

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] fragmented packets

2006-02-24 Thread Hannes Gredler 

Luis Del Pino wrote:

Hello, i have a question. I am filtering UDP segments by port. In fragmented
packets, i only capture the UDP segment and i can't capture the other
fragments. My questions are: could the fragments loss? or if a fragment is
lost in the network, the UDP segment entirely is it lost?. i'm sorry for my
English.


UDP port numbers are only contained in the first fragment -
and tcpdump does not reassemble fragments
that means you will loose all non-zero fragments.

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Missing af.h

2006-02-26 Thread Hannes Gredler 

af.{c,h} are new files used for AF printing/resolution;
if they would have been committed (blush) they would have been there ...
guy fixed that already ...

/hannes

Gisle Vanem wrote:
This file is needed by print-bgp.c, print-ldp.c and print-rip.c, but 
missing

from the tar-ball. Should it be generated by configure? And the FILES list
af.c as well. That's missing too.

BTW. addrtoname.c on Win32 is missing ETHER_ADDR_LEN. A fix:

--- tcpdump-2006.02.25\addrtoname.c Sat Feb 11 21:11:40 2006
+++ addrtoname.cSat Feb 25 17:26:17 2006
@@ -68,6 +68,10 @@
#include "extract.h"
#include "oui.h"

+#ifndef ETHER_ADDR_LEN
+#include "ether.h"
+#endif
+
/*
 * hash tables for whatever-to-name translations
 *

--gv

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Missing af.h

2006-02-26 Thread Hannes Gredler 

BTW. addrtoname.c on Win32 is missing ETHER_ADDR_LEN. A fix:

--- tcpdump-2006.02.25\addrtoname.c Sat Feb 11 21:11:40 2006
+++ addrtoname.cSat Feb 25 17:26:17 2006
@@ -68,6 +68,10 @@
#include "extract.h"
#include "oui.h"

+#ifndef ETHER_ADDR_LEN
+#include "ether.h"
+#endif
+


tx, committed to head and 3.9 - /hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Missing af.h

2006-02-26 Thread Hannes Gredler 

that was contained in my original file -> fixed; - /hannes

Gisle Vanem wrote:

"Guy Harris" <[EMAIL PROTECTED]> wrote:

No - it, and af.c, should probably be generated from the stuff removed 
from print-bgp.c.


I've checked in versions of af.c and af.h generated that way.



netdissect.h isn't atomic; it needs  ahead of it (from 
tcpdump-stdinc.h). Hence:


--- tcpdump-2006.02.26\af.c Sat Feb 25 19:42:32 2006
+++ af.cSun Feb 26 16:18:00 2006
@@ -32,6 +32,8 @@
"@(#) $Header: /tcpdump/master/tcpdump/af.c,v 1.1 2006/02/25 
20:42:32 guy Exp $ (LBL)";

#endif

+#include 
+
#include "netdissect.h"
#include "af.h"

--gv
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] tcpdump output format

2006-03-06 Thread Hannes Gredler 



Latha G wrote:

Hi all,

I have one question about the output format of tcpdump.
How can we know whether the output from the tcpdump is in the correct
format?
Any file is there to know about the format of the output?


there is no central file - very printer controls its own output formay


The printing of packets on the standard output is tcpdump's implementation
dependent, right?


correct - whenever we add/improve a printer the output format is likely
to change ;-)


Is the the output format will be changed from version to version???


not regularly


Then, where can I find the format of the output?


ls -l print-*.c


like for IP packets the output should be like that.


i am afraid there is no such document ...


in that way , i want...

I got the doubt because..
arp packet once i got is,
13:39:20.680816 arp who-has 172.16.0.136 tell mech_23_28.ac.in
and some other time i got is,
 13:39:20.680816 arp who-has 172.16.0.136 (Broadcast) tell
mech_23_28.ac.in
Any small help be appreciated..

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] tcpdump output format

2006-03-07 Thread Hannes Gredler 

latha,

i fail to understand what your problem is ...
what disturbs you with the (broadcast) output
i.e. what is wrong with this ?

/hannes

Latha G wrote:

Hi Hanees,

Thanks for ur reply...
I referred print-arp.c for arp output format..no where i found (Broadcast)
is using...but it is appearing on the output...[refer to my first mail]
If there is no such information like the output should be printed like
this..
then how can we know whether it is a correct output or not..

And one more thing is , Is the tcpdump tested on any platform(OS)? so that i
can refer
the output on that platform..

My tcpdump version: 3.9.4


On 3/6/06, Hannes Gredler <[EMAIL PROTECTED]> wrote:




Latha G wrote:


Hi all,

I have one question about the output format of tcpdump.
How can we know whether the output from the tcpdump is in the correct
format?
Any file is there to know about the format of the output?


there is no central file - very printer controls its own output formay



The printing of packets on the standard output is tcpdump's


implementation


dependent, right?


correct - whenever we add/improve a printer the output format is likely
to change ;-)



Is the the output format will be changed from version to version???


not regularly



Then, where can I find the format of the output?


ls -l print-*.c



like for IP packets the output should be like that.


i am afraid there is no such document ...



in that way , i want...

I got the doubt because..
arp packet once i got is,
   13:39:20.680816 arp who-has 172.16.0.136 tell mech_23_28.ac.in
and some other time i got is,
13:39:20.680816 arp who-has 172.16.0.136 (Broadcast) tell
mech_23_28.ac.in
Any small help be appreciated..


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.






--
Thaks & Regards,
Latha.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] UDP Fragments

2006-03-11 Thread Hannes Gredler 

luis,

see the answer to the same questions answered a few weeks before.

bottomline is: tcpdump does not perform fragment reassembly and
there is no way to catch the fragments bases on port numbers.

/hannes

Luis Del Pino wrote:

Hi, I'm Luis del Pino, What filter could I use to capture UDP datagrams and
its fragments?

I have this filter "dst 192.168.0.120 and (udp dst port 10005 or udp dst
port 10006 or udp dst port 10007)" but it doesn't capture the fragments. I
only want capture its fragments and not capture all IP datagrams. i have
thought to use the fields, flag and fragment offset in the IP  datagram.

Thanks
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Checksum

2006-03-15 Thread Hannes Gredler 

sure - it could be that the data got corrupted by transit nodes;


Luis Del Pino wrote:

When I capture an UDP datagram from a well-known source, Could the checksum
be incorrect? do I have to calculate it? or How Could I ask other entity
about it?

Thanks
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] How to set snaplen for tcpdump

2006-03-16 Thread Hannes Gredler 

a quick look into the man pages usually helps a lot ;-)

---

NAME
   tcpdump - dump traffic on a network

SYNOPSIS
   tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
   [ -C file_size ] [ -F file ]
   [ -i interface ] [ -m module ] [ -M secret ]
   [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]

   [ -W filecount ]
   [ -E [EMAIL PROTECTED] algo:secret,...  ]
   [ -G rotate_seconds ] [ -y datalinktype ] [ -Z user ]
   [ expression ]

---


[EMAIL PROTECTED] wrote:

Hi,

Default snaplen value for tcpdump is 96 bytes. I need to change the
snaplen value. How to set it. What's the command for that.
If any one has any idea, please pass it on.

Regards,
Santosh



The information contained in this electronic message and any attachments to 
this message are intended for the exclusive use of the addressee(s) and may 
contain proprietary, confidential or privileged information. If you are not the 
intended recipient, you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately and destroy all copies of this message and 
any attachments.

WARNING: Computer viruses can be transmitted via email. The recipient should 
check this email and any attachments for the presence of viruses. The company 
accepts no liability for any damage caused by any virus transmitted by this 
email.

www.wipro.com-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] [PATCH] compress savefiles after each rotation

2006-03-23 Thread Hannes Gredler 

checked in - tx for your submission; - /hannes

Sebastien Raveau wrote:

Hello everybody,


I am submitting this patch for tcpdump that adds the -z flag (to be used in 
conjunction with -C or -G) which can be used to specify a command tcpdump 
should execute on each savefile after it's been rotated.


For example, running:
tcpdump -G 3600 -z bzip2 -w "capture%Y%m%d%H%M%S.pcap"
will make tcpdump close its current savefile and open a new one every hour, 
continue dumping packets in the new savefile while bzip2 compresses (with 
minimum priority so that this does not disturb the capture) the previous 
savefile and renames it to something like capture20060312153936.pcap.bz2


This might sound like a crazy idea, but check it, sometimes the size of 
compressed savefiles is down to 30% of the size of original savefiles! :-)


It has been thoroughly tested on Linux and should work on all Unices as I 
always pay attention to writing code that is compliant with the Single UNIX 
Specification, but since I don't use Windows, I don't know if this patch 
might break Windows compatibility or not... Could somebody please check that 
for me?



Kind regards,





diff -ur tcpdump-2006.03.12/CREDITS tcpdump/CREDITS
--- tcpdump-2006.03.12/CREDITS  2006-02-03 09:32:39.0 +0100
+++ tcpdump/CREDITS 2006-03-12 14:59:10.0 +0100
@@ -123,6 +123,7 @@
Sami Farin  <[EMAIL PROTECTED]>
Scott Rose  <[EMAIL PROTECTED]>
Sebastian Krahmer   <[EMAIL PROTECTED]>
+   Sebastien Raveau<[EMAIL PROTECTED]>
Sebastien Vincent   <[EMAIL PROTECTED]>
Seth Webster<[EMAIL PROTECTED]>
Shinsuke Suzuki <[EMAIL PROTECTED]>
Only in tcpdump: Makefile
Only in tcpdump: addrtoname.o
Only in tcpdump: af.o
Only in tcpdump: checksum.o
Only in tcpdump: config.h
Only in tcpdump: config.log
Only in tcpdump: config.status
Only in tcpdump: cpack.o
Only in tcpdump: gmpls.o
Only in tcpdump: gmt2local.o
Only in tcpdump: ipproto.o
Only in tcpdump: l2vpn.o
Only in tcpdump: machdep.o
Only in tcpdump: nlpid.o
Only in tcpdump: oui.o
Only in tcpdump: parsenfsfh.o
Only in tcpdump: pcap_dump_ftell.o
Only in tcpdump: print-802_11.o
Only in tcpdump: print-ah.o
Only in tcpdump: print-aodv.o
Only in tcpdump: print-ap1394.o
Only in tcpdump: print-arcnet.o
Only in tcpdump: print-arp.o
Only in tcpdump: print-ascii.o
Only in tcpdump: print-atalk.o
Only in tcpdump: print-atm.o
Only in tcpdump: print-beep.o
Only in tcpdump: print-bfd.o
Only in tcpdump: print-bgp.o
Only in tcpdump: print-bootp.o
Only in tcpdump: print-cdp.o
Only in tcpdump: print-chdlc.o
Only in tcpdump: print-cip.o
Only in tcpdump: print-cnfp.o
Only in tcpdump: print-dccp.o
Only in tcpdump: print-decnet.o
Only in tcpdump: print-domain.o
Only in tcpdump: print-dvmrp.o
Only in tcpdump: print-eap.o
Only in tcpdump: print-egp.o
Only in tcpdump: print-eigrp.o
Only in tcpdump: print-enc.o
Only in tcpdump: print-esp.o
Only in tcpdump: print-ether.o
Only in tcpdump: print-fddi.o
Only in tcpdump: print-fr.o
Only in tcpdump: print-gre.o
Only in tcpdump: print-hsrp.o
Only in tcpdump: print-icmp.o
Only in tcpdump: print-igmp.o
Only in tcpdump: print-igrp.o
Only in tcpdump: print-ip.o
Only in tcpdump: print-ipcomp.o
Only in tcpdump: print-ipfc.o
Only in tcpdump: print-ipx.o
Only in tcpdump: print-isakmp.o
Only in tcpdump: print-isoclns.o
Only in tcpdump: print-juniper.o
Only in tcpdump: print-krb.o
Only in tcpdump: print-l2tp.o
Only in tcpdump: print-lane.o
Only in tcpdump: print-ldp.o
Only in tcpdump: print-llc.o
Only in tcpdump: print-lmp.o
Only in tcpdump: print-lspping.o
Only in tcpdump: print-lwres.o
Only in tcpdump: print-mobile.o
Only in tcpdump: print-mpcp.o
Only in tcpdump: print-mpls.o
Only in tcpdump: print-msdp.o
Only in tcpdump: print-nfs.o
Only in tcpdump: print-ntp.o
Only in tcpdump: print-null.o
Only in tcpdump: print-ospf.o
Only in tcpdump: print-pflog.o
Only in tcpdump: print-pgm.o
Only in tcpdump: print-pim.o
Only in tcpdump: print-ppp.o
Only in tcpdump: print-pppoe.o
Only in tcpdump: print-pptp.o
Only in tcpdump: print-radius.o
Only in tcpdump: print-raw.o
Only in tcpdump: print-rip.o
Only in tcpdump: print-rsvp.o
Only in tcpdump: print-rx.o
Only in tcpdump: print-sctp.o
Only in tcpdump: print-sip.o
Only in tcpdump: print-sl.o
Only in tcpdump: print-sll.o
Only in tcpdump: print-slow.o
Only in tcpdump: print-smb.o
Only in tcpdump: print-snmp.o
Only in tcpdump: print-stp.o
Only in tcpdump: print-sunatm.o
Only in tcpdump: print-sunrpc.o
Only in tcpdump: print-symantec.o
Only in tcpdump: print-syslog.o
Only in tcpdump: print-tcp.o
Only in tcpdump: print-telnet.o
Only in tcpdump: print-tftp.o
Only in tcpdump: print-timed.o
Only in tcpdump: print-token.o
Only in tcpdump: print-udp.o
Only in tcpdump: print-vjc.o
Only in tcpdump: print-vqp.o
Only in tcpdump: print-vrrp.o

Re: [tcpdump-workers] A broken filter...

2006-04-02 Thread Hannes Gredler 



Dan Joumaa wrote:


Hello,

I am trying to capture all ethernet packets with the source host's first 
3 octets being 00, 09, and bf. It was suggested that I used this filter: 
"ether[0] == 0x00 && ether[1] == 0x09 && ether[2] == 0xbf." When packets 
are sent that should match, nothing comes through. When I remove the 
filter, I'm able to receive the packets, along with every other packet.


What's wrong with my filter?


perhaps the filter is alright and the data is wrong ;-) -> i.e.

an  idea that come sinto mind is that
the packets come in using 802.1Q (VLAN) encaps ...

can you provide some more information about your capturing interface ?

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] how to construct tcpdump readable packets

2006-04-07 Thread Hannes Gredler 

latha,

you may want to check the text2pcap utility
that comes along with ethereal for learning about
conversion to a libpcap readable format.

/hannes

Latha G wrote:

Hi all,

Is there any way to construct manually a tcpdump readable packet?
As we know the header structres, we can fill those header information and
put it in a string(packet)..
then how to convert this packet to a raw packet such that it can be read by
tcpdump?

Thanks in advance.


--
Regards,
Latha.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Assumptions needed to get the same tcpdump

2006-04-12 Thread Hannes Gredler 

if your DNS is configured correct on both systems and you don't do any
site local private adressing then you should get the identical output
on both systems - if you specifiy the -n flag then tcpdump does not attempt
to resolve names, you should be fine i.e. identical output irrespective
how broken your DNS is.

/hannes

Latha G wrote:

Hi all,

Cann't we expect the output of tcpdump on different systems for the same
input file
to be same?
I am not getting the same output, in the sense it was differencing at the
hostnames..I suppose the problem might be DNS lookups,
one was using and the other one not.
Whether the both systems has to be DNS enabled or disabled?
Is this assumption is needed to get the same output?
Like wise , are there any other assumptions ? or it is impossible to get the
same output on different systems?

Thanks in advance.


--
Regards,
Latha.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] what is the flag -c mean

2006-05-05 Thread Hannes Gredler 

the -c flag (c = count) means that capturing is stopped after  packets ... 
/hannes


Lan Qing wrote:

hello,
I'm of tcpdump,and i got the fllowing words while i'm reading the tcpdump
man page
"   Tcpdump  will,  if not run with the -c flag, continue capturing packets
until it is interrupted by a SIGINT signal  or a SIGTERM sig-nal ; if run
with the  -c flag,  it  will  capture packets until it is interrupted by a
SIGINT or SIGTERM signal or the specified number of packets have been
processed."
it says a lot about -c flag,but it seems like -c flag will not work here(it
is the same using it or not using it). Can someone explan that for me.
thank you for any help.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] about struct in_addr

2006-05-05 Thread Hannes Gredler 

what is the point ? - the storage space is the same ...

Lan Qing wrote:

hello,
I read the fllowing words in the c header file 
"
/* Internet address.  */
typedef uint32_t in_addr_t;
struct in_addr
 {
   in_addr_t s_addr;
 };"
the struct in_addr have only one variable in it, is there any necessary to
define a struct like that?
why not use "typedef in_addr_t in_addr;" directly?

thank you!
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Filtering based on multiple IP address.

2006-05-18 Thread Hannes Gredler 

1. Is there is a limit in the length of filter string


afaik 256 BPF instructions


2. What will be the performance impact because of having a huge filter
string.


linear performance impact


3. Will PCAP automatically reduce the the filter string for performance.


not for a chain of explicit hostanmes

4. Else, can some one provide with a logic to reduce the filter string 
(from

a lot of host address to a simple net address if possible).


you way wnat to have a look what BPF filtercode your expression produces
to get an idea about the processing complexity.

(simply run tcpdump with the -d flag and you'll see the BPF filtercode as
executed by BPF capable kernels).

[EMAIL PROTECTED] ~ $ tcpdump -ndi eth0 "ip && src host 192.168.1.1"
(000) ldh  [12]
(001) jeq  #0x800   jt 2jf 5
(002) ld   [26]
(003) jeq  #0xc0a80101  jt 4jf 5
(004) ret  #96
(005) ret  #0

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] compiling problem

2006-06-07 Thread Hannes Gredler 

zubin,

unless you post qualified information -
for example the config.log file i fear nobody's
crystal ball on the list is clear enough to provide an answer
your question.

/hannes


[EMAIL PROTECTED] wrote:

Hi guys,
 I havent heard from anyone and I really need solution to this problem.
 I was able to successfully create makefile.

 When I tried to run the 'make' command with this option in the makefile
 #CCOPT = -O2
 CCOPT = -g
 I get this error

print-dhcp6.o:./print-dhcp6.c:445: more undefined references to  
`__ntohs' follow

print-dhcp6.o: In function `dhcp6opt_print':
./print-dhcp6.c:465: undefined reference to `__ntohl'
./print-dhcp6.c:469: undefined reference to `__ntohl'
./print-dhcp6.c:489: undefined reference to `__ntohl'
./print-dhcp6.c:551: undefined reference to `__ntohl'
./print-dhcp6.c:563: undefined reference to `__ntohs'
./print-dhcp6.c:573: undefined reference to `__ntohl'
./print-dhcp6.c:574: undefined reference to `__ntohl'
./print-dhcp6.c:575: undefined reference to `__ntohl'
./print-dhcp6.c:596: undefined reference to `__ntohl'
./print-dhcp6.c:598: undefined reference to `__ntohl'


I wanted to use -g so later I can use debuuger like gdb, ddd to debug  
the program.

I would really appreciate help on this matter.

Thanks for your consideration,
zubin


This message was sent using IMP, the Internet Messaging Program.



-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Verbose output of tcpdump on protocols of different

2006-07-27 Thread Hannes Gredler 

mikhail,

what you are suggesting makes sense
and you are welcome to submit a patch ;-)

/hannes

Mikhail Manuylov wrote:

Hello,

I need to parse output of tcpdump printing contents of snmp packets
and insert to database.

First time I thought that output can be explained with some regexps,
but when I looked into sources I've suddenly changed my mind and have
choosed to yacc. Now I'm writing grammar of tcpdump's output in BNF (
because PDML and wireshark is not my choise ).

All I need is snmp printing which is done with verbose flag ( -v |
vflag ). But I DON'T need verbose printing of low level protocols (
ip, udp ). For optional printing of Ethernet header there exists flag
(-e | eflag ), but for ip and udp is not (it depends on vflag). I
don't want to write grammar for that output. Of course I can make some
local crocks (and I will ), but am I the first person complaining
about that behaviour?

I think there should be flags for verbose optional output on EACH
level of tcp|osi model. But because tcpdump only supports BSD style of
cli options, I think config is a good choise there.

Just think about it.


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] [RESEND][PATCH] enable sniff on USB ports onlinux

2006-10-04 Thread Hannes Gredler 
paolo,

checked in.
can you make a fresh checkout and verify if everything is working as expected ?

tx,

/hannes


Paolo Abeni wrote:
> Hello,
> 
> On Mon, 2006-10-02 at 17:15 -0700, Guy Harris wrote:
>> I've added DLT_USB, with a value of 186.
> 
> Must I resent the whole patch with the new DLT, must I send an
> incremental patch or something else ?!?
> 
> Thanks,
> 
> Paolo
> 
>  
>  
>  --
>  Email.it, the professional e-mail, gratis per te: http://www.email.it/f
>  
>  Sponsor:
>  Refill s.r.l. - Prodotti per TUTTE le stampanti sul mercato a prezzi sempre 
> convenienti. Dal 1993, leader nel compatibile di qualità in Italia.
>  Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=5188&d=4-10
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Sniffing inbound ethernet frames only

2006-10-23 Thread Hannes Gredler 


[EMAIL PROTECTED] wrote:
> Dear tcpdump experts,
> 
> I have a Linux box with two Fast Ethernet interfaces.
> In two separate windows on the desktop I want to see
> all inbound ethernet frames (from the wire), but not
> the ethernet frames coming down the local network stack.
> In the left window tcpdump should run to catch all
> incoming ethernet frames from interface eth0.
> In the right window tcpdump should run to catch all
> incoming ethernet frames from interface eth1.
> All outgoing ethernet frames must not be displayed.
> Both tcpdump processes must run in parallel.
> 
> The keyword inbound cannot be used with link level.
> Which tcpdump expression solves the problem?

could you aleborate on the last statement ? -
the keyword 'inbound' should work fine one a linux box ...

/hannes
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Sniffing inbound ethernet frames only

2006-10-24 Thread Hannes Gredler 
> Hello Hannes,
> 
> on SuSE 10.1 (Kernel 2.6.16.13-4) I get the
> following message:
> 
> # tcpdump -i eth1 inbound ether
> tcpdump: inbound/outbound not supported on linktype 1
> # tcpdump --version
> tcpdump version 3.9.4
> libpcap version 0.9.4
> 
> Best regards
> jojo

ok makese sense now - sorry i was confused by junipers DLT for
ethernet which contrary to the 'standard' ethernet DLT 1
does support directions ...

seems the only choice you have left is to filter on your local
MAC adresses to substitute the lack of notion for direction
on the ethernet DLT.

/hannes
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] [PATCH] tcpv6: removal of duplicate code

2006-11-02 Thread Hannes Gredler 
checked in and added you to the hall of shame (aka CREDITS file).

tx for your submission,

/hannes

Gerrit Renker wrote:
> This is an optional patch which removes duplicated code 
> from tcp6_cksum: comparison shows that the code of in_cksum
> re-appears in that function.
> 
> In addition, it fixes a typo in printing invalid checksums:
>   * previously: "cksum xDEAD (incorrect (-> xBEEF)"
>   * now:"cksum xDEAD (incorrect -> xBEEF)"
> 
> 
> Regards
> Gerrit Renker
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] [PATCH]: [DCCP]: support for variable-length

2006-11-02 Thread Hannes Gredler 
checked in.

tx for your submission.

/hannes

Gerrit Renker wrote:
> This introduces support for variable-length checksum in 
> DCCP, as it is specified in section 9 of RFC 4340. 
> 
> Previously tcpdump was only able to validate full-coverage
> checksums, this patch verifies checksums in accordance with
> the CsCov header field (sec. 5.3). 
> 
> The patch has been tested and verified on DCCPv4 and DCCPv6
> connections, checksums were manually validated, and traces
> can be supplied.  
> 
> 
> 
> In addition, the patch also
>   * removes reduplicated code in dccp6_cksum (which 
>   just repeated the code of in_cksum)
>   * fixes a bug in dccp.h -- the fields of CCVAL and
> CSCOV were swapped (cf. section 5.1 of RFC 4340)
>   * fixes a typo in the display of incorrect checksums
> (these were printed as `cksum xDEAD (incorrect (->  xBEEF)',
>it now will print  `cksum xDEAD (incorrect -> xBEEF)'
> 
> I would like to see this merged as a Linux kernel patch already
> exists for DCCP partial checksum coverage support.
> 
> Regards
> Gerrit Renker
> 
> 
>  dccp.h   |4 ++--
>  print-dccp.c |   34 --
>  2 files changed, 18 insertions(+), 20 deletions(-)
> 
> 
> 
> 
> diff --git a/dccp.h b/dccp.h
> index 1afa8c0..8585060 100644
> --- a/dccp.h
> +++ b/dccp.h
> @@ -36,8 +36,8 @@ struct dccp_hdr {
>   }   dccph_xtrs;
>  };
>  
> -#define DCCPH_CCVAL(dh)  (((dh)->dccph_ccval_cscov) & 0x0F)
> -#define DCCPH_CSCOV(dh)  (((dh)->dccph_ccval_cscov >> 4) & 0x0F)
> +#define DCCPH_CCVAL(dh)  (((dh)->dccph_ccval_cscov >> 4) & 0xF)
> +#define DCCPH_CSCOV(dh)  (((dh)->dccph_ccval_cscov) & 0xF)
>  
>  #define DCCPH_X(dh)  ((dh)->dccph_xtrs.dccph_xtr & 1)
>  #define DCCPH_TYPE(dh)   (((dh)->dccph_xtrs.dccph_xtr >> 1) & 0xF)
> diff --git a/print-dccp.c b/print-dccp.c
> index e6bfca6..d19c500 100644
> --- a/print-dccp.c
> +++ b/print-dccp.c
> @@ -60,9 +60,20 @@ static const char *dccp_feature_nums[] =
>   "check data checksum",
>  };
>  
> +static inline int dccp_csum_coverage(const struct dccp_hdr* dh, u_int len)
> +{
> + int cov;
> + 
> + if (DCCPH_CSCOV(dh) == 0)
> + return len;
> + cov = (dh->dccph_doff + DCCPH_CSCOV(dh) - 1) * sizeof(u_int32_t);
> + return (cov > len)? len : cov;
> +}
> +
>  static int dccp_cksum(const struct ip *ip,
>   const struct dccp_hdr *dh, u_int len)
>  {
> + int cov = dccp_csum_coverage(dh, len);
>   union phu {
>   struct phdr {
>   u_int32_t src;
> @@ -86,15 +97,15 @@ static int dccp_cksum(const struct ip *i
>   phu.ph.dst = ip_finddst(ip);
>  
>   sp = &phu.pa[0];
> - return in_cksum((u_short *)dh, len, 
> sp[0]+sp[1]+sp[2]+sp[3]+sp[4]+sp[5]);
> + return in_cksum((u_short *)dh, cov, 
> sp[0]+sp[1]+sp[2]+sp[3]+sp[4]+sp[5]);
>  }
>  
>  #ifdef INET6
>  static int dccp6_cksum(const struct ip6_hdr *ip6, const struct dccp_hdr *dh, 
> u_int len)
>  {
>   size_t i;
> - const u_int16_t *sp;
> - u_int32_t sum;
> + u_int32_t sum = 0;
> + int cov = dccp_csum_coverage(dh, len);
>   union {
>   struct {
>   struct in6_addr ph_src;
> @@ -113,23 +124,10 @@ static int dccp6_cksum(const struct ip6_
>   phu.ph.ph_len = htonl(len);
>   phu.ph.ph_nxt = IPPROTO_DCCP;
>  
> - sum = 0;
>   for (i = 0; i < sizeof(phu.pa) / sizeof(phu.pa[0]); i++)
>   sum += phu.pa[i];
>  
> - sp = (const u_int16_t *)dh;
> -
> - for (i = 0; i < (len & ~1); i += 2)
> - sum += *sp++;
> -
> - if (len & 1)
> - sum += htons((*(const u_int8_t *)sp) << 8);
> -
> - while (sum > 0x)
> - sum = (sum & 0x) + (sum >> 16);
> - sum = ~sum & 0x;
> -
> - return (sum);
> + return in_cksum((u_short *)dh, cov, sum);
>  }
>  #endif
>  
> @@ -288,7 +286,7 @@ #ifdef INET6
>   dccp_sum = EXTRACT_16BITS(&dh->dccph_checksum); 
>   printf("cksum 0x%04x", dccp_sum);   
>   if (sum != 0) {
> - (void)printf(" (incorrect (-> 0x%04x), 
> ",in_cksum_shouldbe(dccp_sum, sum));
> + (void)printf(" (incorrect -> 0x%04x), 
> ",in_cksum_shouldbe(dccp_sum, sum));
>   } else
>   (void)printf(" (correct), ");
>   }   
> 
> 
> 
> 
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] about tcpdump trace file!

2006-11-02 Thread Hannes Gredler 
> Hi, everybody
> 
>  
> 
>I am a new comer! Nowadays, I want to analyze the tcpdump ¨Cw file. Does
> anyone know some tool or method to do this?
> 

you may want to check libpcap/savefile.c
  [http://cvs.tcpdump.org/cgi-bin/cvsweb/libpcap/savefile.c?rev=1.147]

to get a better understanding about the .pcap file format.

/hannes
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Outgoing packets capturing problem

2006-11-14 Thread Hannes Gredler 
what DLT type and what filter expression are you using ?

Nickolay wrote:
> Hello.
> 
> I have a problem with outgoing packets capturing. I see only incoming
> packets.
> Any idea?
> 
> Platform: ARM
> kernel: 2.6.16.20.
> libpcap: 0.9.5(--with-pcap=linux)
> tcpdump: 3.9.5.
> 
> Thanks.
> 
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] to recognize incoming and outgoing packets

2006-11-23 Thread Hannes Gredler 


Juan Pedro Muñoz Gea wrote:
> Hi all,
> 
> I'm using pcap library to capture live packets.
> I want to distinguish incoming and outgoing captured packets
> in an interface in promiscuous mode, without examining the payload, but I
> don't know the way to do it.
> 
> Using the PF_PACKET sockets family, if we use
> the "recvfrom" function and a "struct sockaddr_ll" in the "from" field, we
> can use the "struct sockaddr_ll.sll_pkttype" to know
> if the captured packet is a PACKET_OUTGOING.
> But I don't know if the there is something similar in the pcap library.
> 
> Also, I would like knowing if I might to apply a "FILTER"
> for all the incoming packets, and so, I would only receive
>  the incoming packets.

yes that is supported and supposed to work.
you may look in the manpage for the keywords "inbound" and "outbound"

HTH,

/hannes
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

  1   2   >