authorHakan Olsson <ho@cvs.openbsd.org>2001-04-09 21:21:59 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2001-04-09 21:21:59 +0000
commit6e5fd4a8b572c00359a4c486c5d17ca41c147f5b (patch)
treef0f6a9c657b8d7908d5da659e4d1b95d58cd0fd9 /sbin
parent5992f6def85167a8348043abe1d64c19a4f3f325 (diff)
isakmpd can now capture un-encrypted IKE negotiation packets to a
file. In pcap(3) format, so tcpdump(8) can read it. Idea by Tim Newsham <newsham@lava.net>, work by him and me. Ok angelos@, niklas@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/isakmpd.823
-rw-r--r--sbin/isakmpd/isakmpd.c35
-rw-r--r--sbin/isakmpd/log.c298
-rw-r--r--sbin/isakmpd/log.h13
-rw-r--r--sbin/isakmpd/message.c37
-rw-r--r--sbin/isakmpd/sysdep/common/pcap.h64
-rw-r--r--sbin/isakmpd/sysdep/openbsd/Makefile.sysdep4
-rw-r--r--sbin/isakmpd/ui.c34
8 files changed, 494 insertions, 14 deletions
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index 24041207159..bc41ed87a78 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.23 2001/04/05 23:31:05 ho Exp $
+.\" $OpenBSD: isakmpd.8,v 1.24 2001/04/09 21:21:57 ho Exp $
.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
.\"
.\" Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -49,6 +49,8 @@
.Op Fl n
.Op Fl p Ar listen-port
.Op Fl P Ar local-port
+.Op Fl L
+.Op Fl l Ar packetlog-file
.Op Fl r Ar seed
.Op Fl R Ar report-file
.Sh DESCRIPTION
@@ -173,7 +175,20 @@ option specifies the listen port the daemon will bind to.
.It Fl P Ar local-port
On the other hand, the port specified to capital
.Fl P
-will be what the daemon binds its local end to when acting as initiator.
+will be what the daemon binds its local end to when acting as
+initiator.
+.It Fl L
+Enable IKE packet capture. When this option is given,
+.Nm
+will capture to file an unencrypted copy of the negotiation packets it
+is sending and receiveing. This file can later be read by
+.Xr tcpdump 8
+and other utilities using
+.Xr pcap 3 .
+.It Fl l Ar packetlog-file
+As option
+.Fl L
+above, but capture to a specified file.
.It Fl r Ar seed
If given a deterministic random number sequence will be used internally.
This is useful for setting up regression tests.
@@ -295,6 +310,8 @@ above. Same mode requirements as isakmpd.conf.
.It Pa /var/run/isakmpd.fifo
The FIFO used to manually control
.Nm isakmpd .
+.It Pa /var/run/isakmpd.pcap
+The default IKE packet capture file.
.It Pa /var/run/isakmpd.report
The report file written when
.Dv SIGUSR1
@@ -305,8 +322,10 @@ is received.
.Xr isakmpd.conf 5 ,
.Xr isakmpd.policy 5 ,
.Xr openssl 8 ,
+.Xr pcap 3 ,
.Xr photurisd 8 ,
.Xr ssl 8 ,
+.Xr tcpdump 8 ,
.Xr vpn 8
.Sh HISTORY
The ISAKMP/Oakley key management protocol is described in the RFCs
diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c
index 3647801d41e..48d1e75ee8f 100644
--- a/sbin/isakmpd/isakmpd.c
+++ b/sbin/isakmpd/isakmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmpd.c,v 1.28 2001/04/07 20:36:47 ho Exp $ */
+/* $OpenBSD: isakmpd.c,v 1.29 2001/04/09 21:21:57 ho Exp $ */
/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */
/*
@@ -88,6 +88,11 @@ static char *report_file = "/var/run/isakmpd.report";
/* The default path of the PID file. */
static char *pid_file = "/var/run/isakmpd.pid";
+#ifdef USE_DEBUG
+/* The path of the IKE packet capture log file. */
+static char *pcap_file = 0;
+#endif
+
/*
* If we receive a USR2 signal, this flag gets set to show we need to
* rehash our SA soft expiration timers to a uniform distribution.
@@ -101,7 +106,7 @@ usage ()
fprintf (stderr,
"usage: %s [-c config-file] [-d] [-D class=level] [-f fifo]\n"
" [-i pid-file] [-n] [-p listen-port] [-P local-port]\n"
- " [-r seed] [-R report-file]\n",
+ " [-L] [-l packetlog-file] [-r seed] [-R report-file]\n",
sysdep_progname ());
exit (1);
}
@@ -112,9 +117,10 @@ parse_args (int argc, char *argv[])
int ch;
#ifdef USE_DEBUG
int cls, level;
+ int do_packetlog = 0;
#endif
- while ((ch = getopt (argc, argv, "c:dD:f:i:np:P:r:R:")) != -1) {
+ while ((ch = getopt (argc, argv, "c:dD:f:i:np:P:Ll:r:R:")) != -1) {
switch (ch) {
case 'c':
conf_path = optarg;
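Review bot: The getopt string gains `Ll:` unconditionally, while the `case 'l'`/`case 'L'` handlers in the following hunk and the `pcap_file` variable exist only under USE_DEBUG, so a non-debug build accepts `-L` and `-l file` from getopt and then hands them to the switch's `default:` branch, which lies outside the hunk, and the reworded usage text advertises both options in that build too. Either guard the two letters the same way the cases are guarded (build the option string from `"c:dD:f:i:np:P:r:R:"` with `"Ll:"` appended under `#ifdef USE_DEBUG`), or keep the two cases outside the `#ifdef` and have them print that packet capture is not compiled in. As written, what a user of a non-debug build sees for `-L` depends entirely on the `default:` branch.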
@@ -165,6 +171,16 @@ parse_args (int argc, char *argv[])
exit (1);
break;
+#ifdef USE_DEBUG
+ case 'l':
+ pcap_file = optarg;
+ /* Fallthrough intended. */
+
+ case 'L':
+ do_packetlog++;
+ break;
+#endif /* USE_DEBUG */
+
case 'r':
srandom (strtoul (optarg, 0, 0));
regrand = 1;
@@ -181,6 +197,11 @@ parse_args (int argc, char *argv[])
}
argc -= optind;
argv += optind;
+
+#ifdef USE_DEBUG
+ if (do_packetlog && !pcap_file)
+ pcap_file = PCAP_FILE_DEFAULT;
+#endif
}
/* Reinitialize after a SIGHUP reception. */
@@ -333,7 +354,7 @@ main (int argc, char *argv[])
/* Switch to syslog. */
log_to (0);
}
-
+
write_pid_file ();
/* Reinitialize on HUP reception. */
@@ -345,6 +366,12 @@ main (int argc, char *argv[])
/* Rehash soft expiration timers on USR2 reception. */
signal (SIGUSR2, sigusr2);
+#ifdef USE_DEBUG
+ /* If we wanted IKE packet capture to file, initialize it now. */
+ if (pcap_file != 0)
+ log_packet_init (pcap_file);
+#endif
+
/* Allocate the file descriptor sets just big enough. */
n = getdtablesize ();
mask_size = howmany (n, NFDBITS) * sizeof (fd_mask);
diff --git a/sbin/isakmpd/log.c b/sbin/isakmpd/log.c
index 11f03980545..0b443b897a0 100644
--- a/sbin/isakmpd/log.c
+++ b/sbin/isakmpd/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.16 2001/01/27 12:03:33 niklas Exp $ */
+/* $OpenBSD: log.c,v 1.17 2001/04/09 21:21:57 ho Exp $ */
/* $EOM: log.c,v 1.30 2000/09/29 08:19:23 niklas Exp $ */
/*
@@ -35,25 +35,75 @@
* This code was written under funding by Ericsson Radio Systems.
*/
+#include <sys/types.h>
#include <sys/time.h>
+
+#ifdef USE_DEBUG
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/uio.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <arpa/inet.h>
+
+#ifdef HAVE_PCAP
+#include <pcap.h>
+#else
+#include "sysdep/common/pcap.h"
+#endif
+
+#endif /* USE_DEBUG */
+
#include <errno.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <syslog.h>
+
#ifdef __STDC__
#include <stdarg.h>
#else
#include <varargs.h>
#endif
+#include "isakmp_num.h"
#include "log.h"
static void _log_print (int, int, const char *, va_list, int, int);
static FILE *log_output;
+
#ifdef USE_DEBUG
static int log_level[LOG_ENDCLASS];
-#endif
+
+#define TCPDUMP_MAGIC 0xa1b2c3d4
+#define SNAPLEN (64 * 1024)
+
+struct packhdr {
+ struct pcap_pkthdr pcap; /* pcap file packet header */
+ struct {
+ u_int32_t null_family; /* NULL encapsulation */
+ } null;
+ struct ip ip; /* IP header (w/o options) */
+ struct udphdr udp; /* UDP header */
+};
+
+struct isakmp_hdr {
+ u_int8_t icookie[8], rcookie[8];
+ u_int8_t next, ver, type, flags;
+ u_int32_t msgid, len;
+};
+
+static char *pcaplog_file = NULL;
+static FILE *packet_log;
+static u_int8_t pack[SNAPLEN + sizeof (struct packhdr)];
+static struct packhdr *hdr;
+
+static int udp_cksum (const struct ip *, const struct udphdr *, int);
+static u_int16_t in_cksum (const struct ip *, int);
+#endif /* USE_DEBUG */
void
log_init (void)
@@ -306,3 +356,247 @@ log_fatal (fmt, va_alist)
va_end (ap);
exit (1);
}
+
+#ifdef USE_DEBUG
+void
+log_packet_init (char *newname)
+{
+ struct pcap_file_header sf_hdr;
+ mode_t old_umask;
+
+ if (pcaplog_file && strcmp (pcaplog_file, PCAP_FILE_DEFAULT) != 0)
+ free (pcaplog_file);
+
+ pcaplog_file = strdup (newname);
+ if (!pcaplog_file)
+ {
+ log_error ("log_packet_init: strdup (\"%s\") failed", newname);
+ return;
+ }
+
+ old_umask = umask (S_IRWXG | S_IRWXO);
+ packet_log = fopen (pcaplog_file, "w");
+ umask (old_umask);
+
+ if (!packet_log)
+ {
+ log_error ("log_packet_init: fopen (\"%s\", \"w\") failed",
+ pcaplog_file);
+ return;
+ }
+
+ log_print ("log_packet_init: starting IKE packet capture to file \"%s\"",
+ pcaplog_file);
+
+ sf_hdr.magic = TCPDUMP_MAGIC;
+ sf_hdr.version_major = PCAP_VERSION_MAJOR;
+ sf_hdr.version_minor = PCAP_VERSION_MINOR;
+ sf_hdr.thiszone = 0;
+ sf_hdr.snaplen = SNAPLEN;
+ sf_hdr.sigfigs = 0;
+ sf_hdr.linktype = DLT_NULL;
+
+ fwrite ((char *)&sf_hdr, sizeof sf_hdr, 1, packet_log);
+ fflush (packet_log);
+
+ /* prep dummy header prepended to each packet */
+ hdr = (struct packhdr *)pack;
+ hdr->null.null_family = AF_INET;
+ hdr->ip.ip_v = 0x4;
+ hdr->ip.ip_hl = 0x5;
+ hdr->ip.ip_p = IPPROTO_UDP;
+ hdr->udp.uh_sport = htons (500);
+ hdr->udp.uh_dport = htons (500);
+}
+
+void
+log_packet_restart (char *newname)
+{
+ struct stat st;
+
+ if (packet_log)
+ {
+ log_print ("log_packet_restart: capture already active on file \"%s\"",
+ pcaplog_file);
+ return;
+ }
+
+ if (newname)
+ {
+ if (stat (newname, &st) == 0)
+ log_print ("log_packet_restart: won't overwrite existing \"%s\"",
+ newname);
+ else
+ log_packet_init (newname);
+ }
+ else if (!pcaplog_file)
+ log_packet_init (PCAP_FILE_DEFAULT);
+ else if (stat (pcaplog_file, &st) != 0)
+ log_packet_init (pcaplog_file);
+ else
+ {
+ /* Re-activate capture on current file. */
+ packet_log = fopen (pcaplog_file, "a");
+ if (!packet_log)
+ log_error ("log_packet_restart: fopen (\"%s\", \"a\") failed",
+ pcaplog_file);
+ else
+ log_print ("log_packet_restart: capture restarted on file \"%s\"",
+ pcaplog_file);
+ }
+}
+
+void
+log_packet_stop (void)
+{
+ /* Stop capture. */
+ if (packet_log)
+ {
+ fclose (packet_log);
+ log_print ("log_packet_stop: stopped capture");
+ }
+ packet_log = 0;
+}
+
+void
+log_packet_iov (struct sockaddr *src, struct sockaddr *dst, struct iovec *iov,
+ int iovcnt)
+{
+ struct isakmp_hdr *isakmphdr;
+ int off, len, i;
+
+ len = 0;
+ for (i = 0; i < iovcnt; i++)
+ len += iov[i].iov_len;
+
+ if (!packet_log || len > SNAPLEN)
+ return;
+
+ /* copy packet into buffer */
+ off = sizeof *hdr;
+ for (i = 0; i < iovcnt; i++)
+ {
+ memcpy (pack + off, iov[i].iov_base, iov[i].iov_len);
+ off += iov[i].iov_len;
+ }
+
+ /* isakmp - turn off the encryption bit in the isakmp hdr */
+ isakmphdr = (struct isakmp_hdr *)(pack + sizeof *hdr);
+ isakmphdr->flags &= ~(ISAKMP_FLAGS_ENC);
+
+ /* udp */
+ len += sizeof hdr->udp;
+ hdr->udp.uh_ulen = htons (len);
+
+ /* ip */
+ len += sizeof hdr->ip;
+ hdr->ip.ip_len = htons (len);
+
+ switch (src->sa_family)
+ {
+ case AF_INET:
+ hdr->ip.ip_src.s_addr = ((struct sockaddr_in *)src)->sin_addr.s_addr;
+ hdr->ip.ip_dst.s_addr = ((struct sockaddr_in *)dst)->sin_addr.s_addr;
+ break;
+ case AF_INET6:
+ /* XXX TBD */
+ default:
+ hdr->ip.ip_src.s_addr = 0x02020202;
+ hdr->ip.ip_dst.s_addr = 0x01010101;
+ }
+
+ /* Let's use the IP ID as a "packet counter". */
+ i = ntohs (hdr->ip.ip_id) + 1;
+ hdr->ip.ip_id = htons (i);
+
+ /* Calculate UDP checksum. */
+ hdr->udp.uh_sum = 0;
+ hdr->udp.uh_sum = udp_cksum (&hdr->ip, &hdr->udp, len);
+
+ /* Calculate IP header checksum. */
+ hdr->ip.ip_sum = 0;
+ hdr->ip.ip_sum = in_cksum (&hdr->ip, hdr->ip.ip_hl << 2);
+
+ /* null header */
+ len += sizeof hdr->null;
+
+ /* pcap file packet header */
+ gettimeofday (&hdr->pcap.ts, 0);
+ hdr->pcap.caplen = len;
+ hdr->pcap.len = len;
+ len += sizeof hdr->pcap;
+
+ fwrite (pack, len, 1, packet_log);
+ fflush (packet_log);
+ return;
+}
+
+/* Copied from tcpdump/print-udp.c */
+static int
+udp_cksum (const struct ip *ip, const struct udphdr *up, int len)
+{
+ int i, tlen;
+ union phu {
+ struct phdr {
+ u_int32_t src;
+ u_int32_t dst;
+ u_char mbz;
+ u_char proto;
+ u_int16_t len;
+ } ph;
+ u_int16_t pa[6];
+ } phu;
+ const u_int16_t *sp;
+ u_int32_t sum;
+ tlen = ntohs (ip->ip_len) - ((const char *)up-(const char*)ip);
+
+ /* pseudo-header.. */
+ phu.ph.len = htons (tlen);
+ phu.ph.mbz = 0;
+ phu.ph.proto = ip->ip_p;
+ memcpy (&phu.ph.src, &ip->ip_src.s_addr, sizeof (u_int32_t));
+ memcpy (&phu.ph.dst, &ip->ip_dst.s_addr, sizeof (u_int32_t));
+
+ sp = &phu.pa[0];
+ sum = sp[0] + sp[1] + sp[2] + sp[3] + sp[4] + sp[5];
+
+ sp = (const u_int16_t *)up;
+
+ for (i = 0; i < (tlen&~1); i += 2)
+ sum += *sp++;
+
+ if (tlen & 1) {
+ sum += htons ((*(const char *)sp) << 8);
+ }
+
+ while (sum > 0xffff)
+ sum = (sum & 0xffff) + (sum >> 16);
+ sum = ~sum & 0xffff;
+
+ return sum;
+}
+
+/* Copied from tcpdump/print-ip.c, modified. */
+static u_int16_t
+in_cksum (const struct ip *ip, int len)
+{
+ int nleft = len;
+ const u_short *w = (const u_short *)ip;
+ u_short answer;
+ int sum = 0;
+
+ while (nleft > 1) {
+ sum += *w++;
+ nleft -= 2;
+ }
+ if (nleft == 1)
+ sum += htons (*(u_char *)w<<8);
+
+ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
+ sum += (sum >> 16); /* add carry */
+ answer = ~sum; /* truncate to 16 bits */
+ return answer;
+}
+
+
+#endif /* USE_DEBUG */
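Review bot: `log_packet_init` frees the current `pcaplog_file` before calling `strdup (newname)`, but `log_packet_restart` passes that very pointer as `newname` on its `stat (pcaplog_file, &st) != 0` path, so resuming capture after the file has been removed reads freed memory; copy first and free afterwards (below). The `strcmp` against PCAP_FILE_DEFAULT is also unnecessary, since the only assignment to `pcaplog_file` is the `strdup`, and it merely leaks the copy whenever the default name is in use. Separately, `fopen (pcaplog_file, "w")` truncates whatever the path currently names and the `stat` check in `log_packet_restart` races with it; opening with `open (..., O_WRONLY | O_CREAT | O_EXCL, 0600)` followed by `fdopen` would refuse to write through a pre-existing file or link. In `udp_cksum` the odd trailing byte is read through `const char *`, which sign-extends where `char` is signed (and left-shifting a negative value is undefined), whereas `in_cksum` right below already reads it as `u_char`. The return values of `fwrite` and `fflush` are never checked in either writer, so a full filesystem silently yields a truncated capture.
```c
void
log_packet_init (char *newname)
{
  struct pcap_file_header sf_hdr;
  mode_t old_umask;
  char *copy;

  /*
   * Copy NEWNAME before releasing the old name: log_packet_restart passes
   * pcaplog_file itself as NEWNAME, so freeing first would leave a dangling
   * pointer.  pcaplog_file only ever holds a strdup'ed string or NULL.
   */
  copy = strdup (newname);
  if (!copy)
    {
      log_error ("log_packet_init: strdup (\"%s\") failed", newname);
      return;
    }
  free (pcaplog_file);
  pcaplog_file = copy;

  /* … unchanged: umask/fopen, pcap file header, dummy packet header … */
}
```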
diff --git a/sbin/isakmpd/log.h b/sbin/isakmpd/log.h
index e67df75a450..cdfbdcacb1c 100644
--- a/sbin/isakmpd/log.h
+++ b/sbin/isakmpd/log.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.h,v 1.9 2001/03/13 14:05:18 ho Exp $ */
+/* $OpenBSD: log.h,v 1.10 2001/04/09 21:21:57 ho Exp $ */
/* $EOM: log.h,v 1.19 2000/03/30 14:27:23 ho Exp $ */
/*
@@ -38,6 +38,8 @@
#define _LOG_H_
#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
#include <stdio.h>
/*
@@ -70,7 +72,14 @@ extern void log_debug (int, int, const char *, ...);
extern void log_debug_buf (int, int, const char *, const u_int8_t *, size_t);
extern void log_debug_cmd (int, int);
-#else /* USE_DEBUG */
+#define PCAP_FILE_DEFAULT "/var/run/isakmpd.pcap"
+extern void log_packet_init (char *);
+extern void log_packet_iov (struct sockaddr *, struct sockaddr *,
+ struct iovec *, int);
+extern void log_packet_restart (char *);
+extern void log_packet_stop (void);
+
+#else /* !USE_DEBUG */
#define LOG_DBG(x)
#define LOG_DBG_BUF(x)
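Review bot: The four new prototypes carry no statement of their contract, and `log_packet_restart (char *)` in particular accepts NULL with a meaning a caller cannot infer from the declaration; a comment such as `/* Resume capture; NAME == NULL reuses the current file, or PCAP_FILE_DEFAULT if none was set. */` above it, and `/* NAME is copied; the caller keeps ownership. */` above `log_packet_init`, would record what log.c does. None of the functions modify the name they receive, so the parameters could be `const char *`, which also documents that the daemon keeps its own copy.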
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index df34abc0132..4fb5ff13e3f 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.37 2001/03/13 14:05:19 ho Exp $ */
+/* $OpenBSD: message.c,v 1.38 2001/04/09 21:21:57 ho Exp $ */
/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -92,6 +92,8 @@ static int message_validate_sig (struct message *, struct payload *);
static int message_validate_transform (struct message *, struct payload *);
static int message_validate_vendor (struct message *, struct payload *);
+static void message_packet_log (struct message *);
+
static int (*message_validate_payload[]) (struct message *, struct payload *) =
{
message_validate_sa, message_validate_proposal, message_validate_transform,
@@ -1060,6 +1062,9 @@ message_recv (struct message *msg)
msg->orig = buf;
msg->orig_sz = sz;
+ /* IKE packet capture */
+ message_packet_log (msg);
+
/*
* Check the overall payload structure at the same time as indexing them by
* type.
@@ -1155,6 +1160,9 @@ message_send (struct message *msg)
msg->retrans = 0;
}
+ /* IKE packet capture */
+ message_packet_log (msg);
+
/*
* If the ISAKMP SA has set up encryption, encrypt the message.
* However, in a retransmit, it is already encrypted.
@@ -1476,6 +1484,33 @@ message_dump_raw (char *header, struct message *msg, int class)
LOG_DBG ((class, 70, "%s: %s", header, buf));
}
+static void
+message_packet_log (struct message *msg)
+{
+#ifdef USE_DEBUG
+ struct sockaddr *src, *dst;
+ int srclen, dstlen;
+
+ /* Don't log retransmissions. Redundant for incoming packets... */
+ if (msg->xmits > 0)
+ return;
+
+ /* Figure out direction. */
+ if (msg->exchange && msg->exchange->initiator ^ (msg->exchange->step % 2))
+ {
+ msg->transport->vtbl->get_src (msg->transport, &src, &srclen);
+ msg->transport->vtbl->get_dst (msg->transport, &dst, &dstlen);
+ }
+ else
+ {
+ msg->transport->vtbl->get_src (msg->transport, &dst, &dstlen);
+ msg->transport->vtbl->get_dst (msg->transport, &src, &srclen);
+ }
+
+ log_packet_iov (src, dst, msg->iov, msg->iovlen);
+#endif /* USE_DEBUG */
+}
+
/*
* Encrypt an outgoing message MSG. As outgoing messages are represented
* with an iovec with one segment per payload, we need to coalesce them
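Review bot: `message_packet_log` derives the direction from `msg->exchange`, and when that pointer is NULL the `else` branch is taken unconditionally, so an outgoing message sent without an exchange would be captured with source and destination swapped; whether message_send can be reached with a NULL exchange is not visible here, and a comment on the `if` stating the assumption would make it reviewable. The call in message_recv runs as soon as `msg->orig` is set, before the payload structure is checked, so it relies on `msg->iov`/`msg->iovlen` already describing the received datagram at that point (set up outside the hunk) — a one-line comment at the call site, e.g. `/* IKE packet capture; msg->iov must already cover the raw datagram. */`, would pin that dependency. `src`, `dst` and the two lengths are assigned only through the `get_src`/`get_dst` callbacks; if either can return without storing its outputs, `log_packet_iov` is handed uninitialized pointers.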
diff --git a/sbin/isakmpd/sysdep/common/pcap.h b/sbin/isakmpd/sysdep/common/pcap.h
new file mode 100644
index 00000000000..ac5cbcc8394
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/pcap.h
@@ -0,0 +1,64 @@
+/* $OpenBSD: pcap.h,v 1.1 2001/04/09 21:21:58 ho Exp $ */
+
+/*
+ * Copyright (c) 1993, 1994, 1995, 1996, 1997
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the Computer Systems
+ * Engineering Group at Lawrence Berkeley Laboratory.
+ * 4. Neither the name of the University nor of the Laboratory may be used
+ * to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * @(#) $Header: /cvs/OpenBSD/src/sbin/isakmpd/sysdep/common/Attic/pcap.h,v 1.1 2001/04/09 21:21:58 ho Exp $ (LBL)
+ */
+
+#ifndef lib_pcap_h
+#define lib_pcap_h
+
+#include <sys/types.h>
+#include <sys/time.h>
+
+#define PCAP_VERSION_MAJOR 2
+#define PCAP_VERSION_MINOR 4
+#define DLT_NULL 0
+
+struct pcap_file_header {
+ u_int32_t magic;
+ u_int16_t version_major;
+ u_int16_t version_minor;
+ int32_t thiszone; /* gmt to local correction */
+ u_int32_t sigfigs; /* accuracy of timestamps */
+ u_int32_t snaplen; /* max length saved portion of each pkt */
+ u_int32_t linktype; /* data link type (DLT_*) */
+};
+
+struct pcap_pkthdr {
+ struct timeval ts; /* time stamp */
+ u_int32_t caplen; /* length of portion present */
+ u_int32_t len; /* length this packet (off wire) */
+};
+
+#endif /* lib_pcap_h */
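Review bot: `struct pcap_pkthdr` embeds a `struct timeval`, whose size follows the platform's `long`/`time_t`, and log.c writes this struct to the file byte-for-byte inside `struct packhdr`, so on a target where `timeval` is not two 32-bit words the record headers will not match the layout other pcap readers expect. A comment above the struct noting that it doubles as the on-disk record format, or an explicit pair of `u_int32_t` seconds/microseconds fields filled from the `timeval` at write time, would make the output portable; how the system `<pcap.h>` used under HAVE_PCAP lays this out is not visible here.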
diff --git a/sbin/isakmpd/sysdep/openbsd/Makefile.sysdep b/sbin/isakmpd/sysdep/openbsd/Makefile.sysdep
index d13cd1d5032..6d23a6ed0c3 100644
--- a/sbin/isakmpd/sysdep/openbsd/Makefile.sysdep
+++ b/sbin/isakmpd/sysdep/openbsd/Makefile.sysdep
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.sysdep,v 1.16 2001/02/12 21:37:21 ho Exp $
+# $OpenBSD: Makefile.sysdep,v 1.17 2001/04/09 21:21:58 ho Exp $
# $EOM: Makefile.sysdep,v 1.18 2001/01/26 10:55:22 niklas Exp $
#
@@ -37,7 +37,7 @@
IPSEC_SRCS= pf_key_v2.c
IPSEC_CFLAGS= -DUSE_PF_KEY_V2
-CFLAGS+= -DHAVE_GETNAMEINFO
+CFLAGS+= -DHAVE_GETNAMEINFO -DHAVE_PCAP
# Some OpenBSD systems do not provide dlopen(3).
#.if ${MACHINE_ARCH} != "alpha" && ${MACHINE_ARCH} != "mips" && ${MACHINE_ARCH} != "powerpc" && ${MACHINE_ARCH} != "vax" && ${MACHINE_ARCH} != "m88k"
diff --git a/sbin/isakmpd/ui.c b/sbin/isakmpd/ui.c
index dfc3b05a608..802c8a20f40 100644
--- a/sbin/isakmpd/ui.c
+++ b/sbin/isakmpd/ui.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui.c,v 1.17 2000/10/07 06:57:25 niklas Exp $ */
+/* $OpenBSD: ui.c,v 1.18 2001/04/09 21:21:57 ho Exp $ */
/* $EOM: ui.c,v 1.43 2000/10/05 09:25:12 niklas Exp $ */
/*
@@ -224,6 +224,32 @@ ui_debug (char *cmd)
}
log_debug_cmd (cls, level);
}
+
+static void
+ui_packetlog (char *cmd)
+{
+ char subcmd[81];
+
+ if (sscanf (cmd, "p %80s", subcmd) != 1)
+ goto fail;
+
+ if (strncasecmp (subcmd, "on=", 3) == 0)
+ {
+ /* Start capture to a new file. */
+ if (subcmd[strlen (subcmd) - 1] == '\n')
+ subcmd[strlen (subcmd) - 1] = 0;
+ log_packet_restart (subcmd + 3);
+ }
+ else if (strcasecmp (subcmd, "on") == 0)
+ log_packet_restart (NULL);
+ else if (strcasecmp (subcmd, "off") == 0)
+ log_packet_stop ();
+
+ return;
+
+ fail:
+ log_print ("ui_packetlog: command \"%s\" malformed", cmd);
+}
#endif /* USE_DEBUG */
/* Report SAs and ongoing exchanges. */
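Review bot: In `ui_packetlog` the newline strip at the top of the `on=` branch is dead code, because `%80s` in the preceding `sscanf` stops at whitespace and can never store a `'\n'`; meanwhile `p on=` with nothing after the `=` passes an empty string to `log_packet_restart`, which then records `""` as the capture name. Reject the empty name up front with `if (subcmd[3] == '\0') goto fail;` and drop the two `strlen` lines. The file name also arrives from the control FIFO unvalidated and is opened with the daemon's own privileges, the `stat` check in `log_packet_restart` being the only guard, so the FIFO's access mode is what bounds where capture files can be created; a comment recording that assumption at the `on=` branch would help the next reader.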
@@ -275,6 +301,12 @@ ui_handle_command (char *line)
ui_teardown (line);
break;
+#ifdef USE_DEBUG
+ case 'p':
+ ui_packetlog (line);
+ break;
+#endif
+
default:
log_print ("ui_handle_messages: unrecognized command: '%c'", line[0]);
}