Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/tcpdump/Makefile | 9 | ||||
-rw-r--r-- | usr.sbin/tcpdump/interface.h | 5 | ||||
-rw-r--r-- | usr.sbin/tcpdump/print-tcp.c | 40 | ||||
-rw-r--r-- | usr.sbin/tcpdump/tcpdump.8 | 17 | ||||
-rw-r--r-- | usr.sbin/tcpdump/tcpdump.c | 21 |
5 files changed, 81 insertions, 11 deletions
diff --git a/usr.sbin/tcpdump/Makefile b/usr.sbin/tcpdump/Makefile
index 9eb84ccf8db..defe27e72a4 100644
--- a/usr.sbin/tcpdump/Makefile
+++ b/usr.sbin/tcpdump/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.41 2003/07/17 08:45:37 markus Exp $
+# $OpenBSD: Makefile,v 1.42 2003/08/21 19:14:23 frantzen Exp $
 #
 # Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
 # The Regents of the University of California. All rights reserved.
@@ -53,6 +53,13 @@ SRCS= tcpdump.c addrtoname.c \
 print-udpencap.c \
 gmt2local.c savestr.c setsignal.c
 
+# TCP OS Fingerprinting
+.PATH: ${.CURDIR}/../../sys/net
+.PATH: ${.CURDIR}/../../sbin/pfctl
+SRCS+= pf_osfp.c pfctl_osfp.c
+CFLAGS+=-I${.CURDIR}/../../sbin/pfctl
+CFLAGS+=-DFAKE_PF_KERNEL
+
 #SRCS+= smbutil.c print-smb.c
 
 AWKS = atime.awk packetdat.awk send-ack.awk stime.awk
diff --git a/usr.sbin/tcpdump/interface.h b/usr.sbin/tcpdump/interface.h
index 8b7e4a97c2a..87898265d78 100644
--- a/usr.sbin/tcpdump/interface.h
+++ b/usr.sbin/tcpdump/interface.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: interface.h,v 1.39 2003/06/26 21:36:39 deraadt Exp $ */
+/* $OpenBSD: interface.h,v 1.40 2003/08/21 19:14:23 frantzen Exp $ */
 
 /*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -20,7 +20,7 @@
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.39 2003/06/26 21:36:39 deraadt Exp $ (LBL)
+ * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.40 2003/08/21 19:14:23 frantzen Exp $ (LBL)
 */
 
 #ifndef tcpdump_interface_h
@@ -42,6 +42,7 @@ extern int eflag; /* print ethernet header */
 extern int fflag; /* don't translate "foreign" IP address */
 extern int nflag; /* leave addresses as numbers */
 extern int Nflag; /* remove domains from printed host names */
+extern int oflag; /* OS fingerprint */
 extern int qflag; /* quick (shorter) output */
 extern int Sflag; /* print raw TCP sequence numbers */
 extern int tflag; /* print packet arrival time */
diff --git a/usr.sbin/tcpdump/print-tcp.c b/usr.sbin/tcpdump/print-tcp.c
index d28fd983fb6..9b6cd652bdc 100644
--- a/usr.sbin/tcpdump/print-tcp.c
+++ b/usr.sbin/tcpdump/print-tcp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-tcp.c,v 1.16 2001/12/23 01:05:15 stevesk Exp $ */
+/* $OpenBSD: print-tcp.c,v 1.17 2003/08/21 19:14:23 frantzen Exp $ */
 
 /*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -23,11 +23,12 @@
 
 #ifndef lint
 static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-tcp.c,v 1.16 2001/12/23 01:05:15 stevesk Exp $ (LBL)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-tcp.c,v 1.17 2003/08/21 19:14:23 frantzen Exp $ (LBL)";
 #endif
 
 #include <sys/param.h>
 #include <sys/time.h>
+#include <sys/socket.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -35,6 +36,8 @@ static const char rcsid[] =
 #include <netinet/ip_var.h>
 #include <netinet/tcp.h>
 #include <netinet/tcpip.h>
+#include <net/if.h>
+#include <net/pfvar.h>
 
 #include <rpc/rpc.h>
 
@@ -388,6 +391,39 @@ tcp_print(register const u_char *bp, register u_int length,
 }
 }
 
+ /* OS Fingerprint */
+ if (oflag && ip6 == NULL && (flags & (TH_SYN|TH_ACK)) == TH_SYN) {
+ struct pf_osfp_enlist *head = NULL;
+ struct pf_osfp_entry *fp;
+ unsigned long left;
+ left = (unsigned long)(snapend - (const u_char *)tp);
+
+ if (left >= hlen)
+ head = pf_osfp_fingerprint_hdr(ip, tp);
+ if (head) {
+ int prev = 0;
+ printf(" (src OS:");
+ SLIST_FOREACH(fp, head, fp_entry) {
+ if (fp->fp_enflags & PF_OSFP_EXPANDED)
+ continue;
+ if (prev)
+ printf(",");
+ printf(" %s", fp->fp_class_nm);
+ if (fp->fp_version_nm[0])
+ printf(" %s", fp->fp_version_nm);
+ if (fp->fp_subtype_nm[0])
+ printf(" %s", fp->fp_subtype_nm);
+ prev = 1;
+ }
+ printf(")");
+ } else {
+ if (left < hlen)
+ printf(" (src OS: short-pkt)");
+ else
+ printf(" (src OS: unknown)");
+ }
+ }
+
 length -= hlen;
 if (length > 0 || flags & (TH_SYN | TH_FIN | TH_RST))
 (void)printf(" %lu:%lu(%d)", (long) seq, (long) (seq + length),
diff --git a/usr.sbin/tcpdump/tcpdump.8 b/usr.sbin/tcpdump/tcpdump.8
index f42801bf4a0..f40eafde937 100644
--- a/usr.sbin/tcpdump/tcpdump.8
+++ b/usr.sbin/tcpdump/tcpdump.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tcpdump.8,v 1.37 2003/07/17 08:45:37 markus Exp $
+.\" $OpenBSD: tcpdump.8,v 1.38 2003/08/21 19:14:23 frantzen Exp $
 .\"
 .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996
 .\" The Regents of the University of California. All rights reserved.
@@ -27,7 +27,7 @@
 .Nd dump traffic on a network
 .Sh SYNOPSIS
 .Nm tcpdump
-.Op Fl adeflnNOpqStvxX
+.Op Fl adeflnNoOpqStvxX
 .Op Fl c Ar count
 .Op Fl F Ar file
 .Op Fl i Ar interface
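Review bot: The new block tests `left < hlen` twice — once as the guard before `pf_osfp_fingerprint_hdr()` and again inside the `else` to choose between `short-pkt` and `unknown` — where a single chain reads more directly: `if (left < hlen) (void)printf(" (src OS: short-pkt)");` / `else if ((head = pf_osfp_fingerprint_hdr(ip, tp)) == NULL) (void)printf(" (src OS: unknown)");` / `else { ... list printing unchanged ... }`. That guard is also the only thing keeping the fingerprinter's TCP option walk inside the captured bytes, because `hlen` is taken from the packet's own data-offset field, so it deserves a comment such as `/* hlen comes from the packet; only fingerprint when the whole TCP header is within snapend */`. The check covers the TCP header only; that `ip` (whose fixed header fields the fingerprinter presumably reads) lies fully within the snapshot must be established earlier in tcp_print/ip_print, outside this hunk, and is worth confirming since tcp_print begins and continues beyond the hunk. The surrounding code writes `(void)printf(...)`; the new lines drop the cast.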
@@ -116,6 +116,12 @@ will print
 .Dq nic
 instead of
 .Dq nic.ddn.mil .
+.It Fl o
+Print a guess of the possible operating system(s) of hosts that sent TCP SYN
+packets.
+See
+.Xr pf.os 5
+for a description of the passive operating system fingerprints.
 .It Fl O
 Do not run the packet-matching code optimizer.
 This is useful only if you suspect a bug in the optimizer.
@@ -1214,7 +1220,7 @@ will be of much use to you.
 The general format of a tcp protocol line is:
 .Bd -ragged -offset indent
 .Ar src No \&> Ar dst :
-.Ar flags data\&-seqno ack window urgent options
+.Ar flags src\&-os data\&-seqno ack window urgent options
 .Ed
 .Pp
 .Ar src
@@ -1241,6 +1247,10 @@ or
 or a single
 .Ql \&.
 .Pq no flags .
+.Ar src\&-os
+will list a guess of the source host's operating system if the
+.Ar -o
+command line flag was passed to tcpdump.
 .Ar data\&-seqno
 describes the portion of sequence space covered by the data in this
 packet (see example below).
@@ -1932,6 +1942,7 @@ interrupt.
 .\" traffic(1C), nit(4P),
 .Xr pcap 3 ,
 .Xr bpf 4
+.Xr pf.os 5
 .Sh AUTHORS
 Van Jacobson
 .Pq van@ee.lbl.gov ,
diff --git a/usr.sbin/tcpdump/tcpdump.c b/usr.sbin/tcpdump/tcpdump.c
index 6e0935b47b9..0b5f98eccf5 100644
--- a/usr.sbin/tcpdump/tcpdump.c
+++ b/usr.sbin/tcpdump/tcpdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcpdump.c,v 1.32 2003/07/17 08:45:37 markus Exp $ */
+/* $OpenBSD: tcpdump.c,v 1.33 2003/08/21 19:14:23 frantzen Exp $ */
 
 /*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -26,7 +26,7 @@ static const char copyright[] =
 "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997\n\
 The Regents of the University of California. All rights reserved.\n";
 static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/tcpdump.c,v 1.32 2003/07/17 08:45:37 markus Exp $ (LBL)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/tcpdump.c,v 1.33 2003/08/21 19:14:23 frantzen Exp $ (LBL)";
 #endif
 
 /*
@@ -56,6 +56,13 @@ static const char rcsid[] =
 #include "setsignal.h"
 #include "gmt2local.h"
 
+#include <sys/socket.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <net/pfvar.h>
+#include "pfctl.h"
+#include "pfctl_parser.h"
+
 int aflag; /* translate network and broadcast addresses */
 int dflag; /* print filter code */
 int eflag; /* print ethernet header */
@@ -63,6 +70,7 @@ int fflag; /* don't translate "foreign" IP address */
 int nflag; /* leave addresses as numbers */
 int Nflag; /* remove domains from printed host names */
 int Oflag = 1; /* run filter code optimizer */
+int oflag; /* print passive OS fingerprints */
 int pflag; /* don't go promiscuous */
 int qflag; /* quick (shorter) output */
 int Sflag; /* print raw TCP sequence numbers */
@@ -162,7 +170,7 @@ main(int argc, char **argv)
 error("%s", ebuf);
 
 opterr = 0;
- while ((op = getopt(argc, argv, "ac:deE:fF:i:lnNOpqr:s:StT:vw:xXY")) != -1)
+ while ((op = getopt(argc, argv, "ac:deE:fF:i:lnNOopqr:s:StT:vw:xXY")) != -1)
 switch (op) {
 
 case 'a':
@@ -215,6 +223,13 @@ main(int argc, char **argv)
 Oflag = 0;
 break;
 
+ case 'o':
+ pf_osfp_initialize();
+ if (pfctl_file_fingerprints(-1,
+ PF_OPT_QUIET|PF_OPT_NOACTION, PF_OSFP_FILE) == 0)
+ oflag = 1;
+ break;
+
 case 'p':
 ++pflag;
 break;
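Review bot: When `pfctl_file_fingerprints()` fails in the new `case 'o'`, the request is silently dropped: `PF_OPT_QUIET` suppresses the loader's own diagnostics and `oflag` stays 0, so the user asked for fingerprints and gets ordinary output with no indication why; report the failure, e.g. `else warning("%s: could not load fingerprints", PF_OSFP_FILE);` using the `warning()` helper from tcpdump's util.c if it is available, or `error()` as the hunk above already does where aborting is acceptable. A repeated `-o` runs `pf_osfp_initialize()` and the file load a second time; whether the first list is released depends on code outside this hunk, so `if (!oflag) { ... }` around the body is cheap insurance. main() begins and ends outside the hunk.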