path: root/usr.sbin/tcpdump
Age         Commit message  (Author)
2018-07-06  add support for vxlan packets.  (David Gwynne)
    I personally think vxlan looks suspiciously like gre, so I put the parser in print-gre.c
2018-07-06  use do { } while (!bottom) instead of again: ... if (!bottom) goto again;  (David Gwynne)
2018-07-06  pass the payload to parsers via cp, which is a pointer to the payload.  (David Gwynne)
    previously they all had (const u_char *)(up + 1), which was messy.
2018-07-06  add "tftp" as a type to use with -T  (David Gwynne)
    This forces UDP packets to be parsed as tftp messages, which is useful to see the DATA and ACK packets. They're usually on high ports which don't get matched by udp_print, which by default only handled tftp packets on port 69.
2018-07-06  Add "mpls" as a type to use with -T  (David Gwynne)
    This allows arbitrary UDP packets to be parsed as MPLS.
2018-07-06  According to RFC7510, IANA allocated port 6635 for MPLS over UDP  (David Gwynne)
2018-07-06  Add "gre" as a type to use with -T  (David Gwynne)
    This allows arbitrary UDP packets to be parsed as GRE packets.
2018-07-06  Rework UDP parsing, particularly around IP addresses.  (David Gwynne)
    This originally started as trying to put a consistent space between the UDP header information and the payload parsing, but while doing that I noticed inconsistent IPv4 vs IPv6 handling. Apart from the default "srcip.srcport > dstip.dstport" output, all the other places that IP addresses were printed assumed IPv4. It looks like it is possible that udp_print() can be called without an IP header, which made these blind IPv4 prints turn into NULL derefs.

    This fixes the problem above by only having a single place that prints the addresses out, and makes sure to get the difference between IPv4, IPv6 and no IP correct.

    This changes how the checksum is calculated. It incrementally builds the UDP checksum by feeding the IPv4 and v6 addresses in separately, then using common code for the rest of the pseudo header and actual payload.

    Lastly, this does make printing the space between the UDP header and its payload consistent. The UDP code is now responsible for adding a space after itself so the payload parsers don't have to. They got it wrong in some cases anyway, so this should be a lot more uniform.

    help and ok sthen@
2018-07-06  move the ip checksumming code into in_cksum.c  (David Gwynne)
    this is part of a bigger change that refactors udp handling, but works on hosts of both endians. discussed at length with proctor@ ok sthen@
2018-07-03  some style fixes, no functional change.  (David Gwynne)
    ok claudio@ mpi@ benno@ bluhm@ deraadt@
2018-07-03  handle gre-in-udp traffic  (David Gwynne)
    ok deraadt@
2018-05-28  recognise MikroTik's Ethernet over IP (eoip) protocol  (David Gwynne)
    eoip is a twisted gre based protocol using version 1 like pptp, but a different protocol id. this splits the gre 1 protocol handling up so it doesn't assume that all packets are pptp, but decides between eoip and pptp based on the protocol field. unknown protocols are unknown rather than assumed to be pptp. ok sthen@
2018-04-28  Reference hosts(5) instead of the obsolete networks(5).  (Ingo Schwarze)
    While here, also delete the obsolete .Tn macros.
2018-04-03  tweak vlan printing to properly decode the priority field.  (David Gwynne)
    the vlan specs have the priority of 0 and 1 swapped on the wire, which is how the kernel handles them. eg, if you use pf to set prio 1, it will end up being 0 on the wire. this makes 0 on the wire come out as 1 in tcpdump so it is consistent with the rest of the tooling. ok henning@
2018-02-24  make the gre flowid output always 2 chars so payloads stay lined up.  (David Gwynne)
2018-02-10  print etherip on ipv6.  (David Gwynne)
2018-02-09  use ether_tryprint, which looks inside the ether packet.  (David Gwynne)
    ether_print just prints the ether header.
2018-02-09  it turns out the wccp header is optional  (David Gwynne)
    peek inside the payload to see if the first nibble looks like ipv4. if it isn't ipv4 assume it is the wccp header.
2018-02-08  have a go at decoding cisco wccp gre packets, and let them fall into IP.  (David Gwynne)
2018-02-08  recognise gre proto 0 as a "keep alive" packet  (David Gwynne)
2018-02-07  shorten the output for gre keys.  (David Gwynne)
2018-02-06  output the data part of LCP Echo-Request and Echo-Reply packets.  (David Gwynne)
2018-02-06  rework ppp, pptp, and gre parsing.  (David Gwynne)
    this started cos i was looking at pptp, which came out like this:
        23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
        23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)
    now it looks like this:
        23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
        23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply
    the big improvement in ppp parsing is it stops parsing based on what the ppp headers say, rather than what bytes have been captured. this also adds parsing of EAP packets. DLT_PPP_SERIAL is now recognised and printed. gre now prints the outer addresses always, not just when it's encapsulated by ipv6 or -v is passed to tcpdump. ok sthen@
2018-02-03  Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed in wireshark. ok deraadt@, dlg@  (Martin Pieuchot)
2017-12-08  Convert snprintf+write into dprintf. It is simply easier to read, and provides retry on short-write file descriptors. ok florian, previous versions seen by millert  (Theo de Raadt)
2017-10-30  Kill <net/slip.h>.  (Martin Pieuchot)
    The ioctl(2) it defines has not been supported for a long time and most of its defines are already present in tcpdump(8). ok jca@
2017-09-08  Whoops, remove extra include.  (Bryan Steele)
2017-09-08  fork+exec model for tcpdump(8); re-exec the privileged child after fork  (Bryan Steele)
    While tcpdump isn't a daemon in the traditional sense, it's not uncommon for people to have long running sessions. At least on OpenBSD, this is even safe thanks to the existing privsep design by otto@, canacar@ and pledge(2) work done by deraadt. ok deraadt@
2017-09-01  Make 'tcpdump -v' decode RSN information elements in beacons instead of lazily dumping them in hex. ok mpi@  (Stefan Sperling)
2017-08-30  unsigneds cannot be < 0; ok jca@  (Otto Moerbeek)
2017-08-29  quarterly rescan of the tree: remove unnecessary sys/param.h, and annotate the ones which are needed.  (Theo de Raadt)
2017-07-26  Update reference to BGP Shutdown Communication specification  (job)
    ok benno@
2017-07-25  make function match its prototype.  (Marc Espie)
    okay deraadt@
2017-06-14  Don't support loading appletalk addresses from /etc/appletalk.names.  (Michal Mazurek)
    OK deraadt@
2017-06-10  Don't describe AppleTalk's output format and bugs.  (Michal Mazurek)
    OK claudio@ jmc@ doesn't object
2017-05-30  MIN->MINIMUM, even though smb is currently disabled.  (Theo de Raadt)
2017-05-30  The capability error codes never made it into a standard and now error code 7 is for enhanced route refresh. OK claudio@ phessler@  (Michal Mazurek)
2017-05-30  Enable more error codes for BGP. These were committed some time ago, but never enabled. Also add error codes for FSM. With input from Job Snijders. OK phessler@ (previous version), claudio@, deraadt@  (Michal Mazurek)
2017-05-28  Reduce differences between the two pfctl_osfp.c files.  (Michal Mazurek)
    Apply three commits from pfctl/pfctl_osfp.c OK bluhm@
2017-05-28  Catch up with pfctl/pfctl_osfp.c, no binary change.  (Michal Mazurek)
    OK deraadt@
2017-05-24  Sync NO_PID value from kernel header to tcpdump source. It is #ifdef _KERNEL, so it does not work automatically. This prevents some bogus uid and pid print when dumping from pflog interface. from Matthias Pitzl; OK deraadt@  (Alexander Bluhm)
2017-04-24  Print bgp administrative shutdown messages (draft-ietf-idr-shutdown)  (Sebastian Benoit)
    From Job Snijders <job -AT instituut -DOT- net>, thanks! ok canacar@, deraadt@
2017-04-19  Switch base tools from /dev/bpf0 to /dev/bpf. Now that /dev/bpf has been around for two releases, it should be safe to do so. ok bluhm deraadt sthen tb yasuoka  (Martin Natano)
2017-03-08  Fix etherip version parsing, ok dlg@  (Jeremie Courreges-Anglas)
2017-03-04  Make tcpdump show HT protection settings consistently. Previously, nothing was displayed if HT protection was disabled. Now it displays as "htprot none". ok sthen@  (Stefan Sperling)
2017-02-27  Print the DNSSEC OKAY flag as "DO", like in upstream tcpdump  (Jeremie Courreges-Anglas)
    ok florian@
2017-01-29  Fix tcpdump(8) display of duration values provided in 802.11 control frames.  (Stefan Sperling)
    These values are in microseconds, not milliseconds. ok sthen@
2017-01-24  do not need sys/proc.h  (Theo de Raadt)
2017-01-23  Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only upon "inet". Adjust the 4 programs that care about this.  (Theo de Raadt)
2017-01-20  Another ip_ipsp.h missing, found by krw@  (Claudio Jeker)