Age | Commit message | Author |
|
ok dlg@
|
|
ok jasper@ mpi@
|
|
- print the stage name
- print additional information about the request for Setup packets
- GET_DESCRIPTOR requests are further decoded
tweaks and ok mpi@
|
|
length was smaller than the sizeof the usbpcap header. we'd end up passing a
negative value as the length to default_print().
found with afl-fuzz
ok mpi@
|
|
- add missing rcs id
- use 'goto trunc' as is common with other printers
ok mpi@
|
|
- fprintf(stdout, ...) -> printf()
- fputs(x, stdout) -> printf(); for consistency.
fputs is twice as fast on atom x5-Z8300@1.44GHz but Amdahl sees a pure printf
tcpdump only 2% slower than a pure fputs (for constant strings) tcpdump
to /dev/null across a 20MB/~170k packet pcap file.
ok dlg@ for fputs and ok tedu@ krw@ deraadt@ a2k19 for the rest
|
|
ok deraadt@
|
|
it's nicely backwards compatible, so we can use the same code for
both vxlan and vxlan-gpe.
|
|
they were based on draft-ietf-dhc-dhcpv6-14, which was not what
ended up in the dhcpv6 rfc(s). the current printing code is a lot
smaller and self contained.
ok deraadt@
|
|
it looks like this code was using draft-ietf-dhc-dhcpv6-14 from
1999. there were 27 drafts, and by the time it got to draft 23 and
the rfc it was significantly different. this code for draft 14
cannot handle actual dhcpv6 messages. i'm kind of surprised
(disappointed?) that no one noticed before. i only noticed cos the
code was segfaulting on sparc64, and when i tried to fix it the
resulting messages looked nothing like what stock tcpdump produced.
the main difference between the early drafts and what ended up in
the rfc is that the base dhcpv6 messages in early drafts were large
structures with a lot of fixed fields, while the rfc settled on a 4
byte header that contains a 1 byte message type and a 3 byte
transaction id. the rest of the messages are built from dhcp options
fields.
this cuts all the old handling out, and fixes the fault in the
options handling by using EXTRACT_16BITS to get at the code and
length fields instead of using ntohs. dhcpv6 explicitly states that
it does not align options, so this is necessary to avoid faults on
strict alignment archs anyway. no options are pretty printed at the
moment, you just get a numeric type, a length, and a hexdump of the
value. this is still better than the garbage that the draft parsing
produced.
if someone is interested in making this easier to read, it would
be a straightforward and well contained project to better handle
option printing.
ok deraadt@
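
Added example, not code from the commit above or from tcpdump: a bounds-checked walk over the message layout that commit describes (4-byte header, then unaligned options with 16-bit code and length). The helper names, the summary struct and the sample bytes are constructed for this illustration; only client/server messages are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte-wise big-endian loads, safe at any alignment (the role EXTRACT_16BITS
 * plays in the commit above; these helpers are this example's own). */
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | get16(p + 1); }

struct dh6_summary { uint8_t type; uint32_t xid; int nopts; int truncated; };

/* Constructed sample: Solicit (type 1), xid 0x123456, option 1 with a 3-byte
 * value, so the following option 8 starts on an odd offset. */
static const uint8_t dh6_sample[] = {
    0x01, 0x12, 0x34, 0x56,
    0x00, 0x01, 0x00, 0x03, 0xaa, 0xbb, 0xcc,
    0x00, 0x08, 0x00, 0x02, 0x00, 0x00,
};

/* Walk a client/server DHCPv6 message: 1-byte type, 3-byte transaction id,
 * then options of 2-byte code, 2-byte length, value. Every read is checked
 * against the bytes that remain, so a short capture stops the walk. */
static struct dh6_summary dh6_walk(const uint8_t *p, size_t len, int verbose)
{
    struct dh6_summary s = { 0, 0, 0, 0 };

    if (len < 4) { s.truncated = 1; return s; }
    s.type = p[0];
    s.xid = get24(p + 1);
    p += 4; len -= 4;
    while (len > 0) {
        if (len < 4) { s.truncated = 1; break; }      /* option header cut off */
        unsigned code = get16(p), olen = get16(p + 2);
        p += 4; len -= 4;
        if (olen > len) { s.truncated = 1; break; }   /* option value cut off */
        if (verbose) {
            printf("option %u len %u:", code, olen);
            for (unsigned i = 0; i < olen; i++) printf(" %02x", p[i]);
            printf("\n");
        }
        p += olen; len -= olen;
        s.nopts++;
    }
    return s;
}

int main(void)
{
    struct dh6_summary s = dh6_walk(dh6_sample, sizeof(dh6_sample), 1);
    printf("type %u xid %06x options %d%s\n", (unsigned)s.type,
        (unsigned)s.xid, s.nopts, s.truncated ? " (truncated)" : "");
    return 0;
}
```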
|
|
that represent various header fields. One place where OXMs are used is in
the set_field action, which contains one OXM representing the header field
to set, followed by padding to align the action in the OpenFlow message to
64 bits. Currently, we assume that a set_field action can contain multiple
OXMs and that they do not need to be padded.
This matches the way we handle OpenFlow messages that contain set_field
actions so that we follow the specs.
OK ori claudio
|
|
or a USB device. ok mpi
|
|
agreed by deraadt
|
|
this was lost when tcpdump learnt to look inside udpencap.
found by, and ok markus@
|
|
While here add a link to the documentation.
OK sthen@
|
|
help/ok deraadt
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.
ok lteo@
|
|
type I and II share their GRE protocol, but you tell them apart by
checking if a sequence number is used. type I does not use a sequence
number and contains a bare ethernet frame. type II contains a
sequence number and a shim header that is already handled by the
code.
tested with a Dell S5048F-ON and an encapsulated remote port mirror setup.
|
|
OK sthen@ deraadt@
|
|
print at least the key-id, and seq when -v is set, and the offset
and len when -vv is set.
ok sthen@ bluhm@
|
|
this is useful for telling the MPLSes apart, and generally understanding
what you're seeing.
|
|
ok deraadt@ mpi@ sthen@
|
|
The caveat with this is that MPLS and MPLS_MCAST look exactly the
same. I could prefix the MCAST line with "multicast" or something,
but like everything else in MPLS the meaning of that protocol type
is supposed to have changed. It's no longer meant to indicate
multicast mpls, but mpls with a label selected by an upstream. So
what's the right thing to do?
noticed by Mitchell Krome, who used this breakage to identify another
problem, which won't happen anymore.
|
|
this allows tcpdump to be used as a quick and dirty firewall. it also
looks like an amazing foot-gun, so be careful.
for example `tcpdump -B drop -i ix1 udp and port 7` lets you
completely drop discard packets in the hardware interrupt handler.
ok sthen@ mikeb@ claudio@ visa@
|
|
ERSPAN II is an 8 byte header before an ethernet payload. the switch
at work doesn't produce erspan III, so I haven't handled that yet.
this at least lets me see what's on the wire so i can contemplate
how i want to deal with the payload.
based on draft-foschiano-erspan-03
|
|
Standard output should remain the same. Additional information is placed
under the -v flag. -vv can be used to retrieve the asn1 dumps.
Input and OK jmatthew@
|
|
OK claudio@ sthen@
|
|
ok deraadt@
|
|
CFI stood for canonical format indicator, and basically said whether
the payload was ethernet or fddi (with 0 meaning ethernet).
DEI stands for drop eligibility indicator
|
|
The privsep monitor process handles all privileged operations on behalf
of the unprivileged "packet parser" process. Once it enters its runtime
state, it only needs to:
* Perform DNS and other "numbers to names" lookups, sending results
back over a pipe/socketpair.
* Display the final packet statistics on ^C.
We can finally now drop root privileges in this process as well, as bpf
BIOCGSTATS is still permitted by non-root on open descriptors after it
has been permanently locked with BIOCLOCK. This provides some additional
protection, to go along with the already tight unveil(2) and pledge(2)
restrictions.
With this change tcpdump(8) completely drops root privileges at runtime.
ok mestre@, deraadt@
|
|
This reduces the remaining runtime pledge(2) in the privsep monitor
process to "stdio rpath dns bpf":
- 'rpath' for /etc/{ethers,rpc}, also unveil(2)'d thanks to mestre@!
- 'dns' for DNS lookups
- 'bpf' BIOCGSTATS on ^C
The unprivileged packet parser process remains pledged just "stdio"
This depends on the previous commit that removed YP support from
ethers(5).
ok mestre@
|
|
I missed this part in my previous commit.
|
|
need to be unveiled at runtime in the monitor process.
Clean up the unused internal privsep "getlines" code, we now explicitly
fdpass the OS fingerprints file instead.
ok mestre@ kn@
|
|
There's no reason to build without IPv6 support, `-U INET6' builds were
broken anyway.
Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.
No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.
OK denis deraadt
|
|
Flow labels used to be 24-bit back in 1995 until the IPv6 header format
changed in 1998 when the field size was reduced to 20-bit.
https://tools.ietf.org/html/rfc1883#section-6
https://tools.ietf.org/html/rfc2460#section-6
OK denis deraadt
|
|
The following files are opened in the privsep proc, with read permissions, and
therefore need to be unveiled:
- /etc/pf.os - for OS fingerprinting, but only unveiled if -o flag is used
- /etc/ethers - ether_ntohost(3)
- /etc/rpc - getrpcbynumber(3)
Additional files are also opened, but they are either opened before reaching
this code path, or are covered by pledge(2)'s dns promise.
shown and tested by a few people
OK brynet@ deraadt@
|
|
ok millert@
|
|
ok claudio@
|
|
that and start listening for failure reports.
|
|
requested by bluhm@ as it broke some regress tests for no good
reason.
|
|
|