Age | Commit message | Author |
|
this allows tcpdump to be used as a quick and dirty firewall. it also
looks like an amazing foot-gun, so be careful.
for example `tcpdump -B drop -i ix1 udp and port 7` lets you
completely drop discard packets in the hardware interrupt handler.
ok sthen@ mikeb@ claudio@ visa@
|
|
ERSPAN II is an 8 byte header before an ethernet payload. the switch
at work doesn't produce erspan III, so I haven't handled that yet.
this at least lets me see what's on the wire so i can contemplate
how i want to deal with the payload.
based on draft-foschiano-erspan-03
|
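The 8-byte header the commit above refers to is the ERSPAN Type II header of draft-foschiano-erspan-03 (Ver 4 bits, VLAN 12, COS 3, En 2, T 1, Session ID 10, then Reserved 12 and Index 20). The decoder below is an added example written for this page, not code from OpenBSD's tcpdump; the sample bytes are constructed, not a capture, and the captured-length check is the part that matters for a packet printer, because a truncated capture must fail cleanly rather than read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERSPAN_II_HDRLEN 8

/* Decoded ERSPAN Type II header (draft-foschiano-erspan-03). */
struct erspan2 {
	unsigned ver;      /* 1 for Type II */
	unsigned vlan;     /* original VLAN of the mirrored frame */
	unsigned cos;      /* original 802.1p class of service */
	unsigned en;       /* encapsulation type of the mirrored frame */
	unsigned trunc;    /* 1 if the mirrored frame was truncated */
	unsigned session;  /* ERSPAN session ID */
	unsigned index;    /* port/direction index, platform specific */
};

static uint32_t
get_be32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Decode the header at p. Returns the number of bytes consumed (8), so the
 * caller can hand p + 8 to the Ethernet printer, or -1 if fewer than 8
 * bytes were captured or the version is not II. Checking caplen before
 * touching the bytes is what keeps a short capture from becoming an
 * out-of-bounds read.
 */
int
erspan2_parse(const unsigned char *p, size_t caplen, struct erspan2 *h)
{
	uint32_t w0, w1;

	if (caplen < ERSPAN_II_HDRLEN)
		return -1;
	w0 = get_be32(p);
	w1 = get_be32(p + 4);
	h->ver = w0 >> 28;
	if (h->ver != 1)
		return -1;
	h->vlan = (w0 >> 16) & 0xfff;
	h->cos = (w0 >> 13) & 0x7;
	h->en = (w0 >> 11) & 0x3;
	h->trunc = (w0 >> 10) & 0x1;
	h->session = w0 & 0x3ff;
	h->index = w1 & 0xfffff;
	return ERSPAN_II_HDRLEN;
}

/* Constructed sample (not a real capture): Ver 1, VLAN 100, COS 5, En 2,
 * T 0, Session 7, Index 0x12345, followed by the start of an Ethernet
 * frame (broadcast destination MAC). */
static const unsigned char erspan2_sample[] = {
	0x10, 0x64, 0xb0, 0x07,   /* 0001 000001100100 101 10 0 0000000111 */
	0x00, 0x01, 0x23, 0x45,   /* 000000000000 00010010001101000101 */
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
};

/* Parse the sample; ver is 0 in the result if parsing failed. */
struct erspan2
erspan2_parse_sample(void)
{
	struct erspan2 h = { 0 };

	if (erspan2_parse(erspan2_sample, sizeof(erspan2_sample), &h) < 0)
		h.ver = 0;
	return h;
}

int
main(void)
{
	struct erspan2 h = erspan2_parse_sample();

	printf("erspan II: vlan %u cos %u en %u t %u session %u index %#x\n",
	    h.vlan, h.cos, h.en, h.trunc, h.session, h.index);
	return 0;
}
```

The Index field is platform specific, so a printer should show it raw rather than try to interpret it; the Reserved bits are ignored here on purpose.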
|
|
|
Standard output should remain the same. Additional information is placed
under the -v flag. -vv can be used to retrieve the asn1 dumps.
Input and OK jmatthew@
|
|
OK claudio@ sthen@
|
|
ok deraadt@
|
|
CFI stood for canonical format indicator, and basically said whether
the payload was ethernet or fddi (with 0 meaning ethernet).
DEI stands for drop eligibility indicator
|
|
|
|
The privsep monitor process handles all privileged operations on behalf
of the unprivileged "packet parser" process. Once it enters its runtime
state, it only needs to:
* Perform DNS and other "numbers to names" lookups, sending results
back over a pipe/socketpair.
* Display the final packet statistics on ^C.
We can finally now drop root privileges in this process as well, as bpf
BIOCGSTATS is still permitted by non-root on open descriptors after it
has been permanently locked with BIOCLOCK. This provides some additional
protection, to go along with the already tight unveil(2) and pledge(2)
restrictions.
With this change tcpdump(8) completely drops root privileges at runtime.
ok mestre@, deraadt@
|
|
This reduces the remaining runtime pledge(2) in the privsep monitor
process to "stdio rpath dns bpf":
- 'rpath' for /etc/{ethers,rpc}, also unveil(2)'d thanks to mestre@!
- 'dns' for DNS lookups
- 'bpf' BIOCGSTATS on ^C
The unprivileged packet parser process remains pledged just "stdio"
This depends on the previous commit that removed YP support from
ethers(5).
ok mestre@
|
|
I missed this part in my previous commit.
|
|
need to be unveiled at runtime in the monitor process.
Cleanup the unused internal privsep "getlines" code, we now explicitly
fdpass the OS fingerprints file instead.
ok mestre@ kn@
|
|
There's no reason to build without IPv6 support, `-U INET6' builds were
broken anyway.
Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.
No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.
OK denis deraadt
|
|
Flow labels used to be 24-bit back in 1995 until the IPv6 header format
changed in 1998 when the field size was reduced to 20-bit.
https://tools.ietf.org/html/rfc1883#section-6
https://tools.ietf.org/html/rfc2460#section-6
OK denis deraadt
|
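To make the 24-bit versus 20-bit point concrete: the first 32 bits of a current IPv6 header are Version(4) Traffic Class(8) Flow Label(20), and masking with the RFC 1883 width pulls the low four Traffic Class bits into the label. The decoder below is an added example for this page, not OpenBSD tcpdump code; the sample word is constructed (DSCP EF in the traffic class, flow label 0x12345), and ip6_flow_rfc1883() exists only to show what the obsolete mask returns on the same bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP6_FLOW_MASK_RFC2460 0x000fffffU   /* 20-bit flow label */
#define IP6_FLOW_MASK_RFC1883 0x00ffffffU   /* obsolete 24-bit width */

struct ip6_first_word {
	unsigned version;
	unsigned tclass;
	unsigned flow;
};

static uint32_t
get_be32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode Version, Traffic Class and Flow Label. Returns 0, or -1 if fewer
 * than 4 bytes were captured or the version nibble is not 6. */
int
ip6_first_word_parse(const unsigned char *p, size_t caplen,
    struct ip6_first_word *h)
{
	uint32_t w;

	if (caplen < 4)
		return -1;
	w = get_be32(p);
	h->version = w >> 28;
	if (h->version != 6)
		return -1;
	h->tclass = (w >> 20) & 0xff;
	h->flow = w & IP6_FLOW_MASK_RFC2460;
	return 0;
}

/* The pre-1998 decode, kept only to show the damage: the low nibble of
 * the Traffic Class appears as the top nibble of the "flow label". */
unsigned
ip6_flow_rfc1883(const unsigned char *p)
{
	return get_be32(p) & IP6_FLOW_MASK_RFC1883;
}

/* Constructed sample: version 6, traffic class 0xb8, flow label 0x12345 */
static const unsigned char ip6_sample[] = { 0x6b, 0x81, 0x23, 0x45 };

struct ip6_first_word
ip6_parse_sample(void)
{
	struct ip6_first_word h = { 0 };

	(void)ip6_first_word_parse(ip6_sample, sizeof(ip6_sample), &h);
	return h;
}

unsigned
ip6_sample_flow_rfc1883(void)
{
	return ip6_flow_rfc1883(ip6_sample);
}

int
main(void)
{
	struct ip6_first_word h = ip6_parse_sample();

	printf("ip6 class %#x flow %#x (24-bit mask would give %#x)\n",
	    h.tclass, h.flow, ip6_sample_flow_rfc1883());
	return 0;
}
```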
|
The following files are opened in the privsep proc, with read permissions, and
therefore need to be unveiled:
- /etc/pf.os - for OS fingerprinting, but only unveiled if -o flag is used
- /etc/ethers - ether_ntohost(3)
- /etc/rpc - getrpcbynumber(3)
Additional files are also opened, but they are either opened before reaching
this code path, or are covered by pledge(2)'s dns promise.
shown and tested by a few people
OK brynet@ deraadt@
|
|
ok millert@
|
|
ok claudio@
|
|
that and start listening for failure reports.
|
|
requested by bluhm@ as it broke some regress tests for no good
reason.
|
|
|
|
I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c
|
|
|
|
previously they all had (const u_char *)(up + 1), which was messy.
|
|
This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.
|
|
This allows arbitrary UDP packets to be parsed as MPLS.
|
|
|
|
This allows arbitrary UDP packets to be parsed as GRE packets.
|
|
This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.
Apart from the default "srcip.srcport > dstip.dstport" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.
This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.
This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.
Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.
help and ok sthen@
|
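The checksum restructuring described above (feed the IPv4 or IPv6 addresses into a running sum, then common code for the rest of the pseudo header and the datagram) is shown below as an added example written for this page; it is not the code from OpenBSD's print-udp.c. The datagram and addresses are constructed. The family-specific part really is only the addresses: the IPv4 pseudo header carries zero:protocol and a 16-bit length, the IPv6 one a 32-bit length and 24 zero bits:next header, and as 16-bit words both sum to the same two values while the length fits in 16 bits. Returning -1 when there is no IP header is the example's way of handling the "udp_print() called without an IP header" case the commit mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_UDP 17

/* Running RFC 1071 ones'-complement accumulator. Chunks may be added in
 * any order; only the final chunk may have odd length (its last byte is
 * padded with a zero byte, as the RFC specifies). */
struct cksum {
	uint32_t sum;
};

static void
cksum_add(struct cksum *c, const unsigned char *p, size_t len)
{
	while (len > 1) {
		c->sum += (uint32_t)((p[0] << 8) | p[1]);
		p += 2;
		len -= 2;
	}
	if (len == 1)
		c->sum += (uint32_t)(p[0] << 8);
}

static void
cksum_add16(struct cksum *c, uint16_t v)
{
	c->sum += v;
}

static uint16_t
cksum_fin(struct cksum *c)
{
	uint32_t s = c->sum;

	while (s >> 16)
		s = (s & 0xffff) + (s >> 16);
	return (uint16_t)~s;
}

/*
 * UDP checksum over pseudo header, header and payload. af is 4 or 6;
 * src/dst point at the raw network-order addresses (4 or 16 bytes); up is
 * the UDP header followed by ulen - 8 payload bytes. The checksum field in
 * up is summed as found: pass it zeroed to compute the value to send (a
 * result of 0 is sent as 0xffff), or pass the datagram as received to
 * verify it, where 0 means good. Returns -1 when there is no IP header to
 * build a pseudo header from.
 */
int
udp_cksum(int af, const unsigned char *src, const unsigned char *dst,
    const unsigned char *up, size_t ulen)
{
	struct cksum c = { 0 };
	size_t alen;

	if (af == 4)
		alen = 4;
	else if (af == 6)
		alen = 16;
	else
		return -1;
	if (src == NULL || dst == NULL || ulen < 8 || ulen > 0xffff)
		return -1;

	cksum_add(&c, src, alen);          /* the only family-specific part */
	cksum_add(&c, dst, alen);
	cksum_add16(&c, IPPROTO_UDP);      /* common tail: protocol, length */
	cksum_add16(&c, (uint16_t)ulen);
	cksum_add(&c, up, ulen);
	return cksum_fin(&c);
}

/* Constructed datagram: sport 1234, dport 53, length 12, checksum 0,
 * payload "abcd"; constructed addresses 10.0.0.1 > 10.0.0.2 and
 * 2001:db8::1 > 2001:db8::2. */
static const unsigned char udp_sample[12] = {
	0x04, 0xd2, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00, 'a', 'b', 'c', 'd'
};
static const unsigned char v4_src[4] = { 10, 0, 0, 1 };
static const unsigned char v4_dst[4] = { 10, 0, 0, 2 };
static const unsigned char v6_src[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
	0, 0, 0, 0, 0, 0, 0, 1 };
static const unsigned char v6_dst[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
	0, 0, 0, 0, 0, 0, 0, 2 };

/* Checksum of the zeroed sample: 0x2206 over IPv4, 0xda93 over IPv6. */
int
sample_cksum(int af)
{
	if (af == 4)
		return udp_cksum(4, v4_src, v4_dst, udp_sample, sizeof(udp_sample));
	return udp_cksum(6, v6_src, v6_dst, udp_sample, sizeof(udp_sample));
}

/* Fill the computed value into a copy and verify it; 0 means good. */
int
sample_verify(int af)
{
	unsigned char pkt[sizeof(udp_sample)];
	int ck = sample_cksum(af);

	if (ck < 0)
		return -1;
	memcpy(pkt, udp_sample, sizeof(pkt));
	pkt[6] = (unsigned char)(ck >> 8);
	pkt[7] = (unsigned char)(ck & 0xff);
	return udp_cksum(af, af == 4 ? v4_src : v6_src,
	    af == 4 ? v4_dst : v6_dst, pkt, sizeof(pkt));
}

int
main(void)
{
	printf("udp cksum v4 %#06x verify %d; v6 %#06x verify %d\n",
	    sample_cksum(4), sample_verify(4), sample_cksum(6), sample_verify(6));
	return 0;
}
```

A printer should only report "bad udp cksum" when the whole datagram was captured; with a snaplen shorter than the UDP length the sum is over truncated data and the verdict is meaningless.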
|
this is part of a bigger change that refactors udp handling, but
works on hosts of both endiannesses.
discussed at length with proctor@
ok sthen@
|
|
ok claudio@ mpi@ benno@ bluhm@ deraadt@
|
|
ok deraadt@
|
|
eoip is a twisted gre based protocol using version 1 like pptp, but
a different protocol id. this splits the gre 1 protocol handling
up so it doesn't assume that all packets are pptp, but decides
between eoip and pptp based on the protocol field. unknown protocols
are unknown rather than assumed to be pptp.
ok sthen@
|
|
While here, also delete the obsolete .Tn macros.
|
|
the vlan specs have the priority of 0 and 1 swapped on the wire,
which is how the kernel handles them. eg, if you use pf to set prio
1, it will end up being 0 on the wire. this makes 0 on the wire
come out as 1 in tcpdump so it is consistent with the rest of the
tooling.
ok henning@
|
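Two of the commits above touch the 802.1Q Tag Control Information: the CFI to DEI rename (the bit between the 3-bit priority and the 12-bit VLAN ID) and the priority 0/1 swap that makes tcpdump agree with pf and the kernel. The tag parser below is an added example for this page, not OpenBSD tcpdump code; the frame bytes are constructed. vlan_wire_prio_to_host() is the swap the commit describes (0 on the wire prints as 1 and vice versa, everything else unchanged); the QinQ TPID is accepted as an assumption so an outer S-tag can be walked with a second call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_VLAN 0x8100   /* 802.1Q C-tag */
#define ETHERTYPE_QINQ 0x88a8   /* 802.1ad S-tag (outer tag) */

/* 16-bit TCI: PCP(3) DEI(1) VID(12). DEI is the bit 802.1Q once called
 * CFI (0 = ethernet, 1 = fddi); it now means drop eligible. */
struct vlan_tag {
	unsigned pcp;     /* priority as carried on the wire */
	unsigned dei;     /* drop eligibility indicator (formerly CFI) */
	unsigned vid;     /* VLAN ID; 0 = priority-only tag, 0xfff reserved */
	uint16_t proto;   /* ethertype of the encapsulated payload */
};

static uint16_t
get_be16(const unsigned char *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Map the wire PCP to the number pf "prio" and the kernel use: 0 and 1
 * are swapped, the rest map to themselves. */
unsigned
vlan_wire_prio_to_host(unsigned pcp)
{
	switch (pcp) {
	case 0:
		return 1;
	case 1:
		return 0;
	default:
		return pcp;
	}
}

/*
 * Parse one tag at p, the ethertype position of an Ethernet frame
 * (offset 12). Needs TPID, TCI and the following ethertype, 6 bytes;
 * returns 4 (the tag length) or -1 if the capture is short or p does not
 * hold a VLAN TPID. For a QinQ frame call again at p + 4.
 */
int
vlan_parse(const unsigned char *p, size_t caplen, struct vlan_tag *t)
{
	uint16_t tpid, tci;

	if (caplen < 6)
		return -1;
	tpid = get_be16(p);
	if (tpid != ETHERTYPE_VLAN && tpid != ETHERTYPE_QINQ)
		return -1;
	tci = get_be16(p + 2);
	t->pcp = tci >> 13;
	t->dei = (tci >> 12) & 1;
	t->vid = tci & 0xfff;
	t->proto = get_be16(p + 4);
	return 4;
}

/* Constructed frame: dst/src MAC, 802.1Q tag with PCP 0, DEI 1, VID 42
 * (TCI 0x102a), then IPv4 (0x0800) and the first byte of its header. */
static const unsigned char vlan_sample[] = {
	0x01, 0x00, 0x5e, 0x00, 0x00, 0x01,   /* dst */
	0x00, 0x00, 0x5e, 0x00, 0x53, 0x01,   /* src */
	0x81, 0x00, 0x10, 0x2a,               /* TPID, TCI */
	0x08, 0x00, 0x45,                     /* ethertype, IPv4 version/IHL */
};

/* Decode the sample tag; proto is 0 in the result if parsing failed. */
struct vlan_tag
vlan_parse_sample(void)
{
	struct vlan_tag t = { 0 };

	if (vlan_parse(vlan_sample + 12, sizeof(vlan_sample) - 12, &t) < 0)
		t.proto = 0;
	return t;
}

int
main(void)
{
	struct vlan_tag t = vlan_parse_sample();

	printf("802.1Q vid %u pri %u (wire %u) dei %u proto %#06x\n",
	    t.vid, vlan_wire_prio_to_host(t.pcp), t.pcp, t.dei, t.proto);
	return 0;
}
```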
|
|
|
|
|
ether_print just prints the ether header.
|
|
peek inside the payload to see if the first nibble looks like ipv4.
if it isn't ipv4 assume it is the wccp header.
|
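Two GRE dispatch decisions appear in the commits above: for version 1 the protocol field, not the version, picks between pptp and eoip (anything else is unknown), and for WCCP under version 0 the first payload nibble decides whether an IPv4 header follows directly or a WCCP redirect header comes first. The classifier below is an added example for this page, not code from OpenBSD's print-gre.c. The PPP (0x880b, RFC 2637) and WCCP (0x883e) protocol values are standard; the EoIP value 0x6400 is the MikroTik convention and is an assumption here, as is EoIP's use of the version 1 payload-length/call-ID words. All samples are constructed. The header length is derived from the flag bits and then checked against the captured length, which is the "parse what the headers say, within what was captured" discipline the ppp commit describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* GRE flag bits in the first 16-bit word (RFC 2784/2890 for version 0,
 * RFC 2637 for version 1). */
#define GRE_CP    0x8000  /* checksum present */
#define GRE_KP    0x2000  /* key present */
#define GRE_SP    0x1000  /* sequence number present */
#define GRE_AP    0x0080  /* ack number present (version 1 only) */
#define GRE_VERS  0x0007

#define GRE_PROTO_PPP   0x880b  /* PPP in GRE v1: PPTP */
#define GRE_PROTO_EOIP  0x6400  /* MikroTik EoIP (assumed value) */
#define GRE_PROTO_WCCP  0x883e  /* WCCP under GRE v0 */

enum gre_kind {
	GRE_SHORT = -1,     /* header not fully captured */
	GRE_UNKNOWN,        /* version/protocol we do not decode */
	GRE_V0_GENERIC,     /* version 0: hand proto to the ethertype dispatch */
	GRE_V0_WCCP_IPV4,   /* WCCP with an IPv4 packet directly inside */
	GRE_V0_WCCP_HDR,    /* WCCP with a 4-byte redirect header first */
	GRE_V1_PPTP,
	GRE_V1_EOIP
};

struct gre_hdr {
	unsigned flags, ver;
	uint16_t proto;
	size_t hlen;        /* bytes to skip to reach the payload */
};

static uint16_t
get_be16(const unsigned char *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Work out the header length from the flag bits; -1 if caplen is short. */
int
gre_parse(const unsigned char *p, size_t caplen, struct gre_hdr *h)
{
	if (caplen < 4)
		return -1;
	h->flags = get_be16(p);
	h->ver = h->flags & GRE_VERS;
	h->proto = get_be16(p + 2);
	h->hlen = 4;
	if (h->ver == 0) {
		if (h->flags & GRE_CP) h->hlen += 4;   /* checksum + reserved1 */
		if (h->flags & GRE_KP) h->hlen += 4;
		if (h->flags & GRE_SP) h->hlen += 4;
	} else if (h->ver == 1) {
		h->hlen += 4;                          /* payload length + call ID */
		if (h->flags & GRE_SP) h->hlen += 4;
		if (h->flags & GRE_AP) h->hlen += 4;
	}
	return caplen < h->hlen ? -1 : (int)h->hlen;
}

/* Decide what follows the GRE header, using only captured bytes. */
enum gre_kind
gre_classify(const unsigned char *p, size_t caplen)
{
	struct gre_hdr h;

	if (gre_parse(p, caplen, &h) < 0)
		return GRE_SHORT;
	switch (h.ver) {
	case 1:	/* version 1 no longer implies PPTP: look at the protocol */
		if (h.proto == GRE_PROTO_PPP)
			return GRE_V1_PPTP;
		if (h.proto == GRE_PROTO_EOIP)
			return GRE_V1_EOIP;
		return GRE_UNKNOWN;
	case 0:
		if (h.proto != GRE_PROTO_WCCP)
			return GRE_V0_GENERIC;
		if (caplen - h.hlen < 1)
			return GRE_SHORT;
		/* peek: a 4 nibble means an IPv4 header, anything else the
		 * WCCP redirect header */
		return (p[h.hlen] >> 4) == 4 ? GRE_V0_WCCP_IPV4 : GRE_V0_WCCP_HDR;
	default:
		return GRE_UNKNOWN;
	}
}

/* Constructed samples, not captures. */
static const unsigned char gre_pptp[] = {
	0x30, 0x01, 0x88, 0x0b,   /* K S, version 1, PPP */
	0x00, 0x04, 0x00, 0x18,   /* payload length 4, call ID 24 */
	0x00, 0x00, 0x00, 0x07,   /* seq 7 */
	0xff, 0x03, 0x00, 0x21,   /* PPP addr/ctrl, IP */
};
static const unsigned char gre_eoip[] = {
	0x30, 0x01, 0x64, 0x00, 0x00, 0x0e, 0x00, 0x2a,
	0x00, 0x00, 0x00, 0x01, 0xff, 0xff,
};
static const unsigned char gre_v1_other[] = { 0x20, 0x01, 0x08, 0x00, 0, 0, 0, 0 };
static const unsigned char gre_wccp_ip[] = { 0x00, 0x00, 0x88, 0x3e, 0x45, 0x00 };
static const unsigned char gre_wccp_hdr[] = { 0x00, 0x00, 0x88, 0x3e, 0x00, 0x00, 0x00, 0x01 };

int
main(void)
{
	printf("pptp %d eoip %d other %d wccp/ip %d wccp/hdr %d short %d\n",
	    gre_classify(gre_pptp, sizeof(gre_pptp)),
	    gre_classify(gre_eoip, sizeof(gre_eoip)),
	    gre_classify(gre_v1_other, sizeof(gre_v1_other)),
	    gre_classify(gre_wccp_ip, sizeof(gre_wccp_ip)),
	    gre_classify(gre_wccp_hdr, sizeof(gre_wccp_hdr)),
	    gre_classify(gre_pptp, 8));
	return 0;
}
```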
|
|
|
|
|
|
|
|
|
this started because i was looking at pptp, which came out like this:
23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)
now it looks like this:
23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply
the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.
DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.
ok sthen@
|
|
in wireshark.
ok deraadt@, dlg@
|
|
provides retry on short-write file descriptors.
ok florian, previous versions seen by millert
|
|
The ioctl(2) it defines has not been supported for a long time and most of
its defines are already present in tcpdump(8).
ok jca@
|
|
|
|
While tcpdump isn't a daemon in the traditional sense, it's not uncommon
for people to have long running sessions. At least on OpenBSD, this is
even safe thanks to the existing privsep design by otto@, canacar@ and
pledge(2) work done by deraadt.
ok deraadt@
|
|
instead of lazily dumping them in hex.
ok mpi@
|
|
|