remove prototypes with no matching function and externs with no var
partly checked by millert@

Adjust default_print() to not run over snapend.

Kill default_print_unaligned() and adjust default_print() to also work
with unaligned buffers. There is no need for two functions doing the
same thing.

Pass the right length in nsh_print to default_print(). Fixes on place
that makes tcpdump crash.
Reported by Peter J. Philipp (pjp at delphinusdns dot org)
OK mbuhl@

add initial support for handling geneve packets.

it's like vxlan, but different. the most interesting difference to
vxlan is that the protocol adds support for adding optional metadata
to packets (like nsh). this diff currently just skips that stuff
and just handles the payload. for now.

wire the wireguard packet printer into tcpdump.

from Matt Dunwoodie and Jason A. Donenfeld

add support for printing RfC 2332 NBMA Next Hop Resolution Protocol (NHRP)

ok dlg@

add support for printing RFC 8300 Network Service Header (NSH)

ok deraadt@

rewrite dhcpv6 parsing so it follows the rfc, not an incompat draft.

it looks like this code was using draft-ietf-dhc-dhcpv6-14 from
1999. there were 27 drafts, and by the time it got to draft 23 and
the rfc it was significantly different. this code for draft 14
cannot handle actual dhcpv6 messages. im kind of surprised
(disappointed?) that noone noticed before. i only noticed cos the
code was segfaulting on sparc64, and when i tried to fix it the
resulting messages looked nothing like what stock tcpdump produced.

the main difference between the early drafts and what ended up in
the rfc is that the base dhcpv6 messages in early drafts were large
structure with a lot of fixed fields, while the rfc settled on a 4
byte header that contains a 1 byte message type and a 3 byte
transaction id. the rest of the messages are built from dhcp options
fields.

this cuts all the old handling out, and fixes the fault in the
options handling by using EXTRACT_16BITS to get at the code and
length fields instead of using ntohs. dhcpv6 explicitly states that
it does not align options, so this is necessary to avoid faults on
strict alignment archs anyway. no options are pretty printed at the
moment, you just get a numeric type, a length, and a hexdump of the
value. this is still better than the garbage that the draft parsing
produced.

if someone is interested in making this easier to read, it would
be a straightforward and well contained project to better handle
option printing.

ok deraadt@

support -T erspan so arbitrary gre protocols can be seen as erspan

this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.

ok lteo@

support printing cdp over gre and ppp

ok deraadt@ mpi@ sthen@

Remove #ifdef INET6

There's not reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstpor" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@

print etherip on ipv6.

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing this messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@

Remove more register keywords.

ok daniel@, discussed on hackers@

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@

trash $Header goo which is just annoying; 5595

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack. The decoder attempts
to guess the protocol.
ok brad@

support decapsulation of 802.11 data frames

ok canacar@

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@

add -T tcp to enforce interpretation as TCP

- do not use __attribute__((volatile)) as its a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

print the operating system of TCP SYN packets with the -o option

ansi and protos

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data

pfsync support; deraadt@ ok

stop breaking the damn tree mickey

tcpdump support for pfsync; henning@ ok

In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD

branches: 1.31.2;
We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

proper handling for DLT_NULL and DLT_LOOP (header byte swapping); pointed out and tested by Alexander Yurchenko <grange@rt.mipt.ru>

HSRP dissector, from Julian Cowley <julian@lava.net> via tcpdump.org

branches: 1.28.2;
change timeval to bpf_timeval; 32 bit in size, permitting much greater portability

interpret DLT_PFLOG

Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)

add support for printing cdp (Cisco Discovery Protocol), from tcpdump.org

add lwres (BINDv9 resolver) printing. from tcpdump.org and modified by ho@

add relts_print, safeputs and safeputchar

etherip printing code... handles draft (v2) and current (v3)

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org

smb printing; from Andrew Tridgell; via tcpdump.org

add vrrp printing; from tcpdump.org

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes

BGP support (from KAME/WIDE). INET6 parts not done yet.

Mobile IP support (from KAME/NetBSD)

L2TP support (from KAME)

delcare esp_print and radius_print

- Merge some changes from tcpdump 3.4
-a flag; attempt to convert network and broadcast addresses to names
Improved signal handling
Miscellaneous fixes and typos
OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.

add cisco netflow proto printing; not tested w/ version 5, but should work anyways

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms where passed).

#if __STDC__ --> #ifdef __STDC__

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.

*** empty log message ***

it is 3.2 now.

sync to latest

Updating to the latest LBL release.
Sun's SKIP support added.

branches: 1.1.1;
Initial revision

Adjust default_print() to not run over snapend.

Kill default_print_unaligned() and adjust default_print() to also work
with unaligned buffers. There is no need for two functions doing the
same thing.

Pass the right length in nsh_print to default_print(). Fixes on place
that makes tcpdump crash.
Reported by Peter J. Philipp (pjp at delphinusdns dot org)
OK mbuhl@

add initial support for handling geneve packets.

it's like vxlan, but different. the most interesting difference to
vxlan is that the protocol adds support for adding optional metadata
to packets (like nsh). this diff currently just skips that stuff
and just handles the payload. for now.

wire the wireguard packet printer into tcpdump.

from Matt Dunwoodie and Jason A. Donenfeld

add support for printing RfC 2332 NBMA Next Hop Resolution Protocol (NHRP)

ok dlg@

add support for printing RFC 8300 Network Service Header (NSH)

ok deraadt@

rewrite dhcpv6 parsing so it follows the rfc, not an incompat draft.

it looks like this code was using draft-ietf-dhc-dhcpv6-14 from
1999. there were 27 drafts, and by the time it got to draft 23 and
the rfc it was significantly different. this code for draft 14
cannot handle actual dhcpv6 messages. im kind of surprised
(disappointed?) that noone noticed before. i only noticed cos the
code was segfaulting on sparc64, and when i tried to fix it the
resulting messages looked nothing like what stock tcpdump produced.

the main difference between the early drafts and what ended up in
the rfc is that the base dhcpv6 messages in early drafts were large
structure with a lot of fixed fields, while the rfc settled on a 4
byte header that contains a 1 byte message type and a 3 byte
transaction id. the rest of the messages are built from dhcp options
fields.

this cuts all the old handling out, and fixes the fault in the
options handling by using EXTRACT_16BITS to get at the code and
length fields instead of using ntohs. dhcpv6 explicitly states that
it does not align options, so this is necessary to avoid faults on
strict alignment archs anyway. no options are pretty printed at the
moment, you just get a numeric type, a length, and a hexdump of the
value. this is still better than the garbage that the draft parsing
produced.

if someone is interested in making this easier to read, it would
be a straightforward and well contained project to better handle
option printing.

ok deraadt@

support -T erspan so arbitrary gre protocols can be seen as erspan

this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.

ok lteo@

support printing cdp over gre and ppp

ok deraadt@ mpi@ sthen@

Remove #ifdef INET6

There's not reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstpor" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@

print etherip on ipv6.

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing this messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@

Remove more register keywords.

ok daniel@, discussed on hackers@

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@

trash $Header goo which is just annoying; 5595

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack. The decoder attempts
to guess the protocol.
ok brad@

support decapsulation of 802.11 data frames

ok canacar@

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@

add -T tcp to enforce interpretation as TCP

- do not use __attribute__((volatile)) as its a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

print the operating system of TCP SYN packets with the -o option

ansi and protos

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data

pfsync support; deraadt@ ok

stop breaking the damn tree mickey

tcpdump support for pfsync; henning@ ok

In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD

branches: 1.31.2;
We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

proper handling for DLT_NULL and DLT_LOOP (header byte swapping); pointed out and tested by Alexander Yurchenko <grange@rt.mipt.ru>

HSRP dissector, from Julian Cowley <julian@lava.net> via tcpdump.org

branches: 1.28.2;
change timeval to bpf_timeval; 32 bit in size, permitting much greater portability

interpret DLT_PFLOG

Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)

add support for printing cdp (Cisco Discovery Protocol), from tcpdump.org

add lwres (BINDv9 resolver) printing. from tcpdump.org and modified by ho@

add relts_print, safeputs and safeputchar

etherip printing code... handles draft (v2) and current (v3)

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org

smb printing; from Andrew Tridgell; via tcpdump.org

add vrrp printing; from tcpdump.org

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes

BGP support (from KAME/WIDE). INET6 parts not done yet.

Mobile IP support (from KAME/NetBSD)

L2TP support (from KAME)

delcare esp_print and radius_print

- Merge some changes from tcpdump 3.4
-a flag; attempt to convert network and broadcast addresses to names
Improved signal handling
Miscellaneous fixes and typos
OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.

add cisco netflow proto printing; not tested w/ version 5, but should work anyways

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms where passed).

#if __STDC__ --> #ifdef __STDC__

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.

*** empty log message ***

it is 3.2 now.

sync to latest

Updating to the latest LBL release.
Sun's SKIP support added.

branches: 1.1.1;
Initial revision

add initial support for handling geneve packets.

it's like vxlan, but different. the most interesting difference to
vxlan is that the protocol adds support for adding optional metadata
to packets (like nsh). this diff currently just skips that stuff
and just handles the payload. for now.

wire the wireguard packet printer into tcpdump.

from Matt Dunwoodie and Jason A. Donenfeld

add support for printing RfC 2332 NBMA Next Hop Resolution Protocol (NHRP)

ok dlg@

add support for printing RFC 8300 Network Service Header (NSH)

ok deraadt@

rewrite dhcpv6 parsing so it follows the rfc, not an incompat draft.

it looks like this code was using draft-ietf-dhc-dhcpv6-14 from
1999. there were 27 drafts, and by the time it got to draft 23 and
the rfc it was significantly different. this code for draft 14
cannot handle actual dhcpv6 messages. im kind of surprised
(disappointed?) that noone noticed before. i only noticed cos the
code was segfaulting on sparc64, and when i tried to fix it the
resulting messages looked nothing like what stock tcpdump produced.

the main difference between the early drafts and what ended up in
the rfc is that the base dhcpv6 messages in early drafts were large
structure with a lot of fixed fields, while the rfc settled on a 4
byte header that contains a 1 byte message type and a 3 byte
transaction id. the rest of the messages are built from dhcp options
fields.

this cuts all the old handling out, and fixes the fault in the
options handling by using EXTRACT_16BITS to get at the code and
length fields instead of using ntohs. dhcpv6 explicitly states that
it does not align options, so this is necessary to avoid faults on
strict alignment archs anyway. no options are pretty printed at the
moment, you just get a numeric type, a length, and a hexdump of the
value. this is still better than the garbage that the draft parsing
produced.

if someone is interested in making this easier to read, it would
be a straightforward and well contained project to better handle
option printing.

ok deraadt@

support -T erspan so arbitrary gre protocols can be seen as erspan

this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.

ok lteo@

support printing cdp over gre and ppp

ok deraadt@ mpi@ sthen@

Remove #ifdef INET6

There's not reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstpor" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@

print etherip on ipv6.

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing this messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@

Remove more register keywords.

ok daniel@, discussed on hackers@

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@

trash $Header goo which is just annoying; 5595

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack. The decoder attempts
to guess the protocol.
ok brad@

support decapsulation of 802.11 data frames

ok canacar@

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@

add -T tcp to enforce interpretation as TCP

- do not use __attribute__((volatile)) as its a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

print the operating system of TCP SYN packets with the -o option

ansi and protos

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data

pfsync support; deraadt@ ok

stop breaking the damn tree mickey

tcpdump support for pfsync; henning@ ok

In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD

branches: 1.31.2;
We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

proper handling for DLT_NULL and DLT_LOOP (header byte swapping); pointed out and tested by Alexander Yurchenko <grange@rt.mipt.ru>

HSRP dissector, from Julian Cowley <julian@lava.net> via tcpdump.org

branches: 1.28.2;
change timeval to bpf_timeval; 32 bit in size, permitting much greater portability

interpret DLT_PFLOG

Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)

add support for printing cdp (Cisco Discovery Protocol), from tcpdump.org

add lwres (BINDv9 resolver) printing. from tcpdump.org and modified by ho@

add relts_print, safeputs and safeputchar

etherip printing code... handles draft (v2) and current (v3)

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org

smb printing; from Andrew Tridgell; via tcpdump.org

add vrrp printing; from tcpdump.org

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes

BGP support (from KAME/WIDE). INET6 parts not done yet.

Mobile IP support (from KAME/NetBSD)

L2TP support (from KAME)

delcare esp_print and radius_print

- Merge some changes from tcpdump 3.4
-a flag; attempt to convert network and broadcast addresses to names
Improved signal handling
Miscellaneous fixes and typos
OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.

add cisco netflow proto printing; not tested w/ version 5, but should work anyways

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms where passed).

#if __STDC__ --> #ifdef __STDC__

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.

*** empty log message ***

it is 3.2 now.

sync to latest

Updating to the latest LBL release.
Sun's SKIP support added.

branches: 1.1.1;
Initial revision

wire the wireguard packet printer into tcpdump.

from Matt Dunwoodie and Jason A. Donenfeld

add support for printing RfC 2332 NBMA Next Hop Resolution Protocol (NHRP)

ok dlg@

add support for printing RFC 8300 Network Service Header (NSH)

ok deraadt@

rewrite dhcpv6 parsing so it follows the rfc, not an incompat draft.

it looks like this code was using draft-ietf-dhc-dhcpv6-14 from
1999. there were 27 drafts, and by the time it got to draft 23 and
the rfc it was significantly different. this code for draft 14
cannot handle actual dhcpv6 messages. im kind of surprised
(disappointed?) that noone noticed before. i only noticed cos the
code was segfaulting on sparc64, and when i tried to fix it the
resulting messages looked nothing like what stock tcpdump produced.

the main difference between the early drafts and what ended up in
the rfc is that the base dhcpv6 messages in early drafts were large
structure with a lot of fixed fields, while the rfc settled on a 4
byte header that contains a 1 byte message type and a 3 byte
transaction id. the rest of the messages are built from dhcp options
fields.

this cuts all the old handling out, and fixes the fault in the
options handling by using EXTRACT_16BITS to get at the code and
length fields instead of using ntohs. dhcpv6 explicitly states that
it does not align options, so this is necessary to avoid faults on
strict alignment archs anyway. no options are pretty printed at the
moment, you just get a numeric type, a length, and a hexdump of the
value. this is still better than the garbage that the draft parsing
produced.

if someone is interested in making this easier to read, it would
be a straightforward and well contained project to better handle
option printing.

ok deraadt@

support -T erspan so arbitrary gre protocols can be seen as erspan

this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.

ok lteo@

support printing cdp over gre and ppp

ok deraadt@ mpi@ sthen@

Remove #ifdef INET6

There's not reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstpor" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@

print etherip on ipv6.

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing this messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@

Remove more register keywords.

ok daniel@, discussed on hackers@

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@

trash $Header goo which is just annoying; 5595

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack. The decoder attempts
to guess the protocol.
ok brad@

support decapsulation of 802.11 data frames

ok canacar@

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@

add -T tcp to enforce interpretation as TCP

- do not use __attribute__((volatile)) as its a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

print the operating system of TCP SYN packets with the -o option

ansi and protos

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data

pfsync support; deraadt@ ok

stop breaking the damn tree mickey

tcpdump support for pfsync; henning@ ok

In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD

branches: 1.31.2;
We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

proper handling for DLT_NULL and DLT_LOOP (header byte swapping); pointed out and tested by Alexander Yurchenko <grange@rt.mipt.ru>

HSRP dissector, from Julian Cowley <julian@lava.net> via tcpdump.org

branches: 1.28.2;
change timeval to bpf_timeval; 32 bit in size, permitting much greater portability

interpret DLT_PFLOG

Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)

add support for printing cdp (Cisco Discovery Protocol), from tcpdump.org

add lwres (BINDv9 resolver) printing. from tcpdump.org and modified by ho@

add relts_print, safeputs and safeputchar

etherip printing code... handles draft (v2) and current (v3)

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org

smb printing; from Andrew Tridgell; via tcpdump.org

add vrrp printing; from tcpdump.org

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes

BGP support (from KAME/WIDE). INET6 parts not done yet.

Mobile IP support (from KAME/NetBSD)

L2TP support (from KAME)

delcare esp_print and radius_print

- Merge some changes from tcpdump 3.4
-a flag; attempt to convert network and broadcast addresses to names
Improved signal handling
Miscellaneous fixes and typos
OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.

add cisco netflow proto printing; not tested w/ version 5, but should work anyways

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms where passed).

#if __STDC__ --> #ifdef __STDC__

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.

*** empty log message ***

it is 3.2 now.

sync to latest

Updating to the latest LBL release.
Sun's SKIP support added.

branches: 1.1.1;
Initial revision

add support for printing RfC 2332 NBMA Next Hop Resolution Protocol (NHRP)

ok dlg@

add support for printing RFC 8300 Network Service Header (NSH)

ok deraadt@

rewrite dhcpv6 parsing so it follows the rfc, not an incompat draft.

it looks like this code was using draft-ietf-dhc-dhcpv6-14 from
1999. there were 27 drafts, and by the time it got to draft 23 and
the rfc it was significantly different. this code for draft 14
cannot handle actual dhcpv6 messages. im kind of surprised
(disappointed?) that noone noticed before. i only noticed cos the
code was segfaulting on sparc64, and when i tried to fix it the
resulting messages looked nothing like what stock tcpdump produced.

the main difference between the early drafts and what ended up in
the rfc is that the base dhcpv6 messages in early drafts were large
structure with a lot of fixed fields, while the rfc settled on a 4
byte header that contains a 1 byte message type and a 3 byte
transaction id. the rest of the messages are built from dhcp options
fields.

this cuts all the old handling out, and fixes the fault in the
options handling by using EXTRACT_16BITS to get at the code and
length fields instead of using ntohs. dhcpv6 explicitly states that
it does not align options, so this is necessary to avoid faults on
strict alignment archs anyway. no options are pretty printed at the
moment, you just get a numeric type, a length, and a hexdump of the
value. this is still better than the garbage that the draft parsing
produced.

if someone is interested in making this easier to read, it would
be a straightforward and well contained project to better handle
option printing.

ok deraadt@

support -T erspan so arbitrary gre protocols can be seen as erspan

this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.

ok lteo@

support printing cdp over gre and ppp

ok deraadt@ mpi@ sthen@

Remove #ifdef INET6

There's not reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstpor" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@

print etherip on ipv6.

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing this messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@

Remove more register keywords.

ok daniel@, discussed on hackers@

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@

trash $Header goo which is just annoying; 5595

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack. The decoder attempts
to guess the protocol.
ok brad@

support decapsulation of 802.11 data frames

ok canacar@

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@

add -T tcp to enforce interpretation as TCP

- do not use __attribute__((volatile)) as its a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

print the operating system of TCP SYN packets with the -o option

ansi and protos

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data