History log of /openbsd-current/usr.sbin/tcpdump/interface.h
Revision Date Author Comments
# 1.88 21-May-2024 jsg

remove prototypes with no matching function and externs with no var
partly checked by millert@


Revision tags: OPENBSD_7_3_BASE OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.87 28-Feb-2023 claudio

Adjust default_print() to not run over snapend.

Kill default_print_unaligned() and adjust default_print() to also work
with unaligned buffers. There is no need for two functions doing the
same thing.

Pass the right length in nsh_print to default_print(). Fixes one place
that makes tcpdump crash.
Reported by Peter J. Philipp (pjp at delphinusdns dot org)
OK mbuhl@


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.86 17-Aug-2020 dlg

add initial support for handling geneve packets.

it's like vxlan, but different. the most interesting difference to
vxlan is that the protocol adds support for adding optional metadata
to packets (like nsh). this diff currently just skips that stuff
and just handles the payload. for now.


# 1.85 21-Jun-2020 dlg

wire the wireguard packet printer into tcpdump.

from Matt Dunwoodie and Jason A. Donenfeld


Revision tags: OPENBSD_6_7_BASE
# 1.84 15-Apr-2020 remi

add support for printing RFC 2332 NBMA Next Hop Resolution Protocol (NHRP)

ok dlg@


# 1.83 03-Dec-2019 dlg

add support for printing RFC 8300 Network Service Header (NSH)

ok deraadt@


# 1.82 02-Dec-2019 dlg

rewrite dhcpv6 parsing so it follows the rfc, not an incompat draft.

it looks like this code was using draft-ietf-dhc-dhcpv6-14 from
1999. there were 27 drafts, and by the time it got to draft 23 and
the rfc it was significantly different. this code for draft 14
cannot handle actual dhcpv6 messages. i'm kind of surprised
(disappointed?) that no one noticed before. i only noticed cos the
code was segfaulting on sparc64, and when i tried to fix it the
resulting messages looked nothing like what stock tcpdump produced.

the main difference between the early drafts and what ended up in
the rfc is that the base dhcpv6 messages in early drafts were large
structures with a lot of fixed fields, while the rfc settled on a 4
byte header that contains a 1 byte message type and a 3 byte
transaction id. the rest of the messages are built from dhcp options
fields.

this cuts all the old handling out, and fixes the fault in the
options handling by using EXTRACT_16BITS to get at the code and
length fields instead of using ntohs. dhcpv6 explicitly states that
it does not align options, so this is necessary to avoid faults on
strict alignment archs anyway. no options are pretty printed at the
moment, you just get a numeric type, a length, and a hexdump of the
value. this is still better than the garbage that the draft parsing
produced.

if someone is interested in making this easier to read, it would
be a straightforward and well contained project to better handle
option printing.

ok deraadt@
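
The parsing approach described in the 1.82 log message (a 4-byte header, then options whose 16-bit code and length fields are read bytewise and checked against the end of the captured data), as an added example that is not the OpenBSD code. The names `extract_16`, `have_bytes`, `dh6_walk` and both sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Read a big-endian 16-bit value one byte at a time so it is valid at any
 * address. Local stand-in for the EXTRACT_16BITS idea; casting the pointer
 * to uint16_t * and using ntohs() can fault on strict-alignment machines.
 */
static uint16_t
extract_16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * True if len bytes starting at p were captured. len is compared with the
 * number of bytes left, so an attacker-chosen len never feeds pointer
 * arithmetic that could wrap.
 */
static int
have_bytes(const uint8_t *p, const uint8_t *snapend, size_t len)
{
	return p <= snapend && len <= (size_t)(snapend - p);
}

struct dh6_summary {
	uint8_t		msgtype;	/* 1-byte message type */
	uint32_t	xid;		/* 3-byte transaction id */
	int		nopts;		/* options fully inside the capture */
	int		truncated;	/* ran out of captured bytes */
	uint16_t	last_code;	/* code of the last complete option */
	uint16_t	last_len;	/* length of the last complete option */
};

/* Walk one DHCPv6 message. Returns 0 if it parsed cleanly, -1 if truncated. */
static int
dh6_walk(const uint8_t *buf, size_t caplen, struct dh6_summary *s)
{
	const uint8_t *p = buf, *snapend = buf + caplen;
	uint16_t code, len;

	memset(s, 0, sizeof(*s));
	if (!have_bytes(p, snapend, 4)) {
		s->truncated = 1;
		return -1;
	}
	s->msgtype = p[0];
	s->xid = ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
	p += 4;

	while (p < snapend) {
		/* option header: 2-byte code, 2-byte length, no padding */
		if (!have_bytes(p, snapend, 4)) {
			s->truncated = 1;
			break;
		}
		code = extract_16(p);
		len = extract_16(p + 2);
		p += 4;
		/* the claimed length is untrusted until checked */
		if (!have_bytes(p, snapend, len)) {
			s->truncated = 1;
			break;
		}
		s->nopts++;
		s->last_code = code;
		s->last_len = len;
		p += len;
	}
	return s->truncated ? -1 : 0;
}

/* Constructed sample: type 1, xid 0x123456, option 1 (3 bytes), option 8
 * (2 bytes). The 3-byte value puts the second option header at offset 11. */
static const uint8_t sample_ok[] = {
	0x01, 0x12, 0x34, 0x56,
	0x00, 0x01, 0x00, 0x03, 0xaa, 0xbb, 0xcc,
	0x00, 0x08, 0x00, 0x02, 0x00, 0x64
};

/* Constructed sample: same packet, but the second option claims 65535 bytes. */
static const uint8_t sample_bad[] = {
	0x01, 0x12, 0x34, 0x56,
	0x00, 0x01, 0x00, 0x03, 0xaa, 0xbb, 0xcc,
	0x00, 0x08, 0xff, 0xff, 0x00, 0x64
};

int
main(void)
{
	struct dh6_summary s;
	int rv;

	rv = dh6_walk(sample_ok, sizeof(sample_ok), &s);
	printf("ok:  rv=%d type=%u xid=0x%06x opts=%d\n", rv,
	    (unsigned)s.msgtype, (unsigned)s.xid, s.nopts);
	rv = dh6_walk(sample_bad, sizeof(sample_bad), &s);
	printf("bad: rv=%d opts=%d truncated=%d\n", rv, s.nopts, s.truncated);
	return 0;
}
```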


Revision tags: OPENBSD_6_6_BASE
# 1.81 26-May-2019 dlg

support -T erspan so arbitrary gre protocols can be seen as erspan

this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.

ok lteo@


Revision tags: OPENBSD_6_5_BASE
# 1.80 05-Apr-2019 dlg

support printing cdp over gre and ppp

ok deraadt@ mpi@ sthen@


# 1.79 22-Oct-2018 kn

Remove #ifdef INET6

There's no reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt


Revision tags: OPENBSD_6_4_BASE
# 1.78 06-Jul-2018 dlg

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c


# 1.77 06-Jul-2018 dlg

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.


# 1.76 06-Jul-2018 dlg

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.


# 1.75 06-Jul-2018 dlg

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.


# 1.74 06-Jul-2018 dlg

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstport" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@


# 1.73 06-Jul-2018 dlg

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@


Revision tags: OPENBSD_6_3_BASE
# 1.72 10-Feb-2018 dlg

print etherip on ipv6.


# 1.71 06-Feb-2018 dlg

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@


# 1.70 03-Feb-2018 mpi

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.69 16-Nov-2016 reyk

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@


# 1.68 22-Oct-2016 rzalamena

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing these messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.67 11-Jul-2016 rzalamena

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@


Revision tags: OPENBSD_5_9_BASE
# 1.66 15-Nov-2015 mmcc

Remove more register keywords.

ok daniel@, discussed on hackers@


Revision tags: OPENBSD_5_8_BASE
# 1.65 05-Apr-2015 guenther

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.64 20-Nov-2014 jsg

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@


Revision tags: OPENBSD_5_6_BASE
# 1.63 20-Jun-2014 lteo

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@


Revision tags: OPENBSD_5_5_BASE
# 1.62 11-Jan-2014 lteo

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.61 06-Apr-2010 jsg

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@


Revision tags: OPENBSD_4_7_BASE
# 1.60 12-Jan-2010 naddy

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@


# 1.59 04-Nov-2009 jsing

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.58 14-Feb-2009 sthen

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.


# 1.57 16-Oct-2008 mpf

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@


Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.56 07-Oct-2007 deraadt

trash $Header goo which is just annoying; 5595


# 1.55 28-Aug-2007 markus

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.54 01-Jun-2006 moritz

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@


# 1.53 23-May-2006 stevesk

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@


# 1.52 28-Mar-2006 reyk

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@


Revision tags: OPENBSD_3_9_BASE
# 1.51 22-Nov-2005 reyk

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others


# 1.50 08-Oct-2005 canacar

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack, the decoder attempts
to guess the protocol.
ok brad@


Revision tags: OPENBSD_3_8_BASE
# 1.49 28-May-2005 reyk

support decapsulation of 802.11 data frames

ok canacar@


Revision tags: OPENBSD_3_7_BASE
# 1.48 07-Mar-2005 reyk

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@


# 1.47 16-Sep-2004 markus

add -T tcp to enforce interpretation as TCP


Revision tags: OPENBSD_3_6_BASE
# 1.46 20-Jun-2004 avsm

- do not use __attribute__((volatile)) as it's a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@


# 1.45 21-May-2004 brad

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>


# 1.44 28-Apr-2004 mcbride

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@


Revision tags: OPENBSD_3_5_BASE
# 1.43 28-Jan-2004 canacar

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@


# 1.42 18-Jan-2004 otto

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@


# 1.41 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.40 21-Aug-2003 frantzen

print the operating system of TCP SYN packets with the -o option


# 1.39 26-Jun-2003 deraadt

ansi and protos


# 1.38 11-Jun-2003 markus

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@


# 1.37 14-May-2003 canacar

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@


Revision tags: OPENBSD_3_3_BASE
# 1.36 20-Feb-2003 jason

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data


# 1.35 30-Nov-2002 mickey

pfsync support; deraadt@ ok


# 1.34 30-Nov-2002 deraadt

stop breaking the damn tree mickey


# 1.33 29-Nov-2002 mickey

tcpdump support for pfsync; henning@ ok


Revision tags: OPENBSD_3_2_BASE
# 1.32 12-Jul-2002 pvalchev

In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD


Revision tags: OPENBSD_3_1_BASE
# 1.31 19-Feb-2002 millert

branches: 1.31.2;
We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.


# 1.30 23-Jan-2002 mickey

proper handling for DLT_NULL and DLT_LOOP (header byte swapping); pointed out and tested by Alexander Yurchenko <grange@rt.mipt.ru>


# 1.29 22-Jan-2002 mickey

HSRP dissector, from Julian Cowley <julian@lava.net> via tcpdump.org


Revision tags: OPENBSD_3_0_BASE
# 1.28 02-Oct-2001 deraadt

branches: 1.28.2;
change timeval to bpf_timeval; 32 bit in size, permitting much greater portability


# 1.27 25-Jun-2001 provos

interpret DLT_PFLOG


Revision tags: OPENBSD_2_9_BASE
# 1.26 09-Apr-2001 ho

Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)


# 1.25 08-Apr-2001 jakob

add support for printing cdp (Cisco Discovery Protocol), from tcpdump.org


# 1.24 06-Mar-2001 jakob

add lwres (BINDv9 resolver) printing. from tcpdump.org and modified by ho@


# 1.23 05-Mar-2001 jakob

add relts_print, safeputs and safeputchar


# 1.22 05-Feb-2001 jason

etherip printing code... handles draft (v2) and current (v3)


# 1.21 07-Dec-2000 mickey

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org


# 1.20 07-Dec-2000 mickey

smb printing; from Andrew Tridgell; via tcpdump.org


# 1.19 07-Dec-2000 mickey

add vrrp printing; from tcpdump.org


Revision tags: OPENBSD_2_8_BASE
# 1.18 19-Oct-2000 jason

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used


# 1.17 03-Oct-2000 ho

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)


Revision tags: OPENBSD_2_7_BASE
# 1.16 26-Apr-2000 jakob

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes


# 1.15 16-Jan-2000 jakob

BGP support (from KAME/WIDE). INET6 parts not done yet.


# 1.14 16-Jan-2000 jakob

Mobile IP support (from KAME/NetBSD)


# 1.13 16-Jan-2000 jakob

L2TP support (from KAME)


Revision tags: OPENBSD_2_6_BASE
# 1.12 16-Sep-1999 brad

declare esp_print and radius_print


# 1.11 28-Jul-1999 jakob

- Merge some changes from tcpdump 3.4
-a flag; attempt to convert network and broadcast addresses to names
Improved signal handling
Miscellaneous fixes and typos
OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.10 22-Sep-1998 provos

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.


# 1.9 25-Jun-1998 mickey

add cisco netflow proto printing; not tested w/ version 5, but should work anyways


# 1.8 11-Jun-1998 provos

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms were passed).


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.7 25-Jul-1997 mickey

#if __STDC__ --> #ifdef __STDC__


# 1.6 23-Jul-1997 denny

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.


Revision tags: OPENBSD_2_1_BASE
# 1.5 12-Dec-1996 bitblt

*** empty log message ***


Revision tags: OPENBSD_2_0_BASE
# 1.4 13-Jul-1996 mickey

it is 3.2 now.


# 1.3 10-Jun-1996 deraadt

sync to latest


# 1.2 04-Mar-1996 mickey

Updating to the latest LBL release.
Sun's SKIP support added.


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision




# 1.23 05-Mar-2001 jakob

add relts_print, safeputs and safeputchar


# 1.22 05-Feb-2001 jason

etherip printing code... handles draft (v2) and current (v3)


# 1.21 07-Dec-2000 mickey

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org


# 1.20 07-Dec-2000 mickey

smb printing; from Andrew Tridgell; via tcpdump.org


# 1.19 07-Dec-2000 mickey

add vrrp printing; from tcpdump.org


Revision tags: OPENBSD_2_8_BASE
# 1.18 19-Oct-2000 jason

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used


# 1.17 03-Oct-2000 ho

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)


Revision tags: OPENBSD_2_7_BASE
# 1.16 26-Apr-2000 jakob

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes


# 1.15 16-Jan-2000 jakob

BGP support (from KAME/WIDE). INET6 parts not done yet.


# 1.14 16-Jan-2000 jakob

Mobile IP support (from KAME/NetBSD)


# 1.13 16-Jan-2000 jakob

L2TP support (from KAME)


Revision tags: OPENBSD_2_6_BASE
# 1.12 16-Sep-1999 brad

declare esp_print and radius_print


# 1.11 28-Jul-1999 jakob

- Merge some changes from tcpdump 3.4
-a flag; attempt to convert network and broadcast addresses to names
Improved signal handling
Miscellaneous fixes and typos
OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.10 22-Sep-1998 provos

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.


# 1.9 25-Jun-1998 mickey

add cisco netflow proto printing; not tested w/ version 5, but should work anyways


# 1.8 11-Jun-1998 provos

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms were passed).


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.7 25-Jul-1997 mickey

#if __STDC__ --> #ifdef __STDC__


# 1.6 23-Jul-1997 denny

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.


Revision tags: OPENBSD_2_1_BASE
# 1.5 12-Dec-1996 bitblt

*** empty log message ***


Revision tags: OPENBSD_2_0_BASE
# 1.4 13-Jul-1996 mickey

it is 3.2 now.


# 1.3 10-Jun-1996 deraadt

sync to latest


# 1.2 04-Mar-1996 mickey

Updating to the latest LBL release.
Sun's SKIP support added.


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.85 21-Jun-2020 dlg

wire the wireguard packet printer into tcpdump.

from Matt Dunwoodie and Jason A. Donenfeld


Revision tags: OPENBSD_6_7_BASE
# 1.84 15-Apr-2020 remi

add support for printing RfC 2332 NBMA Next Hop Resolution Protocol (NHRP)

ok dlg@


# 1.83 03-Dec-2019 dlg

add support for printing RFC 8300 Network Service Header (NSH)

ok deraadt@


# 1.82 02-Dec-2019 dlg

rewrite dhcpv6 parsing so it follows the rfc, not an incompat draft.

it looks like this code was using draft-ietf-dhc-dhcpv6-14 from
1999. there were 27 drafts, and by the time it got to draft 23 and
the rfc it was significantly different. this code for draft 14
cannot handle actual dhcpv6 messages. im kind of surprised
(disappointed?) that noone noticed before. i only noticed cos the
code was segfaulting on sparc64, and when i tried to fix it the
resulting messages looked nothing like what stock tcpdump produced.

the main difference between the early drafts and what ended up in
the rfc is that the base dhcpv6 messages in early drafts were large
structure with a lot of fixed fields, while the rfc settled on a 4
byte header that contains a 1 byte message type and a 3 byte
transaction id. the rest of the messages are built from dhcp options
fields.

this cuts all the old handling out, and fixes the fault in the
options handling by using EXTRACT_16BITS to get at the code and
length fields instead of using ntohs. dhcpv6 explicitly states that
it does not align options, so this is necessary to avoid faults on
strict alignment archs anyway. no options are pretty printed at the
moment, you just get a numeric type, a length, and a hexdump of the
value. this is still better than the garbage that the draft parsing
produced.

if someone is interested in making this easier to read, it would
be a straightforward and well contained project to better handle
option printing.

ok deraadt@


Revision tags: OPENBSD_6_6_BASE
# 1.81 26-May-2019 dlg

support -T erspan so arbitrary gre protocols can be seen as erspan

this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.

ok lteo@


Revision tags: OPENBSD_6_5_BASE
# 1.80 05-Apr-2019 dlg

support printing cdp over gre and ppp

ok deraadt@ mpi@ sthen@


# 1.79 22-Oct-2018 kn

Remove #ifdef INET6

There's not reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt


Revision tags: OPENBSD_6_4_BASE
# 1.78 06-Jul-2018 dlg

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c


# 1.77 06-Jul-2018 dlg

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.


# 1.76 06-Jul-2018 dlg

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.


# 1.75 06-Jul-2018 dlg

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.


# 1.74 06-Jul-2018 dlg

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstpor" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@


# 1.73 06-Jul-2018 dlg

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@


Revision tags: OPENBSD_6_3_BASE
# 1.72 10-Feb-2018 dlg

print etherip on ipv6.


# 1.71 06-Feb-2018 dlg

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@


# 1.70 03-Feb-2018 mpi

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.69 16-Nov-2016 reyk

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@


# 1.68 22-Oct-2016 rzalamena

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing this messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.67 11-Jul-2016 rzalamena

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@


Revision tags: OPENBSD_5_9_BASE
# 1.66 15-Nov-2015 mmcc

Remove more register keywords.

ok daniel@, discussed on hackers@


Revision tags: OPENBSD_5_8_BASE
# 1.65 05-Apr-2015 guenther

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.64 20-Nov-2014 jsg

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@


Revision tags: OPENBSD_5_6_BASE
# 1.63 20-Jun-2014 lteo

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@


Revision tags: OPENBSD_5_5_BASE
# 1.62 11-Jan-2014 lteo

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.61 06-Apr-2010 jsg

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@


Revision tags: OPENBSD_4_7_BASE
# 1.60 12-Jan-2010 naddy

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@


# 1.59 04-Nov-2009 jsing

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.58 14-Feb-2009 sthen

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.


# 1.57 16-Oct-2008 mpf

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@


Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.56 07-Oct-2007 deraadt

trash $Header goo which is just annoying; 5595


# 1.55 28-Aug-2007 markus

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.54 01-Jun-2006 moritz

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@


# 1.53 23-May-2006 stevesk

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@


# 1.52 28-Mar-2006 reyk

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@


Revision tags: OPENBSD_3_9_BASE
# 1.51 22-Nov-2005 reyk

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others


# 1.50 08-Oct-2005 canacar

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack. The decoder attempts
to guess the protocol.
ok brad@


Revision tags: OPENBSD_3_8_BASE
# 1.49 28-May-2005 reyk

support decapsulation of 802.11 data frames

ok canacar@


Revision tags: OPENBSD_3_7_BASE
# 1.48 07-Mar-2005 reyk

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@


# 1.47 16-Sep-2004 markus

add -T tcp to enforce interpretation as TCP


Revision tags: OPENBSD_3_6_BASE
# 1.46 20-Jun-2004 avsm

- do not use __attribute__((volatile)) as it's a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@


# 1.45 21-May-2004 brad

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>


# 1.44 28-Apr-2004 mcbride

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@


Revision tags: OPENBSD_3_5_BASE
# 1.43 28-Jan-2004 canacar

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@


# 1.42 18-Jan-2004 otto

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@


# 1.41 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

    # ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contain regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.40 21-Aug-2003 frantzen

print the operating system of TCP SYN packets with the -o option


# 1.39 26-Jun-2003 deraadt

ansi and protos


# 1.38 11-Jun-2003 markus

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@


# 1.37 14-May-2003 canacar

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@


Revision tags: OPENBSD_3_3_BASE
# 1.36 20-Feb-2003 jason

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data


# 1.35 30-Nov-2002 mickey

pfsync support; deraadt@ ok


# 1.34 30-Nov-2002 deraadt

stop breaking the damn tree mickey


# 1.33 29-Nov-2002 mickey

tcpdump support for pfsync; henning@ ok


Revision tags: OPENBSD_3_2_BASE
# 1.32 12-Jul-2002 pvalchev

In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD


Revision tags: OPENBSD_3_1_BASE
# 1.31 19-Feb-2002 millert

branches: 1.31.2;
We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.


# 1.30 23-Jan-2002 mickey

proper handling for DLT_NULL and DLT_LOOP (header byte swapping); pointed out and tested by Alexander Yurchenko <grange@rt.mipt.ru>


# 1.29 22-Jan-2002 mickey

HSRP dissector, from Julian Cowley <julian@lava.net> via tcpdump.org


Revision tags: OPENBSD_3_0_BASE
# 1.28 02-Oct-2001 deraadt

branches: 1.28.2;
change timeval to bpf_timeval; 32 bit in size, permitting much greater portability


# 1.27 25-Jun-2001 provos

interpret DLT_PFLOG


Revision tags: OPENBSD_2_9_BASE
# 1.26 09-Apr-2001 ho

Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)


# 1.25 08-Apr-2001 jakob

add support for printing cdp (Cisco Discovery Protocol), from tcpdump.org


# 1.24 06-Mar-2001 jakob

add lwres (BINDv9 resolver) printing. from tcpdump.org and modified by ho@


# 1.23 05-Mar-2001 jakob

add relts_print, safeputs and safeputchar


# 1.22 05-Feb-2001 jason

etherip printing code... handles draft (v2) and current (v3)


# 1.21 07-Dec-2000 mickey

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org


# 1.20 07-Dec-2000 mickey

smb printing; from Andrew Tridgell; via tcpdump.org


# 1.19 07-Dec-2000 mickey

add vrrp printing; from tcpdump.org


Revision tags: OPENBSD_2_8_BASE
# 1.18 19-Oct-2000 jason

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used


# 1.17 03-Oct-2000 ho

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)


Revision tags: OPENBSD_2_7_BASE
# 1.16 26-Apr-2000 jakob

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes


# 1.15 16-Jan-2000 jakob

BGP support (from KAME/WIDE). INET6 parts not done yet.


# 1.14 16-Jan-2000 jakob

Mobile IP support (from KAME/NetBSD)


# 1.13 16-Jan-2000 jakob

L2TP support (from KAME)


Revision tags: OPENBSD_2_6_BASE
# 1.12 16-Sep-1999 brad

declare esp_print and radius_print


# 1.11 28-Jul-1999 jakob

- Merge some changes from tcpdump 3.4
    -a flag; attempt to convert network and broadcast addresses to names
    Improved signal handling
    Miscellaneous fixes and typos
    OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.10 22-Sep-1998 provos

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.


# 1.9 25-Jun-1998 mickey

add cisco netflow proto printing; not tested w/ version 5, but should work anyways


# 1.8 11-Jun-1998 provos

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms were passed).


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.7 25-Jul-1997 mickey

#if __STDC__ --> #ifdef __STDC__


# 1.6 23-Jul-1997 denny

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.


Revision tags: OPENBSD_2_1_BASE
# 1.5 12-Dec-1996 bitblt

*** empty log message ***


Revision tags: OPENBSD_2_0_BASE
# 1.4 13-Jul-1996 mickey

it is 3.2 now.


# 1.3 10-Jun-1996 deraadt

sync to latest


# 1.2 04-Mar-1996 mickey

Updating to the latest LBL release.
Sun's SKIP support added.


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.84 15-Apr-2020 remi

add support for printing RfC 2332 NBMA Next Hop Resolution Protocol (NHRP)

ok dlg@


# 1.83 03-Dec-2019 dlg

add support for printing RFC 8300 Network Service Header (NSH)

ok deraadt@


# 1.82 02-Dec-2019 dlg

rewrite dhcpv6 parsing so it follows the rfc, not an incompat draft.

it looks like this code was using draft-ietf-dhc-dhcpv6-14 from
1999. there were 27 drafts, and by the time it got to draft 23 and
the rfc it was significantly different. this code for draft 14
cannot handle actual dhcpv6 messages. i'm kind of surprised
(disappointed?) that no one noticed before. i only noticed cos the
code was segfaulting on sparc64, and when i tried to fix it the
resulting messages looked nothing like what stock tcpdump produced.

the main difference between the early drafts and what ended up in
the rfc is that the base dhcpv6 messages in early drafts were large
structures with a lot of fixed fields, while the rfc settled on a 4
byte header that contains a 1 byte message type and a 3 byte
transaction id. the rest of the messages are built from dhcp options
fields.

this cuts all the old handling out, and fixes the fault in the
options handling by using EXTRACT_16BITS to get at the code and
length fields instead of using ntohs. dhcpv6 explicitly states that
it does not align options, so this is necessary to avoid faults on
strict alignment archs anyway. no options are pretty printed at the
moment, you just get a numeric type, a length, and a hexdump of the
value. this is still better than the garbage that the draft parsing
produced.

if someone is interested in making this easier to read, it would
be a straightforward and well contained project to better handle
option printing.

ok deraadt@


Revision tags: OPENBSD_6_6_BASE
# 1.81 26-May-2019 dlg

support -T erspan so arbitrary gre protocols can be seen as erspan

this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.

ok lteo@


Revision tags: OPENBSD_6_5_BASE
# 1.80 05-Apr-2019 dlg

support printing cdp over gre and ppp

ok deraadt@ mpi@ sthen@


# 1.79 22-Oct-2018 kn

Remove #ifdef INET6

There's no reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt


Revision tags: OPENBSD_6_4_BASE
# 1.78 06-Jul-2018 dlg

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c


# 1.77 06-Jul-2018 dlg

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.


# 1.76 06-Jul-2018 dlg

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.


# 1.75 06-Jul-2018 dlg

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.


# 1.74 06-Jul-2018 dlg

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstport" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@


# 1.73 06-Jul-2018 dlg

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@


Revision tags: OPENBSD_6_3_BASE
# 1.72 10-Feb-2018 dlg

print etherip on ipv6.


# 1.71 06-Feb-2018 dlg

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@


# 1.70 03-Feb-2018 mpi

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.69 16-Nov-2016 reyk

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@


# 1.68 22-Oct-2016 rzalamena

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing these messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.67 11-Jul-2016 rzalamena

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@


Revision tags: OPENBSD_5_9_BASE
# 1.66 15-Nov-2015 mmcc

Remove more register keywords.

ok daniel@, discussed on hackers@


Revision tags: OPENBSD_5_8_BASE
# 1.65 05-Apr-2015 guenther

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.64 20-Nov-2014 jsg

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@


Revision tags: OPENBSD_5_6_BASE
# 1.63 20-Jun-2014 lteo

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@


Revision tags: OPENBSD_5_5_BASE
# 1.62 11-Jan-2014 lteo

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@



Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.61 06-Apr-2010 jsg

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@


Revision tags: OPENBSD_4_7_BASE
# 1.60 12-Jan-2010 naddy

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@


# 1.59 04-Nov-2009 jsing

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.58 14-Feb-2009 sthen

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.


# 1.57 16-Oct-2008 mpf

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@


Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.56 07-Oct-2007 deraadt

trash $Header goo which is just annoying; 5595


# 1.55 28-Aug-2007 markus

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.54 01-Jun-2006 moritz

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@


# 1.53 23-May-2006 stevesk

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@


# 1.52 28-Mar-2006 reyk

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@


Revision tags: OPENBSD_3_9_BASE
# 1.51 22-Nov-2005 reyk

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others


# 1.50 08-Oct-2005 canacar

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack, the decoder attempts
to guess the protocol.
ok brad@


Revision tags: OPENBSD_3_8_BASE
# 1.49 28-May-2005 reyk

support decapsulation of 802.11 data frames

ok canacar@


Revision tags: OPENBSD_3_7_BASE
# 1.48 07-Mar-2005 reyk

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@


# 1.47 16-Sep-2004 markus

add -T tcp to enforce interpretation as TCP


Revision tags: OPENBSD_3_6_BASE
# 1.46 20-Jun-2004 avsm

- do not use __attribute__((volatile)) as it's a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@


# 1.45 21-May-2004 brad

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>


# 1.44 28-Apr-2004 mcbride

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@


Revision tags: OPENBSD_3_5_BASE
# 1.43 28-Jan-2004 canacar

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@


# 1.42 18-Jan-2004 otto

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@


# 1.41 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contain regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.40 21-Aug-2003 frantzen

print the operating system of TCP SYN packets with the -o option


# 1.39 26-Jun-2003 deraadt

ansi and protos


# 1.38 11-Jun-2003 markus

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@


# 1.37 14-May-2003 canacar

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@


Revision tags: OPENBSD_3_3_BASE
# 1.36 20-Feb-2003 jason

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data


# 1.35 30-Nov-2002 mickey

pfsync support; deraadt@ ok


# 1.34 30-Nov-2002 deraadt

stop breaking the damn tree mickey


# 1.33 29-Nov-2002 mickey

tcpdump support for pfsync; henning@ ok


Revision tags: OPENBSD_3_2_BASE
# 1.32 12-Jul-2002 pvalchev

In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD


Revision tags: OPENBSD_3_1_BASE
# 1.31 19-Feb-2002 millert

branches: 1.31.2;
We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.


# 1.30 23-Jan-2002 mickey

proper handling for DLT_NULL and DLT_LOOP (header byte swapping); pointed out and tested by Alexander Yurchenko <grange@rt.mipt.ru>


# 1.29 22-Jan-2002 mickey

HSRP dissector, from Julian Cowley <julian@lava.net> via tcpdump.org


Revision tags: OPENBSD_3_0_BASE
# 1.28 02-Oct-2001 deraadt

branches: 1.28.2;
change timeval to bpf_timeval; 32 bit in size, permitting much greater portability


# 1.27 25-Jun-2001 provos

interpret DLT_PFLOG


Revision tags: OPENBSD_2_9_BASE
# 1.26 09-Apr-2001 ho

Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)


# 1.25 08-Apr-2001 jakob

add support for printing cdp (Cisco Discovery Protocol), from tcpdump.org


# 1.24 06-Mar-2001 jakob

add lwres (BINDv9 resolver) printing. from tcpdump.org and modified by ho@


# 1.23 05-Mar-2001 jakob

add relts_print, safeputs and safeputchar


# 1.22 05-Feb-2001 jason

etherip printing code... handles draft (v2) and current (v3)


# 1.21 07-Dec-2000 mickey

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org


# 1.20 07-Dec-2000 mickey

smb printing; from Andrew Tridgell; via tcpdump.org


# 1.19 07-Dec-2000 mickey

add vrrp printing; from tcpdump.org


Revision tags: OPENBSD_2_8_BASE
# 1.18 19-Oct-2000 jason

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used


# 1.17 03-Oct-2000 ho

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)


Revision tags: OPENBSD_2_7_BASE
# 1.16 26-Apr-2000 jakob

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes


# 1.15 16-Jan-2000 jakob

BGP support (from KAME/WIDE). INET6 parts not done yet.


# 1.14 16-Jan-2000 jakob

Mobile IP support (from KAME/NetBSD)


# 1.13 16-Jan-2000 jakob

L2TP support (from KAME)


Revision tags: OPENBSD_2_6_BASE
# 1.12 16-Sep-1999 brad

declare esp_print and radius_print


# 1.11 28-Jul-1999 jakob

- Merge some changes from tcpdump 3.4
  -a flag; attempt to convert network and broadcast addresses to names
  Improved signal handling
  Miscellaneous fixes and typos
  OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.10 22-Sep-1998 provos

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.


# 1.9 25-Jun-1998 mickey

add cisco netflow proto printing; not tested w/ version 5, but should work anyways


# 1.8 11-Jun-1998 provos

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms were passed).


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.7 25-Jul-1997 mickey

#if __STDC__ --> #ifdef __STDC__


# 1.6 23-Jul-1997 denny

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.


Revision tags: OPENBSD_2_1_BASE
# 1.5 12-Dec-1996 bitblt

*** empty log message ***


Revision tags: OPENBSD_2_0_BASE
# 1.4 13-Jul-1996 mickey

it is 3.2 now.


# 1.3 10-Jun-1996 deraadt

sync to latest


# 1.2 04-Mar-1996 mickey

Updating to the latest LBL release.
Sun's SKIP support added.


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.81 26-May-2019 dlg

support -T erspan so arbitrary gre protocols can be seen as erspan

this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.

ok lteo@


Revision tags: OPENBSD_6_5_BASE
# 1.80 05-Apr-2019 dlg

support printing cdp over gre and ppp

ok deraadt@ mpi@ sthen@


# 1.79 22-Oct-2018 kn

Remove #ifdef INET6

There's no reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt


Revision tags: OPENBSD_6_4_BASE
# 1.78 06-Jul-2018 dlg

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c


# 1.77 06-Jul-2018 dlg

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.


# 1.76 06-Jul-2018 dlg

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.


# 1.75 06-Jul-2018 dlg

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.


# 1.74 06-Jul-2018 dlg

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstport" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@


# 1.73 06-Jul-2018 dlg

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@


Revision tags: OPENBSD_6_3_BASE
# 1.72 10-Feb-2018 dlg

print etherip on ipv6.


# 1.71 06-Feb-2018 dlg

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@


Revision tags: OPENBSD_6_5_BASE
# 1.80 05-Apr-2019 dlg

support printing cdp over gre and ppp

ok deraadt@ mpi@ sthen@


# 1.79 22-Oct-2018 kn

Remove #ifdef INET6

There's not reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt


Revision tags: OPENBSD_6_4_BASE
# 1.78 06-Jul-2018 dlg

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c


# 1.77 06-Jul-2018 dlg

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.


# 1.76 06-Jul-2018 dlg

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.


# 1.75 06-Jul-2018 dlg

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.


# 1.74 06-Jul-2018 dlg

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstpor" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@


# 1.73 06-Jul-2018 dlg

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@


Revision tags: OPENBSD_6_3_BASE
# 1.72 10-Feb-2018 dlg

print etherip on ipv6.


# 1.71 06-Feb-2018 dlg

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@


# 1.70 03-Feb-2018 mpi

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.69 16-Nov-2016 reyk

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@


# 1.68 22-Oct-2016 rzalamena

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing this messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.67 11-Jul-2016 rzalamena

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@


Revision tags: OPENBSD_5_9_BASE
# 1.66 15-Nov-2015 mmcc

Remove more register keywords.

ok daniel@, discussed on hackers@


Revision tags: OPENBSD_5_8_BASE
# 1.65 05-Apr-2015 guenther

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.64 20-Nov-2014 jsg

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@


Revision tags: OPENBSD_5_6_BASE
# 1.63 20-Jun-2014 lteo

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@


Revision tags: OPENBSD_5_5_BASE
# 1.62 11-Jan-2014 lteo

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.61 06-Apr-2010 jsg

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@


Revision tags: OPENBSD_4_7_BASE
# 1.60 12-Jan-2010 naddy

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@


# 1.59 04-Nov-2009 jsing

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.58 14-Feb-2009 sthen

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.


# 1.57 16-Oct-2008 mpf

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@


Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.56 07-Oct-2007 deraadt

trash $Header goo which is just annoying; 5595


# 1.55 28-Aug-2007 markus

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.54 01-Jun-2006 moritz

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@


# 1.53 23-May-2006 stevesk

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@


# 1.52 28-Mar-2006 reyk

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@


Revision tags: OPENBSD_3_9_BASE
# 1.51 22-Nov-2005 reyk

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others


# 1.50 08-Oct-2005 canacar

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack, the decoder attempts
to guess the protocol.
ok brad@


Revision tags: OPENBSD_3_8_BASE
# 1.49 28-May-2005 reyk

support decapsulation of 802.11 data frames

ok canacar@


Revision tags: OPENBSD_3_7_BASE
# 1.48 07-Mar-2005 reyk

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@


# 1.47 16-Sep-2004 markus

add -T tcp to enforce interpretation as TCP


Revision tags: OPENBSD_3_6_BASE
# 1.46 20-Jun-2004 avsm

- do not use __attribute__((volatile)) as it's a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@


# 1.45 21-May-2004 brad

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>


# 1.44 28-Apr-2004 mcbride

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@


Revision tags: OPENBSD_3_5_BASE
# 1.43 28-Jan-2004 canacar

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@


# 1.42 18-Jan-2004 otto

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@


# 1.41 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contain regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.40 21-Aug-2003 frantzen

print the operating system of TCP SYN packets with the -o option


# 1.39 26-Jun-2003 deraadt

ansi and protos


# 1.38 11-Jun-2003 markus

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@


# 1.37 14-May-2003 canacar

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@


Revision tags: OPENBSD_3_3_BASE
# 1.36 20-Feb-2003 jason

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data


# 1.35 30-Nov-2002 mickey

pfsync support; deraadt@ ok


# 1.34 30-Nov-2002 deraadt

stop breaking the damn tree mickey


# 1.33 29-Nov-2002 mickey

tcpdump support for pfsync; henning@ ok


Revision tags: OPENBSD_3_2_BASE
# 1.32 12-Jul-2002 pvalchev

In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD


Revision tags: OPENBSD_3_1_BASE
# 1.31 19-Feb-2002 millert

branches: 1.31.2;
We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.


# 1.30 23-Jan-2002 mickey

proper handling for DLT_NULL and DLT_LOOP (header byte swapping); pointed out and tested by Alexander Yurchenko <grange@rt.mipt.ru>


# 1.29 22-Jan-2002 mickey

HSRP dissector, from Julian Cowley <julian@lava.net> via tcpdump.org


Revision tags: OPENBSD_3_0_BASE
# 1.28 02-Oct-2001 deraadt

branches: 1.28.2;
change timeval to bpf_timeval; 32 bit in size, permitting much greater portability


# 1.27 25-Jun-2001 provos

interpret DLT_PFLOG


Revision tags: OPENBSD_2_9_BASE
# 1.26 09-Apr-2001 ho

Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)


# 1.25 08-Apr-2001 jakob

add support for printing cdp (Cisco Discovery Protocol), from tcpdump.org


# 1.24 06-Mar-2001 jakob

add lwres (BINDv9 resolver) printing. from tcpdump.org and modified by ho@


# 1.23 05-Mar-2001 jakob

add relts_print, safeputs and safeputchar


# 1.22 05-Feb-2001 jason

etherip printing code... handles draft (v2) and current (v3)


# 1.21 07-Dec-2000 mickey

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org


# 1.20 07-Dec-2000 mickey

smb printing; from Andrew Tridgell; via tcpdump.org


# 1.19 07-Dec-2000 mickey

add vrrp printing; from tcpdump.org


Revision tags: OPENBSD_2_8_BASE
# 1.18 19-Oct-2000 jason

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used


# 1.17 03-Oct-2000 ho

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)


Revision tags: OPENBSD_2_7_BASE
# 1.16 26-Apr-2000 jakob

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes


# 1.15 16-Jan-2000 jakob

BGP support (from KAME/WIDE). INET6 parts not done yet.


# 1.14 16-Jan-2000 jakob

Mobile IP support (from KAME/NetBSD)


# 1.13 16-Jan-2000 jakob

L2TP support (from KAME)


Revision tags: OPENBSD_2_6_BASE
# 1.12 16-Sep-1999 brad

declare esp_print and radius_print


# 1.11 28-Jul-1999 jakob

- Merge some changes from tcpdump 3.4
  -a flag; attempt to convert network and broadcast addresses to names
  Improved signal handling
  Miscellaneous fixes and typos
  OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.10 22-Sep-1998 provos

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.


# 1.9 25-Jun-1998 mickey

add cisco netflow proto printing; not tested w/ version 5, but should work anyways


# 1.8 11-Jun-1998 provos

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms were passed).


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.7 25-Jul-1997 mickey

#if __STDC__ --> #ifdef __STDC__


# 1.6 23-Jul-1997 denny

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.


Revision tags: OPENBSD_2_1_BASE
# 1.5 12-Dec-1996 bitblt

*** empty log message ***


Revision tags: OPENBSD_2_0_BASE
# 1.4 13-Jul-1996 mickey

it is 3.2 now.


# 1.3 10-Jun-1996 deraadt

sync to latest


# 1.2 04-Mar-1996 mickey

Updating to the latest LBL release.
Sun's SKIP support added.


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.79 22-Oct-2018 kn

Remove #ifdef INET6

There's no reason to build without IPv6 support, `-U INET6' builds were
broken anyway.

Fix an empty redefine for IPPROTO_IPV6 in print-ip.c while here.

No object change on amd64 and sparc64 with clang, gcc compiles differently
but behaviour stays the same.

OK denis deraadt


Revision tags: OPENBSD_6_4_BASE
# 1.78 06-Jul-2018 dlg

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c


# 1.77 06-Jul-2018 dlg

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.


# 1.76 06-Jul-2018 dlg

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.


# 1.75 06-Jul-2018 dlg

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.


# 1.74 06-Jul-2018 dlg

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstport" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@


# 1.73 06-Jul-2018 dlg

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@


Revision tags: OPENBSD_6_3_BASE
# 1.72 10-Feb-2018 dlg

print etherip on ipv6.


# 1.71 06-Feb-2018 dlg

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@


# 1.70 03-Feb-2018 mpi

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.69 16-Nov-2016 reyk

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@


# 1.68 22-Oct-2016 rzalamena

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing these messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.67 11-Jul-2016 rzalamena

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@


Revision tags: OPENBSD_5_9_BASE
# 1.66 15-Nov-2015 mmcc

Remove more register keywords.

ok daniel@, discussed on hackers@


Revision tags: OPENBSD_5_8_BASE
# 1.65 05-Apr-2015 guenther

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.64 20-Nov-2014 jsg

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@


# 1.78 06-Jul-2018 dlg

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c


# 1.77 06-Jul-2018 dlg

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.


# 1.76 06-Jul-2018 dlg

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.


# 1.75 06-Jul-2018 dlg

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.


# 1.74 06-Jul-2018 dlg

Rework UDP parsing, particularly around IP addresses.

This originally started as trying to put a consistent space between
the UDP header information and the payload parsing, but while doing
that I noticed inconsistent IPv4 vs IPv6 handling.

Apart from the default "srcip.srcport > dstip.dstpor" output, all
the other places that IP addresses were printed assumed IPv4. It
looks like it is possible that udp_print() can be called without
an IP header, which made these blind IPv4 prints turn into NULL
derefs.

This fixes the problem above by only having a single place that
prints the addresses out, and makes sure to get the difference
between IPv4, IPv6 and no IP correct.

This changes how the checksum is calculated. It incrementally builds
the UDP checksum by feeding the IPv4 and v6 addresses in separately,
then using common code for the rest of the pseudo header and actual
payload.

Lastly, this does make printing the space between the UDP header
and its payload consistent. The UDP code is now responsible for
adding a space after itself so the payload parsers don't have to.
They got it wrong in some cases anyway, so this should be a lot
more uniform.

help and ok sthen@


# 1.73 06-Jul-2018 dlg

move the ip checksumming code into in_cksum.c

this is part of a bigger change that refactors udp handling, but
works on hosts of both endians.

discussed at length with proctor@
ok sthen@


Revision tags: OPENBSD_6_3_BASE
# 1.72 10-Feb-2018 dlg

print etherip on ipv6.


# 1.71 06-Feb-2018 dlg

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@


# 1.70 03-Feb-2018 mpi

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.69 16-Nov-2016 reyk

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@


# 1.68 22-Oct-2016 rzalamena

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing this messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.67 11-Jul-2016 rzalamena

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@


Revision tags: OPENBSD_5_9_BASE
# 1.66 15-Nov-2015 mmcc

Remove more register keywords.

ok daniel@, discussed on hackers@


Revision tags: OPENBSD_5_8_BASE
# 1.65 05-Apr-2015 guenther

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.64 20-Nov-2014 jsg

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@


Revision tags: OPENBSD_5_6_BASE
# 1.63 20-Jun-2014 lteo

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@


Revision tags: OPENBSD_5_5_BASE
# 1.62 11-Jan-2014 lteo

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.61 06-Apr-2010 jsg

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@


Revision tags: OPENBSD_4_7_BASE
# 1.60 12-Jan-2010 naddy

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@


# 1.59 04-Nov-2009 jsing

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.58 14-Feb-2009 sthen

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.


# 1.57 16-Oct-2008 mpf

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@


Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.56 07-Oct-2007 deraadt

trash $Header goo which is just annoying; 5595


# 1.55 28-Aug-2007 markus

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.54 01-Jun-2006 moritz

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@


# 1.53 23-May-2006 stevesk

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@


# 1.52 28-Mar-2006 reyk

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@


Revision tags: OPENBSD_3_9_BASE
# 1.51 22-Nov-2005 reyk

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others


# 1.50 08-Oct-2005 canacar

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack. The decoder attempts
to guess the protocol.
ok brad@


Revision tags: OPENBSD_3_8_BASE
# 1.49 28-May-2005 reyk

support decapsulation of 802.11 data frames

ok canacar@


Revision tags: OPENBSD_3_7_BASE
# 1.48 07-Mar-2005 reyk

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@


# 1.47 16-Sep-2004 markus

add -T tcp to enforce interpretation as TCP


Revision tags: OPENBSD_3_6_BASE
# 1.46 20-Jun-2004 avsm

- do not use __attribute__((volatile)) as its a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@


# 1.45 21-May-2004 brad

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>


# 1.44 28-Apr-2004 mcbride

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@


Revision tags: OPENBSD_3_5_BASE
# 1.43 28-Jan-2004 canacar

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@


# 1.42 18-Jan-2004 otto

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@


# 1.41 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.40 21-Aug-2003 frantzen

print the operating system of TCP SYN packets with the -o option


# 1.39 26-Jun-2003 deraadt

ansi and protos


# 1.38 11-Jun-2003 markus

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@


# 1.37 14-May-2003 canacar

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@


Revision tags: OPENBSD_3_3_BASE
# 1.36 20-Feb-2003 jason

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data


# 1.35 30-Nov-2002 mickey

pfsync support; deraadt@ ok


# 1.34 30-Nov-2002 deraadt

stop breaking the damn tree mickey


# 1.33 29-Nov-2002 mickey

tcpdump support for pfsync; henning@ ok


Revision tags: OPENBSD_3_2_BASE
# 1.32 12-Jul-2002 pvalchev

In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD


Revision tags: OPENBSD_3_1_BASE
# 1.31 19-Feb-2002 millert

branches: 1.31.2;
We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.


# 1.30 23-Jan-2002 mickey

proper handling for DLT_NULL and DLT_LOOP (header byte swapping); pointed out and tested by Alexander Yurchenko <grange@rt.mipt.ru>


# 1.29 22-Jan-2002 mickey

HSRP dissector, from Julian Cowley <julian@lava.net> via tcpdump.org


Revision tags: OPENBSD_3_0_BASE
# 1.28 02-Oct-2001 deraadt

branches: 1.28.2;
change timeval to bpf_timeval; 32 bit in size, permitting much greater portability


# 1.27 25-Jun-2001 provos

interpret DLT_PFLOG


Revision tags: OPENBSD_2_9_BASE
# 1.26 09-Apr-2001 ho

Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)


# 1.25 08-Apr-2001 jakob

add support for printing cdp (Cisco Discovery Protocol), from tcpdump.org


# 1.24 06-Mar-2001 jakob

add lwres (BINDv9 resolver) printing. from tcpdump.org and modified by ho@


# 1.23 05-Mar-2001 jakob

add relts_print, safeputs and safeputchar


# 1.22 05-Feb-2001 jason

etherip printing code... handles draft (v2) and current (v3)


# 1.21 07-Dec-2000 mickey

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org


# 1.20 07-Dec-2000 mickey

smb printing; from Andrew Tridgell; via tcpdump.org


# 1.19 07-Dec-2000 mickey

add vrrp printing; from tcpdump.org


Revision tags: OPENBSD_2_8_BASE
# 1.18 19-Oct-2000 jason

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used


# 1.17 03-Oct-2000 ho

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)


Revision tags: OPENBSD_2_7_BASE
# 1.16 26-Apr-2000 jakob

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes


# 1.15 16-Jan-2000 jakob

BGP support (from KAME/WIDE). INET6 parts not done yet.


# 1.14 16-Jan-2000 jakob

Mobile IP support (from KAME/NetBSD)


# 1.13 16-Jan-2000 jakob

L2TP support (from KAME)


Revision tags: OPENBSD_2_6_BASE
# 1.12 16-Sep-1999 brad

declare esp_print and radius_print


# 1.11 28-Jul-1999 jakob

- Merge some changes from tcpdump 3.4
-a flag; attempt to convert network and broadcast addresses to names
Improved signal handling
Miscellaneous fixes and typos
OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.10 22-Sep-1998 provos

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.


# 1.9 25-Jun-1998 mickey

add cisco netflow proto printing; not tested w/ version 5, but should work anyways


# 1.8 11-Jun-1998 provos

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms were passed).


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.7 25-Jul-1997 mickey

#if __STDC__ --> #ifdef __STDC__


# 1.6 23-Jul-1997 denny

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.


Revision tags: OPENBSD_2_1_BASE
# 1.5 12-Dec-1996 bitblt

*** empty log message ***


Revision tags: OPENBSD_2_0_BASE
# 1.4 13-Jul-1996 mickey

it is 3.2 now.


# 1.3 10-Jun-1996 deraadt

sync to latest


# 1.2 04-Mar-1996 mickey

Updating to the latest LBL release.
Sun's SKIP support added.


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.72 10-Feb-2018 dlg

print etherip on ipv6.


# 1.71 06-Feb-2018 dlg

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@


# 1.70 03-Feb-2018 mpi

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.69 16-Nov-2016 reyk

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@


# 1.68 22-Oct-2016 rzalamena

Teach tcpdump(8) how to read OpenFlow packets. This initial implementation
supports the following message types: hello, error, echo request/reply,
feature request/reply, set config, packet-in, packet-out, flow removed and
flow mod.

We currently only support printing these messages for OpenFlow 1.3.5, however
it is possible to reuse some functions and get other versions working too.

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.67 11-Jul-2016 rzalamena

Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@


Revision tags: OPENBSD_5_9_BASE
# 1.66 15-Nov-2015 mmcc

Remove more register keywords.

ok daniel@, discussed on hackers@


Revision tags: OPENBSD_5_8_BASE
# 1.65 05-Apr-2015 guenther

Upstream has retired the gnuc.h header, so do so as well, killing a gcc 2.x
reference.

ok sthen@ jca@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.64 20-Nov-2014 jsg

Make ip6_print() take an unsigned length matching
ip_print() and others.

Allows code deciding on a minimum length to memmove()
to work as intended, preventing various crashes found
with the afl fuzzer. Callers of ip6_print() should of
course be fixed to provide sane lengths as well.

ok deraadt@ djm@


Revision tags: OPENBSD_5_6_BASE
# 1.63 20-Jun-2014 lteo

Import in_cksum_shouldbe() from mainline tcpdump; this is needed by my
upcoming commit which will fix and improve the display of bad checksums
for the major protocols.

ok henning@


Revision tags: OPENBSD_5_5_BASE
# 1.62 11-Jan-2014 lteo

Make icmp_print() accept the length variable, which is the length of the
packet without the IP header. This is needed by the next commit that
will allow tcpdump to detect bad ICMP checksums.

Related functions like {tcp,udp,icmp6}_print() already accept this
length variable, so this change makes icmp_print() consistent with
them as well.

This commit makes no functional change to tcpdump itself.

OK florian@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.61 06-Apr-2010 jsg

Add support for decoding MLDv2 initially from tcpdump.org via FreeBSD,
cleaned up to be less gross after some suggestions from stsp.

ok stsp@


Revision tags: OPENBSD_4_7_BASE
# 1.60 12-Jan-2010 naddy

Add TCP/UDP checksum display for v6 and clean up the checksum
calculation. Mostly from tcpdump.org; ok jsing@


# 1.59 04-Nov-2009 jsing

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.58 14-Feb-2009 sthen

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.


# 1.57 16-Oct-2008 mpf

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@


# 1.59 04-Nov-2009 jsing

Add support to tcpdump for decoding the GPRS Tunnelling Protocol (GTP),
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.

This work has been kindly sponsored by SystemNet AS (www.systemnet.no).

"commit" deraadt@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.58 14-Feb-2009 sthen

increase the default snaplen to 116, allows capture of pflog+ipv6+tcp
without knobs. ok djm, deraadt.


# 1.57 16-Oct-2008 mpf

Add support for IEEE "slow protocols" LACP, MARKER as per 802.3ad.
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@


Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.56 07-Oct-2007 deraadt

trash $Header goo which is just annoying; 5595


# 1.55 28-Aug-2007 markus

add -I option for printing the interfaces;
ok hshoexer, henning, mcbridge (some time ago)


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.54 01-Jun-2006 moritz

Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@


# 1.53 23-May-2006 stevesk

add VLAN Query Protocol (VQP) dissector; ok canacar@ markus@


# 1.52 28-Mar-2006 reyk

Add a simple printer for IEEE 802.1AB LLDP, the Link Layer Discovery
Protocol.

LLDP is used by some switch vendors as a replacement for the non-free
Cizzco Discovery Protocol (CDP) due to some Cisco patentry...

ok brad@


Revision tags: OPENBSD_3_9_BASE
# 1.51 22-Nov-2005 reyk

add printer for IAPP and hostapd(8) messages

ok canacar@, tested by aanriot@ and others


# 1.50 08-Oct-2005 canacar

Add a best effort mpls decoder. From Jason L. Wright.
Since the encapsulated protocol information is not always
available in the MPLS tag stack, the decoder attempts
to guess the protocol.
ok brad@


Revision tags: OPENBSD_3_8_BASE
# 1.49 28-May-2005 reyk

support decapsulation of 802.11 data frames

ok canacar@


Revision tags: OPENBSD_3_7_BASE
# 1.48 07-Mar-2005 reyk

add a printer for 802.11 and for additional radiotap headers,
use -y IEEE802_11 or IEEE802_11_RADIO if supported by the driver.

ok canacar@


# 1.47 16-Sep-2004 markus

add -T tcp to enforce interpretation as TCP


Revision tags: OPENBSD_3_6_BASE
# 1.46 20-Jun-2004 avsm

- do not use __attribute__((volatile)) as it's a synonym for __dead nowadays
- bad format string "\%s" -> "%s" in print-ike.c
fixes parsing using CIL, discussed with millert@ niklas@


# 1.45 21-May-2004 brad

add DLT_PPP_ETHER support plus some fixes for pppoe_if_print().

ok canacar@

From: Marc Huber <pppoe at pro-bono-publico dot de>


# 1.44 28-Apr-2004 mcbride

Make tcpdump print carp as carp. Printing vrrp can be forced with -T vrrp.

ok markus@ pb@


Revision tags: OPENBSD_3_5_BASE
# 1.43 28-Jan-2004 canacar

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@


# 1.42 18-Jan-2004 otto

Sync print-domain with tcpdump.org; avoids tcpdump barfing on bogus
DNS traffic.

ok canacar@ jakob@


# 1.41 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contain regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.40 21-Aug-2003 frantzen

print the operating system of TCP SYN packets with the -o option


# 1.39 26-Jun-2003 deraadt

ansi and protos


# 1.38 11-Jun-2003 markus

support for NAT-T (draft-ietf-ipsec-udp-encaps-06.txt); ok deraadt@


# 1.37 14-May-2003 canacar

libpcap and tcpdump now understand the new pflog datalink type.
old datalink type is still recognized.

ok henning@ dhartmei@ frantzen@


Revision tags: OPENBSD_3_3_BASE
# 1.36 20-Feb-2003 jason

add printing of ipcomp, and while in the neighborhood, make ah/esp actually
check the length of the data


# 1.35 30-Nov-2002 mickey

pfsync support; deraadt@ ok


# 1.34 30-Nov-2002 deraadt

stop breaking the damn tree mickey


# 1.33 29-Nov-2002 mickey

tcpdump support for pfsync; henning@ ok


Revision tags: OPENBSD_3_2_BASE
# 1.32 12-Jul-2002 pvalchev

In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.
From tcpdump CVS via fenner@FreeBSD


Revision tags: OPENBSD_3_1_BASE
# 1.31 19-Feb-2002 millert

branches: 1.31.2;
We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.


# 1.30 23-Jan-2002 mickey

proper handling for DLT_NULL and DLT_LOOP (header byte swapping); pointed out and tested by Alexander Yurchenko <grange@rt.mipt.ru>


# 1.29 22-Jan-2002 mickey

HSRP dissector, from Julian Cowley <julian@lava.net> via tcpdump.org


Revision tags: OPENBSD_3_0_BASE
# 1.28 02-Oct-2001 deraadt

branches: 1.28.2;
change timeval to bpf_timeval; 32 bit in size, permitting much greater portability


# 1.27 25-Jun-2001 provos

interpret DLT_PFLOG


Revision tags: OPENBSD_2_9_BASE
# 1.26 09-Apr-2001 ho

Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)


# 1.25 08-Apr-2001 jakob

add support for printing cdp (Cisco Discovery Protocol), from tcpdump.org


# 1.24 06-Mar-2001 jakob

add lwres (BINDv9 resolver) printing. from tcpdump.org and modified by ho@


# 1.23 05-Mar-2001 jakob

add relts_print, safeputs and safeputchar


# 1.22 05-Feb-2001 jason

etherip printing code... handles draft (v2) and current (v3)


# 1.21 07-Dec-2000 mickey

timed printing; from Ben Smithurst <ben@scientia.demon.co.uk>; via tcpdump.org


# 1.20 07-Dec-2000 mickey

smb printing; from Andrew Tridgell; via tcpdump.org


# 1.19 07-Dec-2000 mickey

add vrrp printing; from tcpdump.org


Revision tags: OPENBSD_2_8_BASE
# 1.18 19-Oct-2000 jason

code for printing bridge spanning tree packets
also fix a bug where llc encoded frames are hex dumped twice when -x is used


# 1.17 03-Oct-2000 ho

Compile with -Wall. Add $OpenBSD$. (jakob@ ok)


Revision tags: OPENBSD_2_7_BASE
# 1.16 26-Apr-2000 jakob

INET6
DHCP/BOOTP
tcp & udp checksum detection
numerous bugfixes


# 1.15 16-Jan-2000 jakob

BGP support (from KAME/WIDE). INET6 parts not done yet.


# 1.14 16-Jan-2000 jakob

Mobile IP support (from KAME/NetBSD)


# 1.13 16-Jan-2000 jakob

L2TP support (from KAME)


Revision tags: OPENBSD_2_6_BASE
# 1.12 16-Sep-1999 brad

declare esp_print and radius_print


# 1.11 28-Jul-1999 jakob

- Merge some changes from tcpdump 3.4
    -a flag; attempt to convert network and broadcast addresses to names
    Improved signal handling
    Miscellaneous fixes and typos
    OSPF MD5 authentication support

- -X flag; emacs-hexl print (including ascii)

- Add ECN bits to TCP and IP headers

- IKE & IPsec (ESP & AH) support

OK deraadt@


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.10 22-Sep-1998 provos

make tcpdump aware of SACK (RFC 2018), loosely based on a patch from
hari@cs.berkeley.edu.


# 1.9 25-Jun-1998 mickey

add cisco netflow proto printing; not tested w/ version 5, but should work anyways


# 1.8 11-Jun-1998 provos

handle IPSec processed packets (DLT_ENC) in libpcap, display them with
tcpdump + additional info (SPI + which type of transforms were passed).


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.7 25-Jul-1997 mickey

#if __STDC__ --> #ifdef __STDC__


# 1.6 23-Jul-1997 denny

Better handling for AppleTalk, and netatalk in particular.
Handle native Ethertalk phase 1 & 2 as well as the localtalk encapsulation a la Kinetics FastPath previously handled.


Revision tags: OPENBSD_2_1_BASE
# 1.5 12-Dec-1996 bitblt

*** empty log message ***


Revision tags: OPENBSD_2_0_BASE
# 1.4 13-Jul-1996 mickey

it is 3.2 now.


# 1.3 10-Jun-1996 deraadt

sync to latest


# 1.2 04-Mar-1996 mickey

Updating to the latest LBL release.
Sun's SKIP support added.


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision

