With this change, we can write/print some contiguous packets from a file.
We can also skip some packets when doing a live capture.
The '--skip 0' option is allowed to help some loop in a shell script.
Examples:
Skip 3 packets when printing:
tcpdump -#n --skip 3 -r in.pcap
Write the sixth packet, if any:
tcpdump --skip 5 -c 1 -r in.pcap -w out.pcap
Write up to 5 packets after skipping 3:
tcpdump --skip 3 -c 5 -r in.pcap -w out.pcap
In the -f flag description just refer to the -i flag description to
deduplicate the prose. In the -i flag description reword the "any" note
consistently with that in pcap_create(3PCAP) and pcap_open_live(3PCAP).
This lets us remove a bunch of configure-time and compile-time tests.
Update documentation to reflect this.
WinPcap 4.1.3 is based on libpcap 1.0, but doesn't export all of the new
APIs, so it won't work with code that uses any of the other APIs, which
tcpdump does, so don't test with WinPcap.
Print the new flag using lowercase "e" to avoid confusion with the
existing uppercase flags and "." for ACK. Add/update tests. Document
it in the man page using "AE" as the shorthand.
Format man page references, filter expressions, command-line options and
C names consistently with most other man pages. Fix up capitalization
and wording in a few instances, among other things do not document NFS
as Sun-specific and AFS -- as Transarc-specific. Remove the reference
to bpf(4), which belongs to libpcap only, and the description of bugs
that are entirely libpcap-specific and are documented in pcap-filter(7).
This reference has been in this man page since tcpdump 2.0, which
included both libpcap and a man page with NIT particulars, which later
migrated to a libpcap man page and recently disappeared from there
as a part of SunOS 3.x support, so this reference no longer has any
purpose even remotely.
The lengths will be printed at the beginning of the line or after the
packet number, if any.
'caplen' is the captured length.
'len' is the original (on wire) length.
Examples
1) With -#n
1 caplen 80 len 98 14:41:53.503612 IP 192.168.1.11.43966 > [...]
2) With -n
caplen 80 len 98 14:43:38.185603 IP 192.168.1.11.43966 > [...]
Add a test file with one packet not truncated, the other truncated.
[skip ci]
It's to prevent the shell from (mis-)interpreting the square brackets.
e.g. if there is a file named tcp1 in the current directory,
with tcp[13] == 2, the executed command will be:
tcpdump -i xl0 tcp1 == 2
Result: tcpdump: can't parse filter expression: syntax error
[skip ci]
It's a follow-up to c8623960f0.
The support is now enabled by default. No more "#ifdef GUESS_TSO".
Output example:
length 2016 [was 0, presumed TSO]
Add a test file with presumed TSO.
(From http://cloudshark.org/captures/25e40f73bc1c, found via
https://osqa-ask.wireshark.org/questions/16279/)
Use ND_ICHECKMSG_U() to test an invalid total length < header length.
Output example:
[total length 19 < 20] (invalid)
Add a test file for this case.
Move ND_TCHECK_SIZE(ip) after the new tests.
Add a const qualifier for the ip_print() parameter 'length'.
Update the man page.
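The two IPv4 length cases described in the commit messages above (a zero total length presumed to come from TSO, and a total length shorter than the header) can be illustrated on constructed header bytes. This is an added example, not tcpdump's ip_print() code; the enum, the function names and the choice of what a zero total length is replaced with (the length the caller already has for this layer) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of checking the IPv4 total-length field (assumed names). */
enum ip_len_status {
    IP_LEN_OK = 0,           /* total length consistent with the header */
    IP_LEN_PRESUMED_TSO = 1, /* field is 0: use the length the caller has */
    IP_LEN_INVALID = 2,      /* total length shorter than the header itself */
    IP_LEN_TRUNCATED = 3     /* not even 20 captured bytes to look at */
};

/* 'buf'/'caplen' are the captured bytes of the IPv4 packet; 'length' is the
 * length the caller knows for this layer (what the link layer says follows),
 * which is what a zero total length is replaced with here. *out_len receives
 * the length the rest of the decoder should continue with. */
enum ip_len_status classify_ipv4_len(const uint8_t *buf, size_t caplen,
                                     unsigned length, unsigned *out_len)
{
    unsigned hlen, total;

    /* The raw bytes are read directly here, so the fixed header must be
     * present first (tcpdump checks bounds per field access instead). */
    if (caplen < 20) {
        *out_len = 0;
        return IP_LEN_TRUNCATED;
    }

    hlen = (unsigned)(buf[0] & 0x0f) * 4;       /* IHL is in 32-bit words */
    total = ((unsigned)buf[2] << 8) | buf[3];   /* total length, big-endian */

    if (total == 0) {
        /* Segmentation offload leaves the field for the NIC to fill in, so
         * a host-side capture sees 0; fall back to the passed-in length. */
        *out_len = length;
        return IP_LEN_PRESUMED_TSO;
    }
    if (total < hlen) {
        *out_len = total;
        return IP_LEN_INVALID;
    }
    *out_len = total;
    return IP_LEN_OK;
}

/* Constructed 20-byte IPv4 header (IHL 5, TCP) with the given total length. */
static void make_ipv4_header(uint8_t hdr[20], unsigned total_len)
{
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                      /* version 4, IHL 5 => 20 bytes */
    hdr[2] = (uint8_t)(total_len >> 8);
    hdr[3] = (uint8_t)(total_len & 0xff);
    hdr[8] = 64;                        /* TTL */
    hdr[9] = 6;                         /* protocol: TCP */
}

/* Helpers for checking one constructed case: the status and the length
 * the decoder would continue with. */
int status_for(unsigned total_len, size_t caplen, unsigned length)
{
    uint8_t hdr[20];
    unsigned out;
    make_ipv4_header(hdr, total_len);
    return (int)classify_ipv4_len(hdr, caplen, length, &out);
}

unsigned decoded_len_for(unsigned total_len, size_t caplen, unsigned length)
{
    uint8_t hdr[20];
    unsigned out;
    make_ipv4_header(hdr, total_len);
    classify_ipv4_len(hdr, caplen, length, &out);
    return out;
}

/* Prints the two messages quoted in the commit messages above for the
 * corresponding constructed headers. */
int main(void)
{
    uint8_t hdr[20];
    unsigned out;

    make_ipv4_header(hdr, 0);
    if (classify_ipv4_len(hdr, sizeof hdr, 2016, &out) == IP_LEN_PRESUMED_TSO)
        printf("length %u [was 0, presumed TSO]\n", out);

    make_ipv4_header(hdr, 19);
    if (classify_ipv4_len(hdr, sizeof hdr, 19, &out) == IP_LEN_INVALID)
        printf("[total length %u < %u] (invalid)\n", out, 20u);
    return 0;
}
```

The truncation check comes first only because this example reads the raw bytes itself; the ordering change in the commit message (moving ND_TCHECK_SIZE(ip) after the new tests) relies on tcpdump's per-field bounds-checked accessors, which this stand-alone code does not have.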
In the prose use the names from the respective registry [1], which says:
* "PSH", not "PUSH",
* "CWR", not "ECN CWR", and
* "ECE", not "ECN-Echo".
This does not resolve all known inconsistencies related to TCP flags,
but at least makes the problem smaller.
1: https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml
New option `--print-sampling=NTH` will parse and print every NTH packet,
with all other packets producing no output. This option enables
`--print` and `-S` flags.
Print sampling is useful for real-time inspection of an interface with
a high packet rate, or initial inspection of large capture files.
Support upper-case suffixes (K/M/G) as well as lower-case suffixes.
Make sure nothing *follows* the suffix.
We don't need to check for the suffix before parsing the number; the
parsing routines stop if they see a non-digit character.
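The suffix handling just described (digits first, then at most one K/M/G suffix in either case, then nothing else) looks like this in an added example that is not tcpdump's own code. The function names and the use of 1024-based multipliers are assumptions for the illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Parse a non-negative count with an optional k/K, m/M or g/G suffix
 * (assumed 1024-based). Returns 0 and stores the scaled value in *out, or
 * -1 for an empty string, a non-number, a negative value, an unknown
 * suffix, anything following the suffix, or an out-of-range result. */
int parse_scaled_long(const char *s, long *out)
{
    char *end;
    long multiplier = 1;
    long value;

    if (s == NULL || *s == '\0')
        return -1;

    /* Digits first: strtol() stops at the first non-digit, so whatever it
     * leaves in 'end' is where the suffix check starts. */
    errno = 0;
    value = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || value < 0)
        return -1;

    /* At most one suffix, accepted in either case. */
    switch (*end) {
    case '\0':
        break;
    case 'k': case 'K': multiplier = 1024L;                 end++; break;
    case 'm': case 'M': multiplier = 1024L * 1024L;         end++; break;
    case 'g': case 'G': multiplier = 1024L * 1024L * 1024L; end++; break;
    default:
        return -1;
    }

    /* Nothing may follow the suffix ("10Kb" and "10K " are rejected). */
    if (*end != '\0')
        return -1;

    /* Reject results that would overflow when scaled. */
    if (value > LONG_MAX / multiplier)
        return -1;

    *out = value * multiplier;
    return 0;
}

/* Convenience wrapper for quick checks: the scaled value, or -1 on error
 * (negative inputs are already rejected, so -1 cannot be a valid result). */
long scaled_or_error(const char *s)
{
    long v;
    return parse_scaled_long(s, &v) == 0 ? v : -1;
}
```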
Accurate skipping of the link level header was working before the
conversion started, it will hopefully work after the conversion is
complete, but meanwhile be clear about what it is now.
As explained in GH #155, when tcpdump is given -r, -w and -v and it
takes long enough to read from the input file (because it is stdin
connected through network or a pipe to stdout of another tcpdump doing
a live capture), pcap_loop() will error before long. One of the ways to
reproduce the fault is as follows:
$ tcpdump -i eno1 -w - | tcpdump -r - -w /tmp/tmp.pcap -v
tcpdump: listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
reading from file -, link-type EN10MB (Ethernet), snapshot length 262144
tcpdump: pcap_loop: error reading dump file: Interrupted system call
Skip the verbose_stats_dump() timer setup in this specific corner case
for the time being and document it.
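The mechanism behind the "Interrupted system call" error above can be reproduced without tcpdump: a periodic SIGALRM timer (such as one driving a stats dump) fires while the process is blocked in read(2) on a pipe, and unless the handler was installed with SA_RESTART the read fails with EINTR instead of being resumed. The following is an added example, not tcpdump's or libpcap's code; the function names are assumptions, and the handler writes one byte into the pipe so that a restarted read has something to return.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

static int pipe_wfd = -1;

/* Timer handler standing in for the periodic stats dump. It also feeds one
 * byte into the pipe (write(2) is async-signal-safe) so a restarted read
 * completes instead of blocking again. */
static void on_alarm(int sig)
{
    (void)sig;
    if (pipe_wfd >= 0) {
        unsigned char b = 'x';
        (void)write(pipe_wfd, &b, 1);
    }
}

/* Block in read(2) on an empty pipe while a one-shot 100 ms SIGALRM timer
 * is armed. Returns 1 when the read completed (one byte received), the
 * errno value when it failed (EINTR for the interruption this reproduces),
 * or -1 on an unexpected end of file. */
int read_under_alarm(int use_sa_restart)
{
    int fds[2];
    struct sigaction sa, old;
    struct itimerval it;
    unsigned char buf;
    ssize_t n;
    int result;

    if (pipe(fds) != 0)
        return errno;
    pipe_wfd = fds[1];

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = use_sa_restart ? SA_RESTART : 0;
    sigaction(SIGALRM, &sa, &old);

    memset(&it, 0, sizeof(it));
    it.it_value.tv_usec = 100000;       /* fire once, 100 ms from now */
    setitimer(ITIMER_REAL, &it, NULL);

    n = read(fds[0], &buf, 1);          /* blocks until the timer fires */
    if (n == 1)
        result = 1;
    else if (n < 0)
        result = errno;                 /* EINTR without SA_RESTART */
    else
        result = -1;

    /* Disarm the timer and restore the previous handler and pipe state. */
    memset(&it, 0, sizeof(it));
    setitimer(ITIMER_REAL, &it, NULL);
    sigaction(SIGALRM, &old, NULL);
    pipe_wfd = -1;
    close(fds[0]);
    close(fds[1]);
    return result;
}
```

Without SA_RESTART the handler's byte is already sitting in the pipe when read() returns, yet the caller still sees -1/EINTR; a reader loop that treats every read error as fatal, as the pcap_loop() output above shows, then stops. Retrying on EINTR, installing the handler with SA_RESTART, or not arming the timer at all (the approach taken in the commit message) are the three ways to avoid that.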