The changes associated with this commit introduce the IANA subtree
for LLDP and its first element, the MUDURL, as documented in
draft-ietf-opsawg-mud. This is similar to the changes made for
DHCP and DHCPv6.
[updated to use fn_printn]
Moreover:
Add test files with 'Simple Password', 'Keyed MD5' and
'Meticulous Keyed SHA1' authentications.
Update specification from draft to RFC 5881 for BFD_CONTROL_PORT and
BFD_ECHO_PORT in udp.h.
Add specification RFC 5881 in print-bfd.c.
This commit adds support for RESP as defined in: http://redis.io/topics/protocol.
It also supports inline commands and pipelining. Due to the popularity of RESP,
numerous services are emerging that use this protocol. You may decode RESP packets
on arbitrary ports using the "-T resp" option.
Example captures can be found in tests/resp_*.
A simple way to test this parser is to start redis-server and then run
redis-cli commands such as "redis-cli set key value".
Traditionally, redis-cli monitor is used to debug redis. Unfortunately,
the "monitor" command can cause significant load on a redis-server in
production. This parser may be used as a non-invasive alternative to
redis-cli monitor.
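The RESP framing this decoder handles, as an added example in Python (not tcpdump's print-resp.c): the five typed values, inline commands and pipelined requests in one segment, with a bounds check on the peer-supplied bulk length. The sample buffers are constructed, not taken from a capture.

```python
"""Minimal RESP (REdis Serialization Protocol) decoder.

Added example, not tcpdump's print-resp.c. Decodes the five RESP types
(+simple string, -error, :integer, $bulk string, *array), inline commands
and pipelined requests (several values back to back in one segment).
The sample buffers below are constructed, not taken from a capture.
"""

CRLF = b"\r\n"


class RespError:
    """A '-' error reply; kept distinct from a '+' simple string."""
    def __init__(self, text):
        self.text = text

    def __eq__(self, other):
        return isinstance(other, RespError) and other.text == self.text

    def __repr__(self):
        return "RespError(%r)" % self.text


def _read_line(buf, pos):
    """Return (line, new_pos) for the CRLF-terminated line starting at pos."""
    end = buf.find(CRLF, pos)
    if end < 0:
        raise ValueError("no CRLF: truncated segment or not RESP")
    return buf[pos:end], end + 2


def parse_value(buf, pos=0):
    """Parse one RESP value at pos; return (value, new_pos).

    An inline command (no type prefix) comes back as a list of tokens,
    the same shape as an array of bulk strings, so callers need not care
    which encoding the client used.
    """
    if pos >= len(buf):
        raise ValueError("empty buffer")
    kind = buf[pos:pos + 1]
    if kind == b"+":
        line, pos = _read_line(buf, pos + 1)
        return line.decode(), pos
    if kind == b"-":
        line, pos = _read_line(buf, pos + 1)
        return RespError(line.decode()), pos
    if kind == b":":
        line, pos = _read_line(buf, pos + 1)
        return int(line), pos
    if kind == b"$":
        line, pos = _read_line(buf, pos + 1)
        n = int(line)
        if n == -1:
            return None, pos                       # null bulk string
        # Bounds check before trusting a length the peer chose.
        if n < 0 or pos + n + 2 > len(buf):
            raise ValueError("bulk length %d exceeds buffer" % n)
        if buf[pos + n:pos + n + 2] != CRLF:
            raise ValueError("bulk string not CRLF-terminated")
        return buf[pos:pos + n].decode(), pos + n + 2
    if kind == b"*":
        line, pos = _read_line(buf, pos + 1)
        n = int(line)
        if n == -1:
            return None, pos                       # null array
        items = []
        for _ in range(n):
            item, pos = parse_value(buf, pos)
            items.append(item)
        return items, pos
    # No type byte: inline command, a space-separated CRLF-terminated line.
    line, pos = _read_line(buf, pos)
    return [tok.decode() for tok in line.split()], pos


def parse_stream(buf):
    """Decode every value in a segment; pipelining puts several in a row."""
    values, pos = [], 0
    while pos < len(buf):
        value, pos = parse_value(buf, pos)
        values.append(value)
    return values


# Constructed samples: what "redis-cli set key value" and "redis-cli get key"
# send when pipelined, the replies, and the same requests as inline commands.
PIPELINED_REQUEST = (b"*3\r\n$3\r\nSET\r\n$3\r\nkey\r\n$5\r\nvalue\r\n"
                     b"*2\r\n$3\r\nGET\r\n$3\r\nkey\r\n")
REPLIES = b"+OK\r\n$5\r\nvalue\r\n"
INLINE = b"SET key value\r\nGET key\r\n"
```

Like the tcpdump decoder, this works on one segment at a time: a bulk string split across TCP segments shows up as a ValueError rather than a value, which is the honest answer for a passive observer that does not reassemble the stream.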
Process bits 29, 30, and 31 in code that's independent of what namespace
we're in:
If we're switching to the radiotap namespace, reset the bit numbers to
start back at 0.
If we're switching to a vendor namespace, get the vendor OUI and
subspace, and the skip length.
Keep track of which namespace we're in.
If we're *in* a vendor namespace, skip over the data specified by the
skip length (and reset it, as we've processed all the vendor namespace
data and, if there's a subsequent bitmap in the same namespace,
there's nothing more to process). Use cpack_align_and_reserve() to
skip that, so we check that we don't go past the end of the packet
data.
Fixes GitHub tcpdump issue #498.
This removes some bogus errors; update the test output to reflect that.
Reference: IEEE Std 802.3-2012
"If the value of this field is less than or equal to 1500 decimal
(05DC hexadecimal), then the Length/Type field indicates the number
of MAC client data octets contained in the subsequent MAC Client Data
field of the basic frame (Length interpretation)."
Update the output of a test accordingly.
Moreover:
Update reference from draft to RFC5171.
Add bounds and length checks.
Fix TLV length printout. It is the length of the type, length, and value
fields.
Filter out non-printable characters.
Print the Echo TLV with fn_printn(). Note: The format of this list of ID
pairs is not documented in the RFC.
Update the output of a test accordingly.
Add and use istr[] and tstr[] strings.
Comment on the TLV format.
Update some comments.
Moreover:
Add/fix a lot of bounds and length checks.
Add and use tstr[] string.
Fix some typos.
Update the output of a test according to these changes.
Fixing Travis CI build for LISP commit
Adding testcases for lisp notify and register
Fixing build warnings
Added ND_TCHECK for relevant headers
Fixing ND_TCHECK2 issues
Adding support for multiple LOC records for same EID entry
Fixing review issues, adding detailed tests
Adding support for verbose outputs
Adding RFC information for UDP PORT definition
Removing Spaces in type names
Print EID record related flags in verbose mode
Using tok2str
Fixing -Wpedantic issues
Negative testcases, Packet structure comments, verbose mode flag printing
Printing Map Version
Print auth_data, decouple type and xtr_present extraction, handle malformed packets correctly
Tests for latest code changes
Printing useful info in case not built with IPv6 support
This header can be used with Marvell switches to direct packets in/out
of a specific port in a tree of interconnected switches. The header
uses its own Ethertype of 0xdada.
By default, only brief output is printed, showing the switch device,
port, and vlan the packet is to/from. However if -e is given, to print
the link-level header, all fields are printed.
It's also used for WPA/WPA2, so it's a generic "protected by encryption"
flag. Update the name of the macro that checks it, and report it as
"Protected" rather than "WEP Encrypted".
Improve decoding of BSN vendor commands: update printing of commands
that set/get mirror port reporting flag, add decoding of shell exec
commands. Introduce decoding of vendor-specific actions with BSN as the
first such vendor and "mirror" as the first such BSN action.
Add a new test case based on a packet capture produced using Trema
controller and an Arista 7050SX-64 switch in Arista Networks' test lab.
Besides the structures above the capture contains the following items:
* OFPT_QUEUE_GET_CONFIG_REPLY with 0 queues (a valid edge case)
* OFPT_FEATURES_REPLY with ports 21 and 23 having bogus "config" field
(a violation of the protocol, which required temporary patching of the
controller to avoid the session shutdown)
* a set of IP mask manipulation BSN-specific commands
Allow an extra byte in the buffer for snprintf()'s null character,
otherwise it does not work as intended (issue spotted by Gisle Vanem on
Windows, where snprintf() behaviour seems to be different). Update the
tests.
When compiled with Capsicum, tcpdump -E 'file filename' fails to read
the secret from the file with the "Not permitted in capability mode"
error and exits with code 3. Skip respective tests until this logic is
handled in a better way.
Introduce a new function that tries to dispatch an OFPT_VENDOR message
to a vendor-specific printer function. Add such a function for Big
Switch Networks vendor with about as little decoding as necessary to
cover the existing 7050Q OF1.0 capture.
The new function goes into print-openflow.c as vendor name decoding is
the same in all versions of OpenFlow (although in 1.0 it is "vendor"
and in subsequent versions it is "experimenter"). The mapping is from:
https://rs.opennetworking.org/wiki/display/PUBLIC/ONF+Registry
Currently, TESTonce uses 'diff -w' so it ignores all white space.
We need a strict comparison, else there is no difference between, for example,
'Association Setup' and 'AssociationSetup' => removing the option '-w'
The value of the length field in a UDP header includes the length of the
header itself; the values in this capture didn't. The length fields in
the IP headers and the RADIUS headers were correct and consistent with
each other, and the length fields in the UDP headers are now correct and
consistent with both of them.
The sample capture was produced with two Linux hosts (aoetools version
36, kernel module version 85, vblade version 21). One of the hosts
exported a 1MB block device containing a freshly created filesystem and
the other mounted it, wrote a small file and then unmounted.
It's not necessarily there on all platforms. Explicitly invoke the
interpreter to run the TESTonce script; that requires that, when you run
"make check", your path includes the directory in which the Perl
interpreter resides.
SCTP's payload protocol identifiers added.
M3UA tests provided by Wireshark
http://wiki.wireshark.org/SampleCaptures#Sigtran_Protocol_Family
But RFC4666 says that parameter 0x0002 isn't carried by M3UA, so
it's OK that tcpdump doesn't know about this identifier.
Conflicts:
Makefile.in
interface.h
print-sctp.c
sctpConstants.h
-----------------------------------------------------------------------
The change to sctp_print() does three things:
* makes detection of ForCES consider PPID, not just port number
* verifies chunk length of all SCTP_DATA chunks, not just of ForCES
* adds PPID-specific dispatching with a particular case of M3UA
-- Denis
- in this case the destination address used in the pseudo-header is
that of the final destination: the last address of the routing header
- add a pcap file
The sample capture consists of VRRPv2/IPv4, VRRPv3/IPv4 and VRRPv3/IPv6
packets. It was produced using 7 MikroTik devices running RouterOS 6.10
and configured for the same set of virtual addresses with different
priorities per device. The devices were powered on one after another
with a ~30-second delay in the order of VRRP priority ascending. The
test cases decode the capture with and without "-v".
It worked on Linux and FreeBSD but OpenCSW build produced the following:
./lmp-v.sh: !: not found
./TESTrun.sh: local: not found
./TESTrun.sh: test: unknown operator ==
Rewrite TESTonce to do only one thing (run a test with given parameters)
but do it well. Split TESTrun.sh into functions and extend it to do only
a specific test if requested. Justify format of the test results and
move most of the test results printing from TESTrun.sh to TESTonce.
tcpdump used to print an empty line for a Loopback (CTP) packet, which
many Cisco switches send by default every 10 seconds. This commit adds
a decoder for the protocol and a test case, which uses the sample
capture from Wireshark wiki (configuration_test_protocol_aka_loop.pcap).
In May 2001 commit ea3df10 implemented support for then-current I-D on
the Route Information ICMPv6 option using type 9. In June 2001 type 9
was assigned to a completely different ICMPv6 option (Source Address
List, RFC3122). In 2005 the I-D became RFC4191 with the same option
encoding and assigned option type 24.
Update a macro to fix decoding and add a test case for it (produced
with an unconfigured instance of a development build of OpenWrt).
This capture was produced using an Arista DCS-7050Q-16 switch running
EOS-4.10.4 software. The controller sends two vendor messages
(BSN_GET_IP_MASK_REQUEST and BSN_GET_MIRRORING_REQUEST) and the switch
sends a reply for each (BSN_GET_IP_MASK_REPLY and
BSN_GET_MIRRORING_REPLY respectively).
Add new decoder for UDP port 5359 and a sample packet capture produced
on a couple of Linux hosts (a server and a client). Besides that, an
existing Babel capture contained AHCP packets and the current AHCP tests
cover 0, 1 and 2 "-v" flags.
The test cases included the timestamp (due to missing -t) and failed
unless run in the same timezone as produced. The failures printed by
print-flags.sh did not make it into the final report because the script
always returned 0.
Strip the timestamps and replace print-flags.sh with some contents in
TESTLIST.
All Babel intervals are encoded in centiseconds and must not be 0. In an
Update TLV the interval value 0xFFFF means infinity (RFC6126 Section
4.4.9). Update the test cases.
...the code
* first looks for '<' and advances to the next character,
* it looks for a number between 0 and 9 and advances to the next
character, (it finds 7)
* it looks for '>' and advances to the next character,
* it looks for a number between 0 and 9 and advances to the next
character, (it finds the '2' of '2010')
=> result: prio is 72 instead of 7.
The code that checks if the character is '>' should be outside the loop
that checks if the character is a number. The attached patch moves this
check.
The new capture contains two datagrams produced by logger utility
(syslog default timestamp format) and two datagrams produced by rsyslog
(RFC3339 timestamp format). One of the rsyslog datagrams has priority
consisting of two figures and the other -- of one figure.
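The PRI parsing bug described above, as an added Python example (not tcpdump's print-syslog.c): pri_buggy() is a reconstruction of the failure mode, with the '>' check inside the digit loop, and pri_fixed() moves that check after the loop. The 3-digit bound on both loops is an assumption taken from PRI's 0..191 range; the messages are constructed in the two timestamp formats the test capture uses.

```python
"""Syslog PRI parsing: the reported bug next to the fix.

Added example, not tcpdump's print-syslog.c. pri_buggy() is a
reconstruction of the failure mode described above (the '>' check sits
inside the digit loop, so for a one-digit PRI the first digit of the
timestamp is swallowed); pri_fixed() checks for '>' after the loop. PRI is
at most three digits (0..191), hence the bound on the loop in both
versions. Messages are constructed in the two timestamp formats mentioned.
"""

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def pri_buggy(msg):
    """Returns (pri, rest). Wrong for "<7>2010-...": yields 72."""
    if not msg.startswith(b"<"):
        raise ValueError("no PRI")
    i, pri = 1, 0
    while i <= 3 and i < len(msg) and msg[i:i + 1].isdigit():
        pri = pri * 10 + msg[i] - 48
        i += 1
        if msg[i:i + 1] == b">":     # consumed here, but the loop continues
            i += 1
    return pri, msg[i:]


def pri_fixed(msg):
    """Returns (pri, rest); '>' is required once the digit run ends."""
    if not msg.startswith(b"<"):
        raise ValueError("no PRI")
    i, pri = 1, 0
    while i <= 3 and i < len(msg) and msg[i:i + 1].isdigit():
        pri = pri * 10 + msg[i] - 48
        i += 1
    if i == 1 or msg[i:i + 1] != b">":
        raise ValueError("PRI must be 1-3 digits followed by '>'")
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    return pri, msg[i + 1:]


def parse_syslog(msg):
    """Split a datagram into facility number, severity name and the rest."""
    pri, rest = pri_fixed(msg)
    return pri >> 3, SEVERITIES[pri & 7], rest


# Constructed: logger's default BSD timestamp, and rsyslog's RFC 3339 form.
BSD_ONE_DIGIT = b"<7>Jan  5 12:34:56 host prog[123]: hello"
RFC3339_ONE_DIGIT = b"<7>2010-01-05T12:34:56.123456+01:00 host prog: hello"
RFC3339_TWO_DIGIT = b"<13>2010-01-05T12:34:56.123456+01:00 host prog: hello"
```

The buggy version gives the right answer for the BSD timestamp ("<7>Jan ...") and for a two-digit PRI, which is why the bug only surfaced with an RFC 3339 timestamp following a one-digit PRI: the loop's extra iteration needs a digit right after the '>'.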
This change removes detection of linux/netfilter/nfnetlink_log.h, which
was only used to provide two constants. The constants are now defined in
print-nflog.c, making it possible to compile (and test) the NFLOG
decoder on all systems, not only Linux.
There is now a test case for the decoder, it was produced on a Linux
host with:
iptables -A INPUT -p udp --source 74.82.42.42 -j NFLOG --nflog-group 20
dig @74.82.42.42 ...
The packet that may be contained in an OFPT_PACKET_IN or OFPT_PACKET_OUT
OpenFlow message is a plain Ethernet frame. Make it possible to have
ether_print() process that frame, with a controlled verbosity level (see
a comment in print-openflow-1.0.c for details). Update an existing test
case to employ the new feature.
The Link Management Protocol version 1 sample capture added to the tests
directory in commit 212eef2 was produced using non-standard UDP port
49998. Later assignment of port 701 reflected in commit 960aee5 made it
impossible to decode the capture.
This change adds a -T override for LMP, uses it to replace the broken
test with two working tests and dismisses the custom test script,
lmp.sh.
This capture was produced using a NEC PF5240 switch running OS-F3PA
V4.0.1.0 and configured for one OpenFlow instance with 8 ports. A short
exchange covers features not seen in previous OF1.0 captures. It
installs 8 flows that hit 3 of the 11 tables present on the device:
"normal 1", "expanded" and "emergency". This is correctly reflected in
subsequent flow/table stats reply messages. The queue
stats/configuration messages (typically absent from most other
implementations) cover 2 ports with 8 queues each. After the exchange
completes the controller shuts down.
The capture was produced using a Dell Force10 S4810 switch running FTOS
9.1 and configured for two OpenFlow instances. Both instances try to
connect to a Trema controller. Instance 1 connects and proceeds to a
protocol exchange driven by a test script. Besides other messages
instance 1 produces a malformed OFPT_STATS_REPLY message (there are
multiple table descriptors with table_id set to 0) and an OFPT_PACKET_IN
message with xid set to 0. Instance 5 tries to connect, but its
OFPT_FEATURES_REPLY contains a malformed bitmap and the controller
closes the connection. The controller is shut down soon thereafter.
The new file openflow-1.0.h is a verbatim copy of the file openflow.h
from the openflow-1.0.0.tar.gz distribution. The new file
print-openflow-1.0.c contains a set of functions for OpenFlow 1.0 (wire
protocol 0x01) decoding. Of these functions only
of10_header_body_print() is exported and used by the minimal OpenFlow
decoder.
It is intended that future (1.1, 1.2, 1.3.0) OpenFlow version decoders
are implemented the same way (in modules of their own), since different
versions of OpenFlow specification reuse the same symbols for different
numeric values. This way, print-openflow-1.1.c would include
openflow-1.1.h and so on.
The new test case "of10_p3295-vv" was produced using a Pica8 P-3295
switch and Trema controller running a purpose-built sample application.
Babel sub-TLVs are a work in progress, a backward-compatible extension
to Babel version 2 protocol encoding. This update implements encoding
explained by Juliusz Chroboczek to decode ChanInfo sub-TLV of the Update
TLV.
The Pad1 TLV consists only of the Type field (RFC6126 Section 4.4.1),
thus the check for Pad1 type must be done before the Length field is
consumed, if ever. This change brings the tcpdump decoder into line with the
spec and Babel implementation's own TLV iterator.
The packet capture consists of two datagrams produced with a modified
version of Quagga-RE babeld, such that each TLV of the datagrams is
followed with one Pad1 TLV. This encoding is not what a Babel speaker
would typically send, but it is otherwise valid and up to the spec
(RFC6126 Sections 4.2 onwards).
The current version of the decoder has a bug iterating over Pad1.
This bug was discovered and pinned down by Wim Torfs.
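The Pad1 iteration rule from the two Babel commits above, as an added Python example (not tcpdump's print-babel.c): the TLV walker inspects the type octet before reading a length, decodes Hello and Update far enough to show centisecond intervals and the 0xFFFF "infinity" Update interval, and a naive walker that always reads a length is kept alongside to show how it derails on a Pad1. The packet is constructed with a Pad1 after each TLV, like the test capture described.

```python
"""Babel (RFC 6126) TLV walk that handles Pad1 correctly.

Added example, not tcpdump's print-babel.c. Pad1 (type 0) is a single
octet with no Length field, so the type must be inspected before a length
is read. Hello and Update are decoded far enough to show the centisecond
intervals and the 0xFFFF "infinity" Update interval; other TLVs are
returned raw. The sample packet is constructed.
"""
import struct

PAD1, PADN, HELLO, UPDATE = 0, 1, 4, 8


def iter_tlvs(body):
    """Yield (type, value) for each TLV; Pad1 yields (0, b'')."""
    pos = 0
    while pos < len(body):
        t = body[pos]
        if t == PAD1:           # no Length field: consume exactly one octet
            pos += 1
            yield t, b""
            continue
        if pos + 2 > len(body):
            raise ValueError("truncated TLV header at offset %d" % pos)
        length = body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV type %d at %d runs past body" % (t, pos))
        pos += 2 + length
        yield t, value


def iter_tlvs_naive(body):
    """The mistake: read a Length for every type, Pad1 included."""
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated TLV header at offset %d" % pos)
        t, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV type %d at %d runs past body" % (t, pos))
        pos += 2 + length
        yield t, value


def decode_interval(cs, infinity_ok=False):
    """Intervals are centiseconds and must not be 0; in Update, 0xFFFF is infinity."""
    if cs == 0:
        raise ValueError("zero interval is invalid")
    if infinity_ok and cs == 0xFFFF:
        return None
    return cs * 10                      # milliseconds


def parse_babel(pkt):
    """Return a list of decoded TLV tuples for one Babel v2 packet."""
    magic, version, body_len = struct.unpack_from("!BBH", pkt, 0)
    if magic != 42 or version != 2:
        raise ValueError("not a Babel v2 packet")
    body = pkt[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("body length exceeds packet")
    out = []
    for t, v in iter_tlvs(body):
        if t == PAD1:
            out.append(("Pad1",))
        elif t == PADN:
            out.append(("PadN", len(v)))
        elif t == HELLO and len(v) >= 6:
            _reserved, seqno, interval = struct.unpack("!HHH", v[:6])
            out.append(("Hello", seqno, decode_interval(interval)))
        elif t == UPDATE and len(v) >= 10:
            ae, _flags, plen, _omitted, interval, seqno, metric = struct.unpack("!BBBBHHH", v[:10])
            out.append(("Update", ae, plen, decode_interval(interval, True), seqno, metric))
        else:
            out.append(("TLV", t, v))
    return out


# Constructed: header, Hello(seqno 1, 4.00 s), Pad1, Update(AE 0, interval
# infinity, seqno 5, metric 0xFFFF), Pad1, PadN(2).
PKT = bytes.fromhex("2a02001a" "0406000000010190" "00"
                    "080a00000000ffff0005ffff" "00" "01020000")
```

With a Pad1 sitting directly in front of an Update, the naive walker reads the Update's type octet (0x08) as the Pad1's length, lands in the middle of the Update body and fails the bounds check; the correct walker yields all five TLVs.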
The code in question handles DLT_IEEE802_11_RADIO datalink type, which
consists of a variable-sized header, a variable number of fields and the
actual 802.11 frame. The integers contained in the fields are aligned,
properly extracting them is exactly the purpose of the existing "cpack"
module. The issue with the current code is that it sets alignment base
for cpack at the end of the variable-sized header, in other words,
64-bit integers would be properly extracted only so long as the header
is 64-bit long, which only happens when the total number of bitmaps in
it is odd (the minimum number of bitmaps is one). Once this condition
isn't met, as is with two bitmaps, decoding becomes incorrect. The
reporter's point that the alignment base must be the beginning of the
variable-sized header is accurate.
This commit adds a new cpack_advance() function to fast-forward the
"c_next" pointer of a cpack_state context by an arbitrary number of
octets. The ieee802_11_radio_print() function now uses it to skip the
header and all its bitmaps, and the alignment base is now the header
start.
I modified the mac80211 and ath9k kernel module such that extra
information regarding rssi, etc are available, which is why I needed the
extra bitmap. Capturing the packets is simply a matter of using tcpdump
-i wlan0 -w dumpfile.
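The alignment problem from this commit and the namespace/extended-bitmap handling from the radiotap commit earlier on this page, as one added Python example (not tcpdump's cpack module or print-802_11_radio.c). It follows the it_present chain via bit 31, restarts standard bit numbering after bit 29, refuses bit 30 (vendor namespaces are not decoded here), and can deliberately align from the end of the bitmap chain to reproduce the reported misdecode. Field definitions are the standard radiotap ones for TSFT, Flags, Rate and Channel; the frames are constructed.

```python
"""Radiotap header walk with fields aligned relative to the header start.

Added example, not tcpdump's cpack/print-802_11_radio.c. It decodes the
TSFT, Flags, Rate and Channel fields, follows bit 31 ("another it_present
word follows") and notes bit 29 (restart radiotap-namespace bit numbering);
bit 30 (vendor namespace) is rejected rather than decoded. build_frame()
produces constructed frames; align_base="end" re-creates the bug of
aligning from the end of the bitmap chain instead of the header start.
"""
import struct

# bit -> (name, required alignment, size in bytes)
FIELDS = {
    0: ("TSFT", 8, 8),       # u64 MAC timestamp, microseconds
    1: ("Flags", 1, 1),      # u8
    2: ("Rate", 1, 1),       # u8, units of 500 kb/s
    3: ("Channel", 2, 4),    # u16 frequency (MHz) + u16 channel flags
}
BIT_RADIOTAP_NS, BIT_VENDOR_NS, BIT_EXT = 29, 30, 31


def parse_radiotap(data, align_base="start"):
    """Return (it_len, {name: (offset, value)}) for the leading radiotap header."""
    version, _pad, it_len = struct.unpack_from("<BBH", data, 0)
    if version != 0 or it_len > len(data):
        raise ValueError("bad radiotap header")
    presents, pos = [], 4
    while True:                                  # follow the it_present chain
        (word,) = struct.unpack_from("<I", data, pos)
        presents.append(word)
        pos += 4
        if not word & (1 << BIT_EXT):
            break
    # Correct: pad relative to offset 0 (header start). Buggy: relative to
    # the end of the bitmaps, which only happens to work when that end is
    # itself 8-byte aligned (i.e. an odd number of it_present words).
    base = 0 if align_base == "start" else pos
    fields = {}
    std_bits = True            # first word is bits 0..31 of the radiotap namespace
    for word in presents:
        if word & (1 << BIT_VENDOR_NS):
            raise NotImplementedError("vendor namespace fields not decoded here")
        if std_bits:
            for bit, (name, align, size) in FIELDS.items():
                if not word & (1 << bit):
                    continue
                pos += (-(pos - base)) % align   # pad to the field's alignment
                if pos + size > it_len:
                    raise ValueError("%s runs past it_len" % name)
                fmt = {1: "<B", 4: "<HH", 8: "<Q"}[size]
                vals = struct.unpack_from(fmt, data, pos)
                fields[name] = (pos, vals[0] if len(vals) == 1 else vals)
                pos += size
        # Bit 29 set: the next word starts again at radiotap bit 0.
        std_bits = bool(word & (1 << BIT_RADIOTAP_NS))
    return it_len, fields


def build_frame(presents, tsft, flags, rate):
    """Constructed, correctly aligned frame: radiotap header + 4 dummy 802.11 bytes.

    `presents` is the it_present word chain; its first word must request
    exactly TSFT, Flags and Rate (bits 0, 1, 2).
    """
    pos = 4 + 4 * len(presents)
    body = b"\x00" * ((-pos) % 8) + struct.pack("<QBB", tsft, flags, rate)
    it_len = pos + len(body)
    hdr = struct.pack("<BBH", 0, 0, it_len)
    hdr += b"".join(struct.pack("<I", w) for w in presents)
    return hdr + body + b"\x80\x00\x00\x00"


ONE_BITMAP = build_frame([0x00000007], 0x1122334455667788, 0x10, 0x0c)
TWO_BITMAPS = build_frame([0x80000007, 0x00000000], 0x1122334455667788, 0x10, 0x0c)
```

With one it_present word the header is 8 bytes long and both alignment bases give the same result, which is why the bug went unnoticed. With two words the header is 12 bytes, TSFT must start at offset 16, and aligning from the end of the bitmaps reads it at offset 12: four padding bytes plus half the timestamp, with Flags and Rate then taken from the timestamp's remaining bytes.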
This commit adds the support of Multipath TCP (MPTCP). MPTCP is a new
extension to TCP standardized at the IETF. MPTCP allows several IP
addresses to be used at the same time by distributing data across several subflows (TCP
connections) while still presenting the standard TCP socket API to the
application. Its benefits are better resource utilization, better throughput
and smoother reaction to failures.
This change adds new code to decode ZeroMQ datagrams, couples it with
the PGM decoder and extends the -T option to make all this work.
There are two new test cases based on existing captures of ZMTP/1.0
inside [E]PGM to decode the ZMTP/1.0 part of these.
This functionality enables decoding of the traffic zeromq library
produces for "pgm://" and "epgm://" protocol schemas.
The original PGM uses its own IP protocol number. "EPGM" or "PGM/UDP"
stands for UDP-encapsulated PGM, which has no assigned UDP port number
and can be decoded only by means of -T option, which now accepts "pgm"
protocol type for this purpose. There is also a sample capture of EPGM
now (similar to the one of native PGM, but produced using the "epgm://"
protocol schema) and a respective test case.
This commit adds a capture of a few PGM (IP protocol 113) packets
produced with version 2.2.0 of zeromq library built with PGM support
(using the "pgm://" protocol schema). Each of the three ODATA packets in
the capture contains a ZeroMQ datagram in the "Data" (application data)
field. There is a new test case covering the PGM part of the capture.
msnlb1.pcap contains two heartbeat packets from a single cluster (two
nodes). msnlb2.pcap is the same capture with a lower snaplen to exercise
the truncation code path.
This change adds support for ZMTP/1.0 (ZeroMQ Message Transport Protocol
1.0) framing in TCP packets, as defined in http://rfc.zeromq.org/spec:13
and implemented in zeromq library.
Since there is no assigned port number for ZeroMQ, the user is left
responsible for making only the related TCP packets captured and
enforcing ZMTP/1.0 decoding through the "-T zmtp1" option.
Each ZMTP/1.0 frame of a packet will produce a single additional line of
output. The "-v" flag will add up to 8 lines (128 bytes) worth of
hex+ASCII dump of the frame body, and "-vv" and higher will dump the
full frame body, however long.
Beware that this code handles neither IP fragmentation nor TCP
segmentation and will incorrectly decode segments not starting at a
frame boundary.
The included sample capture stands for a short ZeroMQ session between a
REQ/REP socket pair doing 3 anonymous 2-way exchanges. It was produced
using version 2.1.9 of zeromq library patched to fix its bug #293, so
that all MBZ bits of the flags field are set to 0.
This change updates Babel decoder output format to match terminology of
draft-ovsienko-babel-hmac-authentication-00 and reverts recent addition
of DLen field to TLV type 12.
This change reflects a new Digest Length field added to Hash Digest TLV
in the current draft of Babel authentication spec. babel_print_v2() is
updated to fetch and validate the new field. Test files too.
This change addresses a few issues in rip_entry_print_v2() and
rip_print():
1. In the case of Simple Password (RFC2453) authentication the last
(16th) character of a password was never printed. Other password
characters were printed regardless of existing isprint() test.
2. In the case of Cryptographic (RFC4822) authentication there were no
details available for fixed-size auth header and variable-size auth
trailer.
3. Depending on the particular hash function used, a normal authentication
trailer "RTE" may be 20 or more bytes long. Iteration over packet RTEs
should stop once a trailer is decoded. Exact number of RTEs in a message
cannot be told from message size any more.
Test cases are added for Request and Response messages with Simple
Password, Keyed-MD5, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 and
HMAC-SHA-512 authentication modes. Earlier test case is updated to match
new "number of routes" output format.
RIP Request and Response messages have the same structure. Update a
switch block in rip_print() to proceed with decoding of both.
A Request message may contain an AFI 0 RTE standing for a full table
request, normally sent on a router start. Update rip_entry_print_v1()
and rip_entry_print_v2() to treat IPv4 and AFI 0 as two valid,
distinguishable cases.
This change extends existing Babel protocol decoder to recognise
experimental authentication TLVs (types 11 and 12) and includes
a respective test case for the new code.
The most notable difference between RFC5006 and RFC6106 is the addition
of DNSSL RA option. This commit adds DNSSL handling code to make tcpdump
fully RFC6106-aware. This code has been tested against RA packets
generated by Quagga and radvd.
Multiple nexthops in MP-BGP were not getting separated, so you are
left wondering "what kind of address is dead:beef::1fe80::1ff:fe01:0"?
Separate them with ", " so that it is more clear that they are
multiple nexthops.
On Tue, Jun 28, 2011 at 3:52 PM, Michael Richardson <mcr@sandelman.ca> wrote:
> I'm not aware of a new file.
The email I responded to had 4 attachments sent by Evangelos.
Those were supposed to replace the files with those exact names.
> Please send github tree, ideally.
You mentioned github to me last time and offered to get me to
learn it in 5 minutes;-> I haven't had time and the old school stuff I do
still works.
How about I send you patch #1 to delete the old files (as attached)
and another to re-add with new ones.
Alternatively: I could send one that overrides the existing ones.
cheers,
jamal
> --
> ] He who is tired of Weird Al is tired of life! | firewalls [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
> then sign the petition.
>
commit d93443f24bfb5fd982ff33deb66979bae811db57
Author: Jamal Hadi Salim <jhs@mojatatu.com>
Date: Tue Jun 28 16:15:49 2011 -0400
[PATCH] Remove test files using old ForCES ports
Signed-off-by: Jamal Hadi Salim <hadi@mojatatu.com>
Instead of printing the result of udp_cksum() if it's non-zero, print
the checksum field value and the value it should have had. That means
that what we print is the same regardless of whether we're running on a
big-endian or little-endian machine.
Also, just as we did with TCP:
Check -v and -K, and the fragmented flag, up front; then check the IP
version etc.. Don't check for IPv6 if we already know it's IPv4. Fetch
the checksum field only once.
Update some test files for the new output format.
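The UDP checksum rules behind this commit, the RADIUS-capture length fix earlier on this page (the UDP length field counts the 8-byte header) and the IPv6 routing-header note (the pseudo-header carries the final destination), as one added Python example that is not tcpdump's udp_cksum()/in_cksum code. udp_checksum() returns the on-the-wire field beside the value it should have had, the same pair this commit prints. The datagrams are constructed; the RADIUS-looking payload is just 20 bytes of header-shaped filler.

```python
"""UDP checksum verification over an IPv4 or IPv6 pseudo-header.

Added example, not tcpdump's udp_cksum()/in_cksum code. Shows that the UDP
length field covers the 8-byte header plus payload, that this length enters
both the pseudo-header and the summed data, and reports the on-the-wire
checksum next to the value it should have had. Sample datagrams are
constructed.
"""
import ipaddress
import struct

UDP_HDR_LEN = 8


def ones_complement_sum(data):
    """RFC 1071 16-bit one's-complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_pseudo_header(src, dst, udp_len):
    """Pseudo-header for IPv4 (RFC 768) or IPv6 (RFC 8200 section 8.1).

    For IPv6 with a Routing header, dst must be the final destination
    (the last address in the routing header), not the address in the
    fixed IPv6 header.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address family mismatch")
    if s.version == 4:
        return s.packed + d.packed + struct.pack("!BBH", 0, 17, udp_len)
    return s.packed + d.packed + struct.pack("!IBBBB", udp_len, 0, 0, 0, 17)


def udp_checksum(src, dst, udp_segment):
    """Return (checksum_in_header, expected_checksum) for a UDP segment."""
    _sport, _dport, length, cksum = struct.unpack("!HHHH", udp_segment[:UDP_HDR_LEN])
    if length < UDP_HDR_LEN or length > len(udp_segment):
        raise ValueError("bad UDP length %d for %d-byte segment" % (length, len(udp_segment)))
    # Sum pseudo-header + UDP header (checksum field zeroed) + payload, using
    # the header's own length field exactly as a receiver does: a length that
    # omits the 8-byte header drops payload from the sum and the check fails.
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[UDP_HDR_LEN:length]
    total = ones_complement_sum(udp_pseudo_header(src, dst, length) + zeroed)
    expected = (~total) & 0xFFFF
    if expected == 0:
        expected = 0xFFFF                 # RFC 768: a computed zero is sent as all ones
    return cksum, expected


def build_udp(src, dst, sport, dport, payload, length=None):
    """Constructed UDP segment; length defaults to the correct 8 + len(payload)."""
    if length is None:
        length = UDP_HDR_LEN + len(payload)
    seg = struct.pack("!HHHH", sport, dport, length, 0) + payload
    _, cksum = udp_checksum(src, dst, seg)
    return seg[:6] + struct.pack("!H", cksum) + payload


# Constructed RADIUS-shaped payload: code 1 (Access-Request), id 0, length 20,
# then 16 zero bytes standing in for the authenticator.
PAYLOAD = b"\x01\x00\x00\x14" + bytes(16)
GOOD = build_udp("192.0.2.1", "192.0.2.2", 1812, 1812, PAYLOAD)
# Same datagram with the broken length from the old capture: payload only.
BAD_LENGTH = GOOD[:4] + struct.pack("!H", len(PAYLOAD)) + GOOD[6:]
```

Printing the field and the expected value side by side, rather than the raw sum, gives identical output on big- and little-endian hosts and lets the reader see whether the mismatch is a single flipped length or a genuinely corrupt payload.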
Get rid of some no-longer-necessary uudecodes (Git can store binary
files such as pcap files, so we no longer need to uuencode them, and the
uuencoded files are no longer around), and handle the "-X" and "-XX"
flag tests (where we had to rename the "should be" output files to avoid
collisions on case-insensitive file systems such as the default local
file system on the desktop UN*X with the biggest market share).
That way, uudecode will write the decoded output there, rather than to a
file named "empty" that gets left around. That also means we don't need
to redirect the output of uudecode to /dev/null, so don't do that.
Doing it at make time means you don't have to re-run the configure
script if you add uudecode to your system, and doing it by uudecoding a
uuencoded empty file means we don't depend on uudecode supporting
"--help".
commit 0a029bab08
Author: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Sat Nov 14 20:51:44 2009 -0500
updated print-flags test case to have new TCP flags
to print-capXX.out, prior to removing print-XX.out (again - see previous
commits; it collides with print-xx.out on systems with case-insensitive
file systems).