Go to file
Denis Ovsienko 289c672020 CVE-2017-13051/RSVP: fix bounds checks for UNI
Fixup the part of rsvp_obj_print() that decodes the GENERALIZED_UNI
object from RFC 3476 Section 3.1 to check the sub-objects inside that
object more thoroughly.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
.github add a GitHub issue template 2017-02-02 13:24:13 +00:00
lbl Do case-insensitive comparisons assuming ASCII strings. 2015-06-11 15:47:44 -07:00
missing Don't require IPv6 library support in order to support IPv6 addresses. 2015-09-17 14:56:44 -07:00
tests CVE-2017-13051/RSVP: fix bounds checks for UNI 2017-09-13 12:25:44 +01:00
win32 Update Visual Studio files. 2015-09-18 12:40:03 -07:00
.gitattributes add a GitHub issue template 2017-02-02 13:24:13 +00:00
.gitignore add libnetdissect.a to .gitignore 2014-01-03 01:16:49 +04:00
.travis-coverity-scan-build.sh Coverity: Build script: Update the upload URL for the framework change 2015-10-30 19:10:30 +01:00
.travis.yml Travis CI: enable fast_finish 2017-09-06 11:11:44 +01:00
aclocal.m4 Handle attributes for function pointers by checking the compiler version. 2017-08-19 11:25:24 -07:00
addrtoname.c That array only needs 16 elements. 2017-09-13 12:25:44 +01:00
addrtoname.h CVE-2017-13016/ES-IS: Fix printing of addresses in RD PDUs. 2017-09-13 12:25:44 +01:00
addrtostr.c Clean up addrtostr6(). 2017-09-13 12:25:44 +01:00
addrtostr.h Don't require IPv6 library support in order to support IPv6 addresses. 2015-09-17 14:56:44 -07:00
af.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
af.h zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
ah.h More fixes for uint8_t being shorter than u_int8_t. 2014-04-23 11:53:22 -07:00
appletalk.h More fixes for uint8_t being shorter than u_int8_t. 2014-04-23 11:53:22 -07:00
ascii_strcasecmp.c Use hex constants so compilers don't whine about negative initializers. 2015-09-17 12:17:02 -07:00
ascii_strcasecmp.h Get rid of "tcpdump" in some libnetdissect codes 2015-09-08 18:01:26 +02:00
atime.awk Initial revision 1999-10-07 23:47:09 +00:00
atm.h remove tcpdump's own CVS keywords 2014-01-03 00:59:08 +04:00
bpf_dump.c libnetdissect code must include 'netdissect.h', not 'interface.h' 2015-09-11 13:22:56 +02:00
CHANGES We also turn of *all* protocol name resolution with -n. 2017-09-03 12:12:23 -07:00
chdlc.h remove tcpdump's own CVS keywords 2014-01-03 00:59:08 +04:00
checksum.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
config.guess Update config.{sub,guess}, timestamp='2015-02-2[23]' 2015-03-01 14:00:34 +01:00
config.h.in Make the ESP decryption not crash with OpenSSL 1.1. 2017-09-01 04:00:38 -07:00
config.sub Update config.{sub,guess}, timestamp='2015-02-2[23]' 2015-03-01 14:00:34 +01:00
configure Make the ESP decryption not crash with OpenSSL 1.1. 2017-09-01 04:00:38 -07:00
configure.in Make the ESP decryption not crash with OpenSSL 1.1. 2017-09-01 04:00:38 -07:00
CONTRIBUTING refine the feedback guidelines 2017-02-02 11:38:05 +00:00
cpack.c Rename 'tcpdump-stdinc.h' to 'netdissect-stdinc.h' 2015-09-10 08:50:40 +02:00
cpack.h Fix a bunch of de-constifications. 2015-04-26 17:24:42 -07:00
CREDITS Fix my email address 2017-08-23 21:39:15 +04:00
ether.h The last 2 bytes of an Ethernet header are the "length/type field". 2015-12-16 21:04:13 -08:00
ethertype.h add NSH ethertype 2017-04-02 09:08:17 +01:00
extract.h CVE-2017-13025/IPv6 mobility: Add a bounds check before fetching data 2017-09-13 12:25:44 +01:00
funcattrs.h MSVC doesn't allow __declspec(noreturn) to be applied to function pointers. 2017-09-06 11:02:15 -07:00
getopt_long.h delete trailing spaces/tabs 2014-05-12 10:20:58 +02:00
gmpls.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
gmpls.h zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
gmt2local.c Rename 'tcpdump-stdinc.h' to 'netdissect-stdinc.h' 2015-09-10 08:50:40 +02:00
gmt2local.h remove tcpdump's own CVS keywords 2014-01-03 00:59:08 +04:00
in_cksum.c Use uintptr_t to look at the bits of a pointer. 2015-12-15 11:22:19 -08:00
install-sh delete trailing spaces/tabs 2014-05-12 10:20:58 +02:00
INSTALL.txt list CONTRIBUTING in INSTALL.txt 2017-03-06 11:58:12 +00:00
interface.h More use of PRINTFLIKE(). 2017-08-18 20:53:52 -07:00
ip6.h RT6: Fix alignment issue with Solaris Studio 12.3 on Solaris 10 SPARC 2017-09-13 12:25:44 +01:00
ip.h Use the nd_uintN_t types more. 2015-10-07 00:14:20 -07:00
ipproto.c Fixup the previous commit. 2017-08-27 21:11:43 +01:00
ipproto.h Use a table instead of getprotobynumber(). 2017-08-27 14:19:25 +01:00
l2vpn.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
l2vpn.h zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
LICENSE added license file 2000-10-09 22:38:24 +00:00
llc.h remove tcpdump's own CVS keywords 2014-01-03 00:59:08 +04:00
machdep.c Handle attributes for function pointers by checking the compiler version. 2017-08-19 11:25:24 -07:00
machdep.h Get rid of "tcpdump" in some libnetdissect codes 2015-09-08 18:01:26 +02:00
Makefile-devel-adds The configure script depends on aclocal.m4. 2013-05-12 15:29:20 -07:00
Makefile.in Suppress UBSan warnings from EXTRACT_. 2017-08-18 20:11:43 -07:00
makemib delete trailing spaces/tabs 2014-05-12 10:20:58 +02:00
mib.h Declare some variables as static 2016-09-11 21:45:26 +02:00
mkdep mkdep: It uses now the build environment PATH 2015-01-18 12:22:47 +01:00
mpls.h remove tcpdump's own CVS keywords 2014-01-03 00:59:08 +04:00
nameser.h spell ASCII in uppercase 2017-08-10 09:52:46 +01:00
netdissect-stdinc.h Suppress UBSan warnings from EXTRACT_. 2017-08-18 20:11:43 -07:00
netdissect.c Use strlcpy(), rather than snprintf(), to avoid null format string warnings. 2016-08-06 15:05:30 -07:00
netdissect.h CVE-2017-12897/ISO CLNS: Use ND_TTEST() for the bounds checks in isoclns_print(). 2017-09-13 12:25:44 +01:00
nfs.h More getting rid of old u_intN_t. 2014-04-23 00:45:13 -07:00
nfsfh.h Don't overflow the Opaque_Handle buffer. 2017-01-18 09:16:39 +01:00
nlpid.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
nlpid.h zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
openflow.h OpenFlow: add vendor name printing 2014-12-13 18:06:04 +00:00
ospf.h OSPF: refine unknown packet type handling 2017-02-02 20:55:03 +00:00
oui.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
oui.h zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
packetdat.awk Initial revision 1999-10-07 23:47:09 +00:00
parsenfsfh.c Make sure the Opaque_Handle string is null-terminated. 2017-01-18 09:16:40 +01:00
pcap_dump_ftell.c remove tcpdump's own CVS keywords 2014-01-03 00:59:08 +04:00
pcap-missing.h Get rid of "tcpdump" in some libnetdissect codes 2015-09-08 18:01:26 +02:00
PLATFORMS update PLATFORMS 2017-03-15 11:35:56 +00:00
ppp.h remove tcpdump's own CVS keywords 2014-01-03 00:59:08 +04:00
print-802_11.c CVE-2017-13008/IEEE 802.11: Fix TIM bitmap copy to copy from p + offset. 2017-09-13 12:25:44 +01:00
print-802_15_4.c CVE-2017-13000/IEEE 802.15.4: Fix bug introduced two fixes prior. 2017-09-13 12:25:44 +01:00
print-ah.c CVE-2016-7922/AH: Add a bounds check 2017-01-18 09:16:39 +01:00
print-ahcp.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-aodv.c CVE-2017-13002/AODV: Add some missing bounds checks. 2017-09-13 12:25:44 +01:00
print-aoe.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-ap1394.c CVE-2016-7985,7986/Change the way protocols print link-layer addresses. 2017-01-18 09:16:36 +01:00
print-arcnet.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-arp.c CVE-2017-13013/ARP: Fix printing of ARP protocol addresses. 2017-09-13 12:25:44 +01:00
print-ascii.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-atalk.c AppleTalk: Address a few cppcheck style notices. 2017-09-06 09:58:36 +01:00
print-atm.c CVE-2017-12897/ISO CLNS: Use ND_TTEST() for the bounds checks in isoclns_print(). 2017-09-13 12:25:44 +01:00
print-babel.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-beep.c CVE-2017-13010/BEEP: Do bounds checking when comparing strings. 2017-09-13 12:25:44 +01:00
print-bfd.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
print-bgp.c CVE-2017-13043/BGP: fix decoding of MVPN route types 6 and 7 2017-09-13 12:25:44 +01:00
print-bootp.c CVE-2017-13028/BOOTP: Add a bounds check before fetching data 2017-09-13 12:25:44 +01:00
print-bt.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-calm-fast.c CVE-2016-7985,7986/Change the way protocols print link-layer addresses. 2017-01-18 09:16:36 +01:00
print-carp.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-cdp.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-cfm.c Remove some trailing spaces 2017-09-13 12:25:44 +01:00
print-chdlc.c CVE-2017-12897/ISO CLNS: Use ND_TTEST() for the bounds checks in isoclns_print(). 2017-09-13 12:25:44 +01:00
print-cip.c CVE-2016-7992/When comparing against an LLC+SNAP header, check only the bytes we have. 2017-01-18 09:16:35 +01:00
print-cnfp.c Use a table instead of getprotobynumber(). 2017-08-27 14:19:25 +01:00
print-dccp.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-decnet.c CVE-2017-12899/DECnet: Fix bounds checking. 2017-09-13 12:25:44 +01:00
print-dhcp6.c CVE-2017-13017/DHCPv6: Add a missing option length check. 2017-09-13 12:25:44 +01:00
print-domain.c CVE-2017-12995/Check for DNS compression pointers that don't point backwards. 2017-09-13 12:25:44 +01:00
print-dtp.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-dvmrp.c CVE-2016-7993/Clean up relative time stamp printing. 2017-01-18 09:16:38 +01:00
print-eap.c CVE-2017-13015/EAP: Add more bounds checks. 2017-09-13 12:25:44 +01:00
print-egp.c Fix bounds checks. 2017-01-18 09:16:40 +01:00
print-eigrp.c CVE-2017-12901/EIGRP: Do more length checks. 2017-09-13 12:25:44 +01:00
print-enc.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-esp.c Make the ESP decryption not crash with OpenSSL 1.1. 2017-09-01 04:00:38 -07:00
print-ether.c CVE-2017-12897/ISO CLNS: Use ND_TTEST() for the bounds checks in isoclns_print(). 2017-09-13 12:25:44 +01:00
print-fddi.c CVE-2016-7985,7986/Change the way protocols print link-layer addresses. 2017-01-18 09:16:36 +01:00
print-forces.c ForCES: Fix undefined behaviour in op_valid(). 2017-09-06 00:52:57 +01:00
print-fr.c CVE-2017-12897/ISO CLNS: Use ND_TTEST() for the bounds checks in isoclns_print(). 2017-09-13 12:25:44 +01:00
print-frag6.c CVE-2017-13031/Check for the presence of the entire IPv6 fragment header. 2017-09-13 12:25:44 +01:00
print-ftp.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-geneve.c pass correct caplen to other functions as well 2017-01-18 09:16:41 +01:00
print-geonet.c CVE-2016-7985,7986/Change the way protocols print link-layer addresses. 2017-01-18 09:16:36 +01:00
print-gre.c CVE-2017-12897/ISO CLNS: Use ND_TTEST() for the bounds checks in isoclns_print(). 2017-09-13 12:25:44 +01:00
print-hncp.c CVE-2017-13044/HNCP: add DHCPv4-Data bounds checks 2017-09-13 12:25:44 +01:00
print-hsrp.c CVE-2016-7993/Clean up relative time stamp printing. 2017-01-18 09:16:38 +01:00
print-http.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-icmp6.c CVE-2017-13041/ICMP6: Add more bounds checks. 2017-09-13 12:25:44 +01:00
print-icmp.c CVE-2017-13012/ICMP: Add a missing bounds check. 2017-09-13 12:25:44 +01:00
print-igmp.c IGMP: Add a length check 2017-01-18 09:16:39 +01:00
print-igrp.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-ip6.c CVE-2017-12985/IPv6: Check for print routines returning -1 when running past the end. 2017-09-13 12:25:44 +01:00
print-ip6opts.c Fix Linux/GCC build after the previous commit. 2017-09-13 12:25:44 +01:00
print-ip.c CVE-2017-13037/IP: Add bounds checks when printing time stamp options. 2017-09-13 12:25:44 +01:00
print-ipcomp.c Stop processing IPPROTO_ values once we hit IPPROTO_IPCOMP. 2017-01-18 09:16:37 +01:00
print-ipfc.c CVE-2016-7985,7986/Change the way protocols print link-layer addresses. 2017-01-18 09:16:36 +01:00
print-ipnet.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-ipx.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-isakmp.c CVE-2017-13039/IKEv1: Do more bounds checking. 2017-09-13 12:25:44 +01:00
print-isoclns.c CVE-2017-13047/ES-IS: put an existing bounds check right 2017-09-13 12:25:44 +01:00
print-juniper.c CVE-2017-13004/Juniper: Add a bounds check. 2017-09-13 12:25:44 +01:00
print-krb.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-l2tp.c CVE-2017-13006/L2TP: Check whether an AVP's content exceeds the AVP length. 2017-09-13 12:25:44 +01:00
print-lane.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-ldp.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
print-lisp.c LISP: include local netdissect.h first 2017-03-12 10:07:42 +00:00
print-llc.c CVE-2017-12897/ISO CLNS: Use ND_TTEST() for the bounds checks in isoclns_print(). 2017-09-13 12:25:44 +01:00
print-lldp.c Remove some trailing spaces 2017-09-13 12:25:44 +01:00
print-lmp.c CVE-2017-13003/Clean up the LMP dissector. 2017-09-13 12:25:44 +01:00
print-loopback.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-lspping.c CVE-2017-12900/Properly terminate all struct tok arrays. 2017-09-13 12:25:44 +01:00
print-lwapp.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-lwres.c CVE-2016-7993/Clean up relative time stamp printing. 2017-01-18 09:16:38 +01:00
print-m3ua.c M3UA: Fix a typo 2017-05-11 15:56:08 +02:00
print-medsa.c CVE-2016-7985,7986/fixup medsa_print() 2017-01-18 18:24:53 +00:00
print-mobile.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-mobility.c CVE-2017-13025/IPv6 mobility: Add a bounds check before fetching data 2017-09-13 12:25:44 +01:00
print-mpcp.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
print-mpls.c CVE-2017-12897/ISO CLNS: Use ND_TTEST() for the bounds checks in isoclns_print(). 2017-09-13 12:25:44 +01:00
print-mptcp.c CVE-2017-13040/MPTCP: Clean up printing DSS suboption. 2017-09-13 12:25:44 +01:00
print-msdp.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-msnlb.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-nflog.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-nfs.c NFS: Check for all relevant RPC call body fields at the beginning. 2017-09-13 12:25:44 +01:00
print-nsh.c CVE-2017-5342/pass correct caplen value to ether_print() 2017-01-18 09:16:41 +01:00
print-ntp.c NTP: Add missing bounds checks. 2017-09-04 12:40:36 +01:00
print-null.c CVE-2017-12897/ISO CLNS: Use ND_TTEST() for the bounds checks in isoclns_print(). 2017-09-13 12:25:44 +01:00
print-olsr.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
print-openflow-1.0.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-openflow.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-ospf6.c OSPFv3: More bounds checks. 2017-09-13 12:25:44 +01:00
print-ospf.c OSPF: refine unknown packet type handling 2017-02-02 20:55:03 +00:00
print-otv.c use constant macros for OTV and VXLAN-GPE 2017-02-02 22:42:50 +00:00
print-pflog.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-pgm.c CVE-2017-13034/PGM: Add a bounds check. 2017-09-13 12:25:44 +01:00
print-pim.c PIM: Iterate using the length, not the end pointer. 2017-09-13 12:25:44 +01:00
print-pktap.c CVE-2017-13007/PKTAP: Pass a properly updated struct pcap_pkthdr to the sub-dissector. 2017-09-13 12:25:44 +01:00
print-ppi.c PKTAP,PPI: Fix printing NULL string pointers 2016-10-13 22:18:21 +02:00
print-ppp.c CVE-2017-13038/PPP: Do bounds checking. 2017-09-13 12:25:44 +01:00
print-pppoe.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-pptp.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-radius.c CVE-2017-13032/RADIUS: Check whether a byte exists before testing its value. 2017-09-13 12:25:44 +01:00
print-raw.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-resp.c RESP: Fix overflow check. 2017-09-13 12:25:44 +01:00
print-rip.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-ripng.c CVE-2017-12992/RIPng: Clean up bounds checking. 2017-09-13 12:25:44 +01:00
print-rpki-rtr.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
print-rrcp.c CVE-2016-7985,7986/Change the way protocols print link-layer addresses. 2017-01-18 09:16:36 +01:00
print-rsvp.c CVE-2017-13051/RSVP: fix bounds checks for UNI 2017-09-13 12:25:44 +01:00
print-rt6.c ip6r0_reserved is an array of octets; extract the value from it. 2017-09-13 12:25:44 +01:00
print-rtsp.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-rx.c Rx: add a missing bounds check for callbacks 2017-09-13 12:25:44 +01:00
print-sctp.c Remove parenthesis following immediately a #if 2016-09-01 14:16:52 +02:00
print-sflow.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-sip.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
print-sl.c CVE-2017-11543/Make sure the SLIP direction octet is valid. 2017-09-02 21:36:44 +01:00
print-sll.c CVE-2016-7985,7986/Change the way protocols print link-layer addresses. 2017-01-18 09:16:36 +01:00
print-slow.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
print-smb.c Do bounds checks on NBNS resource types and resource data lengths. 2017-01-18 09:16:40 +01:00
print-smtp.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-snmp.c CVE-2017-5483/SNMP: improve ASN.1 bounds checks 2017-01-18 09:16:41 +01:00
print-stp.c CVE-2017-11108/Fix bounds checking for STP. 2017-07-22 23:57:42 +01:00
print-sunatm.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-sunrpc.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-symantec.c CVE-2016-7985,7986/Change the way protocols print link-layer addresses. 2017-01-18 09:16:36 +01:00
print-syslog.c syslog: squelch a cppcheck warning (GH #568) 2017-09-05 23:03:21 +01:00
print-tcp.c Squelch some alignment warnings. 2017-07-22 13:25:46 -07:00
print-telnet.c CVE-2017-12988/TELNET: Add a missing bounds check. 2017-09-13 12:25:44 +01:00
print-tftp.c Just dissect the TFTP packet byte by byte. 2017-09-13 12:25:44 +01:00
print-timed.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-tipc.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-token.c CVE-2016-7985,7986/Change the way protocols print link-layer addresses. 2017-01-18 09:16:36 +01:00
print-udld.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-udp.c Use ND_TCHECK_32BITS() before EXTRACT_32BITS(). 2017-01-18 09:16:42 +01:00
print-usb.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-vjc.c Add a summary comment in all other printers 2016-08-15 22:42:38 +02:00
print-vqp.c CVE-2017-13045/VQP: add some bounds checks 2017-09-13 12:25:44 +01:00
print-vrrp.c Move the printer summaries from INSTALL.txt to each printer 2016-08-14 17:03:43 +02:00
print-vtp.c CVE-2017-13033/VTP: Add more bound and length checks. 2017-09-13 12:25:44 +01:00
print-vxlan-gpe.c use constant macros for OTV and VXLAN-GPE 2017-02-02 22:42:50 +00:00
print-vxlan.c CVE-2017-5342/pass correct caplen value to ether_print() 2017-01-18 09:16:41 +01:00
print-wb.c CVE-2017-13014/White Board: Do more bounds checks. 2017-09-13 12:25:44 +01:00
print-zephyr.c CVE-2017-12902/Zephyr: Fix bounds checking. 2017-09-13 12:25:44 +01:00
print-zeromq.c CVE-2016-7938/ZeroMQ: fix an infinite loop 2017-01-18 09:16:39 +01:00
print.c Handle attributes for function pointers by checking the compiler version. 2017-08-19 11:25:24 -07:00
print.h Eliminate some remaining uses of u_int32_t. 2015-09-18 15:11:43 -07:00
README add a convenience symlink for README 2014-01-02 16:27:19 +04:00
README.md refine the feedback guidelines 2017-02-02 11:38:05 +00:00
Readme.Win32 Added a readme that explains how to compile tcpdump under Win32. 2002-08-09 13:51:40 +00:00
rpc_auth.h More getting rid of old u_intN_t. 2014-04-23 00:45:13 -07:00
rpc_msg.h More getting rid of old u_intN_t. 2014-04-23 00:45:13 -07:00
rpl.h Fix warnings as "comma at end of enumerator list" 2015-08-19 16:44:52 +02:00
send-ack.awk Initial revision 1999-10-07 23:47:09 +00:00
setsignal.c Rename 'tcpdump-stdinc.h' to 'netdissect-stdinc.h' 2015-09-10 08:50:40 +02:00
setsignal.h remove tcpdump's own CVS keywords 2014-01-03 00:59:08 +04:00
signature.c zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
signature.h zero change: update Hannes Gredler's email 2017-07-28 17:44:12 +02:00
slcompress.h remove tcpdump's own CVS keywords 2014-01-03 00:59:08 +04:00
smb.h Fix a bunch of de-constifications. 2015-04-26 17:24:42 -07:00
smbutil.c CVE-2017-12893/SMB/CIFS: Add a bounds check in name_len(). 2017-09-13 12:25:44 +01:00
stime.awk Initial revision 1999-10-07 23:47:09 +00:00
strtoaddr.c Get rid of last uses of/mentions of u_intN_t. 2016-10-06 02:20:25 -07:00
strtoaddr.h Don't require IPv6 library support in order to support IPv6 addresses. 2015-09-17 14:56:44 -07:00
tcp.h TCP: put TCP-AO option decoding right 2017-01-18 09:16:41 +01:00
tcpdump.1.in Clean up the output format description somewhat. 2017-05-23 13:39:57 -07:00
tcpdump.c Clean up pcap_findalldevs() call to find the first interface. 2017-09-09 10:39:50 -07:00
timeval-operations.h Get rid of "tcpdump" in some libnetdissect codes 2015-09-08 18:01:26 +02:00
udp.h BFD: Update to print optional authentication field 2016-08-17 11:46:54 +02:00
util-print.c CVE-2017-13011/Properly check for buffer overflow in bittok2str_internal(). 2017-09-13 12:25:44 +01:00
VERSION Call it 4.10.0-PRE-GIT for now. 2017-02-04 19:12:46 -08:00
vfprintf.c libnetdissect code must include 'netdissect.h', not 'interface.h' 2015-09-11 13:22:56 +02:00

tcpdump

Build
Status

To report a security issue please send an e-mail to security@tcpdump.org.

To report bugs and other problems, contribute patches, request a feature, provide generic feedback etc please see the file CONTRIBUTING in the tcpdump source tree root.

TCPDUMP 4.x.y Now maintained by "The Tcpdump Group" See www.tcpdump.org

Anonymous Git is available via:

git clone git://bpf.tcpdump.org/tcpdump

formerly from Lawrence Berkeley National Laboratory Network Research Group tcpdump@ee.lbl.gov
ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4)

This directory contains source code for tcpdump, a tool for network monitoring and data acquisition. This software was originally developed by the Network Research Group at the Lawrence Berkeley National Laboratory. The original distribution is available via anonymous ftp to ftp.ee.lbl.gov, in tcpdump.tar.Z. More recent development is performed at tcpdump.org, http://www.tcpdump.org/

Tcpdump uses libpcap, a system-independent interface for user-level packet capture. Before building tcpdump, you must first retrieve and build libpcap, also originally from LBL and now being maintained by tcpdump.org; see http://www.tcpdump.org/ .

Once libpcap is built (either install it or make sure it's in ../libpcap), you can build tcpdump using the procedure in the INSTALL.txt file.

The program is loosely based on SMI's "etherfind" although none of the etherfind code remains. It was originally written by Van Jacobson as part of an ongoing research project to investigate and improve tcp and internet gateway performance. The parts of the program originally taken from Sun's etherfind were later re-written by Steven McCanne of LBL. To insure that there would be no vestige of proprietary code in tcpdump, Steve wrote these pieces from the specification given by the manual entry, with no access to the source of tcpdump or etherfind.

Over the past few years, tcpdump has been steadily improved by the excellent contributions from the Internet community (just browse through the CHANGES file). We are grateful for all the input.

Richard Stevens gives an excellent treatment of the Internet protocols in his book "TCP/IP Illustrated, Volume 1". If you want to learn more about tcpdump and how to interpret its output, pick up this book.

Some tools for viewing and analyzing tcpdump trace files are available from the Internet Traffic Archive:

Another tool that tcpdump users might find useful is tcpslice:

It is a program that can be used to extract portions of tcpdump binary trace files. See the above distribution for further details and documentation.

Current versions can be found at www.tcpdump.org.

  • The TCPdump team

original text by: Steve McCanne, Craig Leres, Van Jacobson


This directory also contains some short awk programs intended as
examples of ways to reduce tcpdump data when you're tracking
particular network problems:

send-ack.awk
	Simplifies the tcpdump trace for an ftp (or other unidirectional
	tcp transfer).  Since we assume that one host only sends and
	the other only acks, all address information is left off and
	we just note if the packet is a "send" or an "ack".

	There is one output line per line of the original trace.
	Field 1 is the packet time in decimal seconds, relative
	to the start of the conversation.  Field 2 is delta-time
	from last packet.  Field 3 is packet type/direction.
	"Send" means data going from sender to receiver, "ack"
	means an ack going from the receiver to the sender.  A
	preceding "*" indicates that the data is a retransmission.
	A preceding "-" indicates a hole in the sequence space
	(i.e., missing packet(s)), a "#" means an odd-size (not max
	seg size) packet.  Field 4 has the packet flags
	(same format as raw trace).  Field 5 is the sequence
	number (start seq. num for sender, next expected seq number
	for acks).  The number in parens following an ack is
	the delta-time from the first send of the packet to the
	ack.  A number in parens following a send is the
	delta-time from the first send of the packet to the
	current send (on duplicate packets only).  Duplicate
	sends or acks have a number in square brackets showing
	the number of duplicates so far.

	Here is a short sample from near the start of an ftp:
		3.00    0.20   send . 512
		3.20    0.20    ack . 1024  (0.20)
		3.20    0.00   send P 1024
		3.40    0.20    ack . 1536  (0.20)
		3.80    0.40 * send . 0  (3.80) [2]
		3.82    0.02 *  ack . 1536  (0.62) [2]
	Three seconds into the conversation, bytes 512 through 1023
	were sent.  200ms later they were acked.  Shortly thereafter
	bytes 1024-1535 were sent and again acked after 200ms.
	Then, for no apparent reason, 0-511 is retransmitted, 3.8
	seconds after its initial send (the round trip time for this
	ftp was 1sec, +-500ms).  Since the receiver is expecting
	1536, 1536 is re-acked when 0 arrives.

packetdat.awk
	Computes chunk summary data for an ftp (or similar
	unidirectional tcp transfer). [A "chunk" refers to
	a chunk of the sequence space -- essentially the packet
	sequence number divided by the max segment size.]

	A summary line is printed showing the number of chunks,
	the number of packets it took to send that many chunks
	(if there are no lost or duplicated packets, the number
	of packets should equal the number of chunks) and the
	number of acks.

	Following the summary line is one line of information
	per chunk.  The line contains eight fields:
	   1 - the chunk number
	   2 - the start sequence number for this chunk
	   3 - time of first send
	   4 - time of last send
	   5 - time of first ack
	   6 - time of last ack
	   7 - number of times chunk was sent
	   8 - number of times chunk was acked
	(all times are in decimal seconds, relative to the start
	of the conversation.)

	As an example, here is the first part of the output for
	an ftp trace:

	# 134 chunks.  536 packets sent.  508 acks.
	1       1       0.00    5.80    0.20    0.20    4       1
	2       513     0.28    6.20    0.40    0.40    4       1
	3       1025    1.16    6.32    1.20    1.20    4       1
	4       1561    1.86    15.00   2.00    2.00    6       1
	5       2049    2.16    15.44   2.20    2.20    5       1
	6       2585    2.64    16.44   2.80    2.80    5       1
	7       3073    3.00    16.66   3.20    3.20    4       1
	8       3609    3.20    17.24   3.40    5.82    4       11
	9       4097    6.02    6.58    6.20    6.80    2       5

	This says that 134 chunks were transferred (about 70K
	since the average packet size was 512 bytes).  It took
	536 packets to transfer the data (i.e., on the average
	each chunk was transmitted four times).  Looking at,
	say, chunk 4, we see it represents the 512 bytes of
	sequence space from 1561 to 2048.  It was first sent
	1.86 seconds into the conversation.  It was last
	sent 15 seconds into the conversation and was sent
	a total of 6 times (i.e., it was retransmitted every
	2 seconds on the average).  It was acked once, 140ms
	after it first arrived.

stime.awk
atime.awk
	Output one line per send or ack, respectively, in the form
		<time> <seq. number>
	where <time> is the time in seconds since the start of the
	transfer and <seq. number> is the sequence number being sent
	or acked.  I typically plot this data looking for suspicious
	patterns.


The problem I was looking at was the bulk-data-transfer
throughput of medium delay network paths (1-6 sec.  round trip
time) under typical DARPA Internet conditions.  The trace of the
ftp transfer of a large file was used as the raw data source.
The method was:

  - On a local host (but not the Sun running tcpdump), connect to
    the remote ftp.

  - On the monitor Sun, start the trace going.  E.g.,
      tcpdump host local-host and remote-host and port ftp-data >tracefile

  - On local, do either a get or put of a large file (~500KB),
    preferably to the null device (to minimize effects like
    closing the receive window while waiting for a disk write).

  - When transfer is finished, stop tcpdump.  Use awk to make up
    two files of summary data (maxsize is the maximum packet size,
    tracedata is the file of tcpdump tracedata):
      awk -f send-ack.awk packetsize=avgsize tracedata >sa
      awk -f packetdat.awk packetsize=avgsize tracedata >pd

  - While the summary data files are printing, take a look at
    how the transfer behaved:
      awk -f stime.awk tracedata | xgraph
    (90% of what you learn seems to happen in this step).

  - Do all of the above steps several times, both directions,
    at different times of day, with different protocol
    implementations on the other end.

  - Using one of the Unix data analysis packages (in my case,
    S and Gary Perlman's Unix|Stat), spend a few months staring
    at the data.

  - Change something in the local protocol implementation and
    redo the steps above.

  - Once a week, tell your funding agent that you're discovering
    wonderful things and you'll write up that research report
    "real soon now".