History log of /openbsd-src/usr.sbin/tcpdump/tcpdump.c (Results 1 – 25 of 99)
Revision Date Author Comments
# 9183674a 03-Mar-2023 claudio <claudio@openbsd.org>

Use EXTRACT_16BITS() in default_print() instead of handrolling it.
OK bluhm@


# 2b7cc9f7 28-Feb-2023 claudio <claudio@openbsd.org>

Adjust default_print() to not run over snapend.

Kill default_print_unaligned() and adjust default_print() to also work
with unaligned buffers. There is no need for two functions doing the
same thing.

Pass the right length in nsh_print to default_print(). Fixes one place
that makes tcpdump crash.
Reported by Peter J. Philipp (pjp at delphinusdns dot org)
OK mbuhl@


# c6925907 09-Jul-2022 halex <halex@openbsd.org>

Explicitly set the default value for Bflag to BPF_FILDROP_PASS

Technically a nop since the value of the initial constant is 0 anyway
but we should not rely on that.


# 60bba061 31-Jan-2022 naddy <naddy@openbsd.org>

tcpdump: fix -Wunused-but-set-variable warning

All "infile" handling was moved into priv_exec() when tcpdump was
privilege separated. The options are scanned both in priv_exec()
and in main(), so the empty case needs to remain in the latter.

ok deraadt@


# ea8fe135 04-Dec-2020 mvs <mvs@openbsd.org>

Don't link tcpdump(8) with libl and remove reference to `yydebug'.

From Martin Vahlensieck.


# b8b4c287 17-Aug-2020 dlg <dlg@openbsd.org>

add initial support for handling geneve packets.

it's like vxlan, but different. the most interesting difference to
vxlan is that the protocol adds support for adding optional metadata
to packets (like nsh). this diff currently just skips that stuff
and just handles the payload. for now.


# 03d04743 21-Jun-2020 dlg <dlg@openbsd.org>

wire the wireguard packet printer into tcpdump.

from Matt Dunwoodie and Jason A. Donenfeld


# f96bb33f 24-Jan-2020 procter <procter@openbsd.org>

- (void)printf() -> printf(); the cast adds clutter for little value.
- fprintf(stdout, ...) -> printf()
- fputs(x, stdout) -> printf(); for consistency.
fputs is twice as fast on atom x5-Z8300@1.44GHz but Amdahl sees a pure printf
tcpdump only 2% slower than a pure fputs (for constant strings) tcpdump
to /dev/null across a 20MB/~170k packet pcap file.

ok dlg@ for fputs and ok tedu@ krw@ deraadt@ a2k19 for the rest


# df69c215 28-Jun-2019 deraadt <deraadt@openbsd.org>

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# c3214778 26-May-2019 dlg <dlg@openbsd.org>

support -T erspan so arbitrary gre protocols can be seen as erspan

this lets me configure a custom gre protocol on a dell s4810 or
s5048 and see what's inside it when it lands on an openbsd box.

ok lteo@


# e1e6f92a 18-Mar-2019 dlg <dlg@openbsd.org>

support configuring BIOCSFILDROP with tcpdump.

this allows tcpdump to be used as a quick and dirty firewall. it also
looks like an amazing foot-gun, so be careful.

for example `tcpdump -B drop -i ix1 udp and port 7` lets you
completely drop discard packets in the hardware interrupt handler.

ok sthen@ mikeb@ claudio@ visa@


# 27d06223 08-Nov-2018 brynet <brynet@openbsd.org>

Hoist opening pf.os(5) fingerprints '-o' earlier so that it doesn't
need to be unveiled at runtime in the monitor process.

Cleanup the unused internal privsep "getlines" code, we now explicitly
fdpass the OS fingerprints file instead.

ok mestre@ kn@


# e628223a 06-Jul-2018 dlg <dlg@openbsd.org>

add support for vxlan packets.

I personally think vxlan looks suspiciously like gre, so I put the
parser in print-gre.c


# ccc4aa3f 06-Jul-2018 dlg <dlg@openbsd.org>

add "tftp" as a type to use with -T

This forces UDP packets to be parsed as tftp messages, which is useful
to see the DATA and ACK packets. They're usually on high ports which don't
get matched by udp_print, which by default only handled tftp packets on
port 69.


# e2aa8bfc 06-Jul-2018 dlg <dlg@openbsd.org>

Add "mpls" as a type to use with -T

This allows arbitrary UDP packets to be parsed as MPLS.


# 4bb91c93 06-Jul-2018 dlg <dlg@openbsd.org>

Add "gre" as a type to use with -T

This allows arbitrary UDP packets to be parsed as GRE packets.


# c834ed88 06-Feb-2018 dlg <dlg@openbsd.org>

rework ppp, pptp, and gre parsing.

this started cos i was looking at pptp, which came out like this:

23:52:00.197893 call 24 seq 7: gre-ppp-payload (gre encap)
23:52:00.198930 call 1 seq 7 ack 7: gre-ppp-payload (gre encap)

now it looks like this:

23:52:00.197893 20.0.0.2 > 20.0.0.1: pptp callid 24 seq 7: 17.1.1.122 > 40.0.0.2: icmp: echo request
23:52:00.198930 20.0.0.1 > 20.0.0.2: pptp callid 1 seq 7 ack 7: 40.0.0.2 > 17.1.1.122: icmp: echo reply

the big improvement in ppp parsing is it stops parsing based on
what the ppp headers say, rather than what bytes have been captured.
this also adds parsing of EAP packets.

DLT_PPP_SERIAL is now recognised and printed. gre now prints the
outer addresses always, not just when it's encapsulated by ipv6 or
-v is passed to tcpdump.

ok sthen@


# d00b8992 03-Feb-2018 mpi <mpi@openbsd.org>

Simple USBPcap parser for tcpdump(8). Raw dumps can be nicely analysed
in wireshark.

ok deraadt@, dlg@


# 753a1ada 08-Dec-2017 deraadt <deraadt@openbsd.org>

Convert snprintf+write into dprintf. It is simply easier to read, and
provides retry on short-write file descriptors.
ok florian, previous versions seen by millert


# a5f00fc0 08-Sep-2017 brynet <brynet@openbsd.org>

fork+exec model for tcpdump(8); re-exec the privileged child after fork

While tcpdump isn't a daemon in the traditional sense, it's not uncommon
for people to have long running sessions. At least on OpenBSD, this is
even safe thanks to the existing privsep design by otto@, canacar@ and
pledge(2) work done by deraadt.

ok deraadt@


# 7a61d4b0 16-Nov-2016 reyk <reyk@openbsd.org>

Add new DLT_OPENFLOW link-type to allow using tcpdump to debug switch(4),
eg. tcpdump -y openflow -i switch0

Includes a minor bump for libpcap.

Feedback and OK rzalamena@


# 031569f0 22-Dec-2015 mmcc <mmcc@openbsd.org>

assign pointers to NULL rather than 0


# 6ad041cb 16-Nov-2015 mmcc <mmcc@openbsd.org>

Remove remaining instances of the register keyword.

ok deraadt@


# 5a7b4dd4 28-Oct-2015 jca <jca@openbsd.org>

pcap_stat fields are unsigned, print them as such

Patch from Kevin Reay.


# 9ae4abf6 14-Oct-2015 guenther <guenther@openbsd.org>

Remove conditional compilation and #defines around signal handling
Don't catch signals that were ignored on entry
Suppress SIGCHLD if our kid is stopped: we don't care and it's not an error

ok millert@
