--- tcpshow.c.orig Tue Jun 12 17:51:10 2007
+++ tcpshow.c Tue Jun 12 18:27:37 2007
@@ -189,6 +189,7 @@
/****==========------------------------------------------------==========****/
#endif
+/* tm020221: modification of Tomo.M on 2002/02/21 */
#include <sys/types.h> // mr971021 Next four includes
#include <sys/socket.h>
@@ -204,6 +205,7 @@
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
+#include <locale.h>
/* Some general defines. */
@@ -362,18 +364,20 @@
#if !defined(NOETHERNAMES)
// mr980118 ether_ntohost() and related functions aren't prototyped in the
// standard include directory.
+#ifndef __FreeBSD__
extern struct ether_addr *ether_aton(char *);
extern int ether_ntohost(char *, struct ether_addr *);
#endif
+#endif
-void main(int, char **);
+int main(int, char **);
static boolean noBflag = FALSE;
static char *cookArgs[MAXCOOKARGS+1];
static boolean cookedFlag = FALSE;
-static uint2 dataLen = 0;
+static int2 dataLen = 0; // tm020221 must be 'signed'.
static char *dfltCookArgs[] = {
COOKER, "-enx", "-s10240", "-r-", (char *)NULL
};
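Review bot: Making `dataLen` a signed `int2` leaves the two `printf` calls that print it with `(data=%u)` (in the TCP hunks further down) formatting a signed value as unsigned, so a negative length would be shown as a very large number. Those conversions should become `(data=%d)`. The comment `must be 'signed'` would be more useful if it gave the reason, e.g. `/* signed: can drop below zero; callers test dataLen > 0 */` — that reason is inferred from the `dataLen > 0` check in the getPkt hunk and should be confirmed.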
@@ -512,7 +516,9 @@
return "";
}
- delta = currTime - *prevTime;
+ // tm020221 delta should be positive value, but ...
+ delta = currTime >= *prevTime ? currTime - *prevTime
+ : multiplier * 86400 + currTime - *prevTime;
*prevTime = currTime;
// Convert the delta time to daytime representation.
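Review bot: The new comment `delta should be positive value, but ...` does not say when `currTime` can be smaller than `*prevTime` or why a day is added. Something like `/* timestamps carry no date; a smaller value means the capture crossed midnight, so add one day */` would record the intent, assuming `multiplier` (defined outside the hunk) scales seconds to the unit of `currTime`. Input with out-of-order timestamps takes the same branch and gets a delta of almost a day, which is worth stating in the comment too.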
@@ -790,25 +796,38 @@
static boolean beenHereAlready = FALSE;
static char pktBuf[MAXPKT+1];
-
+ nextline:
if (fgets(pktBuf, MAXPKT+1, stdin) == (char *)NULL) {
if (nPktsShown > 0) prSep();
exit(0);
}
- /* Line without leading <tab> means start of new packet. */
- if (*pktBuf == '\t')
- return pkt = rmWSpace(pktBuf);
- elif (!beenHereAlready) { /* setjmp() won't have been called */
- beenHereAlready = TRUE; /* before reading 1st packet */
- return pkt = pktBuf;
- }
- else {
- if (dataLen > 0)
- printf("\n\t<*** Rest of data missing from packet dump ***>\n");
- pkt = pktBuf;
- longjmp(jmpBuf, 1);
+ // tm020221
+ // In these days, tcpdump produces much of irregular outputs.
+ // I had a work around by making logical change to original.
+ // + check lines in its pattern.
+ // + HEADER pattern triggers next showPkt();
+
+#define PTN_HEAD(buf) (buf[2] == ':' && buf[5] == ':' && buf[8] == '.')
+#define PTN_DATA(buf) (buf[0] == '\t')
+
+ if (PTN_HEAD(pktBuf)) {
+ if (beenHereAlready == FALSE) {
+ beenHereAlready = TRUE;
+ return pkt = pktBuf;
+ } else {
+ putchar('\n');
+ if (dataLen > 0)
+ printf("\n\t<*** Rest of data missing from packet dump ***>\n");
+ pkt = pktBuf;
+ longjmp(jmpBuf, 1);
+ }
+ }
+ elif (PTN_DATA(pktBuf)) {
+ if (nPktsShown > 0)
+ return pkt = rmWSpace(pktBuf);
}
+ goto nextline;
}
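Review bot: `PTN_HEAD` indexes `buf[2]`, `buf[5]` and `buf[8]` without checking how long the line just read is; because `pktBuf` is static, a line shorter than nine bytes is classified using bytes left over from an earlier line. Add a length guard and parenthesize the macro argument, e.g. `#define PTN_HEAD(buf) (strlen(buf) > 8 && (buf)[2] == ':' && (buf)[5] == ':' && (buf)[8] == '.')`. Lines that match neither pattern, and data lines seen before the first header, are now dropped silently; a comment saying this is intentional would help the next reader. getPkt's body begins outside the hunk.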
@@ -1125,7 +1144,9 @@
static char *icmpType (uint1 type) {
char *descr;
+ static char unknowntype[80];
+ snprintf(unknowntype, 80, "%s (%d)", unknown, type);
switch (type) {
case ECHO_REPLY: descr = "echo-reply"; break;
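Review bot: The `snprintf` into `unknowntype` runs on every call to icmpType, although its result is only used by the `default:` branch changed in the next hunk; move the call into that branch. Use `sizeof unknowntype` rather than repeating the literal `80`: `snprintf(unknowntype, sizeof unknowntype, "%s (%d)", unknown, type);`. Because the buffer is static, the returned string is overwritten by the next call with an unknown type, which deserves a one-line comment for callers that keep the pointer.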
@@ -1143,7 +1164,7 @@
case INFO_REPLY: descr = "information-reply"; break;
case MASK_REQ: descr = "address-mask-request"; break;
case MASK_REPLY: descr = "address-mask-reply"; break;
- default: descr = unknown; break;
+ default: descr = unknowntype; break;
}
return descr;
@@ -1241,6 +1262,15 @@
}
+void checklocale(void) {
+
+ char *lc;
+
+ if ((lc = getenv("LC_CTYPE")) != NULL) setlocale(LC_CTYPE,lc);
+ else if ((lc = getenv("LC_ALL")) != NULL) setlocale(LC_ALL,lc);
+
+ return;
+}
/****==========------------------------------------------------==========****/
/* */
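Review bot: `checklocale` gives `LC_CTYPE` priority over `LC_ALL` and never consults `LANG`, which is the reverse of the usual POSIX precedence, and it ignores the return value of `setlocale`. `setlocale(LC_CTYPE, "")` does the environment lookup itself with the standard precedence, so the body can become `if (setlocale(LC_CTYPE, "") == NULL) fprintf(stderr, "warning: locale not supported\n");`. Restricting the call to `LC_CTYPE` also avoids the `setlocale(LC_ALL, lc)` branch switching `LC_NUMERIC`, which could change how the decimal timestamps are parsed and printed elsewhere in the file (not visible here, so worth confirming). The function could be `static`, as the diff shows it called only from main.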
@@ -1248,7 +1278,7 @@
/* */
/****==========------------------------------------------------==========****/
-void main (int argc, char **argv) {
+int main (int argc, char **argv) {
/* Command line options. */
while (--argc > 0 && **++argv == '-')
@@ -1281,15 +1311,23 @@
}
else error("Unknown command line flag");
+ checklocale();
+
if (!cookedFlag)
forkTcpdump(argc, argv);
elif (argc != 0)
fprintf(stderr, "input is cooked -- ignoring tcpdump expressions\n");
- pkt = getPkt();
- for ( ; ; ) if (!setjmp(jmpBuf)) showPkt(pkt);
+ // tm020221
+ // changed setjmp/longjmp logic to trigger the showPkt()
+ for ( ; ; ) {
+ pkt = getPkt();
+ if (setjmp(jmpBuf) || nPktsShown <= 0)
+ showPkt(pkt);
+ }
exit(0);
+ return 0;
}
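Review bot: `setjmp(jmpBuf) || nPktsShown <= 0` uses `setjmp` as an operand of `||`, which is outside the contexts the C standard permits for a `setjmp` call (the whole controlling expression, a comparison with an integer constant, or the operand of `!`), so the behaviour is undefined. Split the test: `if (setjmp(jmpBuf) != 0) showPkt(pkt);` followed by `else if (nPktsShown <= 0) showPkt(pkt);`. The `exit(0); return 0;` after the endless loop is unreachable; a comment that the program ends through `exit()` in getPkt would be clearer than dead statements.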
@@ -1336,7 +1374,7 @@
name = number;
}
/* The crappy manpage doesn't say the port must be in net byte order. */
- elif (service = getservbyport((int)htons(port), proto))
+ elif ( (service = getservbyport((int)htons(port), proto)) )
name = service->s_name;
elif (!wantNumber)
name = unknown;
@@ -1371,6 +1409,9 @@
}
*cleanBuf = '\0';
+ if ((*cleanPkt == '0') && (*(cleanPkt+1) == 'x'))
+ return cleanPkt+7;
+
return cleanPkt;
}
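Review bot: `return cleanPkt+7;` skips seven characters after checking only the first two, so a cleaned line that starts with `0x` but is shorter than seven characters yields a pointer past the terminating NUL, and callers then read out of bounds. Guard the length, e.g. `if (strncmp(cleanPkt, "0x", 2) == 0 && strlen(cleanPkt) >= 7) return cleanPkt + 7;`. The constant 7 is presumably the width of the hex-offset prefix tcpdump prints before packet data (such as `0x0000:`); a named constant and a comment would record that. The enclosing function starts outside the hunk.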
@@ -1572,7 +1613,7 @@
char eFromName[MAX_HOSTNAMELEN+1]; // Sender Ethernet name
char eTo[ETHER_ADDRLEN+1]; /* Destination Ethernet address */
char eToName[MAX_HOSTNAMELEN+1]; // Target Ethernet name
- char eType[20]; /* Ethernet type (decoded to ASCII) */
+ char eType[40]; /* Ethernet type (decoded to ASCII) */
static double prevTime; // Timestamp of previous packet
char time[16]; /* Packet timestamp */
@@ -1580,25 +1621,50 @@
if (ppFlag) {
(void)sscanf(p, "%s", time);
etherType = ETHER_PROTO_IP; /* tcpdump doesn't supply link type */
- if (!noLinkFlag)
+ if (!noLinkFlag) {
if (terseFlag)
printf("TIME:\t%s%s\n", time, deltaTime(&prevTime, time));
else
printf(
"\tTimestamp:\t\t\t%s%s\n", time, deltaTime(&prevTime, time)
);
+ }
return getPkt();
}
(void)sscanf(p, "%s %s %s %s", time, eFrom, eTo, eType);
- (void)etherProto(eType, ðerType);
+
+ /* decode output from tcpdump-3.8.x and later */
+ /* format: TIME MACSRC > MACDST, ethertype TYPE (0xCODE), ... */
+ if (*eTo == '>') {
+ char *s;
+ (void)sscanf(p, "%s %s > %s", time, eFrom, eTo);
+ if ((s = strstr(p, "ethertype ")) != NULL) {
+ strlcpy(eType, s+10, sizeof(eType));
+ if ((s = strchr(eType, ' ')) != NULL) {
+ *s = '\0';
+ *(s+8)='\0';
+ (void)etherProto(s+4, ðerType);
+ }
+ else {
+ etherType = 0;
+ }
+ }
+ else {
+ strlcpy(eType, unknown, sizeof(eType));
+ etherType = 0;
+ }
+ }
+ /* decode output from tcpdump-3.7.4 and earlier */
+ else
+ (void)etherProto(eType, ðerType);
(void)strcpy(eFrom, etherAddr(eFrom, 0));
(void)strcpy(eFromName, etherName(eFrom, TRUE));
(void)strcpy(eTo, etherAddr(eTo, 0));
(void)strcpy(eToName, etherName(eTo, TRUE));
- if (!noLinkFlag)
+ if (!noLinkFlag) {
if (terseFlag) {
printf("TIME:\t%s%s\n", time, deltaTime(&prevTime, time));
printf(
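Review bot: In the new tcpdump-3.8 branch, `*(s+8)='\0'` and `etherProto(s+4, …)` assume at least eight bytes follow the first space in `eType`; when that space is near the end of the 40-byte buffer, or the text after it is short, this writes or reads outside the copied string. Check first, e.g. `if ((s = strchr(eType, ' ')) != NULL && strlen(s) >= 8) {`, and fall through to `etherType = 0` otherwise. The added `sscanf(p, "%s %s > %s", time, eFrom, eTo)` has no field widths, like the existing call above it, so an over-long token in the dump overflows the fixed arrays; `time` is declared `char time[16]`, so `%15s` applies there, and the return value should be checked rather than cast to void. The function's start and end are outside the hunk.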
@@ -1614,6 +1680,7 @@
if (!noEtherNames) printf(" (%s)", etherName(eTo, FALSE));
printf("\n\tEncapsulated Protocol:\t\t%s\n", etherProto(eType, 0));
}
+ }
return getPkt();
@@ -1778,7 +1845,7 @@
static void showPkt (reg char *p) {
char *warnMsg = "<*** No decode support for encapsulated protocol ***>";
-
+ char *warnMsg2 = "<*** No decode support for encap protocol in IPIP packet ***>";
prSep();
printf("Packet %d\n", ++nPktsShown);
@@ -1807,6 +1874,31 @@
p = showIcmp(p);
p = showData(p);
break;
+
+ // IPIP decode support by M. Nowlin (mike@argos.org) 20000321
+ case IPIP:
+ p = showIp(p);
+ switch(proto) {
+ case TCP:
+ p = showTcp(p);
+ p = showData(p);
+ break;
+ case UDP:
+ p = showUdp(p);
+ p = showData(p);
+ break;
+ case ICMP:
+ p = showIcmp(p);
+ p = showData(p);
+ break;
+ default:
+ printf("\t%s\n", warnMsg2);
+ nextPkt();
+ break;
+ }
+
+ break;
+
default:
printf("\t%s\n", warnMsg);
nextPkt(); /* Doesn't return */
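Review bot: The inner `switch(proto)` under `case IPIP:` repeats the TCP/UDP/ICMP arms of the outer switch line for line; a small static helper taking `p` would keep the two dispatches from drifting apart. The inner `default:` calls `nextPkt()` and then `break`s, while the outer default documents that `nextPkt()` doesn't return — add the same `/* Doesn't return */` comment or drop the dead `break`. The case relies on the second `showIp(p)` call updating `proto` to the inner protocol, which is not visible in this hunk; a comment stating that would help. showPkt continues outside the hunk.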
@@ -1826,7 +1918,7 @@
}
/* Note that if getPkt() returns here, then the line read isn't the */
/* start of a new packet, i.e. there's spurious data. */
- if (p = getPkt()) {
+ if ( (p = getPkt()) ) {
if (sFlag) printf("\t<*** Spurious data at end: \"%s\" ***>\n", p);
nextPkt();
}
@@ -1996,10 +2088,10 @@
if (terseFlag) {
printf(
- " TCP:\tport %s -> %s seq=%010lu", sPortName, dPortName, seq
+ " TCP:\tport %s -> %s seq=%010lu", sPortName, dPortName, (u_long)seq
);
- if (trackFlag) printf(" (expect=%010lu)", expect);
- printf(" ack=%010lu\n", ack);
+ if (trackFlag) printf(" (expect=%010lu)", (u_long)expect);
+ printf(" ack=%010lu\n", (u_long)ack);
printf(
"\thlen=%d (data=%u) UAPRSF=%s%s%s%s%s%s",
hLen, dataLen,
@@ -2016,9 +2108,9 @@
if (!noPortNames) printf(" (%s)", portName(sPort, "tcp", FALSE));
printf("\n\tDestination Port:\t\t%d", dPort);
if (!noPortNames) printf(" (%s)", portName(dPort, "tcp", FALSE));
- printf("\n\tSequence Number:\t\t%010lu\n", seq);
- if (trackFlag) printf("\tExpect peer ACK:\t\t%010lu\n", expect);
- printf("\tAcknowledgement Number:\t\t%010lu\n", ack);
+ printf("\n\tSequence Number:\t\t%010lu\n", (u_long)seq);
+ if (trackFlag) printf("\tExpect peer ACK:\t\t%010lu\n", (u_long)expect);
+ printf("\tAcknowledgement Number:\t\t%010lu\n", (u_long)ack);
printf("\tHeader Length:\t\t\t%d bytes (data=%u)\n", hLen, dataLen);
printf(
"\tFlags:%s%s%s%s%s%s\n%s%s%s%s%s%s\n",