1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
--- display.c.orig Sun Aug 23 21:51:48 1998
+++ display.c Fri Dec 6 12:17:55 2002
@@ -54,6 +54,7 @@
static int l_nflag, l_eflag;
static int n_entries;
static int err_pos;
+extern struct t_entry t_mask; /* traffic mask */
void
init_display(reinit)
@@ -282,6 +284,13 @@
packets_total++;
bytes_total += e->bytes;
j = page * page_size;
+
+ e->src.s_addr &= t_mask.src.s_addr;
+ e->dst.s_addr &= t_mask.dst.s_addr;
+ e->sport &= t_mask.sport;
+ e->dport &= t_mask.dport;
+ e->proto &= t_mask.proto;
+
for (i = 0; i < n_entry; i++) {
if (memcmp(&e->eh, &entries[i].eh, sizeof(e->eh)) == 0 &&
e->src.s_addr == entries[i].src.s_addr &&
--- trafshow.c.orig Fri Aug 28 00:15:57 1998
+++ trafshow.c Fri Dec 6 12:34:09 2002
@@ -48,6 +48,7 @@
int pflag = 0; /* don't put the interface into promiscuous mode */
int kflag = 1; /* disable keyboard input checking */
int eflag = 0; /* show ethernet traffic rather than ip */
+struct t_entry t_mask; /* traffic mask */
/* global variables */
char *program_name; /* myself */
@@ -78,6 +79,12 @@
extern int abort_on_misalignment();
extern pcap_handler lookup_if();
+ t_mask.src.s_addr = 0xffffffff; /* all bits valid */
+ t_mask.dst.s_addr = 0xffffffff; /* all bits valid */
+ t_mask.sport = 0xffff; /* all bits valid */
+ t_mask.dport = 0xffff; /* all bits valid */
+ t_mask.proto = 0xffff; /* all bits valid */
+
cnt = -1;
device_name = NULL;
infile = NULL;
@@ -94,7 +87,7 @@
if (abort_on_misalignment(ebuf) < 0) error(0, ebuf);
- while ((op = getopt(argc, argv, "c:CefF:i:knNOpr:t:vh?")) != EOF)
+ while ((op = getopt(argc, argv, "c:CefF:i:kmnNOpr:t:vh?")) != EOF)
switch (op) {
case 'C':
#ifdef HAVE_SLCURSES
@@ -114,6 +121,40 @@
break;
case 'k':
kflag = 0;
+ break;
+ case 'm':
+ t_mask.src.s_addr = 0;
+ t_mask.dst.s_addr = 0;
+ t_mask.sport = 0;
+ t_mask.dport = 0;
+ t_mask.proto = 0;
+ for (;optind + 1 <= argc;) {
+ char *s = argv[optind];
+ u_int32_t arg = 0xffffffff;
+ int save=optind;
+
+ optind++;
+ if (optind + 1 <= argc &&
+ isdigit(*(argv[optind])) ) {
+ arg = strtoul(argv[optind], NULL, 0);
+ optind++;
+ }
+
+ if (!strcmp(s, "src-ip"))
+ t_mask.src.s_addr = htonl(arg);
+ else if (!strcmp(s, "dst-ip"))
+ t_mask.dst.s_addr = htonl(arg);
+ else if (!strcmp(s, "src-port"))
+ t_mask.sport = htons((u_short)(arg));
+ else if (!strcmp(s, "dst-port"))
+ t_mask.dport = htons((u_short)(arg));
+ else if (!strcmp(s, "proto"))
+ t_mask.proto = arg;
+ else {
+ optind = save;
+ break;
+ }
+ }
break;
case 'n':
++nflag;
--- trafshow.1.orig Fri Aug 28 09:37:38 1998
+++ trafshow.1 Tue Apr 15 22:32:21 2003
@@ -42,6 +42,16 @@
.B \-k
Disable input keyboard checking. It is intended to avoid loss of packets.
.TP
+.B \-m
+[src-ip M] [dst-ip M] [src-port M] [dst-port M] [proto M]
+.br
+Mask the specified field with mask M (which should be specified
+as an hex number e.g. 0xffff0000) before further processing
+of the packet. This allows to aggregate traffic in the display
+to ease analysis.
+.br
+.The masks for all field not specified will be set to 0.
+.TP
.B \-n
Don't convert host addresses and port numbers to names.
.TP
|
