Re: [tcpdump-workers] How to extract the source name field data of
> Yes I am doing live capturing, but all what I interested about is the 16 > byte "Source Name" field (Name to Add). I want to include the tcpdump > command in my perl program so that I can make further processing on the data > of that field. i would suggest you write a program using libpcap.a, rather than try to play with tcpdump output. itojun - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] How to extract the source name field data of
Yes I am doing live capturing, but all what I interested about is the 16 byte "Source Name" field (Name to Add). I want to include the tcpdump command in my perl program so that I can make further processing on the data of that field. I need your help in this matter Regards Bassam A. Al-Khaffaf R & D Engineer R & D Department Palette Multimedia Bhd www.palettemm.com www.yellowspots.com [EMAIL PROTECTED] Tel: +60 (3) 6253 3299 - Ext: 229 Fax: +60 (3) 6253 4399 MPhone: +60 (16) 493 1776 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jun-ichiro itojun Hagino Sent: Friday, May 28, 2004 1:15 PM To: [EMAIL PROTECTED] Subject: Re: [tcpdump-workers] How to extract the source name field data of > Hi, >I am capturing the NetBeui (NBF) packets by using the following command: > > tcpdump -X netbuie > > I am getting a range of data, but, is there a way to determine which part of > the packet to extract? I am interested in the 16 byte "Source Name" field > (Name to add) as shown below. I want to extract the name SHEILA only. > > 15:12:21.446893 NetBeui Packet > 0x f0f0 032c 00ff ef01 ..., > 0x0010 0053...S > 0x0020 4845 494c 4120 2020 2020 2020 2020 03 HEILA.. if you are doing live capture on network, bigger capture size like "-s 2000" will help you. otherwise, binary capture file won't have enough data so you can do nothing about it. itojun - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe. --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.686 / Virus Database: 447 - Release Date: 14/05/04 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.686 / Virus Database: 447 - Release Date: 14/05/04 - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] How to extract the source name field data of
> Hi, >I am capturing the NetBeui (NBF) packets by using the following command: > > tcpdump -X netbuie > > I am getting a range of data, but, is there a way to determine which part of > the packet to extract? I am interested in the 16 byte "Source Name" field > (Name to add) as shown below. I want to extract the name SHEILA only. > > 15:12:21.446893 NetBeui Packet > 0x f0f0 032c 00ff ef01 ..., > 0x0010 0053...S > 0x0020 4845 494c 4120 2020 2020 2020 2020 03 HEILA.. if you are doing live capture on network, bigger capture size like "-s 2000" will help you. otherwise, binary capture file won't have enough data so you can do nothing about it. itojun - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
[tcpdump-workers] How to extract the source name field data of the netbeui (NBF) protocol
Hi, I am capturing the NetBeui (NBF) packets by using the following command: tcpdump -X netbuie I am getting a range of data, but, is there a way to determine which part of the packet to extract? I am interested in the 16 byte "Source Name" field (Name to add) as shown below. I want to extract the name SHEILA only. 15:12:21.446893 NetBeui Packet 0x f0f0 032c 00ff ef01 ..., 0x0010 0053...S 0x0020 4845 494c 4120 2020 2020 2020 2020 03 HEILA.. Thanks for the help in Advance Bassam A. Al-Khaffaf R & D Engineer R & D Department Palette Multimedia Bhd www.palettemm.com www.yellowspots.com [EMAIL PROTECTED] Tel: +60 (3) 6253 3299 - Ext: 229 Fax: +60 (3) 6253 4399 MPhone: +60 (16) 493 1776 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.686 / Virus Database: 447 - Release Date: 14/05/04 - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] savefile.c patch
On May 27, 2004, at 5:22 AM, Gisle Vanem wrote: Since pcap_dump_close() doesn't have a pcap_t argument, where should the oldmode come from? Can we have two module globals; oldmode_stdin, oldmode_stdout, assuming stdin/stdout won't be opened for capture more than once? If it's opened for capture or dumping more than once in sequence, that's not an issue; if it's opened for capture or dumping more than once in parallel, that's not going to work anyway. As such, the two globals would probably be the best idea. - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Various diffs for more complete LDP decoding
On May 27, 2004, at 11:04 AM, [EMAIL PROTECTED] wrote:
Below are patches to perform significantly more complete LDP decoding.
Checked in, with an unused variable removed, and with declarations of
"decode_prefix{4,6}()" put into a "decode_prefix.h" header included by
"print-bgp.c" and "print-ldp.c".
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
[tcpdump-workers] Various diffs for more complete LDP decoding
Below are patches to perform significantly more complete LDP decoding.
Synposis:
- Minor diff to print-tcp.c (actually call the LDP decoder)
- Minor diff to print-bgp.c (unstaticize routines used by print-ldp.c)
- Major diff to print-ldp.c
Hannes: I'd be happy to decode even more if you can get me some LDP
traces which utilize more of the LDP functionality.
Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
--- print-bgp.c.origMon May 17 14:10:05 2004
+++ print-bgp.c Thu May 27 17:49:19 2004
@@ -460,7 +460,7 @@
{ 0, NULL},
};
-static int
+int
decode_prefix4(const u_char *pptr, char *buf, u_int buflen)
{
struct in_addr addr;
@@ -688,7 +688,7 @@
}
#ifdef INET6
-static int
+int
decode_prefix6(const u_char *pd, char *buf, u_int buflen)
{
struct in6_addr addr;
--- print-tcp.c.origMon Apr 26 08:17:31 2004
+++ print-tcp.c Thu May 27 19:56:11 2004
@@ -650,8 +650,9 @@
} else if (sport == MSDP_PORT || dport == MSDP_PORT) {
msdp_print(bp, length);
}
-else if (sport == LDP_PORT || dport == LDP_PORT)
-printf(": LDP, length: %u", length);
+else if (length > 0 && (sport == LDP_PORT || dport == LDP_PORT)) {
+ldp_print(bp, length);
+ }
}
return;
bad:
--- print-ldp.c.origSun Nov 16 10:36:27 2003
+++ print-ldp.c Thu May 27 19:32:41 2004
@@ -11,6 +11,7 @@
* FOR A PARTICULAR PURPOSE.
*
* Original code by Hannes Gredler ([EMAIL PROTECTED])
+ * and Steinar Haug ([EMAIL PROTECTED])
*/
#ifndef lint
@@ -142,6 +143,7 @@
#defineLDP_TLV_COMMON_SESSION 0x0500
#defineLDP_TLV_ATM_SESSION_PARM 0x0501
#defineLDP_TLV_FR_SESSION_PARM 0x0502
+#define LDP_TLV_FT_SESSION 0x0503
#defineLDP_TLV_LABEL_REQUEST_MSG_ID 0x0600
static const struct tok ldp_tlv_values[] = {
@@ -163,10 +165,56 @@
{ LDP_TLV_COMMON_SESSION,"Common Session Parameters" },
{ LDP_TLV_ATM_SESSION_PARM, "ATM Session Parameters" },
{ LDP_TLV_FR_SESSION_PARM, "Frame-Relay Session Parameters" },
+{ LDP_TLV_FT_SESSION,"Fault-Tolerant Session Parameters" },
{ LDP_TLV_LABEL_REQUEST_MSG_ID, "Label Request Message ID" },
{ 0, NULL}
};
+#define LDP_FEC_WILDCARD 0x01
+#define LDP_FEC_PREFIX 0x02
+#define LDP_FEC_HOSTADDRESS0x03
+/* From draft-martini-l2circuit-trans-mpls-13.txt */
+#define LDP_FEC_MARTINI_VC 0x80
+
+static const struct tok ldp_fec_values[] = {
+{ LDP_FEC_WILDCARD,"Wildcard" },
+{ LDP_FEC_PREFIX, "Prefix" },
+{ LDP_FEC_HOSTADDRESS, "Host address" },
+{ LDP_FEC_MARTINI_VC, "Martini VC" },
+{ 0, NULL}
+};
+
+/* From draft-martini-l2circuit-trans-mpls-13.txt */
+#define LDP_MARTINI_VCTYPE_FR_DLCI 0x0001
+#define LDP_MARTINI_VCTYPE_ATM_AAL50x0002
+#define LDP_MARTINI_VCTYPE_ATM_CELL0x0003
+#define LDP_MARTINI_VCTYPE_ETH_VLAN0x0004
+#define LDP_MARTINI_VCTYPE_ETHERNET0x0005
+#define LDP_MARTINI_VCTYPE_HDLC0x0006
+#define LDP_MARTINI_VCTYPE_PPP 0x0007
+#define LDP_MARTINI_VCTYPE_CEM 0x0008
+#define LDP_MARTINI_VCTYPE_ATM_VCC 0x0009
+#define LDP_MARTINI_VCTYPE_ATM_VPC 0x000A
+
+/* Overlaps print-bgp.c bgp_l2vpn_encaps_values */
+static const struct tok ldp_vctype_values[] = {
+{ LDP_MARTINI_VCTYPE_FR_DLCI, "Frame Relay DLCI" },
+{ LDP_MARTINI_VCTYPE_ATM_AAL5, "ATM AAL5 VCC transport" },
+{ LDP_MARTINI_VCTYPE_ATM_CELL, "ATM transparent cell transport" },
+{ LDP_MARTINI_VCTYPE_ETH_VLAN, "Ethernet VLAN" },
+{ LDP_MARTINI_VCTYPE_ETHERNET, "Ethernet" },
+{ LDP_MARTINI_VCTYPE_HDLC, "HDLC" },
+{ LDP_MARTINI_VCTYPE_PPP, "PPP" },
+{ LDP_MARTINI_VCTYPE_CEM, "SONET/SDH Circuit Emulation Service" },
+{ LDP_MARTINI_VCTYPE_ATM_VCC, "ATM VCC cell transport" },
+{ LDP_MARTINI_VCTYPE_ATM_VPC, "ATM VPC cell transport" },
+{ 0, NULL}
+};
+
+/* RFC1700 address family numbers, same definition in print-bgp.c */
+#define AFNUM_INET 1
+#define AFNUM_INET62
+
#define FALSE 0
#define TRUE 1
@@ -198,7 +246,11 @@
};
const struct ldp_tlv_header *ldp_tlv_header;
-u_short tlv_type,tlv_len,tlv_tlen;
+u_short tlv_type,tlv_len,tlv_tlen,af,ft_flags;
+u_char fec_type,prelen;
+u_int ui;
+char buf[100];
+int i;
ldp_tlv_header = (const struct ldp_tlv_header *)tptr;
tlv_len=EXTRACT_16BITS(ldp_tlv_header->length);
@@ -238,23 +290,121 @@
printf("\n\t Sequence Number: %u", EXTRACT_32BITS(tptr));
break;
+case LDP_TLV_ADDRESS_LIST:
+ af = EXTRACT_16BITS(tptr);
+ tptr+=2;
+ printf("\n\t Adress Family: ");
+ if (af == AFNUM_INET) {
+ printf("IPv4, addresses:");
+ for (i=0; i<(tlv_tlen-2)/4; i++) {
+
Re: [tcpdump-workers] savefile.c patch
> Since pcap_dump_close() doesn't have a pcap_t argument, where should
> the oldmode come from? Can we have two module globals; oldmode_stdin,
> oldmode_stdout, assuming stdin/stdout won't be opened for capture more
> than once?
I've added a 'long filemode' to 'struct pcap' (long since O_BINARY is 0x8000
on some targets and 16-bit DOS/Win is still used, *not*). Also some heuristics
for restoring the mode in pcap_dump_close(). Updated patch attached.
--gv--- libpcap-2004.05.20/pcap-int.h Wed Apr 07 20:41:00 2004
+++ pcap-int.h Thu May 27 16:51:35 2004
@@ -111,6 +111,7 @@
int offset; /* offset for proper alignment */
int break_loop; /* flag set to force break from packet-reading loop */
+ long filemode; /* previous translation mode for stdin/stdout */
struct pcap_sf sf;
struct pcap_md md;
--- libpcap-2004.05.20/savefile.c Tue Mar 23 21:18:08 2004
+++ savefile.c Thu May 27 17:04:24 2004
@@ -52,6 +52,12 @@
#define TCPDUMP_MAGIC 0xa1b2c3d4
#define PATCHED_TCPDUMP_MAGIC 0xa1b2cd34
+#if defined(WIN32) || defined(MSDOS)
+#define SETMODE(file,mode) setmode(file,mode)
+#else
+#define SETMODE(file,mode) (-1)
+#endif
+
/*
* We use the "receiver-makes-right" approach to byte order,
* because time is at a premium when we are writing the file.
@@ -515,6 +521,20 @@
return linktype;
}
+/*
+ * Close dump/save-file or restore old translation mode of stdin/stdout.
+ */
+static int
+file_close(FILE *fil, long filemode)
+{
+ if (fil != stdin && fil != stdout)
+ return fclose (fil);
+
+ (void) SETMODE (fileno(fil), filemode > -1L ? filemode : O_TEXT);
+ return (0);
+}
+
+
static int
sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen)
{
@@ -585,8 +605,7 @@
static void
sf_close(pcap_t *p)
{
- if (p->sf.rfile != stdin)
- (void)fclose(p->sf.rfile);
+ file_close(p->sf.rfile, p->filemode);
if (p->sf.base != NULL)
free(p->sf.base);
}
@@ -602,20 +621,18 @@
p = (pcap_t *)malloc(sizeof(*p));
if (p == NULL) {
- strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE);
+ strlcpy(errbuf, "out of memory", PCAP_ERRBUF_SIZE);
return (NULL);
}
memset((char *)p, 0, sizeof(*p));
-
- if (fname[0] == '-' && fname[1] == '\0')
+ if (fname[0] == '-' && fname[1] == '\0') {
fp = stdin;
+ p->filemode = SETMODE(fileno(fp), O_BINARY);
+ }
else {
-#ifndef WIN32
- fp = fopen(fname, "r");
-#else
+ p->filemode = -1L; /* Always binary, but we don't need this */
fp = fopen(fname, "rb");
-#endif
if (fp == NULL) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname,
pcap_strerror(errno));
@@ -726,13 +743,15 @@
break;
}
-#ifndef WIN32
+#if !defined(WIN32) && !defined(MSDOS)
/*
* You can do "select()" and "poll()" on plain files on most
* platforms, and should be able to do so on pipes.
*
* You can't do "select()" on anything other than sockets in
* Windows, so, on Win32 systems, we don't have "selectable_fd".
+* But one could use 'WaitForSingleObject()' on HANDLE obtained
+* from '_get_osfhandle(p->selectable_fd)'.
*/
p->selectable_fd = fileno(fp);
#endif
@@ -749,7 +768,7 @@
return (p);
bad:
if(fp)
- fclose(fp);
+ file_close(fp, p->filemode);
free(p);
return (NULL);
}
@@ -985,26 +1004,22 @@
if (fname[0] == '-' && fname[1] == '\0') {
f = stdout;
-#ifdef WIN32
- _setmode(_fileno(f), _O_BINARY);
-#endif
+ p->filemode = SETMODE(fileno(f), O_BINARY);
} else {
-#ifndef WIN32
- f = fopen(fname, "w");
-#else
+ p->filemode = -1L;
f = fopen(fname, "wb");
-#endif
- if (f == NULL) {
+ /* setbuf(f, NULL); */ /* XXX - why? */
+ }
+
+ if (!f || sf_write_header(f, linktype, p->tzoff, p->snapshot) < 0) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s",
fname, pcap_strerror(errno));
- return (NULL);
- }
-#ifdef WIN32
- setbuf(f, NULL);/* XXX - why? */
-#endif
+ if (f)
+ file_close(f, p->filemode);
+ p->filemode = -1L;
+ f = NULL;
}
- (void)sf_write_header(f, linktype, p->tzoff, p->snapshot);
- return ((pcap_dumper_t *)f);
+ return (pcap_dumper_t*)f;
}
FILE *
@@ -1026,11 +1041,13 @@
void
pcap_dump_close(pcap_dumper_t *p)
{
+ FILE *fil = (FILE*)p;
#ifdef notyet
- if (ferror((FILE *)p))
+ if (ferror(fil))
Re: [tcpdump-workers] savefile.c patch
"Guy Harris" <[EMAIL PROTECTED]> said: > Also, should we save the mode returned by "setmode()" and restore it > when we close a "pcap_t" or "pcap_dumper_t" that refers to the standard > input or output? Since pcap_dump_close() doesn't have a pcap_t argument, where should the oldmode come from? Can we have two module globals; oldmode_stdin, oldmode_stdout, assuming stdin/stdout won't be opened for capture more than once? Ideally it should be "pcap_dump_flush(pcap_t *p)", but too late to change that now. --gv - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
[tcpdump-workers] Automatic report from sources (tcpdump libpcap htdocs) between 26.05.2004 - 27.05.2004 GMT
CVS log entries from 26.05.2004 (Wed) 09:04:04 - 27.05.2004 (Thu) 09:04:04 GMT = Summary by authors = Author: guy File: tcpdump/CREDITS; Revisions: 1.94 File: tcpdump/print-ipx.c; Revisions: 1.40 = Combined list of identical log entries = Description: >From Steinar Haug <[EMAIL PROTECTED]>: put declarations inside a function before all executable statements. Clean up white space. Modified files: File: tcpdump/CREDITS; Revision: 1.94; Date: 2004/05/26 19:57:57; Author: guy; Lines: (+1 -0) File: tcpdump/print-ipx.c; Revision: 1.40; Date: 2004/05/26 19:57:57; Author: guy; Lines: (+5 -5) = Log entries = = Summary of modified files = File: tcpdump/CREDITS Revisions: 1.94 Authors: guy (+1 -0) --- File: tcpdump/print-ipx.c Revisions: 1.40 Authors: guy (+5 -5) -- Automatic cron job from /tcpdump/bin/makelog - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
