Re: [tcpdump-workers] How to extract the source name field data of
> Yes I am doing live capturing, but all what I interested about is the 16 > byte "Source Name" field (Name to Add). I want to include the tcpdump > command in my perl program so that I can make further processing on the data > of that field. i would suggest you write a program using libpcap.a, rather than try to play with tcpdump output. itojun - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] How to extract the source name field data of
Yes I am doing live capturing, but all what I interested about is the 16 byte "Source Name" field (Name to Add). I want to include the tcpdump command in my perl program so that I can make further processing on the data of that field. I need your help in this matter Regards Bassam A. Al-Khaffaf R & D Engineer R & D Department Palette Multimedia Bhd www.palettemm.com www.yellowspots.com [EMAIL PROTECTED] Tel: +60 (3) 6253 3299 - Ext: 229 Fax: +60 (3) 6253 4399 MPhone: +60 (16) 493 1776 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jun-ichiro itojun Hagino Sent: Friday, May 28, 2004 1:15 PM To: [EMAIL PROTECTED] Subject: Re: [tcpdump-workers] How to extract the source name field data of > Hi, >I am capturing the NetBeui (NBF) packets by using the following command: > > tcpdump -X netbuie > > I am getting a range of data, but, is there a way to determine which part of > the packet to extract? I am interested in the 16 byte "Source Name" field > (Name to add) as shown below. I want to extract the name SHEILA only. > > 15:12:21.446893 NetBeui Packet > 0x f0f0 032c 00ff ef01 ..., > 0x0010 0053...S > 0x0020 4845 494c 4120 2020 2020 2020 2020 03 HEILA.. if you are doing live capture on network, bigger capture size like "-s 2000" will help you. otherwise, binary capture file won't have enough data so you can do nothing about it. itojun - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe. --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.686 / Virus Database: 447 - Release Date: 14/05/04 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.686 / Virus Database: 447 - Release Date: 14/05/04 - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] How to extract the source name field data of
> Hi, >I am capturing the NetBeui (NBF) packets by using the following command: > > tcpdump -X netbuie > > I am getting a range of data, but, is there a way to determine which part of > the packet to extract? I am interested in the 16 byte "Source Name" field > (Name to add) as shown below. I want to extract the name SHEILA only. > > 15:12:21.446893 NetBeui Packet > 0x f0f0 032c 00ff ef01 ..., > 0x0010 0053...S > 0x0020 4845 494c 4120 2020 2020 2020 2020 03 HEILA.. if you are doing live capture on network, bigger capture size like "-s 2000" will help you. otherwise, binary capture file won't have enough data so you can do nothing about it. itojun - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
[tcpdump-workers] How to extract the source name field data of the netbeui (NBF) protocol
Hi, I am capturing the NetBeui (NBF) packets by using the following command: tcpdump -X netbuie I am getting a range of data, but, is there a way to determine which part of the packet to extract? I am interested in the 16 byte "Source Name" field (Name to add) as shown below. I want to extract the name SHEILA only. 15:12:21.446893 NetBeui Packet 0x f0f0 032c 00ff ef01 ..., 0x0010 0053...S 0x0020 4845 494c 4120 2020 2020 2020 2020 03 HEILA.. Thanks for the help in Advance Bassam A. Al-Khaffaf R & D Engineer R & D Department Palette Multimedia Bhd www.palettemm.com www.yellowspots.com [EMAIL PROTECTED] Tel: +60 (3) 6253 3299 - Ext: 229 Fax: +60 (3) 6253 4399 MPhone: +60 (16) 493 1776 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.686 / Virus Database: 447 - Release Date: 14/05/04 - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] savefile.c patch
On May 27, 2004, at 5:22 AM, Gisle Vanem wrote: Since pcap_dump_close() doesn't have a pcap_t argument, where should the oldmode come from? Can we have two module globals; oldmode_stdin, oldmode_stdout, assuming stdin/stdout won't be opened for capture more than once? If it's opened for capture or dumping more than once in sequence, that's not an issue; if it's opened for capture or dumping more than once in parallel, that's not going to work anyway. As such, the two globals would probably be the best idea. - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Various diffs for more complete LDP decoding
On May 27, 2004, at 11:04 AM, [EMAIL PROTECTED] wrote: Below are patches to perform significantly more complete LDP decoding. Checked in, with an unused variable removed, and with declarations of "decode_prefix{4,6}()" put into a "decode_prefix.h" header included by "print-bgp.c" and "print-ldp.c". - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
[tcpdump-workers] Various diffs for more complete LDP decoding
Below are patches to perform significantly more complete LDP decoding. Synposis: - Minor diff to print-tcp.c (actually call the LDP decoder) - Minor diff to print-bgp.c (unstaticize routines used by print-ldp.c) - Major diff to print-ldp.c Hannes: I'd be happy to decode even more if you can get me some LDP traces which utilize more of the LDP functionality. Steinar Haug, Nethelp consulting, [EMAIL PROTECTED] --- print-bgp.c.origMon May 17 14:10:05 2004 +++ print-bgp.c Thu May 27 17:49:19 2004 @@ -460,7 +460,7 @@ { 0, NULL}, }; -static int +int decode_prefix4(const u_char *pptr, char *buf, u_int buflen) { struct in_addr addr; @@ -688,7 +688,7 @@ } #ifdef INET6 -static int +int decode_prefix6(const u_char *pd, char *buf, u_int buflen) { struct in6_addr addr; --- print-tcp.c.origMon Apr 26 08:17:31 2004 +++ print-tcp.c Thu May 27 19:56:11 2004 @@ -650,8 +650,9 @@ } else if (sport == MSDP_PORT || dport == MSDP_PORT) { msdp_print(bp, length); } -else if (sport == LDP_PORT || dport == LDP_PORT) -printf(": LDP, length: %u", length); +else if (length > 0 && (sport == LDP_PORT || dport == LDP_PORT)) { +ldp_print(bp, length); + } } return; bad: --- print-ldp.c.origSun Nov 16 10:36:27 2003 +++ print-ldp.c Thu May 27 19:32:41 2004 @@ -11,6 +11,7 @@ * FOR A PARTICULAR PURPOSE. * * Original code by Hannes Gredler ([EMAIL PROTECTED]) + * and Steinar Haug ([EMAIL PROTECTED]) */ #ifndef lint @@ -142,6 +143,7 @@ #defineLDP_TLV_COMMON_SESSION 0x0500 #defineLDP_TLV_ATM_SESSION_PARM 0x0501 #defineLDP_TLV_FR_SESSION_PARM 0x0502 +#define LDP_TLV_FT_SESSION 0x0503 #defineLDP_TLV_LABEL_REQUEST_MSG_ID 0x0600 static const struct tok ldp_tlv_values[] = { @@ -163,10 +165,56 @@ { LDP_TLV_COMMON_SESSION,"Common Session Parameters" }, { LDP_TLV_ATM_SESSION_PARM, "ATM Session Parameters" }, { LDP_TLV_FR_SESSION_PARM, "Frame-Relay Session Parameters" }, +{ LDP_TLV_FT_SESSION,"Fault-Tolerant Session Parameters" }, { LDP_TLV_LABEL_REQUEST_MSG_ID, "Label Request Message ID" }, { 0, NULL} }; +#define LDP_FEC_WILDCARD 0x01 +#define LDP_FEC_PREFIX 0x02 +#define LDP_FEC_HOSTADDRESS0x03 +/* From draft-martini-l2circuit-trans-mpls-13.txt */ +#define LDP_FEC_MARTINI_VC 0x80 + +static const struct tok ldp_fec_values[] = { +{ LDP_FEC_WILDCARD,"Wildcard" }, +{ LDP_FEC_PREFIX, "Prefix" }, +{ LDP_FEC_HOSTADDRESS, "Host address" }, +{ LDP_FEC_MARTINI_VC, "Martini VC" }, +{ 0, NULL} +}; + +/* From draft-martini-l2circuit-trans-mpls-13.txt */ +#define LDP_MARTINI_VCTYPE_FR_DLCI 0x0001 +#define LDP_MARTINI_VCTYPE_ATM_AAL50x0002 +#define LDP_MARTINI_VCTYPE_ATM_CELL0x0003 +#define LDP_MARTINI_VCTYPE_ETH_VLAN0x0004 +#define LDP_MARTINI_VCTYPE_ETHERNET0x0005 +#define LDP_MARTINI_VCTYPE_HDLC0x0006 +#define LDP_MARTINI_VCTYPE_PPP 0x0007 +#define LDP_MARTINI_VCTYPE_CEM 0x0008 +#define LDP_MARTINI_VCTYPE_ATM_VCC 0x0009 +#define LDP_MARTINI_VCTYPE_ATM_VPC 0x000A + +/* Overlaps print-bgp.c bgp_l2vpn_encaps_values */ +static const struct tok ldp_vctype_values[] = { +{ LDP_MARTINI_VCTYPE_FR_DLCI, "Frame Relay DLCI" }, +{ LDP_MARTINI_VCTYPE_ATM_AAL5, "ATM AAL5 VCC transport" }, +{ LDP_MARTINI_VCTYPE_ATM_CELL, "ATM transparent cell transport" }, +{ LDP_MARTINI_VCTYPE_ETH_VLAN, "Ethernet VLAN" }, +{ LDP_MARTINI_VCTYPE_ETHERNET, "Ethernet" }, +{ LDP_MARTINI_VCTYPE_HDLC, "HDLC" }, +{ LDP_MARTINI_VCTYPE_PPP, "PPP" }, +{ LDP_MARTINI_VCTYPE_CEM, "SONET/SDH Circuit Emulation Service" }, +{ LDP_MARTINI_VCTYPE_ATM_VCC, "ATM VCC cell transport" }, +{ LDP_MARTINI_VCTYPE_ATM_VPC, "ATM VPC cell transport" }, +{ 0, NULL} +}; + +/* RFC1700 address family numbers, same definition in print-bgp.c */ +#define AFNUM_INET 1 +#define AFNUM_INET62 + #define FALSE 0 #define TRUE 1 @@ -198,7 +246,11 @@ }; const struct ldp_tlv_header *ldp_tlv_header; -u_short tlv_type,tlv_len,tlv_tlen; +u_short tlv_type,tlv_len,tlv_tlen,af,ft_flags; +u_char fec_type,prelen; +u_int ui; +char buf[100]; +int i; ldp_tlv_header = (const struct ldp_tlv_header *)tptr; tlv_len=EXTRACT_16BITS(ldp_tlv_header->length); @@ -238,23 +290,121 @@ printf("\n\t Sequence Number: %u", EXTRACT_32BITS(tptr)); break; +case LDP_TLV_ADDRESS_LIST: + af = EXTRACT_16BITS(tptr); + tptr+=2; + printf("\n\t Adress Family: "); + if (af == AFNUM_INET) { + printf("IPv4, addresses:"); + for (i=0; i<(tlv_tlen-2)/4; i++) { +
Re: [tcpdump-workers] savefile.c patch
> Since pcap_dump_close() doesn't have a pcap_t argument, where should > the oldmode come from? Can we have two module globals; oldmode_stdin, > oldmode_stdout, assuming stdin/stdout won't be opened for capture more > than once? I've added a 'long filemode' to 'struct pcap' (long since O_BINARY is 0x8000 on some targets and 16-bit DOS/Win is still used, *not*). Also some heuristics for restoring the mode in pcap_dump_close(). Updated patch attached. --gv--- libpcap-2004.05.20/pcap-int.h Wed Apr 07 20:41:00 2004 +++ pcap-int.h Thu May 27 16:51:35 2004 @@ -111,6 +111,7 @@ int offset; /* offset for proper alignment */ int break_loop; /* flag set to force break from packet-reading loop */ + long filemode; /* previous translation mode for stdin/stdout */ struct pcap_sf sf; struct pcap_md md; --- libpcap-2004.05.20/savefile.c Tue Mar 23 21:18:08 2004 +++ savefile.c Thu May 27 17:04:24 2004 @@ -52,6 +52,12 @@ #define TCPDUMP_MAGIC 0xa1b2c3d4 #define PATCHED_TCPDUMP_MAGIC 0xa1b2cd34 +#if defined(WIN32) || defined(MSDOS) +#define SETMODE(file,mode) setmode(file,mode) +#else +#define SETMODE(file,mode) (-1) +#endif + /* * We use the "receiver-makes-right" approach to byte order, * because time is at a premium when we are writing the file. @@ -515,6 +521,20 @@ return linktype; } +/* + * Close dump/save-file or restore old translation mode of stdin/stdout. + */ +static int +file_close(FILE *fil, long filemode) +{ + if (fil != stdin && fil != stdout) + return fclose (fil); + + (void) SETMODE (fileno(fil), filemode > -1L ? filemode : O_TEXT); + return (0); +} + + static int sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen) { @@ -585,8 +605,7 @@ static void sf_close(pcap_t *p) { - if (p->sf.rfile != stdin) - (void)fclose(p->sf.rfile); + file_close(p->sf.rfile, p->filemode); if (p->sf.base != NULL) free(p->sf.base); } @@ -602,20 +621,18 @@ p = (pcap_t *)malloc(sizeof(*p)); if (p == NULL) { - strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE); + strlcpy(errbuf, "out of memory", PCAP_ERRBUF_SIZE); return (NULL); } memset((char *)p, 0, sizeof(*p)); - - if (fname[0] == '-' && fname[1] == '\0') + if (fname[0] == '-' && fname[1] == '\0') { fp = stdin; + p->filemode = SETMODE(fileno(fp), O_BINARY); + } else { -#ifndef WIN32 - fp = fopen(fname, "r"); -#else + p->filemode = -1L; /* Always binary, but we don't need this */ fp = fopen(fname, "rb"); -#endif if (fp == NULL) { snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname, pcap_strerror(errno)); @@ -726,13 +743,15 @@ break; } -#ifndef WIN32 +#if !defined(WIN32) && !defined(MSDOS) /* * You can do "select()" and "poll()" on plain files on most * platforms, and should be able to do so on pipes. * * You can't do "select()" on anything other than sockets in * Windows, so, on Win32 systems, we don't have "selectable_fd". +* But one could use 'WaitForSingleObject()' on HANDLE obtained +* from '_get_osfhandle(p->selectable_fd)'. */ p->selectable_fd = fileno(fp); #endif @@ -749,7 +768,7 @@ return (p); bad: if(fp) - fclose(fp); + file_close(fp, p->filemode); free(p); return (NULL); } @@ -985,26 +1004,22 @@ if (fname[0] == '-' && fname[1] == '\0') { f = stdout; -#ifdef WIN32 - _setmode(_fileno(f), _O_BINARY); -#endif + p->filemode = SETMODE(fileno(f), O_BINARY); } else { -#ifndef WIN32 - f = fopen(fname, "w"); -#else + p->filemode = -1L; f = fopen(fname, "wb"); -#endif - if (f == NULL) { + /* setbuf(f, NULL); */ /* XXX - why? */ + } + + if (!f || sf_write_header(f, linktype, p->tzoff, p->snapshot) < 0) { snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname, pcap_strerror(errno)); - return (NULL); - } -#ifdef WIN32 - setbuf(f, NULL);/* XXX - why? */ -#endif + if (f) + file_close(f, p->filemode); + p->filemode = -1L; + f = NULL; } - (void)sf_write_header(f, linktype, p->tzoff, p->snapshot); - return ((pcap_dumper_t *)f); + return (pcap_dumper_t*)f; } FILE * @@ -1026,11 +1041,13 @@ void pcap_dump_close(pcap_dumper_t *p) { + FILE *fil = (FILE*)p; #ifdef notyet - if (ferror((FILE *)p)) + if (ferror(fil))
Re: [tcpdump-workers] savefile.c patch
"Guy Harris" <[EMAIL PROTECTED]> said: > Also, should we save the mode returned by "setmode()" and restore it > when we close a "pcap_t" or "pcap_dumper_t" that refers to the standard > input or output? Since pcap_dump_close() doesn't have a pcap_t argument, where should the oldmode come from? Can we have two module globals; oldmode_stdin, oldmode_stdout, assuming stdin/stdout won't be opened for capture more than once? Ideally it should be "pcap_dump_flush(pcap_t *p)", but too late to change that now. --gv - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
[tcpdump-workers] Automatic report from sources (tcpdump libpcap htdocs) between 26.05.2004 - 27.05.2004 GMT
CVS log entries from 26.05.2004 (Wed) 09:04:04 - 27.05.2004 (Thu) 09:04:04 GMT = Summary by authors = Author: guy File: tcpdump/CREDITS; Revisions: 1.94 File: tcpdump/print-ipx.c; Revisions: 1.40 = Combined list of identical log entries = Description: >From Steinar Haug <[EMAIL PROTECTED]>: put declarations inside a function before all executable statements. Clean up white space. Modified files: File: tcpdump/CREDITS; Revision: 1.94; Date: 2004/05/26 19:57:57; Author: guy; Lines: (+1 -0) File: tcpdump/print-ipx.c; Revision: 1.40; Date: 2004/05/26 19:57:57; Author: guy; Lines: (+5 -5) = Log entries = = Summary of modified files = File: tcpdump/CREDITS Revisions: 1.94 Authors: guy (+1 -0) --- File: tcpdump/print-ipx.c Revisions: 1.40 Authors: guy (+5 -5) -- Automatic cron job from /tcpdump/bin/makelog - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.