6 years agoFix the pointer tests in the non-ndoified TTEST2() macro as well. tcpdump-4.2
Guy Harris [Mon, 2 Mar 2015 21:46:29 +0000 (13:46 -0800)] 
Fix the pointer tests in the non-ndoified TTEST2() macro as well.

6 years agoAC_TYPE_UINTPTR_T requires a newer autoconf.
Guy Harris [Mon, 2 Mar 2015 21:37:18 +0000 (13:37 -0800)] 
AC_TYPE_UINTPTR_T requires a newer autoconf.

6 years agoC compilers can, and some do, optimize away pointer underflow checks.
Guy Harris [Mon, 2 Mar 2015 21:25:12 +0000 (13:25 -0800)] 
C compilers can, and some do, optimize away pointer underflow checks.

Cast the pointers to uintptr_t; use AC_TYPE_UINTPTR_T to get uintptr_t
defined on older platforms that don't define it themselves.

6 years agoDon't run past the snaplength when printing a packet with a too-short LI.
Guy Harris [Sun, 1 Mar 2015 19:00:21 +0000 (11:00 -0800)] 
Don't run past the snaplength when printing a packet with a too-short LI.

Fixes GitHub issue #437.

7 years agoCheck not just the capture length but the on-the-network length.
Guy Harris [Tue, 6 Jan 2015 08:44:11 +0000 (00:44 -0800)] 
Check not just the capture length but the on-the-network length.

7 years agoDon't run past the snapshot length when doing hex/ASCII dumps.
Guy Harris [Thu, 23 Oct 2014 07:06:32 +0000 (00:06 -0700)] 
Don't run past the snapshot length when doing hex/ASCII dumps.

7 years agoDo bounds checking when unescaping PPP.
Guy Harris [Wed, 22 Oct 2014 19:31:21 +0000 (12:31 -0700)] 
Do bounds checking when unescaping PPP.

Clean up a const issue while we're at it.

7 years agoDon't subtract the UDP header size from the length twice.
Guy Harris [Mon, 20 Oct 2014 18:34:24 +0000 (11:34 -0700)] 
Don't subtract the UDP header size from the length twice.

7 years agoUse the length field in the UDP header.
Guy Harris [Sun, 19 Oct 2014 20:42:00 +0000 (13:42 -0700)] 
Use the length field in the UDP header.

If it's less than the length of the IP payload, use it as the size of
the UDP packet.  If it's greater than the length of the IP payload,
and we're not dissecting the payload, report the length as bad.

7 years agoReport a too-long unreachable destination list.
Guy Harris [Wed, 12 Nov 2014 09:09:27 +0000 (01:09 -0800)] 
Report a too-long unreachable destination list.

Running out of packet length before running out of unreachable
destinations is an error; report it as such.

Don't worry about leftover data past the end of the list of unreachable

7 years agoNot using offsetof() any more, so no need for <stddef.h>.
Guy Harris [Wed, 12 Nov 2014 03:18:12 +0000 (19:18 -0800)] 
Not using offsetof() any more, so no need for <stddef.h>.

7 years agoFurther cleanups.
Guy Harris [Wed, 12 Nov 2014 03:05:48 +0000 (19:05 -0800)] 
Further cleanups.

Use ND_TCHECK() rather than home-brew bounds checks.  Do simpler length

Let i be the length of the actual remaining packet data; use ND_TCHECK()
inside loops that iterate over the remaining data.

Let the printers for particular message types cast the raw data pointer
to a pointer of the appropriate type, rather than passing two pointers,
with different types, to the same data.

7 years agoClean up error message printing.
Guy Harris [Wed, 12 Nov 2014 02:37:35 +0000 (18:37 -0800)] 
Clean up error message printing.

Have "struct aodv_rerr" just be the header, not including the actual

Simplify the logic somewhat, and make it similar in the print routines
for the three types of error messages.

7 years agoAdd initial bounds check, get rid of union aodv.
Guy Harris [Wed, 12 Nov 2014 01:24:12 +0000 (17:24 -0800)] 
Add initial bounds check, get rid of union aodv.

Fetch the type field without using a structure, and check to make sure
it's not past the end of the packet.

Pass to each dissection routine a pointer to the appropriate message
type structure, rather than a pointer to a union of all the message type

7 years agoDo more bounds checking and length checking.
Guy Harris [Wed, 12 Nov 2014 00:49:39 +0000 (16:49 -0800)] 
Do more bounds checking and length checking.

Don't run past the end of the captured data, and don't run past the end
of the packet (i.e., don't make the length variable go negative).

Also, stop dissecting if the message length isn't valid.

7 years agoThe interval in an AODV HELLO extension is not aligned on a 4-byte boundary.
Guy Harris [Mon, 20 Jan 2014 03:19:22 +0000 (19:19 -0800)] 
The interval in an AODV HELLO extension is not aligned on a 4-byte boundary.

9 years agoGive more information on -l, and note that -U works without -w.
Guy Harris [Sat, 10 Mar 2012 23:23:50 +0000 (15:23 -0800)] 
Give more information on -l, and note that -U works without -w.

Note that -l, on Windows (i.e., in WinDump), is unbuffered, not
line-buffered, and describe -U as an alternative (that doesn't have that
problem on Windows).

Note that -U does packet-buffering without -w.

Fix up the formatting of the example command lines with -l.

9 years agoDiscuss buffering when describing the -w flag.
Guy Harris [Sat, 10 Mar 2012 22:57:00 +0000 (14:57 -0800)] 
Discuss buffering when describing the -w flag.

Mention that the output of tcpdump -w is buffered, and note that this
means packets won't necessarily show up in the output as soon as they're
received, so programs reading that output won't see them immediately,
and note that the -U flag forces "packet buffering" so that a reader
will see the packets as soon as they're received.

9 years agoFix the other typo, so setting CPPFLAGS in the environment works correctly.
Guy Harris [Mon, 5 Mar 2012 16:12:32 +0000 (08:12 -0800)] 
Fix the other typo, so setting CPPFLAGS in the environment works correctly.

Based-On-Patch-From: Simon Ruderich <>

9 years agoAsk for the libpcap Makefile while we're at it.
Guy Harris [Sun, 4 Mar 2012 00:10:42 +0000 (16:10 -0800)] 
Ask for the libpcap Makefile while we're at it. that we can see what's being used to turn grammar.y into

While we're at it, say "config.log file from the libpcap source
directory", in the hopes of making it more likely that we'll get it in
addition to the tcpdump config.log.

9 years agoFix typo, so setting CPPFLAGS in the environment works correctly.
Guy Harris [Sat, 3 Mar 2012 21:36:17 +0000 (13:36 -0800)] 
Fix typo, so setting CPPFLAGS in the environment works correctly.

Based-On-Patch-From: Simon Ruderich <>

9 years agoAsk for more information if we don't find pcap_loop.
Guy Harris [Sat, 3 Mar 2012 21:32:11 +0000 (13:32 -0800)] 
Ask for more information if we don't find pcap_loop.

I give up.

People keep reporting that the configure process for tcpdump fails to
find pcap_loop, and the config.log file they send us says there's no
pcap_parse in libpcap, which suggests that something went wrong in the
build process for libpcap; perhaps they don't have Bison and the
configure script got confused and failed to cause the parser to be named
"pcap_parse", or something such as that, or perhaps Bison was recently
"improved" in a fashion that breaks that, but I've never been able to
reproduce this on any of the Linux distribution installations to which
*I* have access.

I therefore ask them to send the config.log output and make output for
libpcap; *not one of the reporters of this problem* has bothered to send
that information, so we're stuck.  Perhaps they don't care enough (in
which case, why did they bother asking us about it?), or perhaps they're
annoyed that we asked them a further question rather than Just Fixing
The Problem(TM) (in which case, all I have to say is "welcome to the
Wonderful World Of Computer Software(TM) - get used to it").

So let's just ask for all that information.  (I would not be surprised
if this doesn't suffice and that they *still* just send us the tcpdump
config.log output, but at least I'll be able to tell them that they
should have Read The Fine Error Message(TM).)

9 years agoPrint a space after the options if there are any options.
Guy Harris [Tue, 28 Feb 2012 23:45:48 +0000 (15:45 -0800)] 
Print a space after the options if there are any options.

9 years agoGet rid of extra blank after unknown options.
Matthew Luckie [Tue, 28 Feb 2012 23:41:12 +0000 (15:41 -0800)] 
Get rid of extra blank after unknown options.

Reviewed-By: Guy Harris <>
9 years agoUse expr instead of bashisms.
Dagobert Michelsen [Tue, 28 Feb 2012 23:31:38 +0000 (15:31 -0800)] 
Use expr instead of bashisms.

Reviewed-By: Guy Harris <>
10 years agobumped version in case we another point release
Michael Richardson [Mon, 2 Jan 2012 02:10:22 +0000 (21:10 -0500)] 
bumped version in case we another point release

10 years agobittypes.h is no longer required include for windows tcpdump-4.2.1
Michael Richardson [Mon, 2 Jan 2012 00:55:22 +0000 (19:55 -0500)] 
bittypes.h is no longer required include for windows

10 years agoSet version to 4.2.1 for release
Michael Richardson [Mon, 2 Jan 2012 00:53:48 +0000 (19:53 -0500)] 
Set version to 4.2.1 for release

10 years agofor some reason, ip-proto-72 was decoded as "cpnx" at some point
Michael Richardson [Mon, 2 Jan 2012 00:53:29 +0000 (19:53 -0500)] 
for some reason, ip-proto-72 was decoded as "cpnx" at some point

10 years agoNote the length checks in the Babel printer.
Guy Harris [Mon, 19 Dec 2011 00:06:05 +0000 (16:06 -0800)] 
Note the length checks in the Babel printer.

10 years agoAdd length checks, use EXTRACT_16BITS().
Guy Harris [Mon, 19 Dec 2011 00:05:05 +0000 (16:05 -0800)] 
Add length checks, use EXTRACT_16BITS().

Use EXTRACT_16BITS() rather than a hand-rolled macro to extract
big-endian 16-bit quantities from the packet.

When processing the message, check against the body length *and* the UDP
payload length, as well as against the raw frame length.

10 years agoAdd changes in 4.2.1.
Guy Harris [Sat, 10 Dec 2011 01:31:08 +0000 (17:31 -0800)] 
Add changes in 4.2.1.

10 years agoMake this 4.2.1-PRE-GIT for now, in preparation for a release.
Guy Harris [Sat, 10 Dec 2011 01:08:19 +0000 (17:08 -0800)] 
Make this 4.2.1-PRE-GIT for now, in preparation for a release.

10 years agoFix a typo (from the Red Hat tcpdump package) and use .LP.
Guy Harris [Fri, 9 Dec 2011 09:35:55 +0000 (01:35 -0800)] 
Fix a typo (from the Red Hat tcpdump package) and use .LP.

10 years agoGet rid of an unused variable.
Guy Harris [Fri, 9 Dec 2011 07:06:00 +0000 (23:06 -0800)] 
Get rid of an unused variable.

10 years agoFix a bunch of "sizeof(sizeof(XXX))".
Sascha Wildner [Wed, 7 Dec 2011 18:42:12 +0000 (10:42 -0800)] 
Fix a bunch of "sizeof(sizeof(XXX))".

In some places, there was one too many levels of sizeof() -
sizeof(sizeof(XXX)) is sizeof(size_t), but we wanted the size of type

Reviewed-By: Guy Harris <>
10 years agoAdd a CARP dissector and a command-line option to dissect proto 112 as CARP.
George Neville-Neil [Wed, 23 Nov 2011 19:53:13 +0000 (11:53 -0800)] 
Add a CARP dissector and a command-line option to dissect proto 112 as CARP.

CARP and VRRP both use IP protocol number 112, so there needs to be a -T
flag to specify that protocol 112 be dissected as CARP rather than VRRP.

Also update the man page.

10 years agoConstify some arguments.
Guy Harris [Fri, 14 Oct 2011 04:49:18 +0000 (21:49 -0700)] 
Constify some arguments.

10 years agoPut in missing break.
Michal Sekletar [Fri, 14 Oct 2011 03:13:03 +0000 (20:13 -0700)] 
Put in missing break.

Reviewed-by: Guy Harris <>
10 years agoRemove unnecessary test.
Michal Sekletar [Fri, 14 Oct 2011 03:10:11 +0000 (20:10 -0700)] 
Remove unnecessary test.

Also, from me: add a comment explaining why the test isn't being done.

Reviewed-by: Guy Harris <>
10 years agoClean up option-walking code.
Guy Harris [Fri, 14 Oct 2011 03:03:29 +0000 (20:03 -0700)] 
Clean up option-walking code.

Loop as long as the remaining option list length is not zero, even if
that means we try to process the remaining options if the remaining
length is 1, so that if the option length is bogus, we'll report it.

Check for a valid ESIS_OPTION_ES_CONF_TIME length - it's supposed to be

10 years agoFix test output - IP protocol 72 is in /etc/services on at least some UN*Xes.
zilog80a [Fri, 14 Oct 2011 02:44:07 +0000 (19:44 -0700)] 
Fix test output - IP protocol 72 is in /etc/services on at least some UN*Xes.

Reviewed-By: Guy Harris <>
10 years agoChange name of Hilscher link types to say NETANALYER.
Guy Harris [Fri, 16 Sep 2011 00:39:56 +0000 (17:39 -0700)] 
Change name of Hilscher link types to say NETANALYER.

That makes the names a bit shorter, and mentions the specific Hilscher
product to which they apply.

10 years agoAdd printers for the Hilscher Ethernet link-layer types.
Guy Harris [Thu, 15 Sep 2011 19:56:17 +0000 (12:56 -0700)] 
Add printers for the Hilscher Ethernet link-layer types.

10 years agoHandle systems with getrpcbynumber() but no header file for it.
Guy Harris [Sat, 3 Sep 2011 04:31:09 +0000 (21:31 -0700)] 
Handle systems with getrpcbynumber() but no header file for it.

Glibc 2.14 doesn't install the ONC RPC headers, but it installs the ONC
RPC routines, presumably for binary compatibility.  Don't use
getrpcbynumber() unless we have it *and* the header file to declare it.

10 years agoFor Babel, recognise both UDP/6696 and UDP/6697.
Juliusz Chroboczek [Sat, 27 Aug 2011 14:36:10 +0000 (16:36 +0200)] 
For Babel, recognise both UDP/6696 and UDP/6697.

IANA has reallocated the Babel port; it is now 6696.  This patch makes
tcpdump recognise both the old and the new Babel ports.

10 years agoGet rid of another zero-length array.
Guy Harris [Mon, 15 Aug 2011 00:28:02 +0000 (17:28 -0700)] 
Get rid of another zero-length array.

10 years agoDon't compile print-babel.c if we don't have IPv6 support.
Guy Harris [Sun, 14 Aug 2011 23:26:32 +0000 (16:26 -0700)] 
Don't compile print-babel.c if we don't have IPv6 support.

10 years agoGet rid of GCCisms.
Guy Harris [Sun, 14 Aug 2011 22:42:31 +0000 (15:42 -0700)] 
Get rid of GCCisms.

Not all C compilers support anonymous unions in structures, zero-length
array members of structures, or __attribute__.

10 years agoDon't assume we have IPv6 support.
Guy Harris [Sun, 14 Aug 2011 22:32:06 +0000 (15:32 -0700)] 
Don't assume we have IPv6 support.

10 years agoDeclare all local variables before any executable statements.
Guy Harris [Sun, 14 Aug 2011 22:29:49 +0000 (15:29 -0700)] 
Declare all local variables before any executable statements.

Some C compilers let you get away with that C++-ism; not all do.

10 years agoMake sure ppi.h is in the release tarball.
Romain Francoise [Sun, 14 Aug 2011 21:43:23 +0000 (14:43 -0700)] 
Make sure ppi.h is in the release tarball.

Reviewed-By: Guy Harris <>
10 years agoAlso get rid of
Guy Harris [Tue, 26 Jul 2011 17:25:49 +0000 (10:25 -0700)] 
Also get rid of

10 years agoUpdate the EXTRA_DIST list to reflect what's now in the tests directory.
Guy Harris [Tue, 26 Jul 2011 17:24:31 +0000 (10:24 -0700)] 
Update the EXTRA_DIST list to reflect what's now in the tests directory.

10 years agoFixed version value
Michael Richardson [Mon, 25 Jul 2011 00:20:28 +0000 (20:20 -0400)] 
Fixed version value

10 years agoChanges for 4.2 of tcpdump
Michael Richardson [Mon, 25 Jul 2011 00:15:39 +0000 (20:15 -0400)] 
Changes for 4.2 of tcpdump

10 years agoFwd: pcap files
Jamal Hadi Salim [Tue, 28 Jun 2011 20:23:35 +0000 (16:23 -0400)] 
Fwd: pcap files

On Tue, Jun 28, 2011 at 3:52 PM, Michael Richardson <> wrote:

> I'm not aware of a new file.

The email i responded to had 4 attachments sent by Evangelos.
Those were supposed to replace the files with those exact names.

> Please send github tree, ideally.

You mentioned github to me last time and offered to get me to
learn it in 5 minutes;->  I havent had time and the old school stuff i do
still works.
How about i send you patch #1 to delete the old files (as attached)
and another to re-add with new ones.
Alternatively: I could send one that overrides the existing ones.

> --
> ]       He who is tired of Weird Al is tired of life!           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] |device driver[
>   Kyoto Plus: watch the video <>
>                       then sign the petition.

commit d93443f24bfb5fd982ff33deb66979bae811db57
Author: Jamal Hadi Salim <>
Date:   Tue Jun 28 16:15:49 2011 -0400

    [PATCH] Remove test files using old ForCES ports

Signed-off-by: Jamal Hadi Salim <>
10 years agoignore more cruft
Michael Richardson [Sun, 3 Jul 2011 20:14:31 +0000 (16:14 -0400)] 
ignore more cruft

10 years agoremoved unneeded pcap file
Michael Richardson [Sun, 3 Jul 2011 20:14:19 +0000 (16:14 -0400)] 
removed unneeded pcap file

10 years agoNote that ndo_error doesn't, and *ndo_error shouldn't, return.
Guy Harris [Sat, 25 Jun 2011 01:24:11 +0000 (18:24 -0700)] 
Note that ndo_error doesn't, and *ndo_error shouldn't, return.

Tcpdump's ndo_error() doesn't return.  Any other ndo_error routine
supplied to netdissect shouldn't, either, as printers expect it not to.

10 years agoUse "-H", not "-h", for the 802.11s option, and improve error reporting.
Guy Harris [Wed, 22 Jun 2011 01:15:50 +0000 (18:15 -0700)] 
Use "-H", not "-h", for the 802.11s option, and improve error reporting.

I was rudely surprised to find that "tcpdump -h" wasn't printing a usage
message, and I'm the person who *added* the "-h" option.  Make it "-H",
and add an explicit "-h" option to print a usage message, so nobody else
makes the same mistake.  Also, don't clear opterr, so that if you give
an illegal command-line option, you get an explanatory error message.

10 years agofrom Weesan Lee <>: display pim bidir support
Hannes Gredler [Tue, 21 Jun 2011 14:17:34 +0000 (16:17 +0200)] 
from Weesan Lee <>: display pim bidir support

10 years agoHandle ICMP6 checksums more like TCP checksums.
Guy Harris [Fri, 17 Jun 2011 08:17:47 +0000 (01:17 -0700)] 
Handle ICMP6 checksums more like TCP checksums.

Instead of printing the result of icmp6_cksum() if it's non-zero, print
the checksum field value and the value it should have had.  That means
that what we print is the same regardless of whether we're running on a
big-endian or little-endian machine.

10 years agoFix some warnings.
Guy Harris [Fri, 17 Jun 2011 08:11:17 +0000 (01:11 -0700)] 
Fix some warnings.

10 years agoAdd a routine to do the "checksum with pseudo-header" stuff for IPv4.
Guy Harris [Fri, 17 Jun 2011 08:09:16 +0000 (01:09 -0700)] 
Add a routine to do the "checksum with pseudo-header" stuff for IPv4.

Clean up some other stuff while we're at it.

10 years agoUse nextproto6_cksum() for XXX-over-IPv6 checksums.
Guy Harris [Fri, 17 Jun 2011 07:51:47 +0000 (00:51 -0700)] 
Use nextproto6_cksum() for XXX-over-IPv6 checksums.

Get rid of duplicated checksums with IPv6 pseudo-headers.

10 years agoHandle UDP checksums more like TCP checksums.
Guy Harris [Fri, 17 Jun 2011 05:10:36 +0000 (22:10 -0700)] 
Handle UDP checksums more like TCP checksums.

Instead of printing the result of udp_cksum() if it's non-zero, print
the checksum field value and the value it should have had.  That means
that what we print is the same regardless of whether we're running on a
big-endian or little-endian machine.

Also, just as we did with TCP:

Check -v and -K, and the fragmented flag, up front; then check the IP
version etc..  Don't check for IPv6 if we already know it's IPv4.  Fetch
the checksum field only once.

Update some test files for the new output format.

10 years agoGet rid of $Id$ - you can't get that with Git.
Guy Harris [Fri, 17 Jun 2011 04:52:31 +0000 (21:52 -0700)] 
Get rid of $Id$ - you can't get that with Git.

10 years agoClean up the checksum checking.
Guy Harris [Fri, 17 Jun 2011 04:50:26 +0000 (21:50 -0700)] 
Clean up the checksum checking.

Check -v and -K, and the fragmented flag, up front; then check the IP
version etc..  Don't check for IPv6 if we already know it's IPv4.  Fetch
the checksum field only once.

10 years agoadd support for the RPKI/Router Protocol as per draft-ietf-sidr-rpki-rtr-12
Hannes Gredler [Thu, 16 Jun 2011 15:17:20 +0000 (17:17 +0200)] 
add support for the RPKI/Router Protocol as per draft-ietf-sidr-rpki-rtr-12

10 years agoGo with Wireshark's Internet checksum routine.
Guy Harris [Mon, 13 Jun 2011 21:08:51 +0000 (14:08 -0700)] 
Go with Wireshark's Internet checksum routine.

The Wireshark routine is based on the BSD in-kernel portable checksum
routine (thus BSD-licensed); it takes a vector of pointers and lengths
and checksums the concatenation of the buffers in question (just as the
BSD in-kernel routine checksums a chain of mbufs).

This simplifies the "with a pseudo-header" checksums; hopefully it'll
fix up the problems being seen on some big-endian platforms, which might
be due to hand-calculating some or all of the checksum and doing so
incorrectly.  It also gets rid of some code that might be dereferencing
unaligned pointers.

10 years agoUpdate sflow test output to reflect recent changes to print-sflow.c.
Guy Harris [Mon, 13 Jun 2011 01:39:11 +0000 (18:39 -0700)] 
Update sflow test output to reflect recent changes to print-sflow.c.

10 years agoFix some problems with the tests.
Guy Harris [Mon, 13 Jun 2011 01:08:55 +0000 (18:08 -0700)] 
Fix some problems with the tests.

Get rid of some no-longer-necessary uudecodes (Git can store binary
files such as pcap files, so we no longer need to uuencode them, and the
uuencoded files are no longer around), and handle the "-X" and "-XX"
flag tests (where we had to rename the "should be" output files to avoid
collisions on case-insensitive file systems such as the default local
file system on the desktop UN*X with the biggest market share).

10 years agoThe ifSpeed field of a generic interface counter in sFlow is 64 bits.
Rick Jones [Thu, 2 Jun 2011 17:56:08 +0000 (10:56 -0700)] 
The ifSpeed field of a generic interface counter in sFlow is 64 bits.

The "overlay" definition in print-sflow.c is correct, but the actual
extract for printing is using EXTRACT_32BITS rather than EXTRACT_64BITS,
which leads to an incorrect report for speed.

Reviewed-By: Guy Harris <>
10 years agoDon't use "struct netdissect_options" in interface.h.
Guy Harris [Thu, 5 May 2011 09:25:42 +0000 (02:25 -0700)] 
Don't use "struct netdissect_options" in interface.h.

Use it in netdissect.h, where it's defined; otherwise, we get a bunch of
warnings when compiling modules that include interface.h but don't yet
include netdissect.h.

10 years agoFrom: Darren Reed <>
Michael Richardson [Tue, 3 May 2011 22:58:32 +0000 (18:58 -0400)] 
From: Darren Reed <>
Date: Sat, 09 Apr 2011 12:51:14 +1000
Subject: [tcpdump-workers] Printing PPI packets

Printing PPI packets with tcpdump does not turn out
to be that hard.

My simple tests have produced the output as below.

It would be worthwhile having some changes made into
the tcpdump code base that were similar to the attached
that print them out.

10 years agoremoved need for uudecode
Michael Richardson [Sat, 30 Apr 2011 22:51:51 +0000 (18:51 -0400)] 
removed need for uudecode

10 years agoadded babal test cases
Michael Richardson [Thu, 28 Apr 2011 22:51:09 +0000 (18:51 -0400)] 
added babal test cases

10 years agoMerge branch 'master' of git+ssh://
Michael Richardson [Thu, 28 Apr 2011 22:27:59 +0000 (18:27 -0400)] 
Merge branch 'master' of git+ssh://

10 years agoupdated forces test cases
Michael Richardson [Thu, 28 Apr 2011 22:27:24 +0000 (18:27 -0400)] 
updated forces test cases

10 years agoFix endianness of some parameters.
Andrew Nording [Thu, 28 Apr 2011 19:38:55 +0000 (12:38 -0700)] 
Fix endianness of some parameters.

Reviewed-By: Guy Harris <>
10 years agoAdd error checking and support for DCB Exchange protocol (DCBX) version 1.01.
Guy Harris [Thu, 28 Apr 2011 18:24:12 +0000 (11:24 -0700)] 
Add error checking and support for DCB Exchange protocol (DCBX) version 1.01.

From Kaladhar Musunuru <>:

Added support for DCB Exchange protocol (DCBX) version 1.01.

DCBX protocol exchanges control state machine and generic feature state
machine parameters as Organizationally specific TLVs.  The OUI used for
the DCBX TLV 1.01 is 0x001B21.  Following TLVs are decoded:

- Control state
- Priority Groups (PG)
- Priority-based Flow Control (PFC)
- Application Protocol (APP)

From me:

Add a bunch of additional error checking, and sort the main switch
statement by TLV code (and thus by the order in the specification).
Also update/add indications of what standards document what items.

10 years agoBabel dissector, from Juliusz Chroboczek and Grégoire Henry.
Juliusz Chroboczek [Wed, 27 Apr 2011 23:14:43 +0000 (16:14 -0700)] 
Babel dissector, from Juliusz Chroboczek and Grégoire Henry.

Reviewed-By: Guy Harris <>
10 years agoTry to handle radiotap Rate values > 127 better.
Guy Harris [Wed, 27 Apr 2011 22:15:09 +0000 (15:15 -0700)] 
Try to handle radiotap Rate values > 127 better.

Use the same heuristic Wireshark uses, i.e. assume that FreeBSD only
reports MCS indices between 0 and 15, and that any other values with the
0x80 bit set are rate values.  (Yes, those do exist.)

Also note, as I did in Wireshark, that it might be possible to extract
from the XChannel and Flags field the additional information to convert
an MCS index from the Rate field into a rate.  (Whether that's possible
depends on what platforms using the FreeBSD convention do with the
channel width and guard interval information.)

10 years agoMerge branch 'master' of git+ssh://
Michael Richardson [Wed, 27 Apr 2011 21:47:50 +0000 (17:47 -0400)] 
Merge branch 'master' of git+ssh://

10 years agoAdd printer for the Babel routing protocol (RFC 6126).
Juliusz Chroboczek [Sun, 24 Apr 2011 00:53:08 +0000 (02:53 +0200)] 
Add printer for the Babel routing protocol (RFC 6126).

This version includes a couple of fixes from Wireshark.

10 years agoadded sflow test cases
Michael Richardson [Wed, 27 Apr 2011 19:21:21 +0000 (15:21 -0400)] 
added sflow test cases

10 years agoSupport RX flags, MCS and the vendor namespace, and fix Rate.
Guy Harris [Wed, 27 Apr 2011 19:08:27 +0000 (12:08 -0700)] 
Support RX flags, MCS and the vendor namespace, and fix Rate.

Based on patches from an anonymous donor, support the radiotap RX flags and
MCS fields, and the vendor namespace, and, if Channel and XChannel are
both present, use XChannel, not Channel.

Do not try to look up a rate for an MCS value from the Rate field; you
cannot map an MCS value to a rate without also knowing the channel width
and guard interval length.

10 years agoHandle the enterprise field of the sflow flow and counter record format.
Rick Jones [Fri, 15 Apr 2011 17:01:02 +0000 (10:01 -0700)] 
Handle the enterprise field of the sflow flow and counter record format.

Thanks to some traces sent my way by Gavin McCullagh, and a comparison
against the output of inMon's sflowtool, I can confidently say "Yes
Virginia, there is an enterprise other than zero."  Which means lest we
start trying to decode something as what it is not, we best actually
look at the enterprise field and make sure it is one we recognize.

10 years agoTo enable printing of non-expanded samples I've shuffled a bunch of code
Rick Jones [Thu, 14 Apr 2011 18:32:08 +0000 (11:32 -0700)] 
To enable printing of non-expanded samples I've shuffled a bunch of code
around and created a bunch of smaller routines to more easily support
printing of both expanded and non-expanded counter and flow samples.
I've done simple testing of non-expanded counter and flow, and expanded
counter, but I don't have expanded flow at present with which to test.
So, that part of the change is only compile/eyeball tested.

Reviewed-and-tweaked-by: Guy Harris <>
10 years agoFix the handling of unknown tagged parameters in management frames.
Guy Harris [Tue, 5 Apr 2011 16:53:57 +0000 (09:53 -0700)] 
Fix the handling of unknown tagged parameters in management frames.

Fetch the element length early in the process, rather than fetching it
each time we need it - even after we've advanced the pointer we are
using to fetch it (doing the latter means we fetch the wrong value when
we subtract it from the remaining length).

10 years agoProcess the flags even if parsing the full radiotap header fails.
Guy Harris [Tue, 5 Apr 2011 04:32:58 +0000 (21:32 -0700)] 
Process the flags even if parsing the full radiotap header fails.

If we were able to get the flags, we should process them, so we know
whether there's Atheros padding after the 802.11 header or if there's an
FCS at the end of the packet, and properly process them; if we weren't
able to get the flags, they're 0, so we're not doing anything
differently, and that's the best we can do.

10 years agoDon't return value from a filed cpack_uint8() call.
Guy Harris [Tue, 5 Apr 2011 04:30:22 +0000 (21:30 -0700)] 
Don't return value from a filed cpack_uint8() call.

If the cpack_uint8() call to fetch the flags for
IEEE80211_RADIOTAP_FLAGS fails, don't return u.u8, as we didn't fetch
anything into it.

10 years agoCheck the sample, flow, and counter lengths.
Guy Harris [Tue, 5 Apr 2011 02:03:56 +0000 (19:03 -0700)] 
Check the sample, flow, and counter lengths.

When dissecting a sample, or a flow or counter within the sample, make
sure we don't run past the length in the sample/flow/counter header.

This also means we count the sample length down as we process the
contents of the sample, so we only add what, if anything, remains of the
sample to the pointer into the packet, and subtract that from the
remaining data length in the packet, which means we properly handle
packets with multiple samples.

10 years agoInclude <tcpdump-stdinc.h> when checking for headers.
Guy Harris [Mon, 4 Apr 2011 19:07:11 +0000 (12:07 -0700)] 
Include <tcpdump-stdinc.h> when checking for headers.

Now that we're setting V_INCLS correctly, we don't need to include
"tcpdump-stdinc.h" - including <tcpdump-stdinc.h> works.

This also picks up configure changes from the previous

10 years agoProperly define {u_}intN_t types when testing pcap/*.h headers.
Guy Harris [Mon, 4 Apr 2011 19:02:02 +0000 (12:02 -0700)] 
Properly define {u_}intN_t types when testing pcap/*.h headers.

pcap/bluetooth.h and pcap/usb.h require those types, so we check for
those types before checking those headers, and we include
"tcpdump-stdinc.h" in the tests, so the appropriate headers to define
those types get pulled in.

10 years agoExpand srcdir in V_INCLS at configure time, not make time.
Guy Harris [Mon, 4 Apr 2011 18:49:41 +0000 (11:49 -0700)] 
Expand srcdir in V_INCLS at configure time, not make time.

That way, if we temporarily set CPPFLAGS to include V_INCLS, it'll work

10 years agoFix one place where we didn't save and restore CPPFLAGS when modifying it.
Guy Harris [Mon, 4 Apr 2011 18:34:14 +0000 (11:34 -0700)] 
Fix one place where we didn't save and restore CPPFLAGS when modifying it.

10 years agoHave empty.uu explicitly be a uuencoding of /dev/null.
Guy Harris [Mon, 4 Apr 2011 08:18:04 +0000 (01:18 -0700)] 
Have empty.uu explicitly be a uuencoding of /dev/null.

That way, uudecode will write the decoded output there, rather than to a
file named "empty" that gets left around.  That also means we don't need
to redirect the output of uudecode to /dev/null, so don't do that.

10 years agoCheck for uudecode at make time by uudecoding a uuencoded empty file.
Guy Harris [Mon, 4 Apr 2011 07:44:41 +0000 (00:44 -0700)] 
Check for uudecode at make time by uudecoding a uuencoded empty file.

Doing it at make time means you don't have to re-run the configure
script if you add uudecode to your system, and doing it by uudecoding a
uuencoded empty file means we don't depend on uudecode supporting