1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-20 11:11:24 +00:00
freebsd/contrib/tcpdump
Pawel Jakub Dawidek 7008be5bd7 Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.

The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.

The structure definition looks like this:

	struct cap_rights {
		uint64_t	cr_rights[CAP_RIGHTS_VERSION + 2];
	};

The initial CAP_RIGHTS_VERSION is 0.

The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.

The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.

To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.

	#define	CAP_PDKILL	CAPRIGHT(1, 0x0000000000000800ULL)

We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:

	#define	CAP_LOOKUP	CAPRIGHT(0, 0x0000000000000400ULL)
	#define	CAP_FCHMOD	CAPRIGHT(0, 0x0000000000002000ULL)

	#define	CAP_FCHMODAT	(CAP_FCHMOD | CAP_LOOKUP)

There is new API to manage the new cap_rights_t structure:

	cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
	void cap_rights_set(cap_rights_t *rights, ...);
	void cap_rights_clear(cap_rights_t *rights, ...);
	bool cap_rights_is_set(const cap_rights_t *rights, ...);

	bool cap_rights_is_valid(const cap_rights_t *rights);
	void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
	void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
	bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);

Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:

	cap_rights_t rights;

	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);

There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:

	#define	cap_rights_set(rights, ...)				\
		__cap_rights_set((rights), __VA_ARGS__, 0ULL)
	void __cap_rights_set(cap_rights_t *rights, ...);

Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:

	cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);

Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.

This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.

Sponsored by:	The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
..
lbl
missing
.cvsignore
acconfig.h
addrtoname.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
addrtoname.h
af.c
af.h
ah.h
aodv.h
appletalk.h
arcnet.h
atime.awk
atm.h
atmuni31.h
bgp.h Clean some 'svn:executable' properties in the tree. 2013-01-26 22:08:21 +00:00
bootp.h
bpf_dump.c
CHANGES MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
chdlc.h
checksum.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
config.guess
config.h.in
config.sub
configure MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
configure.in MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
cpack.c
cpack.h
CREDITS MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
dccp.h
decnet.h
decode_prefix.h MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
enc.h
esp.h
ether.h
ethertype.h MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
extract.h
fddi.h
forces.h MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
gmpls.c
gmpls.h
gmt2local.c
gmt2local.h
icmp6.h MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
ieee802_11_radio.h
ieee802_11.h
igrp.h
in_cksum.c
install-sh
INSTALL.txt
interface.h Diff reduction against tcpdump revision 949a22064d3534eddeb8aa2b9c36a50e45fe16fa. 2013-05-30 21:25:55 +00:00
ip6.h
ip.h
ipfc.h
ipnet.h
ipproto.c Clean some 'svn:executable' properties in the tree. 2013-01-26 22:08:21 +00:00
ipproto.h
ipsec_doi.h
ipx.h
isakmp.h
l2tp.h
l2vpn.c Clean some 'svn:executable' properties in the tree. 2013-01-26 22:08:21 +00:00
l2vpn.h Clean some 'svn:executable' properties in the tree. 2013-01-26 22:08:21 +00:00
lane.h
LICENSE
llc.h
machdep.c
machdep.h
Makefile-devel-adds
Makefile.in MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
makemib
mib.h
mkdep
mpls.h
nameser.h
netbios.h
netdissect.h MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
nfs.h
nfsfh.h
nlpid.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
nlpid.h MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
ntp.h
oakley.h
ospf6.h
ospf.h
oui.c
oui.h
packetdat.awk
parsenfsfh.c
pcap_dump_ftell.c
pcap-missing.h
pmap_prot.h
ppi.h
ppp.h
print-802_11.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-802_15_4.c
print-ah.c
print-aodv.c
print-ap1394.c
print-arcnet.c
print-arp.c
print-ascii.c
print-atalk.c
print-atm.c
print-babel.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-beep.c
print-bfd.c
print-bgp.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-bootp.c
print-bt.c
print-carp.c
print-cdp.c
print-cfm.c
print-chdlc.c
print-cip.c
print-cnfp.c
print-dccp.c
print-decnet.c
print-dhcp6.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-domain.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-dtp.c
print-dvmrp.c
print-eap.c
print-egp.c
print-eigrp.c
print-enc.c
print-esp.c
print-ether.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-fddi.c
print-forces.c MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
print-fr.c
print-frag6.c
print-gre.c
print-hsrp.c
print-icmp6.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-icmp.c
print-igmp.c MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
print-igrp.c
print-ip6.c
print-ip6opts.c MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
print-ip.c MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
print-ipcomp.c
print-ipfc.c
print-ipnet.c
print-ipx.c
print-isakmp.c
print-isoclns.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-juniper.c
print-krb.c
print-l2tp.c
print-lane.c
print-ldp.c MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
print-llc.c
print-lldp.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-lmp.c
print-lspping.c
print-lwapp.c MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
print-lwres.c
print-mobile.c
print-mobility.c
print-mpcp.c
print-mpls.c
print-msdp.c
print-msnlb.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-netbios.c
print-nfs.c
print-ntp.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-null.c
print-olsr.c
print-ospf6.c MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
print-ospf.c
print-otv.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-pflog.c
print-pfsync.c
print-pgm.c
print-pim.c MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
print-ppi.c
print-ppp.c
print-pppoe.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-pptp.c
print-radius.c
print-raw.c
print-rip.c MFV: Redo the fixup using the submitted version accepted by upstream. 2013-05-31 22:55:23 +00:00
print-ripng.c
print-rpki-rtr.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-rrcp.c MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
print-rsvp.c
print-rt6.c
print-rx.c
print-sctp.c
print-sflow.c
print-sip.c
print-sl.c
print-sll.c
print-slow.c
print-smb.c
print-snmp.c
print-stp.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-sunatm.c
print-sunrpc.c
print-symantec.c
print-syslog.c Clean some 'svn:executable' properties in the tree. 2013-01-26 22:08:21 +00:00
print-tcp.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-telnet.c
print-tftp.c
print-timed.c
print-tipc.c MFV: tcpdump 4.3.0. 2012-10-05 20:19:28 +00:00
print-token.c
print-udld.c
print-udp.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-usb.c
print-vjc.c
print-vqp.c
print-vrrp.c
print-vtp.c
print-vxlan.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
print-wb.c
print-zephyr.c
print-zeromq.c MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
README MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
route6d.h
rpc_auth.h
rpc_msg.h
rx.h
sctpConstants.h
sctpHeader.h
send-ack.awk
setsignal.c
setsignal.h
signature.c
signature.h
slcompress.h
slip.h
sll.h
smb.h
smbutil.c
stime.awk
strcasecmp.c
tcp.h MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
tcpdump-stdinc.h
tcpdump.1.in MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
tcpdump.c Change the cap_rights_t type from uint64_t to a structure that we can extend 2013-09-05 00:09:56 +00:00
telnet.h
tftp.h
timed.h
token.h
udp.h MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
util.c
VERSION MFV: tcpdump 4.4.0. 2013-05-30 20:51:22 +00:00
vfprintf.c

@(#) $Header: /tcpdump/master/tcpdump/README,v 1.68 2008-12-15 00:05:27 guy Exp $ (LBL)

TCPDUMP 4.x.y
Now maintained by "The Tcpdump Group"
See 		www.tcpdump.org

Please send inquiries/comments/reports to:
	tcpdump-workers@lists.tcpdump.org

Anonymous Git is available via:
	git clone git://bpf.tcpdump.org/tcpdump

Version 4.x.y of TCPDUMP can be retrieved with the CVS tag "tcpdump_4_xrely":
	cvs -d :pserver:cvs.tcpdump.org:/tcpdump/master checkout -r tcpdump_4_xrely tcpdump

Please submit patches by forking the branch on GitHub at

	http://github.com/mcr/tcpdump/tree/master

and issuing a pull request.

formerly from 	Lawrence Berkeley National Laboratory
		Network Research Group <tcpdump@ee.lbl.gov>
		ftp://ftp.ee.lbl.gov/tcpdump.tar.Z (3.4)

This directory contains source code for tcpdump, a tool for network
monitoring and data acquisition.  This software was originally
developed by the Network Research Group at the Lawrence Berkeley
National Laboratory.  The original distribution is available via
anonymous ftp to ftp.ee.lbl.gov, in tcpdump.tar.Z.  More recent
development is performed at tcpdump.org, http://www.tcpdump.org/

Tcpdump uses libpcap, a system-independent interface for user-level
packet capture.  Before building tcpdump, you must first retrieve and
build libpcap, also originally from LBL and now being maintained by
tcpdump.org; see http://www.tcpdump.org/ .

Once libpcap is built (either install it or make sure it's in
../libpcap), you can build tcpdump using the procedure in the INSTALL
file.

The program is loosely based on SMI's "etherfind" although none of the
etherfind code remains.  It was originally written by Van Jacobson as
part of an ongoing research project to investigate and improve tcp and
internet gateway performance.  The parts of the program originally
taken from Sun's etherfind were later re-written by Steven McCanne of
LBL.  To insure that there would be no vestige of proprietary code in
tcpdump, Steve wrote these pieces from the specification given by the
manual entry, with no access to the source of tcpdump or etherfind.

Over the past few years, tcpdump has been steadily improved by the
excellent contributions from the Internet community (just browse
through the CHANGES file).  We are grateful for all the input.

Richard Stevens gives an excellent treatment of the Internet protocols
in his book ``TCP/IP Illustrated, Volume 1''. If you want to learn more
about tcpdump and how to interpret its output, pick up this book.

Some tools for viewing and analyzing tcpdump trace files are available
from the Internet Traffic Archive:

	http://www.acm.org/sigcomm/ITA/

Another tool that tcpdump users might find useful is tcpslice:

	ftp://ftp.ee.lbl.gov/tcpslice.tar.Z

It is a program that can be used to extract portions of tcpdump binary
trace files. See the above distribution for further details and
documentation.

Problems, bugs, questions, desirable enhancements, etc. should be sent
to the address "tcpdump-workers@lists.tcpdump.org".  Bugs, support
requests, and feature requests may also be submitted on the GitHub issue
tracker for tcpdump at

	https://github.com/mcr/tcpdump/issues

Source code contributions, etc. should be sent to the email address
above or submitted by forking the branch on GitHub at

	http://github.com/mcr/tcpdump/tree/master

and issuing a pull request.

Current versions can be found at www.tcpdump.org.

 - The TCPdump team

original text by: Steve McCanne, Craig Leres, Van Jacobson

-------------------------------------
This directory also contains some short awk programs intended as
examples of ways to reduce tcpdump data when you're tracking
particular network problems:

send-ack.awk
	Simplifies the tcpdump trace for an ftp (or other unidirectional
	tcp transfer).  Since we assume that one host only sends and
	the other only acks, all address information is left off and
	we just note if the packet is a "send" or an "ack".

	There is one output line per line of the original trace.
	Field 1 is the packet time in decimal seconds, relative
	to the start of the conversation.  Field 2 is delta-time
	from last packet.  Field 3 is packet type/direction.
	"Send" means data going from sender to receiver, "ack"
	means an ack going from the receiver to the sender.  A
	preceding "*" indicates that the data is a retransmission.
	A preceding "-" indicates a hole in the sequence space
	(i.e., missing packet(s)), a "#" means an odd-size (not max
	seg size) packet.  Field 4 has the packet flags
	(same format as raw trace).  Field 5 is the sequence
	number (start seq. num for sender, next expected seq number
	for acks).  The number in parens following an ack is
	the delta-time from the first send of the packet to the
	ack.  A number in parens following a send is the
	delta-time from the first send of the packet to the
	current send (on duplicate packets only).  Duplicate
	sends or acks have a number in square brackets showing
	the number of duplicates so far.

	Here is a short sample from near the start of an ftp:
		3.00    0.20   send . 512
		3.20    0.20    ack . 1024  (0.20)
		3.20    0.00   send P 1024
		3.40    0.20    ack . 1536  (0.20)
		3.80    0.40 * send . 0  (3.80) [2]
		3.82    0.02 *  ack . 1536  (0.62) [2]
	Three seconds into the conversation, bytes 512 through 1023
	were sent.  200ms later they were acked.  Shortly thereafter
	bytes 1024-1535 were sent and again acked after 200ms.
	Then, for no apparent reason, 0-511 is retransmitted, 3.8
	seconds after its initial send (the round trip time for this
	ftp was 1sec, +-500ms).  Since the receiver is expecting
	1536, 1536 is re-acked when 0 arrives.

packetdat.awk
	Computes chunk summary data for an ftp (or similar
	unidirectional tcp transfer). [A "chunk" refers to
	a chunk of the sequence space -- essentially the packet
	sequence number divided by the max segment size.]

	A summary line is printed showing the number of chunks,
	the number of packets it took to send that many chunks
	(if there are no lost or duplicated packets, the number
	of packets should equal the number of chunks) and the
	number of acks.

	Following the summary line is one line of information
	per chunk.  The line contains eight fields:
	   1 - the chunk number
	   2 - the start sequence number for this chunk
	   3 - time of first send
	   4 - time of last send
	   5 - time of first ack
	   6 - time of last ack
	   7 - number of times chunk was sent
	   8 - number of times chunk was acked
	(all times are in decimal seconds, relative to the start
	of the conversation.)

	As an example, here is the first part of the output for
	an ftp trace:

	# 134 chunks.  536 packets sent.  508 acks.
	1       1       0.00    5.80    0.20    0.20    4       1
	2       513     0.28    6.20    0.40    0.40    4       1
	3       1025    1.16    6.32    1.20    1.20    4       1
	4       1561    1.86    15.00   2.00    2.00    6       1
	5       2049    2.16    15.44   2.20    2.20    5       1
	6       2585    2.64    16.44   2.80    2.80    5       1
	7       3073    3.00    16.66   3.20    3.20    4       1
	8       3609    3.20    17.24   3.40    5.82    4       11
	9       4097    6.02    6.58    6.20    6.80    2       5

	This says that 134 chunks were transferred (about 70K
	since the average packet size was 512 bytes).  It took
	536 packets to transfer the data (i.e., on the average
	each chunk was transmitted four times).  Looking at,
	say, chunk 4, we see it represents the 512 bytes of
	sequence space from 1561 to 2048.  It was first sent
	1.86 seconds into the conversation.  It was last
	sent 15 seconds into the conversation and was sent
	a total of 6 times (i.e., it was retransmitted every
	2 seconds on the average).  It was acked once, 140ms
	after it first arrived.

stime.awk
atime.awk
	Output one line per send or ack, respectively, in the form
		<time> <seq. number>
	where <time> is the time in seconds since the start of the
	transfer and <seq. number> is the sequence number being sent
	or acked.  I typically plot this data looking for suspicious
	patterns.


The problem I was looking at was the bulk-data-transfer
throughput of medium delay network paths (1-6 sec.  round trip
time) under typical DARPA Internet conditions.  The trace of the
ftp transfer of a large file was used as the raw data source.
The method was:

  - On a local host (but not the Sun running tcpdump), connect to
    the remote ftp.

  - On the monitor Sun, start the trace going.  E.g.,
      tcpdump host local-host and remote-host and port ftp-data >tracefile

  - On local, do either a get or put of a large file (~500KB),
    preferably to the null device (to minimize effects like
    closing the receive window while waiting for a disk write).

  - When transfer is finished, stop tcpdump.  Use awk to make up
    two files of summary data (maxsize is the maximum packet size,
    tracedata is the file of tcpdump tracedata):
      awk -f send-ack.awk packetsize=avgsize tracedata >sa
      awk -f packetdat.awk packetsize=avgsize tracedata >pd

  - While the summary data files are printing, take a look at
    how the transfer behaved:
      awk -f stime.awk tracedata | xgraph
    (90% of what you learn seems to happen in this step).

  - Do all of the above steps several times, both directions,
    at different times of day, with different protocol
    implementations on the other end.

  - Using one of the Unix data analysis packages (in my case,
    S and Gary Perlman's Unix|Stat), spend a few months staring
    at the data.

  - Change something in the local protocol implementation and
    redo the steps above.

  - Once a week, tell your funding agent that you're discovering
    wonderful things and you'll write up that research report
    "real soon now".