tcpdump-133

Imported from tcpdump-133.tar.gz
apple-oss-distributions · Sep 22, 2023 · 06ed001 · 06ed001
1 parent 1a8ca8a
commit 06ed001
Show file tree

Hide file tree

Showing 16 changed files with 277 additions and 150 deletions.
diff --git a/tcpdump/netdissect.h b/tcpdump/netdissect.h
@@ -335,6 +335,7 @@ extern void nd_pop_all_packet_info(netdissect_options *);
 #define PRMD_FLAGS      0x1000
 #define PRMD_FLOWID     0x2000
 #define PRMD_TRACETAG   0x4000
+#define PRMD_DLT        0x8000
 #define PRMD_DEFAULT    (PRMD_IF|PRMD_PNAME|PRMD_PID|PRMD_SVC|PRMD_DIR|PRMD_COMMENT|PRMD_FLAGS)
 #define PRMD_ALL		0xffff
 #endif /* __APPLE__ */
@@ -431,6 +432,9 @@ extern void ts_print(netdissect_options *, const struct timeval *);
 extern void signed_relts_print(netdissect_options *, int32_t);
 extern void unsigned_relts_print(netdissect_options *, uint32_t);
 
+extern const char *nd_format_time(char *buf, size_t bufsize,
+    const char *format, const struct tm *timeptr);
+
 extern void fn_print_char(netdissect_options *, u_char);
 extern void fn_print_str(netdissect_options *, const u_char *);
 extern u_int nd_printztn(netdissect_options *, const u_char *, u_int, const u_char *);

diff --git a/tcpdump/ntp.c b/tcpdump/ntp.c
@@ -48,38 +48,27 @@ p_ntp_time(netdissect_options *ndo,
 	f = (uint32_t)(ff * 1000000000.0);	/* treat fraction as parts per billion */
 	ND_PRINT("%u.%09u", i, f);
 
-#ifdef HAVE_STRFTIME
 	/*
 	 * print the UTC time in human-readable format.
 	 */
 	if (i) {
 	    int64_t seconds_64bit = (int64_t)i - JAN_1970;
 	    time_t seconds;
-	    struct tm *tm;
 	    char time_buf[128];
+	    const char *time_string;
 
 	    seconds = (time_t)seconds_64bit;
 	    if (seconds != seconds_64bit) {
 		/*
 		 * It doesn't fit into a time_t, so we can't hand it
 		 * to gmtime.
 		 */
-		ND_PRINT(" (unrepresentable)");
+		time_string = "[Time is too large to fit into a time_t]";
 	    } else {
-		tm = gmtime(&seconds);
-		if (tm == NULL) {
-		    /*
-		     * gmtime() can't handle it.
-		     * (Yes, that might happen with some version of
-		     * Microsoft's C library.)
-		     */
-		    ND_PRINT(" (unrepresentable)");
-		} else {
-		    /* use ISO 8601 (RFC3339) format */
-		    strftime(time_buf, sizeof (time_buf), "%Y-%m-%dT%H:%M:%SZ", tm);
-		    ND_PRINT(" (%s)", time_buf);
-		}
+		/* use ISO 8601 (RFC3339) format */
+		time_string = nd_format_time(time_buf, sizeof (time_buf),
+		  "%Y-%m-%dT%H:%M:%SZ", gmtime(&seconds));
 	    }
+	    ND_PRINT(" (%s)", time_string);
 	}
-#endif
 }
diff --git a/tcpdump/pktaputil.c b/tcpdump/pktaputil.c
@@ -83,7 +83,31 @@ pktap_filter_packet(netdissect_options *ndo, struct pcap_if_info *if_info,
 		pktp_hdr->pth_length > h->caplen) {
 		return (-1);
 	}
-
+	/*
+	 * Filter on packet metadata
+	 */
+	if (pkt_meta_data_expression != NULL) {
+		struct pkt_meta_data pmd = {};
+
+		pmd.itf = &pktp_hdr->pth_ifname[0];
+		pmd.dlt = pktp_hdr->pth_dlt;
+		pmd.proc = &pktp_hdr->pth_comm[0];
+		pmd.eproc = &pktp_hdr->pth_ecomm[0];
+		pmd.pid = pktp_hdr->pth_pid;
+		pmd.epid = pktp_hdr->pth_epid;
+		pmd.svc = svc2str(pktp_hdr->pth_svc);
+		pmd.dir = (pktp_hdr->pth_flags & PTH_FLAG_DIR_IN) ? "in" :
+			(pktp_hdr->pth_flags & PTH_FLAG_DIR_OUT) ? "out" : "";
+		pmd.flowid = pktp_hdr->pth_flowid;
+
+		match = evaluate_expression(pkt_meta_data_expression, &pmd);
+		if (match == 0) {
+			packets_mtdt_fltr_drop++;
+
+			return 0;
+		}
+	}
+
 	if (if_info == NULL) {
 		if_info = pcap_find_if_info_by_name(pcap, pktp_hdr->pth_ifname);
 		/*
@@ -118,27 +142,6 @@ pktap_filter_packet(netdissect_options *ndo, struct pcap_if_info *if_info,
 
 		match = pcap_offline_filter(&if_info->if_filter_program, &tmp_hdr, pkt_data);
 	}
-	/*
-	 * Filter on packet metadata
-	 */
-	if (match && pkt_meta_data_expression != NULL) {
-		struct pkt_meta_data pmd = {};
-
-		pmd.itf = &pktp_hdr->pth_ifname[0];
-		pmd.proc = &pktp_hdr->pth_comm[0];
-		pmd.eproc = &pktp_hdr->pth_ecomm[0];
-		pmd.pid = pktp_hdr->pth_pid;
-		pmd.epid = pktp_hdr->pth_epid;
-		pmd.svc = svc2str(pktp_hdr->pth_svc);
-		pmd.dir = (pktp_hdr->pth_flags & PTH_FLAG_DIR_IN) ? "in" :
-			(pktp_hdr->pth_flags & PTH_FLAG_DIR_OUT) ? "out" : "";
-		pmd.flowid = pktp_hdr->pth_flowid;
-
-		match = evaluate_expression(pkt_meta_data_expression, &pmd);
-		if (match == 0) {
-			packets_mtdt_fltr_drop++;
-		}
-	}
 
 	return (match);
 }
@@ -180,6 +183,31 @@ pktapv2_filter_packet(netdissect_options *ndo, struct pcap_if_info *if_info,
 	if (pktap_v2_hdr->pth_e_comm_offset != 0)
 		e_comm = ((char *) pktap_v2_hdr) + pktap_v2_hdr->pth_e_comm_offset;
 
+	/*
+	 * Filter on packet metadata
+	 */
+	if (match && pkt_meta_data_expression != NULL) {
+		struct pkt_meta_data pmd = {};
+
+		pmd.itf = ifname;
+		pmd.dlt = pktap_v2_hdr->pth_dlt;
+		pmd.proc = comm;
+		pmd.eproc = e_comm;
+		pmd.pid = pktap_v2_hdr->pth_pid;
+		pmd.epid = pktap_v2_hdr->pth_e_pid;
+		pmd.svc = svc2str(pktap_v2_hdr->pth_svc);
+		pmd.dir = (pktap_v2_hdr->pth_flags & PTH_FLAG_DIR_IN) ? "in" :
+			(pktap_v2_hdr->pth_flags & PTH_FLAG_DIR_OUT) ? "out" : "";
+		pmd.flowid = pktap_v2_hdr->pth_flowid;
+
+		match = evaluate_expression(pkt_meta_data_expression, &pmd);
+		if (match == 0) {
+			packets_mtdt_fltr_drop++;
+
+			return 0;
+		}
+	}
+
 	if (if_info == NULL) {
 		if_info = pcap_find_if_info_by_name(pcap, ifname);
 		/*
@@ -214,27 +242,6 @@ pktapv2_filter_packet(netdissect_options *ndo, struct pcap_if_info *if_info,
 
 		match = pcap_offline_filter(&if_info->if_filter_program, &tmp_hdr, pkt_data);
 	}
-	/*
-	 * Filter on packet metadata
-	 */
-	if (match && pkt_meta_data_expression != NULL) {
-		struct pkt_meta_data pmd = {};
-
-		pmd.itf = ifname;
-		pmd.proc = comm;
-		pmd.eproc = e_comm;
-		pmd.pid = pktap_v2_hdr->pth_pid;
-		pmd.epid = pktap_v2_hdr->pth_e_pid;
-		pmd.svc = svc2str(pktap_v2_hdr->pth_svc);
-		pmd.dir = (pktap_v2_hdr->pth_flags & PTH_FLAG_DIR_IN) ? "in" :
-			(pktap_v2_hdr->pth_flags & PTH_FLAG_DIR_OUT) ? "out" : "";
-		pmd.flowid = pktap_v2_hdr->pth_flowid;
-
-		match = evaluate_expression(pkt_meta_data_expression, &pmd);
-		if (match == 0) {
-			packets_mtdt_fltr_drop++;
-		}
-	}
 
 	return (match);
 }

diff --git a/tcpdump/pktmetadatafilter.c b/tcpdump/pktmetadatafilter.c
@@ -59,8 +59,11 @@
 #include <sysexits.h>
 #include <unistd.h>
 
+#include <pcap.h>
+
 #include "pktmetadatafilter.h"
 
+
 #define TOKEN_ID_LIST	\
 	X(TOK_NONE)		\
 	X(TOK_OR)		\
@@ -69,6 +72,7 @@
 	X(TOK_LP)		\
 	X(TOK_RP)		\
 	X(TOK_IF)		\
+	X(TOK_DLT)		\
 	X(TOK_PROC)		\
 	X(TOK_EPROC)	\
 	X(TOK_PID)		\
@@ -100,14 +104,17 @@ struct token tokens[] = {
 	{ TOK_NOT, "not", 0 } ,
 	{ TOK_LP, "(", 0 },
 	{ TOK_RP, ")", 0 },
+
 	{ TOK_IF, "if", 0  },
+	{ TOK_DLT, "dlt", 0  },
 	{ TOK_PROC, "proc", 0 },
 	{ TOK_EPROC, "eproc", 0 },
 	{ TOK_PID, "pid", 0 },
 	{ TOK_EPID, "epid", 0 },
 	{ TOK_SVC, "svc", 0 },
 	{ TOK_DIR, "dir", 0 },
 	{ TOK_FLOWID, "flowid", 0 },
+
 	{ TOK_EQ, "=", 0 },
     { TOK_NEQ, "!=", 0 },
 
@@ -119,9 +126,29 @@ struct token tokens[] = {
 	{ TOK_NONE, NULL, 0 }
 };
 
+#define DLT_LIST	\
+	X(NULL)		\
+	X(EN10MB)	\
+	X(PPP)		\
+	X(RAW)		\
+
+struct dlt_type_str {
+	int num;
+	const char *str;
+};
+
+struct dlt_type_str dlt_type_strs[] = {
+#define X(name, ...) { .num = DLT_##name, .str = #name },
+	DLT_LIST
+#undef X
+	{ .num = DLT_EN10MB, .str = "ether" },
+	{ .num = 0, .str = NULL }
+};
+
 struct node {
 	int	id;
 	char *str;
+	size_t prfx_len; // used match begining of label
 	uint32_t num;
 	int op;
 	struct node *left_node;
@@ -228,7 +255,7 @@ get_token(const char **ptr)
 
 #ifdef DEBUG
 	if (parse_verbose)
-		printf("%s\n", __func__);
+		printf("%s %s\n", __func__, *ptr);
 #endif /* DEBUG */
 
 	/* Skip white spaces */
@@ -249,9 +276,9 @@ get_token(const char **ptr)
 		if (strncmp(*ptr, tok->tok_label, tok->tok_len) == 0) {
 #ifdef DEBUG
 			if (parse_verbose)
-				printf("tok id: %s label: %s\n", get_token_id_str(tok->tok_id), tok->tok_label);
+				printf("tok id: %d label: %s len: %lu\n", tok->tok_id, tok->tok_label, tok->tok_len);
 #endif /* DEBUG */
-
+			
 			lex_token.tok_id = tok->tok_id;
 			lex_token.tok_label = strdup(tok->tok_label);
 			lex_token.tok_len = tok->tok_len;
@@ -260,7 +287,7 @@ get_token(const char **ptr)
 			return;
 		}
 	}
-	
+
 	lex_token.tok_id = TOK_STR;
 
 	if (strncmp(*ptr, "''", 2) == 0 || strncmp(*ptr, "\"\"", 2) == 0) {
@@ -302,14 +329,10 @@ get_token(const char **ptr)
 				}
 		}
 	}
-
 #ifdef DEBUG
 	if (parse_verbose) {
-		char fmt[50];
-
-		bzero(fmt, sizeof(fmt));
-		snprintf(fmt, sizeof(fmt), "tok id: %%s len: %%lu str: %%.%lus *ptr: %%s\n", len);
-		printf(fmt, get_token_id_str(lex_token.tok_id) , lex_token.tok_len, lex_token.tok_label, *ptr);
+		printf("tok id: %d len: %lu label: %s *ptr: %s\n",
+			   lex_token.tok_id , lex_token.tok_len, lex_token.tok_label, *ptr);
 	}
 #endif /* DEBUG */
 	return;
@@ -322,11 +345,12 @@ parse_term_expression(const char **ptr)
 
 #ifdef DEBUG
 	if (parse_verbose)
-		printf("%s\n", __func__);
+		printf("%s lex_token.tok_id %d *ptr %s\n", __func__, lex_token.tok_id, *ptr);
 #endif /* DEBUG */
 
 	switch (lex_token.tok_id) {
 		case TOK_IF:
+		case TOK_DLT:
 		case TOK_PROC:
 		case TOK_EPROC:
 		case TOK_PID:
@@ -336,7 +360,7 @@ parse_term_expression(const char **ptr)
 		case TOK_FLOWID:
 			term_node = alloc_node(lex_token.tok_id);
 			get_token(ptr);
-			
+
 			if (lex_token.tok_id == TOK_EQ || lex_token.tok_id == TOK_NEQ)
 				term_node->op = lex_token.tok_id;
 			else {
@@ -352,14 +376,30 @@ parse_term_expression(const char **ptr)
 			 * TBD
 			 * For TOK_SVC and TOK_DIR restrict to meaningful values
 			 */
-
 			term_node->str = strdup(lex_token.tok_label);
-
+			if (term_node->id == TOK_IF) {
+				size_t len = strlen(term_node->str);
+
+				if (len > 0 && (term_node->str[len - 1] < '0' || term_node->str[len - 1] > '9')) {
+					term_node->prfx_len = len;
+				}
+			}
+			if (term_node->id == TOK_DLT) {
+				struct dlt_type_str *dts;
+
+				term_node->num = (uint32_t)strtoul(term_node->str, NULL, 0);
+
+				for (dts = dlt_type_strs; dts->str != NULL; dts++) {
+					if (strcasecmp(term_node->str, dts->str) == 0) {
+						term_node->num = dts->num;
+					}
+				}
+				fprintf(stderr, "num %d str %s\n", term_node->num, term_node->str);
+			}
 			if (term_node->id == TOK_PID || term_node->id == TOK_EPID || term_node->id == TOK_FLOWID) {
 				term_node->num = (uint32_t)strtoul(term_node->str, NULL, 0);
 			}
 			break;
-
 		default:
 			warnx("cannot parse term at: %s", *ptr);
 			break;
@@ -551,7 +591,16 @@ evaluate_expression(node_t *expression, struct pkt_meta_data *p)
 			break;
 
 		case TOK_IF:
-			match = !strcmp(p->itf, expression->str);
+			if (expression->prfx_len == 0) {
+				match = !strcmp(p->itf, expression->str);
+			} else {
+				match = !strncmp(p->itf, expression->str, expression->prfx_len);
+			}
+			if (expression->op == TOK_NEQ)
+				match = !match;
+			break;
+		case TOK_DLT:
+			match = (p->dlt == expression->num);
 			if (expression->op == TOK_NEQ)
 				match = !match;
 			break;
@@ -625,6 +674,7 @@ print_expression(node_t *expression)
 			break;
 
 		case TOK_IF:
+		case TOK_DLT:
 		case TOK_PROC:
 		case TOK_EPROC:
 		case TOK_PID:
@@ -636,6 +686,9 @@ print_expression(node_t *expression)
 				case TOK_IF:
 					printf("if");
 					break;
+				case TOK_DLT:
+					printf("dlt");
+					break;
 				case TOK_PID:
 					printf("pid");
 					break;

diff --git a/tcpdump/pktmetadatafilter.h b/tcpdump/pktmetadatafilter.h
@@ -34,6 +34,7 @@ typedef struct node node_t;
 
 struct pkt_meta_data {
 	const char *itf;
+	uint32_t dlt;
 	const char *proc;
 	const char *eproc;
 	pid_t pid;