
Printing PPI packets


From: Darren Reed <darren.reed () oracle com>
Date: Sat, 09 Apr 2011 12:51:14 +1000

Printing PPI packets with tcpdump does not turn out
to be that hard.

My simple tests have produced the output as below.

It would be worthwhile to have changes similar to the
attached patch, which prints them out, made to the
tcpdump code base.

Darren

19:20:51.470264 , DLT IPV4 (228) len 0, length 76: ip: (tos 0x0, ttl 255, id 509, offset 0, flags [+, DF], proto ICMP 
(1), length 68)
   1.1.1.1 > 1.1.1.2: ICMP echo request, id 35462, seq 3, length 48
       0x0000:  0000 0000 0000 00e4 4500 0044 01fd 6000
       0x0010:  ff01 55b7 0101 0101 0101 0102 0800 45bd
       0x0020:  8a86 0003 4d9f c283 0007 2c8c 0809 0a0b
       0x0030:  0c0d 0e0f 1011 1213 1415 1617 1819 1a1b
       0x0040:  1c1d 1e1f 2021 2223 2425 2627
19:20:52.470238 , DLT IPV4 (228) len 0, length 76: ip: (tos 0x0, ttl 255, id 510, offset 0, flags [+, DF], proto ICMP 
(1), length 68)
   1.1.1.1 > 1.1.1.2: ICMP echo request, id 35462, seq 4, length 48
       0x0000:  0000 0000 0000 00e4 4500 0044 01fe 6000
       0x0010:  ff01 55b6 0101 0101 0101 0102 0800 45cc
       0x0020:  8a86 0004 4d9f c284 0007 2c7b 0809 0a0b
       0x0030:  0c0d 0e0f 1011 1213 1415 1617 1819 1a1b
       0x0040:  1c1d 1e1f 2021 2223 2425 2627

diff -N -c tcpdump-4.1.1/Makefile.in tcpdump-4.1.1.new/Makefile.in
*** tcpdump-4.1.1/Makefile.in   Mon Apr  5 18:18:35 2010
--- tcpdump-4.1.1.new/Makefile.in       Fri Apr  8 19:22:37 2011
***************
*** 83,89 ****
          print-lmp.c print-lspping.c print-lwapp.c \
        print-lwres.c print-mobile.c print-mpcp.c print-mpls.c print-msdp.c \
        print-nfs.c print-ntp.c print-null.c print-olsr.c print-ospf.c \
!       print-pgm.c print-pim.c print-ppp.c print-pppoe.c print-pptp.c \
        print-radius.c print-raw.c print-rip.c print-rrcp.c print-rsvp.c \
        print-rx.c print-sctp.c print-sflow.c print-sip.c print-sl.c print-sll.c \
        print-slow.c print-snmp.c print-stp.c print-sunatm.c print-sunrpc.c \
--- 83,90 ----
          print-lmp.c print-lspping.c print-lwapp.c \
        print-lwres.c print-mobile.c print-mpcp.c print-mpls.c print-msdp.c \
        print-nfs.c print-ntp.c print-null.c print-olsr.c print-ospf.c \
!       print-pgm.c print-pim.c \
!       print-ppi.c print-ppp.c print-pppoe.c print-pptp.c \
        print-radius.c print-raw.c print-rip.c print-rrcp.c print-rsvp.c \
        print-rx.c print-sctp.c print-sflow.c print-sip.c print-sl.c print-sll.c \
        print-slow.c print-snmp.c print-stp.c print-sunatm.c print-sunrpc.c \
diff -N -c tcpdump-4.1.1/interface.h tcpdump-4.1.1.new/interface.h
*** tcpdump-4.1.1/interface.h   Thu Mar 11 17:56:44 2010
--- tcpdump-4.1.1.new/interface.h       Fri Apr  8 19:07:59 2011
***************
*** 101,106 ****
--- 101,114 ----
  
  extern int32_t thiszone;      /* seconds offset from gmt to local time */
  
+ typedef u_int (*if_ndo_printer)(struct netdissect_options *ndo,
+                               const struct pcap_pkthdr *, const u_char *);
+ typedef u_int (*if_printer)(const struct pcap_pkthdr *, const u_char *);
+ 
+ extern if_ndo_printer lookup_ndo_printer(int);
+ extern if_printer lookup_printer(int);
+ 
+ 
  /*
   * True if  "l" bytes of "var" were captured.
   *
***************
*** 322,327 ****
--- 330,336 ----
  extern u_int usb_linux_48_byte_print(const struct pcap_pkthdr *, const u_char *);
  extern u_int usb_linux_64_byte_print(const struct pcap_pkthdr *, const u_char *);
  
+ 
  #ifdef INET6
  extern void ip6_print(const u_char *, u_int);
  extern void ip6_opt_print(const u_char *, int);
diff -N -c tcpdump-4.1.1/netdissect.h tcpdump-4.1.1.new/netdissect.h
*** tcpdump-4.1.1/netdissect.h  Thu Mar 11 17:56:44 2010
--- tcpdump-4.1.1.new/netdissect.h      Fri Apr  8 19:09:05 2011
***************
*** 433,438 ****
--- 433,439 ----
  #endif
  
  extern u_int ipnet_if_print(netdissect_options *,const struct pcap_pkthdr *, const u_char *);
+ extern u_int ppi_if_print(netdissect_options *,const struct pcap_pkthdr *, const u_char *);
  
  #if 0
  #ifdef INET6
diff -N -c tcpdump-4.1.1/ppi.h tcpdump-4.1.1.new/ppi.h
*** tcpdump-4.1.1/ppi.h Wed Dec 31 16:00:00 1969
--- tcpdump-4.1.1.new/ppi.h     Fri Apr  8 18:26:33 2011
***************
*** 0 ****
--- 1,9 ----
+ typedef struct ppi_header {
+       uint8_t         ppi_ver;
+       uint8_t         ppi_flags;
+       uint16_t        ppi_len;
+       uint32_t        ppi_dlt;
+ } ppi_header_t;
+ 
+ #define       PPI_HDRLEN      8
+ 
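Review bot: ppi.h has no include guard and does not say what the fields mean or which byte order they use, which matters because print-ppi.c casts captured bytes straight onto this struct. I would wrap the file in `#ifndef PPI_H` / `#define PPI_H` / `#endif` and comment each field, for example `uint16_t ppi_len; /* length of the whole PPI header */`. As far as I know the PPI specification defines `ppi_len` and `ppi_dlt` as little-endian, while print-ppi.c reads them with `EXTRACT_16BITS`/`EXTRACT_32BITS`; the sample dump in the message decodes as big-endian with a length of 0, so the byte order should be confirmed against the capture source before this is merged. `PPI_HDRLEN` is defined here but the code uses `sizeof(ppi_header_t)` instead, so one of the two should go.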
diff -N -c tcpdump-4.1.1/print-ppi.c tcpdump-4.1.1.new/print-ppi.c
*** tcpdump-4.1.1/print-ppi.c   Wed Dec 31 16:00:00 1969
--- tcpdump-4.1.1.new/print-ppi.c       Fri Apr  8 19:19:46 2011
***************
*** 0 ****
--- 1,103 ----
+ /*
+  * Oracle
+  */
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+ #endif
+ 
+ #include <tcpdump-stdinc.h>
+ 
+ #include <stdio.h>
+ #include <pcap.h>
+ 
+ #include "netdissect.h"
+ #include "interface.h"
+ #include "extract.h"
+ #include "ppi.h"
+ 
+ #ifdef DLT_PPI
+ 
+ static inline void
+ ppi_header_print(struct netdissect_options *ndo, const u_char *bp, u_int length)
+ {
+       const ppi_header_t *hdr;
+       hdr = (const ppi_header_t *)bp;
+       u_int32_t dlt;
+       u_int16_t len;
+ 
+       len = EXTRACT_16BITS(&hdr->ppi_len);
+       dlt = EXTRACT_32BITS(&hdr->ppi_dlt);
+ 
+       if (!ndo->ndo_qflag) {
+               ND_PRINT((ndo,", V.%d DLT %s (%d) len %d", hdr->ppi_ver,
+                         pcap_datalink_val_to_name(dlt), dlt,
+                           len));
+         } else {
+               ND_PRINT((ndo,", %s", pcap_datalink_val_to_name(dlt)));
+         }
+ 
+       ND_PRINT((ndo, ", length %u: ", length));
+ }
+ 
+ static void
+ ppi_print(struct netdissect_options *ndo,
+                const struct pcap_pkthdr *h, const u_char *p)
+ {
+       if_ndo_printer ndo_printer;
+         if_printer printer;
+       ppi_header_t *hdr;
+       u_int caplen = h->caplen;
+       u_int length = h->len;
+       u_int32_t dlt;
+ 
+       if (caplen < sizeof(ppi_header_t)) {
+               ND_PRINT((ndo, "[|ppi]"));
+               return;
+       }
+       hdr = (ppi_header_t *)p;
+       dlt = EXTRACT_32BITS(&hdr->ppi_dlt);
+ 
+       if (ndo->ndo_eflag)
+               ppi_header_print(ndo, p, length);
+ 
+       length -= sizeof(ppi_header_t);
+       caplen -= sizeof(ppi_header_t);
+       p += sizeof(ppi_header_t);
+ 
+       if ((printer = lookup_printer(dlt)) != NULL) {
+               printer(h, p);
+       } else if ((ndo_printer = lookup_ndo_printer(dlt)) != NULL) {
+               ndo_printer(ndo, h, p);
+       } else {
+               if (!ndo->ndo_eflag)
+                       ppi_header_print(ndo, (u_char *)hdr,
+                                       length + sizeof(ppi_header_t));
+ 
+               if (!ndo->ndo_suppress_default_print)
+                       ndo->ndo_default_print(ndo, p, caplen);
+       }
+ }
+ 
+ /*
+  * This is the top level routine of the printer.  'p' points
+  * to the ether header of the packet, 'h->ts' is the timestamp,
+  * 'h->len' is the length of the packet off the wire, and 'h->caplen'
+  * is the number of bytes actually captured.
+  */
+ u_int
+ ppi_if_print(struct netdissect_options *ndo,
+                const struct pcap_pkthdr *h, const u_char *p)
+ {
+       ppi_print(ndo, h, p);
+ 
+       return (sizeof(ppi_header_t));
+ }
+ 
+ /*
+  * Local Variables:
+  * c-style: whitesmith
+  * c-basic-offset: 8
+  * End:
+  */
+ 
+ #endif /* DLT_PPI */
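Review bot: In ppi_print the inner printer is called with the original `h` after `p` has been advanced past the PPI header, so it is told that `h->caplen` bytes are available from a pointer that has `sizeof(ppi_header_t)` fewer, and a truncated or malformed capture can make it read past the end of the captured buffer. Pass a copy of the packet header with `caplen` and `len` reduced, as in the excerpt below. The same copy makes the `caplen < sizeof(ppi_header_t)` check shrink when a PPI header is nested inside PPI, which with the unchanged `h` appears never to fail. Two smaller points in ppi_header_print: `pcap_datalink_val_to_name(dlt)` can return NULL and is passed straight to `%s`, and `ppi_len` is printed but never bounded or used, so any PPI field data after the fixed header would be handed to the inner printer as payload.

```c
	struct pcap_pkthdr nhdr;	/* added to the local declarations */

	/* … unchanged: caplen check, dlt extraction, -e header print, length/caplen/p advance … */

	/* Describe only the bytes that follow the PPI header to the inner printer. */
	nhdr = *h;
	nhdr.caplen = caplen;
	nhdr.len = length;

	if ((printer = lookup_printer(dlt)) != NULL) {
		printer(&nhdr, p);
	} else if ((ndo_printer = lookup_ndo_printer(dlt)) != NULL) {
		ndo_printer(ndo, &nhdr, p);
	} else {
		/* … unchanged: header print and default-print fallback … */
```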
diff -N -c tcpdump-4.1.1/tcpdump.c tcpdump-4.1.1.new/tcpdump.c
*** tcpdump-4.1.1/tcpdump.c     Thu Mar 11 17:56:44 2010
--- tcpdump-4.1.1.new/tcpdump.c Fri Apr  8 19:07:32 2011
***************
*** 130,139 ****
  static void info(int);
  static u_int packets_captured;
  
- typedef u_int (*if_printer)(const struct pcap_pkthdr *, const u_char *);
- typedef u_int (*if_ndo_printer)(struct netdissect_options *ndo,
-                                 const struct pcap_pkthdr *, const u_char *);
- 
  struct printer {
          if_printer f;
        int type;
--- 130,135 ----
***************
*** 306,315 ****
  #ifdef DLT_IPNET
        { ipnet_if_print,       DLT_IPNET },
  #endif
        { NULL,                 0 },
  };
  
! static if_printer
  lookup_printer(int type)
  {
        struct printer *p;
--- 302,314 ----
  #ifdef DLT_IPNET
        { ipnet_if_print,       DLT_IPNET },
  #endif
+ #ifdef DLT_PPI
+       { ppi_if_print,         DLT_PPI },
+ #endif
        { NULL,                 0 },
  };
  
! if_printer
  lookup_printer(int type)
  {
        struct printer *p;
***************
*** 322,328 ****
        /* NOTREACHED */
  }
  
! static if_ndo_printer
  lookup_ndo_printer(int type)
  {
        struct ndo_printer *p;
--- 321,327 ----
        /* NOTREACHED */
  }
  
! if_ndo_printer
  lookup_ndo_printer(int type)
  {
        struct ndo_printer *p;