Re: [tcpdump-workers] Hide SSH session patch
On Sun, 14 Aug 2005, dean gaudet wrote:

> this is a cool idea... a couple comments:

oh also -- ipv6 addresses can appear as the first value in SSH_CLIENT... which can exceed your length tests and probably need slightly different handling in the expression.

-dean
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Hide SSH session patch
this is a cool idea... a couple comments:

- it would be cool if this were available to other libpcap users... perhaps as a new verb "ssh_client" so we could use "not ssh_client" and/or "(blahblah) and not ssh_client". more typing than just -H though.

- the values returned by getenv are actually still in the environment... and technically should be "const char *" but there are various reasons the prototype hasn't ever been changed. for example try this:

    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char **argv)
    {
        char *e1, *e2;

        e1 = getenv("SSH_CLIENT");
        e2 = getenv("SSH_CLIENT");
        printf("%p %p\n", e1, e2);
        return 0;
    }

  you should find it prints the same pointer location for both. so if you modify the string with strtok it'll affect anything else which might use SSH_CLIENT in this process... strdup() first.

- i have an allergic reaction to strtok because it's not thread-safe. if you were to redo this as part of libpcap you would need to get rid of the strtok...

-dean
[tcpdump-workers] Hide SSH session patch
Dear tcpdump workers,

I don't know if this is the right place to post, but the sourceforge patch list seemed too inactive. If this is not the right place, please let me know where I should post this.

I have done a little patch to add a feature in tcpdump. Often people use tcpdump on a remote host while connected using ssh. My option (-H (hide)) automatically removes packets from the user's ssh session (information taken via the environment variable SSH_CLIENT).

If no filter is set, a new filter is applied:

    not ( host %ssh_remote_host% and port %ssh_remote_port% and tcp )

If a filter is set, the new filter is:

    ( existing_filter ) and ( filter_as_above )

The patch is available here:
http://www.spale.com/tcpdump-2005.08.08-Hflag-patch

Note: the patch should respect C89 syntax and functions. If you find anything that doesn't look very C89, please let me know so I can fix it.

Regards,
Pascal Gloor
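
Added example, not part of the thread or of the posted patch: one way to build the filter described in the original post from an SSH_CLIENT-style value while addressing the review comments (no strtok, no writes into the string returned by getenv, room for an IPv6 address). The names `next_token` and `build_hide_filter` are hypothetical, the value is assumed to have the form "address port port", and `inet_pton`/`snprintf` are POSIX/C99 rather than C89.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the next space-delimited token of *p into buf without writing to the
 * source string, so the environment stays intact (unlike strtok). */
static int next_token(const char **p, char *buf, size_t buflen)
{
    size_t len;
    *p += strspn(*p, " ");
    len = strcspn(*p, " ");
    if (len == 0 || len >= buflen)
        return -1;
    memcpy(buf, *p, len);
    buf[len] = '\0';
    *p += len;
    return 0;
}

/* Build the hide filter; existing may be NULL or "" when no filter was given.
 * Returns 0 on success, -1 on malformed input or a too-small output buffer. */
int build_hide_filter(const char *ssh_client, const char *existing,
                      char *out, size_t outlen)
{
    char host[INET6_ADDRSTRLEN], port[8], *end;
    unsigned char addr[16];
    unsigned long portnum;
    int n;

    if (ssh_client == NULL ||
        next_token(&ssh_client, host, sizeof(host)) != 0 ||
        next_token(&ssh_client, port, sizeof(port)) != 0)
        return -1;
    /* Accept only a literal IPv4 or IPv6 address, so nothing else from the
     * environment can end up inside the filter expression. */
    if (inet_pton(AF_INET, host, addr) != 1 &&
        inet_pton(AF_INET6, host, addr) != 1)
        return -1;
    portnum = strtoul(port, &end, 10);
    if (*end != '\0' || portnum == 0 || portnum > 65535)
        return -1;
    /* The two filter forms given in the original post. */
    if (existing != NULL && *existing != '\0')
        n = snprintf(out, outlen, "( %s ) and ( not ( host %s and port %lu and tcp ) )",
                     existing, host, portnum);
    else
        n = snprintf(out, outlen, "not ( host %s and port %lu and tcp )", host, portnum);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

A caller would pass `getenv("SSH_CLIENT")` directly as the first argument; the function only reads from it.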