Re: [tcpdump-workers] Hide SSH session patch

2005-08-14 Thread dean gaudet
On Sun, 14 Aug 2005, dean gaudet wrote:

> this is a cool idea... a couple comments:

oh also -- ipv6 addresses can appear as the first value in SSH_CLIENT... 
which can exceed your length tests and probably need slightly different 
handling in the expression.

-dean
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.


Re: [tcpdump-workers] Hide SSH session patch

2005-08-14 Thread dean gaudet
this is a cool idea... a couple comments:

- it would be cool if this were available to other libpcap users...
  perhaps as a new verb "ssh_client" so we could use "not ssh_client"
  and/or "(blahblah) and not ssh_client".  more typing than just -H
  though.

- the values returned by getenv are actually still in the environment... 
  and technically should be "const char *" but there are various reasons
  the prototype hasn't ever been changed.  for example try this:

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    char *e1, *e2;

    /* two lookups of the same name */
    e1 = getenv("SSH_CLIENT");
    e2 = getenv("SSH_CLIENT");

    /* both point into the process environment, not into a copy */
    printf("%p %p\n", (void *)e1, (void *)e2);
    return 0;
}

  you should find it prints the same pointer location for both.

  so if you modify the string with strtok it'll affect anything else
  which might use SSH_CLIENT in this process... strdup() first.

- i have an allergic reaction to strtok because it's not thread-safe.  if 
  you were to redo this as part of libpcap you would need to get rid of
  the strtok...

-dean


[tcpdump-workers] Hide SSH session patch

2005-08-11 Thread Pascal Gloor
Dear tcpdump workers,


I don't know if this is the right place to post, but the sourceforge
patch list seemed too inactive. If this is not the right place, please
let me know where I should post this.


I have done a little patch to add a feature in tcpdump.

Often people use tcpdump on a remote host while connected using ssh. My
option (-H (hide)) automatically removes packets from the user's ssh session
(information taken via the environment variable SSH_CLIENT).

if no filter is set, a new filter is applied:
not ( host %ssh_remote_host% and port %ssh_remote_port% and tcp )

if a filter is set, the new filter is:
( existing_filter ) and ( filter_as_above )


The patch is available here:
http://www.spale.com/tcpdump-2005.08.08-Hflag-patch

note: the patch should respect C89 syntax and functions. If you find
anything that doesn't look very C89, please let me know so I can fix it.

Regards,
Pascal Gloor


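The following is an added example written for this archive page; it is not Pascal's patch and not tcpdump or libpcap code. It shows one way to derive the -H filter described in the original post while taking the three points raised in the replies above into account: the SSH_CLIENT value is parsed without strtok() and without writing to the buffer getenv() returns, there is no static parser state, and IPv6 client addresses are accepted. The two buffer sizes (HOST_MAX, FILTER_MAX) and the function names are this example's own assumptions, and the test values in main() are constructed. The expression shape is the one given in the post; the example only builds the string and does not call libpcap.

```c
/*
 * Added example, not part of the -H patch or of tcpdump/libpcap: build the
 * "hide my own ssh session" filter from SSH_CLIENT without strtok().  The
 * parser never writes to its input (so getenv()'s buffer is left intact),
 * keeps no static state, accepts IPv6 client addresses, and is C89.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX   45   /* assumption: longest IPv6 text form, INET6_ADDRSTRLEN - 1 */
#define FILTER_MAX 512  /* assumption: ample for any existing filter we expect */

/* Copy the next blank-separated field of *cursor into buf and advance
 * *cursor past it.  Returns 1 on success, 0 if there is no field or it
 * does not fit (buf always gets a terminating NUL on success). */
static int next_field(const char **cursor, char *buf, size_t buflen)
{
    const char *p = *cursor + strspn(*cursor, " \t");
    size_t len = strcspn(p, " \t");

    if (len == 0 || len >= buflen)
        return 0;
    memcpy(buf, p, len);
    buf[len] = '\0';
    *cursor = p + len;
    return 1;
}

/* Parse "client-addr client-port server-port" (the SSH_CLIENT layout).
 * Returns 0 and fills host/port on success, -1 if the value is missing or
 * malformed.  The address is only checked for characters legal in an IPv4
 * or IPv6 literal, which is enough to keep shell/filter metacharacters out;
 * the port must be decimal 1..65535.  The server port is ignored. */
int parse_ssh_client(const char *value, char *host, size_t hostlen,
                     unsigned *port)
{
    char portbuf[6];                  /* "65535" plus NUL */
    const char *cur = value;
    unsigned long n;

    if (value == NULL)
        return -1;
    if (!next_field(&cur, host, hostlen) ||
        strspn(host, "0123456789abcdefABCDEF.:") != strlen(host))
        return -1;
    if (!next_field(&cur, portbuf, sizeof portbuf) ||
        strspn(portbuf, "0123456789") != strlen(portbuf))
        return -1;
    n = strtoul(portbuf, NULL, 10);
    if (n < 1 || n > 65535)
        return -1;
    *port = (unsigned)n;
    return 0;
}

/* Produce the filter the patch description gives:
 *   not ( host H and port P and tcp )
 * or, when an existing filter is supplied,
 *   ( existing ) and ( not ( host H and port P and tcp ) )
 * Returns 0 on success, -1 on parse failure or if out is too small. */
int build_hide_filter(const char *ssh_client, const char *existing,
                      char *out, size_t outlen)
{
    char host[HOST_MAX + 1];
    char hide[HOST_MAX + 40];         /* 11 + 45 + 10 + 5 + 10 chars + NUL worst case */
    unsigned port;

    if (parse_ssh_client(ssh_client, host, sizeof host, &port) != 0)
        return -1;
    sprintf(hide, "not ( host %s and port %u and tcp )", host, port);

    if (existing == NULL || *existing == '\0') {
        if (strlen(hide) + 1 > outlen)
            return -1;
        strcpy(out, hide);
    } else {
        /* "( " + existing + " ) and ( " + hide + " )" + NUL = 14 extra bytes */
        if (strlen(existing) + strlen(hide) + 14 > outlen)
            return -1;
        sprintf(out, "( %s ) and ( %s )", existing, hide);
    }
    return 0;
}

/* Stand-alone use: prints the filter -H would apply in this shell,
 * combined with an optional existing filter given as argv[1]. */
int main(int argc, char **argv)
{
    char out[FILTER_MAX];
    const char *existing = argc > 1 ? argv[1] : NULL;

    if (build_hide_filter(getenv("SSH_CLIENT"), existing, out, sizeof out) != 0) {
        fprintf(stderr, "SSH_CLIENT is unset or not parseable; nothing to hide\n");
        return 1;
    }
    printf("%s\n", out);
    return 0;
}
```

Run it from an ssh session as `./hide 'port 80'` to see the combined expression. Because the address is only whitelisted by character class, a link-local IPv6 address carrying a zone id (such as fe80::1%eth0) is rejected rather than passed into the filter; that case would need separate handling if it matters for the deployment.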