For what it's worth, I like the idea. Mitja
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Stuart Henderson
> Sent: Saturday, January 28, 2012 10:54 AM
> To: tech
> Subject: tcpdump IKE dissector: print UDP_ENCAP_*_DRAFT
>
> cizcoeeee still use the IDs from the draft for nat-t, let tcpdump
> print them, useful for diagnosis even if the isakmpd patches are too
> messy. OK?
>
> Index: ike.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/ike.h,v
> retrieving revision 1.23
> diff -u -p -r1.23 ike.h
> --- ike.h 7 Jun 2010 16:20:58 -0000 1.23
> +++ ike.h 28 Jan 2012 09:52:30 -0000
> @@ -382,10 +382,6 @@
> #define IPSEC_ATTR_DURATION_INITIALIZER \
> { "NONE", "SECONDS", "KILOBYTES", \
> }
> -#define IPSEC_ATTR_ENCAP_INITIALIZER \
> - { "NONE", "TUNNEL", "TRANSPORT", "UDP_ENCAP_TUNNEL", \
> - "UDP_ENCAP_TRANSPORT" \
> - }
> #define IPSEC_ATTR_AUTH_INITIALIZER \
> { "NONE", "HMAC_MD5", "HMAC_SHA", "DES_MAC", "KPDK", \
> "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", \
> @@ -403,6 +399,15 @@
> #define IPCOMP_INITIALIZER \
> { "NONE", "OUI", "DEFLATE", "LZS", "V42BIS", \
> }
> +static struct tok ipsec_attr_encap[] = {
> + { 0, "NONE" },
> + { 1, "TUNNEL" },
> + { 2, "TRANSPORT" },
> + { 3, "UDP_ENCAP_TUNNEL" },
> + { 4, "UDP_ENCAP_TRANSPORT" },
> + { 61443, "UDP_ENCAP_TUNNEL_DRAFT" }, /* draft-ietf-ipsec-nat-t-ike */
> + { 61444, "UDP_ENCAP_TRANSPORT_DRAFT" } /* draft-ietf-ipsec-nat-t-ike */
> +};
>
> /*
> * IKE mode config.
> Index: print-ike.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/print-ike.c,v
> retrieving revision 1.35
> diff -u -p -r1.35 print-ike.c
> --- print-ike.c 7 Jun 2010 16:20:58 -0000 1.35
> +++ print-ike.c 28 Jan 2012 09:52:30 -0000
> @@ -303,7 +303,6 @@ ike_attribute_print (u_int8_t *buf, u_in
> static char *attr_gtype[] = IKE_ATTR_GROUP_INITIALIZER;
> static char *attr_ltype[] = IKE_ATTR_SA_DURATION_INITIALIZER;
> static char *ipsec_attrs[] = IPSEC_ATTR_INITIALIZER;
> - static char *ipsec_attr_encap[] = IPSEC_ATTR_ENCAP_INITIALIZER;
> static char *ipsec_attr_auth[] = IPSEC_ATTR_AUTH_INITIALIZER;
> static char *ipsec_attr_ltype[] = IPSEC_ATTR_DURATION_INITIALIZER;
>
> @@ -357,10 +356,12 @@ ike_attribute_print (u_int8_t *buf, u_in
> else
> switch(type) {
> CASE_PRINT(IPSEC_ATTR_SA_LIFE_TYPE, ipsec_attr_ltype);
> - CASE_PRINT(IPSEC_ATTR_ENCAPSULATION_MODE,
> - ipsec_attr_encap);
> CASE_PRINT(IPSEC_ATTR_AUTHENTICATION_ALGORITHM,
> ipsec_attr_auth);
> + case IPSEC_ATTR_ENCAPSULATION_MODE:
> + printf("%s", tok2str(ipsec_attr_encap,
> + "%d", val));
> + break;
> default:
> printf("%d", val);
> }
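Review bot: The new `tok2str(ipsec_attr_encap, "%d", val)` call in the `IPSEC_ATTR_ENCAPSULATION_MODE` case depends on the table ending in a sentinel, and the `ipsec_attr_encap[]` array added in ike.h stops at the 61444 entry without one. tok2str is not shown here, but if it is tcpdump's usual implementation that walks entries until the string pointer is NULL, any encapsulation-mode value outside the table (val appears to come from the packet buffer) makes it read past the end of the array. Add a trailing comma after the 61444 entry and a final `{ 0, NULL }` line before `};`. Declaring the table `static const struct tok` would also keep this header-defined data read-only, provided tok2str takes a const pointer. The body of ike_attribute_print starts and ends outside the hunk.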
