I'm not sure the direction this goes.

Today atalk, and over the next month delete 20 protocols, then anything
before ARP?

What's the plan here?  This code is heavily privsep, pledge, etc.  Is
there a problem with it?

If such a packet showed up on a network I'd prefer it is *identified*
in some minimal way, rather than a set of HEX digits that I have to
google for to do that myself.  It seems this code provides exactly
that service.

> Remove atalk support. Significantly shortens the manpage. libpcap still
> supports it. This diff doesn't include the removal of two files:
> appletalk.h and print-atalk.c.
> 
> Index: usr.sbin/tcpdump/INSTALL
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/INSTALL,v
> retrieving revision 1.6
> diff -u -p -r1.6 INSTALL
> --- usr.sbin/tcpdump/INSTALL  5 Dec 2015 21:43:51 -0000       1.6
> +++ usr.sbin/tcpdump/INSTALL  28 May 2017 13:46:58 -0000
> @@ -8,7 +8,6 @@ README                - description of distribution
>  VERSION              - version of this release
>  addrtoname.c - address to hostname routines
>  addrtoname.h - address to hostname definitions
> -appletalk.h  - AppleTalk definitions
>  atime.awk    - TCP ack awk script
>  bootp.h              - BOOTP definitions
>  bpf_dump.c   - bpf instruction pretty-printer routine
> @@ -35,7 +34,6 @@ ospf.h              - Open Shortest Path First defin
>  packetdat.awk        - TCP chunk summary awk script
>  parsenfsfh.c - Network File System file parser routines
>  print-arp.c  - Address Resolution Protocol printer routines
> -print-atalk.c        - AppleTalk printer routines
>  print-atm.c  - atm printer routines
>  print-bootp.c        - BOOTP printer routines
>  print-cnfp.c - Cisco NetFlow printer routines
> Index: usr.sbin/tcpdump/Makefile
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/Makefile,v
> retrieving revision 1.61
> diff -u -p -r1.61 Makefile
> --- usr.sbin/tcpdump/Makefile 18 Nov 2016 17:37:03 -0000      1.61
> +++ usr.sbin/tcpdump/Makefile 28 May 2017 13:46:58 -0000
> @@ -35,7 +35,7 @@ DPADD+=     ${LIBL} ${LIBPCAP} ${LIBCRYPTO}
>  
>  SRCS=        tcpdump.c addrtoname.c privsep.c privsep_fdpass.c 
> privsep_pcap.c \
>       print-ether.c print-ip.c print-arp.c print-tcp.c print-udp.c \
> -     print-atalk.c print-domain.c print-tftp.c print-bootp.c print-nfs.c \
> +     print-domain.c print-tftp.c print-bootp.c print-nfs.c \
>       print-icmp.c print-sl.c print-ppp.c print-rip.c print-timed.c \
>       print-snmp.c print-ntp.c print-null.c print-ospf.c print-gtp.c \
>       print-fddi.c print-llc.c print-sunrpc.c print-hsrp.c print-vqp.c \
> Index: usr.sbin/tcpdump/ethertype.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/ethertype.h,v
> retrieving revision 1.14
> diff -u -p -r1.14 ethertype.h
> --- usr.sbin/tcpdump/ethertype.h      5 Dec 2008 01:25:24 -0000       1.14
> +++ usr.sbin/tcpdump/ethertype.h      28 May 2017 13:46:58 -0000
> @@ -93,12 +93,6 @@
>  #ifndef ETHERTYPE_VPROD
>  #define ETHERTYPE_VPROD              0x805c
>  #endif
> -#ifndef ETHERTYPE_ATALK
> -#define ETHERTYPE_ATALK              0x809b
> -#endif
> -#ifndef ETHERTYPE_AARP
> -#define ETHERTYPE_AARP               0x80f3
> -#endif
>  #ifndef ETHERTYPE_8021Q
>  #define ETHERTYPE_8021Q              0x8100
>  #endif
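Review bot: both removed blocks are #ifndef-guarded fallbacks, so ETHERTYPE_ATALK and ETHERTYPE_AARP may still be supplied by a system header, and a leftover reference elsewhere in usr.sbin/tcpdump would compile or fail depending on that header rather than on this file. Grep the directory for both names before committing. If print-ether.c ends up keeping a reduced case that only names these frames, the two defines (0x809b, 0x80f3) need to stay.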
> Index: usr.sbin/tcpdump/interface.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/interface.h,v
> retrieving revision 1.69
> diff -u -p -r1.69 interface.h
> --- usr.sbin/tcpdump/interface.h      16 Nov 2016 13:47:27 -0000      1.69
> +++ usr.sbin/tcpdump/interface.h      28 May 2017 13:46:58 -0000
> @@ -183,10 +183,7 @@ extern int ether_encap_print(u_short, co
>  extern int llc_print(const u_char *, u_int, u_int, const u_char *,
>       const u_char *);
>  extern int pppoe_if_print(u_short, const u_char *, u_int, u_int);
> -extern void aarp_print(const u_char *, u_int);
>  extern void arp_print(const u_char *, u_int, u_int);
> -extern void atalk_print(const u_char *, u_int);
> -extern void atalk_print_llap(const u_char *, u_int);
>  extern void atm_if_print(u_char *, const struct pcap_pkthdr *, const u_char 
> *);
>  extern void bootp_print(const u_char *, u_int, u_short, u_short);
>  extern void bgp_print(const u_char *, int);
> Index: usr.sbin/tcpdump/print-ether.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/print-ether.c,v
> retrieving revision 1.31
> diff -u -p -r1.31 print-ether.c
> --- usr.sbin/tcpdump/print-ether.c    11 Jul 2016 00:27:50 -0000      1.31
> +++ usr.sbin/tcpdump/print-ether.c    28 May 2017 13:46:58 -0000
> @@ -206,16 +206,6 @@ recurse:
>               decnet_print(p, length, caplen);
>               return (1);
>  
> -     case ETHERTYPE_ATALK:
> -             if (vflag)
> -                     fputs("et1 ", stdout);
> -             atalk_print_llap(p, length);
> -             return (1);
> -
> -     case ETHERTYPE_AARP:
> -             aarp_print(p, length);
> -             return (1);
> -
>       case ETHERTYPE_8021Q:
>               printf("802.1Q ");
>       case ETHERTYPE_QINQ:
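Review bot: with both cases removed, frames carrying ETHERTYPE_ATALK or ETHERTYPE_AARP reach whatever the switch's default path does, which this hunk does not show, so please confirm the output still names the ethertype instead of leaving only hex for the reader to look up. If it does not, a reduced case that prints a short protocol label and does `return (1);` without calling any AppleTalk parser would keep such frames identifiable while still allowing print-atalk.c to go.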
> Index: usr.sbin/tcpdump/print-llc.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/print-llc.c,v
> retrieving revision 1.20
> diff -u -p -r1.20 print-llc.c
> --- usr.sbin/tcpdump/print-llc.c      16 Nov 2015 00:16:39 -0000      1.20
> +++ usr.sbin/tcpdump/print-llc.c      28 May 2017 13:46:58 -0000
> @@ -118,24 +118,7 @@ llc_print(const u_char *p, u_int length,
>  
>               /* This is an encapsulated Ethernet packet */
>               et = EXTRACT_16BITS(&llc.ethertype[0]);
> -
> -             /*
> -              * Some protocols have special handling if they are 802.3
> -              * SNAP encapsulated vs vers II encapsulated. Handle
> -              * those special protocols here, and hand the rest to
> -              * print-ether.c so we don't have to duplicate
> -              * all that code here.
> -              */
> -             switch (et) {
> -             case ETHERTYPE_ATALK:
> -                     atalk_print(p, length);
> -                     ret = 1;
> -                     break;
> -             default:
> -                     ret = ether_encap_print(et, p, length, caplen);
> -                     break;
> -             }
> -
> +             ret = ether_encap_print(et, p, length, caplen);
>               if (ret)
>                       return (ret);
>       }
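Review bot: the removed `case ETHERTYPE_ATALK` always set `ret = 1`, so SNAP-encapsulated AppleTalk always left through `if (ret) return (ret);`. After this change the result comes from ether_encap_print(), and if that returns 0 for an ethertype it no longer handles, control continues past the closing brace into code this hunk does not show. Check that this fall-through path prints something sensible for those frames. The deleted comment was also the only explanation of why this code defers to print-ether.c, so a one-line version is worth keeping above the call.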
> Index: usr.sbin/tcpdump/print-udp.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/print-udp.c,v
> retrieving revision 1.40
> diff -u -p -r1.40 print-udp.c
> --- usr.sbin/tcpdump/print-udp.c      22 Dec 2015 21:01:07 -0000      1.40
> +++ usr.sbin/tcpdump/print-udp.c      28 May 2017 13:46:59 -0000
> @@ -56,7 +56,6 @@
>  #include "interface.h"
>  #include "addrtoname.h"
>  #include "extract.h"
> -#include "appletalk.h"
>  
>  #include "nfsv2.h"
>  #include "bootp.h"
> @@ -521,14 +520,6 @@ udp_print(const u_char *bp, u_int length
>                               return;
>                       }
>  #endif
> -             }
> -             if (TTEST(((struct LAP *)cp)->type) &&
> -                 ((struct LAP *)cp)->type == lapDDP &&
> -                 (atalk_port(sport) || atalk_port(dport))) {
> -                     if (vflag)
> -                             fputs("kip ", stdout);
> -                     atalk_print_llap(cp, length);
> -                     return;
>               }
>       }
>  #if 0
> Index: usr.sbin/tcpdump/privsep.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/privsep.c,v
> retrieving revision 1.44
> diff -u -p -r1.44 privsep.c
> --- usr.sbin/tcpdump/privsep.c        23 Jan 2017 04:25:05 -0000      1.44
> +++ usr.sbin/tcpdump/privsep.c        28 May 2017 13:46:59 -0000
> @@ -101,8 +101,7 @@ struct ftab {
>       int count;
>  };
>  
> -static struct ftab file_table[] = {{"/etc/appletalk.names", 1, 0},
> -                                {PF_OSFP_FILE, 1, 0}};
> +static struct ftab file_table[] = {{PF_OSFP_FILE, 1, 0}};
>  
>  #define NUM_FILETAB (sizeof(file_table) / sizeof(struct ftab))
>  
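Review bot: going by the "file ids used by priv_getlines" comment in privsep.h, file_table entries are tied to the FTAB_* ids only by array position, so this initializer and the FTAB_PFOSFP renumbering from 1 to 0 must be committed together. A short comment on the initializer naming the id each slot corresponds to would make that coupling visible to the next person who edits the table. It is also worth recording in the commit message that the removed entry is "/etc/appletalk.names", while the tcpdump.8 text removed in this same diff documents /etc/atalk.names.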
> Index: usr.sbin/tcpdump/privsep.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/privsep.h,v
> retrieving revision 1.8
> diff -u -p -r1.8 privsep.h
> --- usr.sbin/tcpdump/privsep.h        14 Jul 2015 20:23:40 -0000      1.8
> +++ usr.sbin/tcpdump/privsep.h        28 May 2017 13:46:59 -0000
> @@ -22,8 +22,7 @@
>  #define TCPDUMP_MAGIC 0xa1b2c3d4
>  
>  /* file ids used by priv_getlines */
> -#define FTAB_APPLETALK       0
> -#define FTAB_PFOSFP  1
> +#define FTAB_PFOSFP  0
>  
>  enum cmd_types {
>       PRIV_OPEN_BPF,          /* open a bpf descriptor */
> Index: usr.sbin/tcpdump/tcpdump.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.8,v
> retrieving revision 1.92
> diff -u -p -r1.92 tcpdump.8
> --- usr.sbin/tcpdump/tcpdump.8        19 Apr 2017 05:36:13 -0000      1.92
> +++ usr.sbin/tcpdump/tcpdump.8        28 May 2017 13:47:00 -0000
> @@ -1604,142 +1604,6 @@ requests, and matches them to the replie
>  .Pq transaction ID .
>  If a reply does not closely follow the corresponding request,
>  it might not be parsable.
> -.Ss KIP AppleTalk (DDP in UDP)
> -AppleTalk DDP packets encapsulated in UDP datagrams
> -are de-encapsulated and dumped as DDP packets
> -.Pq i.e., all the UDP header information is discarded .
> -The file
> -.Pa /etc/atalk.names
> -is used to translate AppleTalk net and node numbers to names.
> -Lines in this file have the form
> -.Bl -column "number" "name" -offset indent
> -.It Sy "number" Ta Ta Sy "name"
> -.It "1.254" Ta Ta "ether"
> -.It "16.1" Ta Ta "icsd-net"
> -.It "1.254.110" Ta Ta "ace"
> -.El
> -.Pp
> -The first two lines give the names of AppleTalk networks.
> -The third line gives the name of a particular host
> -(a host is distinguished from a net by the 3rd octet in the number;
> -a net number
> -.Em must
> -have two octets and a host number
> -.Em must
> -have three octets).
> -The number and name should be separated by whitespace (blanks or tabs).
> -The
> -.Pa /etc/atalk.names
> -file may contain blank lines or comment lines
> -(lines starting with a
> -.Ql # ) .
> -.Pp
> -AppleTalk addresses are printed in the form
> -.Pp
> -.D1 Ar net . Ns Ar host . Ns Ar port
> -.Pp
> -For example:
> -.Bd -unfilled -offset indent
> -144.1.209.2 > icsd-net.112.220
> -office.2 > icsd-net.112.220
> -jssmag.149.235 > icsd-net.2
> -.Ed
> -.Pp
> -If
> -.Pa /etc/atalk.names
> -doesn't exist or doesn't contain an entry for some AppleTalk
> -host/net number, addresses are printed in numeric form.
> -In the first example, NBP
> -.Pq DDP port 2
> -on net 144.1 node 209
> -is sending to whatever is listening on port 220 of net icsd-net node 112.
> -The second line is the same except the full name of the source node is known
> -.Pq Dq office .
> -The third line is a send from port 235 on
> -net jssmag node 149 to broadcast on the icsd-net NBP port.
> -The broadcast address
> -.Pq 255
> -is indicated by a net name with no host number;
> -for this reason it is a good idea to keep node names and net names distinct 
> in
> -.Pa /etc/atalk.names .
> -.Pp
> -NBP
> -.Pq name binding protocol
> -and ATP
> -.Pq AppleTalk transaction protocol
> -packets have their contents interpreted.
> -Other protocols just dump the protocol name
> -.Po
> -or number if no name is registered for the protocol
> -.Pc
> -and packet size.
> -.Pp
> -NBP packets are formatted like the following examples:
> -.Bd -unfilled
> -icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
> -jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
> -techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186
> -.Ed
> -.Pp
> -The first line is a name lookup request for laserwriters sent by
> -net icsdi-net host
> -112 and broadcast on net jssmag.
> -The nbp ID for the lookup is 190.
> -The second line shows a reply for this request
> -.Pq note that it has the same ID
> -from host jssmag.209 saying that it has a laserwriter
> -resource named RM1140 registered on port 250.
> -The third line is another reply to the same request
> -saying host techpit has laserwriter techpit registered on port 186.
> -.Pp
> -ATP packet formatting is demonstrated by the following example:
> -.Bd -unfilled -offset indent
> -jssmag.209.165 > helios.132: atp-req  12266<0-7> 0xae030001
> -helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
> -helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
> -helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
> -helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
> -helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
> -helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
> -helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
> -helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
> -jssmag.209.165 > helios.132: atp-req  12266<3,5> 0xae030001
> -helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
> -helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
> -jssmag.209.165 > helios.132: atp-rel  12266<0-7> 0xae030001
> -jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002
> -.Ed
> -.Pp
> -Jssmag.209 initiates transaction ID 12266 with host helios by requesting
> -up to 8 packets
> -.Sm off
> -.Pq the Dq <0\-7> .
> -.Sm on
> -The hex number at the end of the line is the value of the
> -.Ar userdata
> -field in the request.
> -.Pp
> -Helios responds with 8 512-byte packets.
> -The
> -.Dq : Ns Ar n
> -following the
> -transaction ID gives the packet sequence number in the transaction
> -and the number in parentheses is the amount of data in the packet,
> -excluding the ATP header.
> -The
> -.Ql *
> -on packet 7 indicates that the EOM bit was set.
> -.Pp
> -Jssmag.209 then requests that packets 3 & 5 be retransmitted.
> -Helios resends them then jssmag.209 releases the transaction.
> -Finally, jssmag.209 initiates the next request.
> -The
> -.Ql *
> -on the request indicates that XO
> -.Pq exactly once
> -was
> -.Em not
> -set.
>  .Ss IP Fragmentation
>  Fragmented Internet datagrams are printed as
>  .Bd -ragged -offset indent
> @@ -1901,12 +1765,6 @@ question section is printed rather than 
>  Some believe that inverse queries are themselves a bug and
>  prefer to fix the program generating them rather than
>  .Nm tcpdump .
> -.Pp
> -Apple Ethertalk DDP packets could be dumped as easily as KIP DDP packets
> -but aren't.
> -Even if we were inclined to do anything to promote the use of Ethertalk
> -(we aren't, LBL doesn't allow Ethertalk on any of its
> -networks so we'd have no way of testing this code).
>  .Pp
>  A packet trace that crosses a daylight saving time change will give
>  skewed time stamps
> 
> -- 
> Michal Mazurek
> 
