From 75e59686639c05c62f819ed5b4a6e9f1515702c8 Mon Sep 17 00:00:00 2001 From: Klaus Darilion Date: Mon, 1 Sep 2014 14:13:27 +0200 Subject: [PATCH 01/14] Close PCAPs after dumper_close() to have statistics still available during dumper_close(). Otherwise we get a segfault on shutdown. --- src/dnscap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/dnscap.c b/src/dnscap.c index dbb6800..59fa2d6 100644 --- a/src/dnscap.c +++ b/src/dnscap.c @@ -427,9 +427,10 @@ main(int argc, char *argv[]) { daemonize(); while (!main_exit) poll_pcaps(); - close_pcaps(); + /* close PCAPs after dumper_close() to have statistics still available during dumper_close() */ if (dumper_opened == dump_state) (void) dumper_close(last_ts); + close_pcaps(); for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) { if (p->stop) (*p->stop)(); From 097a3b4d15dc983c85f8716ae24b1ac18aa71e40 Mon Sep 17 00:00:00 2001 From: Klaus Darilion Date: Mon, 1 Sep 2014 14:16:00 +0200 Subject: [PATCH 02/14] Count every packet which is sent to output(), not only the normal ones. --- src/dnscap.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/dnscap.c b/src/dnscap.c index 59fa2d6..3d075de 100644 --- a/src/dnscap.c +++ b/src/dnscap.c @@ -2309,7 +2309,6 @@ network_pkt(const char *descr, my_bpftimeval ts, unsigned pf, abort(); } } - msgcount++; output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, olen, dnspkt, dnslen); } @@ -2324,6 +2323,9 @@ output(const char *descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, const u_char *payload, const unsigned payloadlen) { struct plugin *p; + + msgcount++; + /* Output stage. */ if (preso) { fputs(descr, stderr); From 341abdfbf07620b5f1aee3c9470fd5de48125d29 Mon Sep 17 00:00:00 2001 
From: Klaus Darilion Date: Mon, 1 Sep 2014 14:22:21 +0200 Subject: [PATCH 03/14] Add -W feature: allow to specify a suffix for the pcap dump file, e. g.: '.pcap' --- src/dnscap.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/dnscap.c b/src/dnscap.c index 3d075de..abf94f3 100644 --- a/src/dnscap.c +++ b/src/dnscap.c @@ -342,6 +342,7 @@ static myregex_list myregexes; static mypcap_list mypcaps; static mypcap_ptr pcap_offline = NULL; static const char *dump_base = NULL; +static const char *dump_suffix = NULL; static char *extra_bpf = NULL; static enum {nowhere, to_stdout, to_file} dump_type = nowhere; static enum {dumper_opened, dumper_closed} dump_state = dumper_closed; @@ -688,7 +689,7 @@ help_1(void) { "\t[-u ] [-m [qun]] [-e [nytfsxir]]\n" "\t[-h [ir]] [-s [ir]]\n" "\t[-a ]+ [-z ]+ [-A ]+ [-Z ]+\n" - "\t[-w [-k ]] [-t ] [-c ]\n" + "\t[-w [-W suffix] [-k ]] [-t ] [-c ]\n" "\t[-x ]+ [-X ]+\n" "\t[-B ]+ [-E ]+\n" "\t[-P plugin.so] [-U ]\n", @@ -735,6 +736,7 @@ help_2(void) { "\t-Z want messages NOT to/from these responder(s)\n" "\t-Y drop responses from these responder(s)\n" "\t-w dump to ..\n" + "\t-W add suffix to dump file name, e.g. '.pcap'\n" "\t-k kick off when each dump closes\n" "\t-t close dump or exit every/after secs\n" "\t-c close dump or exit every/after pkts\n" @@ -781,7 +783,7 @@ parse_args(int argc, char *argv[]) { #ifdef USE_SECCOMP "y" #endif - "z:A:B:E:IL:P:STU:X:Y:Z:16?MC") + "z:A:B:E:IL:P:STU:W:X:Y:Z:16?MC") ) != EOF) { switch (ch) { @@ -941,6 +943,9 @@ parse_args(int argc, char *argv[]) { else dump_type = to_file; break; + case 'W': + dump_suffix = optarg; + break; case 'k': if (dump_type != to_file) usage("-k depends on -w" 
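Review bot: The new `case 'W':` accepts a suffix without `-w` having been given, unlike the neighbouring `case 'k':` which rejects `-k` when dump_type is not to_file, so `-W` given on its own (or before `-w`, since dump_type is only set while `-w` is parsed) is silently ignored. For consistency with -k, add `if (dump_type != to_file) usage("-W depends on -w");` before `dump_suffix = optarg;`, or state in the help_2 text that -W only has an effect together with -w. The value is also used verbatim in the dump file name, so the help line could say that it is appended literally (no separator is inserted).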
@@ -2376,9 +2381,9 @@ dumper_open(my_bpftimeval ts) { char sbuf[64]; strftime(sbuf, 64, "%Y%m%d.%H%M%S", gmtime((time_t *) &ts.tv_sec)); - if (asprintf(&dumpname, "%s.%s.%06lu", + if (asprintf(&dumpname, "%s.%s.%06lu%s", dump_base, sbuf, - (u_long) ts.tv_usec) < 0 || + (u_long) ts.tv_usec, dump_suffix) < 0 || asprintf(&dumpnamepart, "%s.part", dumpname) < 0) { logerr("asprintf: %s", strerror(errno)); From b567befc60766ee9a6cfe5d8e218fca665b437f0 Mon Sep 17 00:00:00 2001 From: Klaus Darilion Date: Mon, 1 Sep 2014 14:49:13 +0200 Subject: [PATCH 04/14] New option -C: limit/rotate capture after a certain amount of bytes --- src/dnscap.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/src/dnscap.c b/src/dnscap.c index abf94f3..0006ed0 100644 --- a/src/dnscap.c +++ b/src/dnscap.c @@ -350,12 +350,14 @@ static const char *kick_cmd = NULL; static unsigned limit_seconds = 0U; static time_t next_interval = 0; static unsigned limit_packets = 0U; +static size_t limit_pcapfilesize = 0U; static fd_set mypcap_fdset; static int pcap_maxfd; static pcap_t *pcap_dead; static pcap_dumper_t *dumper; static time_t dumpstart; static unsigned msgcount; +static size_t capturedbytes; static char *dumpname, *dumpnamepart; static char *bpft; static unsigned dns_port = DNS_PORT; @@ -689,7 +691,7 @@ help_1(void) { "\t[-u ] [-m [qun]] [-e [nytfsxir]]\n" "\t[-h [ir]] [-s [ir]]\n" "\t[-a ]+ [-z ]+ [-A ]+ [-Z ]+\n" - "\t[-w [-W suffix] [-k ]] [-t ] [-c ]\n" + "\t[-w [-W suffix] [-k ]] [-t ] [-c ] [-C ]\n" "\t[-x ]+ [-X ]+\n" "\t[-B ]+ [-E ]+\n" "\t[-P plugin.so] [-U ]\n", @@ -740,6 +742,7 @@ help_2(void) { "\t-k kick off when each dump closes\n" "\t-t close dump or exit every/after secs\n" "\t-c close dump or exit every/after pkts\n" + "\t-C close dump or exit every/after bytes captured\n" "\t-x select messages matching regex \n" "\t-X select messages not matching regex \n" #ifdef USE_SECCOMP 
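Review bot: `dump_suffix` is still NULL when -W was not given, and this hunk passes it straight to the new `%s` conversion in the asprintf format, which is undefined behaviour; on glibc it happens to print "(null)", so every dump file created without -W would get a literal "(null)" appended to its name. Patch 12/14 of this series substitutes `dump_suffix ? dump_suffix : ""`, so no further change is needed at the end of the series, but folding that fallback into this commit would keep the intermediate tree correct for bisecting. dumper_open() continues outside the hunk.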
@@ -783,7 +786,7 @@ parse_args(int argc, char *argv[]) { #ifdef USE_SECCOMP "y" #endif - "z:A:B:E:IL:P:STU:W:X:Y:Z:16?MC") + "z:A:B:C:E:IL:P:STU:W:X:Y:Z:16?MC") ) != EOF) { switch (ch) { @@ -964,6 +967,12 @@ parse_args(int argc, char *argv[]) { usage("argument to -c must be an integer"); limit_packets = (unsigned) ul; break; + case 'C': + ul = strtoul(optarg, &p, 0); + if (*p != '\0') + usage("argument to -C must be an integer"); + limit_pcapfilesize = (unsigned) ul; + break; case 'x': /* FALLTHROUGH */ case 'X': @@ -1095,7 +1104,7 @@ parse_args(int argc, char *argv[]) { fprintf(stderr, "%s: version %s\n", ProgramName, version()); fprintf(stderr, - "%s: msg %c%c%c, side %c%c, hide %c%c, err %c%c%c%c%c%c%c%c, t %u, c %u\n", + "%s: msg %c%c%c, side %c%c, hide %c%c, err %c%c%c%c%c%c%c%c, t %u, c %u, C %zu\n", ProgramName, (msg_wanted & MSG_QUERY) != 0 ? 'Q' : '.', (msg_wanted & MSG_UPDATE) != 0 ? 'U' : '.', @@ -1112,7 +1121,7 @@ parse_args(int argc, char *argv[]) { (err_wanted & ERR_NXDOMAIN) != 0 ? 'x' : '.', (err_wanted & ERR_NOTIMPL) != 0 ? 'i' : '.', (err_wanted & ERR_REFUSED) != 0 ? 'r' : '.', - limit_seconds, limit_packets); + limit_seconds, limit_packets, limit_pcapfilesize); sep = "\tinit"; for (ep = HEAD(initiators); ep != NULL; @@ -1767,6 +1776,17 @@ dl_pkt(u_char *user, const struct pcap_pkthdr *hdr, const u_char *pkt, const cha goto breakloop; msgcount = 0; } + + if (limit_pcapfilesize != 0U && capturedbytes >= limit_pcapfilesize) { + if (preso) { + goto breakloop; + } + if (dumper_opened == dump_state && dumper_close(hdr->ts)) { + goto breakloop; + } + capturedbytes = 0; + } + return; breakloop: breakloop_pcaps(); From 3db6f949fb292a017aefdea3c4e3aed2cbe33745 Mon Sep 17 00:00:00 2001 From: Klaus Darilion Date: Tue, 2 Sep 2014 10:23:03 +0200 Subject: [PATCH 05/14] Improve logging - document that -d can be specified multiple times - dump every processed packet --- src/dnscap.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
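Review bot: `limit_pcapfilesize = (unsigned) ul;` narrows the parsed value to 32 bits even though the variable is declared `size_t` in the preceding hunk, so on LP64 hosts a byte limit of 4 GiB or more silently wraps (a value of 4294967296 becomes 0, which means "no limit"); cast with `(size_t) ul` instead. The `*p != '\0'` test also accepts an empty argument as 0 and does not check `errno == ERANGE` after strtoul, which the existing -c case appears to share, so both could be tightened together with `if (p == optarg || *p != '\0' || errno == ERANGE)`. The same cast is carried unchanged through the option renames in patches 10/14 and 14/14, so the fix applies to the final `case 'C':` as well.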
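Review bot: `capturedbytes = 0;` is reset only when the -C limit itself triggers the close, but a rotation caused by the -c block just above it (or the -t check, outside this hunk) leaves capturedbytes at its accumulated value, so the next dump file is closed after fewer bytes than -C asked for, unless dumper_close() or dumper_open() resets it elsewhere, which this hunk does not show. Resetting both counters where the file is actually (re)opened, e.g. `msgcount = 0; capturedbytes = 0;` at the start of dumper_open(), would make the two limits independent of which one fired. Note also that nothing in this commit increments capturedbytes, so -C cannot trigger until patch 06/14 adds `capturedbytes += olen;` in output(). dl_pkt() begins outside the hunk.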
diff --git a/src/dnscap.c b/src/dnscap.c index 0006ed0..331d4c1 100644 --- a/src/dnscap.c +++ b/src/dnscap.c @@ -706,7 +706,7 @@ help_2(void) { "\t-? or -\\? print these instructions and exit\n" "\t-b run in background as daemon\n" "\t-p do not put interface in promiscuous mode\n" - "\t-d dump verbose trace information to stderr\n" + "\t-d dump verbose trace information to stderr, specify multiple times to increase debugging\n" "\t-1 flush output on every packet\n" "\t-g dump packets dig-style on stderr\n" "\t-6 compensate for PCAP/BPF IPv6 bug\n" @@ -1799,7 +1799,7 @@ static void discard(tcpstate_ptr tcpstate, const char *msg) { if (dumptrace >= 3 && msg) - fprintf(stderr, "%s\n", msg); + fprintf(stderr, "discarding packet: %s\n", msg); if (tcpstate) { UNLINK(tcpstates, tcpstate, link); free(tcpstate); @@ -1826,6 +1826,9 @@ network_pkt(const char *descr, my_bpftimeval ts, unsigned pf, size_t len, dnslen; HEADER dns; + if (dumptrace >= 4) + fprintf(stderr, "processing %s packet: len=%zu\n", (pf==PF_INET?"IPv4":(pf==PF_INET6?"IPv6":"unknown")), olen); + /* Make a writable copy of the packet and use that copy from now on. */ memcpy(pkt, opkt, len = olen); @@ -2351,6 +2354,11 @@ output(const char *descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, msgcount++; + if (dumptrace >= 3) { + fprintf(stderr, "output: capturedbytes=%zu, proto=%d, isfrag=%d, olen=%u, dnslen=%u\n", + capturedbytes, proto, isfrag, olen, dnslen); + } + /* Output stage. */ if (preso) { fputs(descr, stderr); From 348c7383dcc6cc1e4914406d5e65e9afcaa5b6e5 Mon Sep 17 00:00:00 2001 From: Klaus Darilion Date: Tue, 2 Sep 2014 10:24:38 +0200 Subject: [PATCH 06/14] Fix -C feature: capturedbytes was not increased --- src/dnscap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/dnscap.c b/src/dnscap.c index 331d4c1..67aa8ce 100644 --- a/src/dnscap.c +++ b/src/dnscap.c 
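Review bot: The new trace in network_pkt() prints olen with `%zu`, but output() later in this same file prints olen with `%u`, so if network_pkt's olen is also `unsigned` (its signature starts outside the hunk) the conversion does not match the argument type, which is undefined behaviour and produces garbage on targets where size_t is wider than unsigned. Use `%u`, or pass `(size_t) olen`, so the format matches the declared type; building with `-Wformat` would flag this automatically. The `(pf==PF_INET?"IPv4":(pf==PF_INET6?"IPv6":"unknown"))` expression would also read better as a small static helper or with spaces around the operators, matching the rest of the file.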
@@ -2353,6 +2353,7 @@ output(const char *descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, struct plugin *p; msgcount++; + capturedbytes += olen; if (dumptrace >= 3) { fprintf(stderr, "output: capturedbytes=%zu, proto=%d, isfrag=%d, olen=%u, dnslen=%u\n", From 519b64f633a3de8efdfafc42ee7e2d663f2cfc75 Mon Sep 17 00:00:00 2001 From: Klaus Darilion Date: Tue, 2 Sep 2014 17:21:12 +0200 Subject: [PATCH 07/14] Add -Y option to short usage instructions --- src/dnscap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/dnscap.c b/src/dnscap.c index 67aa8ce..c87eedc 100644 --- a/src/dnscap.c +++ b/src/dnscap.c @@ -690,7 +690,7 @@ help_1(void) { "\t[-?bpd1g6fTISMC] [-i ]+ [-r ]+ [-l ]+ [-L ]+\n" "\t[-u ] [-m [qun]] [-e [nytfsxir]]\n" "\t[-h [ir]] [-s [ir]]\n" - "\t[-a ]+ [-z ]+ [-A ]+ [-Z ]+\n" + "\t[-a ]+ [-z ]+ [-A ]+ [-Z ]+ [-Y ]+\n" "\t[-w [-W suffix] [-k ]] [-t ] [-c ] [-C ]\n" "\t[-x ]+ [-X ]+\n" "\t[-B ]+ [-E ]+\n" From 76f19d17f247138d985049cc66354f8f59140ed0 Mon Sep 17 00:00:00 2001 From: Klaus Darilion Date: Tue, 2 Sep 2014 17:28:10 +0200 Subject: [PATCH 08/14] fix usage of -W --- src/dnscap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/dnscap.c b/src/dnscap.c index c87eedc..561a340 100644 --- a/src/dnscap.c +++ b/src/dnscap.c @@ -691,7 +691,7 @@ help_1(void) { "\t[-u ] [-m [qun]] [-e [nytfsxir]]\n" "\t[-h [ir]] [-s [ir]]\n" "\t[-a ]+ [-z ]+ [-A ]+ [-Z ]+ [-Y ]+\n" - "\t[-w [-W suffix] [-k ]] [-t ] [-c ] [-C ]\n" + "\t[-w [-W ] [-k ]] [-t ] [-c ] [-C ]\n" "\t[-x ]+ [-X ]+\n" "\t[-B ]+ [-E ]+\n" "\t[-P plugin.so] [-U ]\n", From 813dddbbeb909d77e6297c0fc67ffa16160a7c6b Mon Sep 17 00:00:00 2001 From: Klaus Darilion Date: Tue, 2 Sep 2014 17:33:10 +0200 Subject: [PATCH 09/14] Fix -B and -E, these options are supported only once --- src/dnscap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/dnscap.c b/src/dnscap.c index 561a340..e68a809 100644 --- a/src/dnscap.c +++ b/src/dnscap.c 
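Review bot: `capturedbytes += olen;` adds the packet length handed to output(), so the -C limit is measured in captured packet bytes rather than in bytes written to the dump file, which additionally carries the pcap per-record headers and is not written at all while no dumper is open (preso mode, or dump_type nowhere); the name limit_pcapfilesize suggests on-disk size. A comment on this line, `/* bytes handed to output(), not on-disk dump size; -C and the man page are defined in these terms */`, would stop the next reader from "fixing" it. If on-disk size is what operators actually want, the increment belongs next to the dump write instead, which is outside this hunk.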
@@ -693,7 +693,7 @@ help_1(void) { "\t[-a ]+ [-z ]+ [-A ]+ [-Z ]+ [-Y ]+\n" "\t[-w [-W ] [-k ]] [-t ] [-c ] [-C ]\n" "\t[-x ]+ [-X ]+\n" - "\t[-B ]+ [-E ]+\n" + "\t[-B ] [-E ]\n" "\t[-P plugin.so] [-U ]\n", ProgramName); } From 7435c496e84e9500504f403231932ecee9ed0db1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jerry=20Lundstr=C3=B6m?= Date: Tue, 30 Aug 2016 16:32:41 +0200 Subject: [PATCH 10/14] Change new option C to D because C was already taken --- src/dnscap.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/dnscap.c b/src/dnscap.c index e68a809..678af6a 100644 --- a/src/dnscap.c +++ b/src/dnscap.c @@ -691,7 +691,7 @@ help_1(void) { "\t[-u ] [-m [qun]] [-e [nytfsxir]]\n" "\t[-h [ir]] [-s [ir]]\n" "\t[-a ]+ [-z ]+ [-A ]+ [-Z ]+ [-Y ]+\n" - "\t[-w [-W ] [-k ]] [-t ] [-c ] [-C ]\n" + "\t[-w [-W ] [-k ]] [-t ] [-c ] [-D ]\n" "\t[-x ]+ [-X ]+\n" "\t[-B ] [-E ]\n" "\t[-P plugin.so] [-U ]\n", @@ -742,7 +742,7 @@ help_2(void) { "\t-k kick off when each dump closes\n" "\t-t close dump or exit every/after secs\n" "\t-c close dump or exit every/after pkts\n" - "\t-C close dump or exit every/after bytes captured\n" + "\t-D close dump or exit every/after bytes captured\n" "\t-x select messages matching regex \n" "\t-X select messages not matching regex \n" #ifdef USE_SECCOMP @@ -786,7 +786,7 @@ parse_args(int argc, char *argv[]) { #ifdef USE_SECCOMP "y" #endif - "z:A:B:C:E:IL:P:STU:W:X:Y:Z:16?MC") + "z:A:B:D:E:IL:P:STU:W:X:Y:Z:16?MC") ) != EOF) { switch (ch) { @@ -967,10 +967,10 @@ parse_args(int argc, char *argv[]) { usage("argument to -c must be an integer"); limit_packets = (unsigned) ul; break; - case 'C': + case 'D': ul = strtoul(optarg, &p, 0); if (*p != '\0') - usage("argument to -C must be an integer"); + usage("argument to -D must be an integer"); limit_pcapfilesize = (unsigned) ul; break; case 'x': 
@@ -1104,7 +1104,7 @@ parse_args(int argc, char *argv[]) { fprintf(stderr, "%s: version %s\n", ProgramName, version()); fprintf(stderr, - "%s: msg %c%c%c, side %c%c, hide %c%c, err %c%c%c%c%c%c%c%c, t %u, c %u, C %zu\n", + "%s: msg %c%c%c, side %c%c, hide %c%c, err %c%c%c%c%c%c%c%c, t %u, c %u, D %zu\n", ProgramName, (msg_wanted & MSG_QUERY) != 0 ? 'Q' : '.', (msg_wanted & MSG_UPDATE) != 0 ? 'U' : '.', From 4dd81d662e680c3670f525e46c284d7681771cc6 Mon Sep 17 00:00:00 2001 From: Klaus Darilion Date: Tue, 2 Sep 2014 17:59:47 +0200 Subject: [PATCH 11/14] Update the man page --- src/dnscap.1.in | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/src/dnscap.1.in b/src/dnscap.1.in index 3004357..167a0de 100644 --- a/src/dnscap.1.in +++ b/src/dnscap.1.in @@ -11,6 +11,7 @@ .Op Fl r Ar file ... .Op Fl l Ar vlan ... .Op Fl L Ar vlan ... +.Op Fl u Ar port .Op Fl x Ar pat ... .Op Fl X Ar pat ... .Oo @@ -26,8 +27,12 @@ .Op ir .Oc .Oo +.Fl h +.Op ir +.Oc +.Oo .Fl e -.Op nytfsxir +.Op nytfsxirMC .Oc .Op Fl a Ar host ... .Op Fl z Ar host ... @@ -38,10 +43,16 @@ .Oo .Fl w .Ar base +.Op Fl W Ar suffix .Op Fl k Ar cmd .Oc .Op Fl t Ar lim .Op Fl c Ar lim +.Op Fl D Ar lim +.Op Fl B Ar datetime +.Op Fl E Ar datetime +.Op Fl P Ar plugin.so +.Op Fl U Ar str .Sh DESCRIPTION .Nm is a network capture utility designed specifically for DNS traffic. It @@ -59,6 +70,8 @@ is expected to be used for gathering continuous research or audit traces. .Pp The following options are available: .Bl -tag -width 10n +.It Fl b +Run in background as daemon. .It Fl p Asks that the interface not be put into promiscuous mode. Note that even without this option, the interface could be in promiscuous mode for some other 
@@ -110,6 +123,8 @@ boundaries, will be captured if and only if the first DNS header passed all filter options. TCP packets will usually not be printable with .Fl g . +.It Fl I +Select ICMP and ICMPv6 packets. .It Fl i Ar if Select an interface to be monitored. On BSD systems, the default is the first interface that was configured at system boot time. On Linux systems, the @@ -241,6 +256,8 @@ and .Fl t options affect the total duration of the capture, and not merely the size and time limits of each individual dump file. +.It Fl W Ar suffix +The provided suffix is added to the dump file name, e. g.: ".pcap" .It Fl k Ar cmd After each dump file specified by .Fl w @@ -281,6 +298,17 @@ file, .Nm exits. This option is inclusive with .Fl t . +.It Fl D Ar lim +By default, +.Nm +will close its packet dump file only when interrupted. A dump file size, +measured in bytes captured, can be specified with the +.Fl D +option. If the packet dump file is standard output, then after closing this +file, +.Nm +exits. This option is inclusive with +.Fl t . .It Fl B Ar datetime When using .Fl w , @@ -312,13 +340,19 @@ Causes .Nm to print pcap_stats() counters on stderr when .Fl t -or +, .Fl c +or +.Fl D limits are reached. .It Fl M Enable monitor mode on interfaces. .It Fl C Enable immediate mode on interfaces. +.It Fl U Ar str +Append "and +.Ar str +" to the pcap filter. .El .Pp If started with no options, From f9cbba049cbc29d597278f0a506545040b88f767 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jerry=20Lundstr=C3=B6m?= Date: Tue, 30 Aug 2016 16:49:54 +0200 Subject: [PATCH 12/14] Do not use dump suffix unless it set --- src/dnscap.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/dnscap.c b/src/dnscap.c index 678af6a..945795e 100644 --- a/src/dnscap.c +++ b/src/dnscap.c 
@@ -342,7 +342,7 @@ static myregex_list myregexes; static mypcap_list mypcaps; static mypcap_ptr pcap_offline = NULL; static const char *dump_base = NULL; -static const char *dump_suffix = NULL; +static char *dump_suffix = NULL; static char *extra_bpf = NULL; static enum {nowhere, to_stdout, to_file} dump_type = nowhere; static enum {dumper_opened, dumper_closed} dump_state = dumper_closed; @@ -947,7 +947,9 @@ parse_args(int argc, char *argv[]) { dump_type = to_file; break; case 'W': - dump_suffix = optarg; + if (dump_suffix) + free(dump_suffix); + dump_suffix = strdup(optarg); break; case 'k': if (dump_type != to_file) @@ -2412,7 +2414,7 @@ dumper_open(my_bpftimeval ts) { strftime(sbuf, 64, "%Y%m%d.%H%M%S", gmtime((time_t *) &ts.tv_sec)); if (asprintf(&dumpname, "%s.%s.%06lu%s", dump_base, sbuf, - (u_long) ts.tv_usec, dump_suffix) < 0 || + (u_long) ts.tv_usec, dump_suffix ? dump_suffix : "") < 0 || asprintf(&dumpnamepart, "%s.part", dumpname) < 0) { logerr("asprintf: %s", strerror(errno)); From 0077aff24055e0e7214a368e77afa1570455da3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jerry=20Lundstr=C3=B6m?= Date: Tue, 30 Aug 2016 16:54:03 +0200 Subject: [PATCH 13/14] Correct dump trace with new `flags` --- src/dnscap.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/dnscap.c b/src/dnscap.c index 945795e..e16d1e5 100644 --- a/src/dnscap.c +++ b/src/dnscap.c @@ -2358,8 +2358,14 @@ output(const char *descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, capturedbytes += olen; if (dumptrace >= 3) { - fprintf(stderr, "output: capturedbytes=%zu, proto=%d, isfrag=%d, olen=%u, dnslen=%u\n", - capturedbytes, proto, isfrag, olen, dnslen); + fprintf(stderr, "output: capturedbytes=%zu, proto=%d, isfrag=%s, isdns=%s, olen=%u, payloadlen=%u\n", + capturedbytes, + proto, + flags & DNSCAP_OUTPUT_ISFRAG ? "yes" : "no", + flags & DNSCAP_OUTPUT_ISDNS ? "yes" : "no", + olen, + payloadlen + ); } /* Output stage. */ 
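Review bot: `dump_suffix = strdup(optarg);` is not checked for NULL, so an allocation failure is silently turned into "no suffix" by the `dump_suffix ? dump_suffix : ""` fallback in the dumper_open() hunk and the dump file is written under an unexpected name; asprintf failure in dumper_open() is reported through logerr(), and the same treatment fits here, e.g. `if (!dump_suffix) { logerr("strdup: %s", strerror(errno)); exit(1); }` (assuming logerr() does not exit on its own). The `if (dump_suffix)` guard before free() is redundant, since free(NULL) is a no-op. It is also not obvious why a copy is needed at all, because optarg points into argv, which outlives parse_args(); if the copy exists so the option can be freed or reassigned later, a one-line comment saying so would help.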
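Review bot: `flags & DNSCAP_OUTPUT_ISFRAG ? "yes" : "no"` relies on `&` binding tighter than `?:`, which is correct but easy to misread as `flags & (… ? … : …)`; parenthesising the bit test, `(flags & DNSCAP_OUTPUT_ISFRAG) ? "yes" : "no"`, and likewise for DNSCAP_OUTPUT_ISDNS, matches how the file already writes its flag tests in parse_args (`(msg_wanted & MSG_QUERY) != 0 ? 'Q' : '.'`). Printing `proto`, a uint8_t, with `%d` is fine after default promotion. output() continues outside the hunk.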
From 33576ef7f537354dfaf110ea21134de856c8ebdd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jerry=20Lundstr=C3=B6m?= Date: Wed, 31 Aug 2016 07:57:59 +0200 Subject: [PATCH 14/14] Swap option C and D, C for this makes more sense. Also ensure that `capturedbytes` is zero on start. --- src/dnscap.1.in | 12 ++++++------ src/dnscap.c | 20 ++++++++++---------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/dnscap.1.in b/src/dnscap.1.in index 167a0de..3fabd1f 100644 --- a/src/dnscap.1.in +++ b/src/dnscap.1.in @@ -32,7 +32,7 @@ .Oc .Oo .Fl e -.Op nytfsxirMC +.Op nytfsxirMD .Oc .Op Fl a Ar host ... .Op Fl z Ar host ... @@ -48,7 +48,7 @@ .Oc .Op Fl t Ar lim .Op Fl c Ar lim -.Op Fl D Ar lim +.Op Fl C Ar lim .Op Fl B Ar datetime .Op Fl E Ar datetime .Op Fl P Ar plugin.so @@ -298,12 +298,12 @@ file, .Nm exits. This option is inclusive with .Fl t . -.It Fl D Ar lim +.It Fl C Ar lim By default, .Nm will close its packet dump file only when interrupted. A dump file size, measured in bytes captured, can be specified with the -.Fl D +.Fl C option. If the packet dump file is standard output, then after closing this file, .Nm @@ -343,11 +343,11 @@ to print pcap_stats() counters on stderr when , .Fl c or -.Fl D +.Fl C limits are reached. .It Fl M Enable monitor mode on interfaces. -.It Fl C +.It Fl D Enable immediate mode on interfaces. .It Fl U Ar str Append "and diff --git a/src/dnscap.c b/src/dnscap.c index e16d1e5..7e03072 100644 --- a/src/dnscap.c +++ b/src/dnscap.c @@ -357,7 +357,7 @@ static pcap_t *pcap_dead; static pcap_dumper_t *dumper; static time_t dumpstart; static unsigned msgcount; -static size_t capturedbytes; +static size_t capturedbytes = 0; static char *dumpname, *dumpnamepart; static char *bpft; static unsigned dns_port = DNS_PORT; 
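Review bot: `static size_t capturedbytes = 0;` changes nothing at run time, because objects with static storage duration are zero-initialised by the language, so the "ensure that capturedbytes is zero on start" part of the commit message was already guaranteed by the original declaration. Keeping the explicit initialiser as documentation is fine, but it should not be taken as a fix; if the intent was to have the counter start from zero for each new dump file, that reset belongs in dumper_open(), which this commit does not touch.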
@@ -687,11 +687,11 @@ help_1(void) { fprintf(stderr, "%s: version %s\n\n", ProgramName, version()); fprintf(stderr, "usage: %s\n" - "\t[-?bpd1g6fTISMC] [-i ]+ [-r ]+ [-l ]+ [-L ]+\n" + "\t[-?bpd1g6fTISMD] [-i ]+ [-r ]+ [-l ]+ [-L ]+\n" "\t[-u ] [-m [qun]] [-e [nytfsxir]]\n" "\t[-h [ir]] [-s [ir]]\n" "\t[-a ]+ [-z ]+ [-A ]+ [-Z ]+ [-Y ]+\n" - "\t[-w [-W ] [-k ]] [-t ] [-c ] [-D ]\n" + "\t[-w [-W ] [-k ]] [-t ] [-c ] [-C ]\n" "\t[-x ]+ [-X ]+\n" "\t[-B ] [-E ]\n" "\t[-P plugin.so] [-U ]\n", @@ -742,7 +742,7 @@ help_2(void) { "\t-k kick off when each dump closes\n" "\t-t close dump or exit every/after secs\n" "\t-c close dump or exit every/after pkts\n" - "\t-D close dump or exit every/after bytes captured\n" + "\t-C close dump or exit every/after bytes captured\n" "\t-x select messages matching regex \n" "\t-X select messages not matching regex \n" #ifdef USE_SECCOMP @@ -754,7 +754,7 @@ help_2(void) { "\t-B begin collecting at this date and time\n" "\t-E end collecting at this date and time\n" "\t-M set monitor mode on interfaces\n" - "\t-C set immediate mode on interfaces\n" + "\t-D set immediate mode on interfaces\n" ); } @@ -786,7 +786,7 @@ parse_args(int argc, char *argv[]) { #ifdef USE_SECCOMP "y" #endif - "z:A:B:D:E:IL:P:STU:W:X:Y:Z:16?MC") + "z:A:B:C:DE:IL:MP:STU:W:X:Y:Z:16?") ) != EOF) { switch (ch) { @@ -969,10 +969,10 @@ parse_args(int argc, char *argv[]) { usage("argument to -c must be an integer"); limit_packets = (unsigned) ul; break; - case 'D': + case 'C': ul = strtoul(optarg, &p, 0); if (*p != '\0') - usage("argument to -D must be an integer"); + usage("argument to -C must be an integer"); limit_pcapfilesize = (unsigned) ul; break; case 'x': @@ -1082,7 +1082,7 @@ parse_args(int argc, char *argv[]) { case 'M': monitor_mode = TRUE; break; - case 'C': + case 'D': immediate_mode = TRUE; break; default: 
@@ -1106,7 +1106,7 @@ parse_args(int argc, char *argv[]) { fprintf(stderr, "%s: version %s\n", ProgramName, version()); fprintf(stderr, - "%s: msg %c%c%c, side %c%c, hide %c%c, err %c%c%c%c%c%c%c%c, t %u, c %u, D %zu\n", + "%s: msg %c%c%c, side %c%c, hide %c%c, err %c%c%c%c%c%c%c%c, t %u, c %u, C %zu\n", ProgramName, (msg_wanted & MSG_QUERY) != 0 ? 'Q' : '.', (msg_wanted & MSG_UPDATE) != 0 ? 'U' : '.',