Releases: DNS-OARC/pcap-thread
Release pcap-thread 4.0.1
Fixed issue with pcap_dispatch() during non-threaded timed runs by checking the packet timestamp and using pcap_breakloop() if the run should end.
Based on reports, it looks like pcap_dispatch() won't stop processing if load is high enough, even if the documentation says "only one bufferful of packets is read at a time".
8b72d7e Copyright
8f2370e Dispatch, error, hexdump, format
63502bb Bye Travis
5639468 Badges
Release pcap-thread 4.0.0
Major version build due to renaming of an API function and various CI improvements.
Fixes:
- Fix spelling of pcap_thread_filter_optimize()
- Fix pcap_thread_next() when using layers
- reassemble():
  - Check that we have f_prev before using it
  - Free frag and return error if RFC815 since it's not complete yet
02fc33a clang scan, LGTM, configure
1a64e7d Fix pcap_thread_next() when using layers
75d8d72 Fix spelling of pcap_thread_filter_optimize()
Release pcap-thread 3.1.0, hexdump 2.1.0
Fix handling of IP packets that have padding or are missing some of the payload. The padding data can be accessed by going beyond the length of payload reported (see hexdump -G).
New pcap_thread_packet_t fields:
- have_ippadding: Indicate that the IPv4 packet has padding
- have_ip6padding: Indicate that the IPv6 packet has padding
- ippadding: The IPv4 padding length
- ip6padding: The IPv6 padding length
New hexdump option:
- Add option -G to report padding of IP packets
91b9703 Readd tests
c30295e hexdump report padding
f4e8b6f Padding and payload
Release pcap-thread 3.0.1
95db71c Remove bad-packets and scapy as a submodule, was bloating dist too much
Release pcap-thread 3.0.0, hexdump 2.0.0
Implement callback for additional layers, especially IP fragmentation.
- pcap_thread_set_callback_ipv4_frag()
- pcap_thread_set_callback_ipv6_frag()
- pcap_thread_set_callback_icmp()
- pcap_thread_set_callback_icmpv6()
- Additional pcap_thread_packet_t fields:
  - have_icmphdr: Indicate presence of ICMP header
  - have_icmpv6hdr: Indicate presence of ICMPv6 header
  - have_tcpopts: Indicate presence of TCP options
  - icmphdr: ICMP header
  - icmpv6hdr: ICMPv6 header
  - tcpopts: An array with a copy of the TCP options
  - tcpopts_len: Total length of TCP options
IP fragmentation handling is hooked in with a callback object called pcap_thread_layer_callback_frag_t that contains callbacks for:
- new: Create a new context, this is called per PCAP/interface
- free: Free the context
- reassemble: Called with the packet that needs reassembly, this callback may return a fully reassembled packet.
- release: Called to release resources around a fully reassembled packet after the packet has been passed to the next layers.
- Additional pcap_thread_packet_t fields:
  - ip6frag: The IPv6 extension header for fragmentation
  - ip6frag_payload: The protocol of the payload in the fragment
  - ip6rtdst: The IPv6 destination address from the router extension header if not the same as in ip6hdr
New IP fragmentation extension pcap_thread_ext_frag.c|h!
- Use pcap_thread_ext_frag_conf_t to configure
- Has two defragmentation modes
  - PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791 will arrange fragments by ascending offset, higher offset fragments will overwrite lower ones
  - PCAP_THREAD_EXT_FRAG_REASSEMBLE_BSD will arrange fragments by descending offset, lower offset fragments will overwrite higher ones
- Use pcap_thread_ext_frag_layer_callback() to generate a pcap_thread_layer_callback_frag_t object and pcap_thread_set_callback_ipv4_frag() / pcap_thread_set_callback_ipv6_frag() to enable the extension
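The two reassembly orders described above only differ when fragments overlap, and then they yield different payloads, so a capture tool should use the order its monitored hosts use or reject overlaps outright. The following is an added, self-contained illustration, not pcap-thread's code: frag_t, the policy enum and all function names are hypothetical, and the fragments are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for this sketch; not pcap-thread's own structures. */
typedef struct { unsigned off, len; const char *data; } frag_t;
enum policy { ASCENDING_RFC791, DESCENDING_BSD };

static int by_off_asc(const void *a, const void *b) {
    const frag_t *x = a, *y = b;
    return (x->off > y->off) - (x->off < y->off);
}

/* Returns 1 if two fragments claim the same byte (the case an
 * overlap-rejecting configuration would drop). Sorts f[] in place. */
int frags_overlap(frag_t *f, size_t n) {
    qsort(f, n, sizeof(*f), by_off_asc);
    for (size_t i = 1; i < n; i++)
        if (f[i].off < f[i - 1].off + f[i - 1].len) return 1;
    return 0;
}

/* Writes fragments in policy order, so the last one written wins on overlap.
 * Returns the reassembled length or -1 if a fragment exceeds cap; assumes no holes. */
int reassemble(frag_t *f, size_t n, enum policy p, char *out, size_t cap) {
    size_t total = 0;
    qsort(f, n, sizeof(*f), by_off_asc);
    for (size_t i = 0; i < n; i++) {
        /* ascending: walk forward; descending: walk the sorted array backward */
        const frag_t *g = &f[p == ASCENDING_RFC791 ? i : n - 1 - i];
        size_t end = (size_t)g->off + g->len;
        if (end > cap) return -1;
        memcpy(out + g->off, g->data, g->len);
        if (end > total) total = end;
    }
    return (int)total;
}

/* Constructed sample: two fragments that disagree about bytes 4..7. */
const char *demo(enum policy p) {
    static char out[32];
    frag_t f[] = { { 0, 8, "AAAAAAAA" }, { 4, 8, "BBBBBBBB" } };
    int n = reassemble(f, 2, p, out, sizeof(out) - 1);
    if (n < 0) return NULL;
    out[n] = '\0';
    return out;
}

int main(void) { puts(demo(ASCENDING_RFC791)); puts(demo(DESCENDING_BSD)); return 0; }
```
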
Breaking changes:
- When a fragmented packet is received and no callbacks are set to handle them, the packets will get passed to the next layer if a callback has been set. These packets will also be parsed in a non-fatal way so callbacks need to check packet state before processing, see below.
- Layers and invalid callbacks can now get packets that are fragmented, this is indicated with new packet states:
  - PCAP_THREAD_PACKET_IS_FRAGMENT
  - PCAP_THREAD_PACKET_INVALID_FRAGMENT
  - PCAP_THREAD_PACKET_FRAGMENTED_GREHDR
  - PCAP_THREAD_PACKET_FRAGMENTED_ICMPHDR
  - PCAP_THREAD_PACKET_FRAGMENTED_ICMPV6HDR
  - PCAP_THREAD_PACKET_FRAGMENTED_UDPHDR
  - PCAP_THREAD_PACKET_FRAGMENTED_TCPHDR
- Additional packet states added:
  - PCAP_THREAD_PACKET_ENOMEM: No more memory
  - PCAP_THREAD_PACKET_EMUTEX: Mutex locking/unlocking error
- Not really breaking but enum pcap_thread_packet_state can be represented with pcap_thread_packet_state_t now.
hexdump:
- New option -F to enable or configure IP fragmentation handling
  - -F <ip proto> to enable defragmentation
  - -F m<ip prot><num> to set maximum number of fragments
  - -F p<ip prot><num> to set maximum number of fragments per packet
  - -F R<ip proto> to reject overlapping fragments
  - -F t<ip proto>[sec] to enable/set timeout for fragments
  - -F d<ip proto><what> for more output about fragmentations
- Add packet state in output, in both text and numerical
- Add icmp and icmpv6 to -L
Bugfixes:
- Rearrange headers for compatibility with *BSD
- #36: Use AC_HEADER_TIME to include time functions
- Layer callback was not set if using non-threaded mode
- IPv4 addresses were incorrectly parsed from IP header
- Check that PCAP_TSTAMP_PRECISION_MICRO macro exists instead of function
- #97: Check for TCP options and offload into tcpopts
f6b5676 TCP options and IP fragments
201d4ce Fix warning that _release() is unused if compiled without threads support
f897c1d IP fragmentation extension
c4e9dfa Append fragment payload length to the reassembled packet's pkthdr len and caplen
c1819cf Check that PCAP_TSTAMP_PRECISION_MICRO macro exists instead of function
3f8caf3 Also copy indicator of pkthdr when reassembling IP packets
55086bb Add test output to CLEANFILES
b2c812f Use defines for layer tracing
b357d3d Fix setting of IPv4 addresses from IP header
011e128 Fix bug where layer callback was not set if using non-threaded mode
3e9926b Packet is a fragment
be359be Add ICMP/ICMPv6 callback layer support
450466a Issue DNS-OARC/dnscap#87: IP v4/v6 fragmentation
54200b1 Fix #36: Use AC_HEADER_TIME
bdd5755 Update code format
5746474 Rearrange headers for *BSD
8a74bd4 Format code
7472531 Format before format
Release 2.1.3
Compatibility fixes for older versions of libpcap submitted by Ray Bellis @raybellis (ISC).
ce20e89 Config header is generated by autotools
d485a0b don't do DLT_IPV4 or DLT_IPV6 if not supported
1efb0a3 missing PCAP_NETMASK_UNKNOWN macro
Release 2.1.2
Bugfixes:
- The first byte of the IP header is read to determine the IP version and when it is IPv6 the pointers and length variables are "reversed" one byte to later continue reading the whole IPv6 header. This was done incorrectly and could result in reading outside the boundaries.
- Add OS X headers for endian
6fe2b2a Update
7306e58 Issue DNS-OARC/dnscap#65: tv_* are signed
a65ac8b Issue DNS-OARC/dnscap#65: Add check for OS X endian
4185b7b Issue DNS-OARC/drool#43, DNS-OARC/drool#44: Fix reverse reading a byte
Release 2.1.1
b1a3a80 Define UDP/TCP headers ourself to not depend on __FAVOR_BSD
Release pcap-thread 2.1.0, hexdump 1.3.0
Implement callbacks for different packet/protocol layers to simplify processing, based on pcap_layers by Duane Wessels (@wessels).
The following callbacks exist:
- pcap_thread_set_callback_ether()
- pcap_thread_set_callback_null()
- pcap_thread_set_callback_loop()
- pcap_thread_set_callback_ieee802()
- pcap_thread_set_callback_gre()
- pcap_thread_set_callback_ip()
- pcap_thread_set_callback_ipv4()
- pcap_thread_set_callback_ipv6()
- pcap_thread_set_callback_udp()
- pcap_thread_set_callback_tcp()
For most layers, only one callback can be set, so you can't intercept the packet processing in the middle at, for example, GRE. There are a few layers that can have multiple callbacks:
- IPv4 and IPv6 callbacks can be set at the same time
- UDP and TCP callbacks can be set at the same time
Layer processing is enabled by pcap_thread_set_use_layers() and is used if set and no callback has been set (pcap_thread_set_callback()).
For any packet that the layers do not understand or that is invalid, use pcap_thread_set_callback_invalid() to set a handler for them and check packet->state to see what went wrong.
Bug fix:
- Fix have_timestamp_type check.
  When converting set functions for some libpcap functionality to a have_what bitmap, one of the functions was left with a compare of greater than -1 (> -1, which will always be true). This would run pcap_set_tstamp_type() every time in pcap_thread_open(), if the functionality existed at compile time, and most likely fail.
New features:
- Ability to reuse pcap_thread
  - pcap_thread_close() only frees/clears things related to running
  - fix pcap_thread_close(), also clear stepping pointer
  - add pcap_thread_clear_filter() for releasing filter on non-allocated pcap_threads
  - fix pcap_thread_set_filter(), check for memory issue
- Add pcap_thread_was_stopped() to indicate if pcap_thread_stop() was used
- New option in hexdump, -L <layer> enables capturing for the given layer and dumps the payload for it and not the whole packet.
44361e6 Fix unsigned short check
3f44586 Fix automake files to handle building in build dir
b56496b Add pcap_thread_was_stopped() to indicate if pcap_thread_stop() was used
f644789 Ignore errors on apt-get update
aeaded7 Ability to reuse pcap_thread
4900361 Add support for Linux "cooked" capture encapsulation (DLT_LINUX_SLL)
48574b4 Packet Layer Callbacks
Release pcap-thread 2.0.0, hexdump 1.2.0
Reworked queues from being "lockless" to using one mutex, two conditions and use only one queue per context instead of one per interface. Deprecated most queue modes, all callback queue modes and obsoleted pcap_thread_add().
Fixes and tweaks:
- Use bitmaps internally in structures to allow for setting values to zero (as some are enums with valid zero values) for:
  - pcap_thread_set_timestamp_precision()
  - pcap_thread_set_timestamp_type()
  - pcap_thread_set_direction()
- Memory leaks
- Clear and fill errbuf everywhere it should be done
- Handle errors from pcap_snapshot()
- Protect against changing anything while running
- Don't run pcap_stats() on offline pcaps since it will return an error
- Rearrange booleans in hexdump output to make more sense.
New features:
- Delayed activation of pcap capturing can be done by setting PCAP_THREAD_ACTIVATE_MODE_DELAYED with pcap_thread_set_activate_mode() and then calling pcap_thread_activate() before processing packets.
- pcap_thread_timedrun_to() can be used to process packets until an absolute time.
- PCAP_THREAD_QUEUE_MODE_DIRECT can be used to run the callback within the capturing threads and in doing so forgo the queue and increase the performance.
- pcap_thread_filter_errno() can be used to get the non-fatal error from setting the pcap bpf. If there is an error, it can indicate that the bpf was too large or there is no support for it. This will also mean that libpcap will run it in userland and it may be a lot slower than if it ran in the kernel.
- New option -a <0|1> for hexdump to use delayed activation.
- New queue mode direct for hexdump (-C <mode>) to process packets in the capture thread.
60fbeb7 Tab to spaces
1161efa Remove lockless and update help
e88f035 Detect if errno was set during open or activate but libpcap did not return error, this indicates filter may be running userland (which is A LOT slower)
1f4a329 Don't run pcap_stats() on offline pcaps, will just return error
814524d Implement direct queue mode, will send packets to callback in the capturing thread
4c7195f Timed run to
200bb11 Reattach threads and join them
3fd399a Notify that _thread have existed
e3a0b92 Prevent changes if we are running
df86684 Simplify thread queue
29ef49e Tweaks and fixes
355e761 If we don't have pcap_activate() then it is already activated
ab8bb9a Rearrange bools for hexdump options to correspond with help text
f5e79e4 Implement the possibility for delayed activation of the interface capturing