* When opening a live pcap, obtain the list of supported DLTs from
the BPF.
* Add pcap_list_datalinks() to obtain a list of supported DLTs
supported by the interface associated with the pcap descriptor.
* Add pcap_set_datalink() to set the current DLT of the pcap.
* Bump shlib 1.2 -> 1.3; new functions added.
From David Young <dyoung@ojctech.com>, with some minor changes by me.
- icmptype (offset of ICMP type field)
- icmpcode (offset of ICMP code field)
- tcpflags (offset of TCP flags field)
and field values:
- icmp-echoreply, icmp-unreach, icmp-sourcequench,
  icmp-redirect, icmp-echo, icmp-routeradvert,
  icmp-routersolicit, icmp-timxceed, icmp-paramprob,
  icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply,
  icmp-maskreq, icmp-maskreply
- tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg
This allows expressions like the following:
    icmp[0] = 3
    (tcp[13] & 0x02) != 0
to be written as:
    icmp[icmptype] = icmp-unreach
    (tcp[tcpflags] & tcp-syn) != 0
which is a bit more user-friendly for e.g. writing packet filter rules.
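
The equivalence described in the commit message above, as an added example (not libpcap's code and not part of the original log): a small Python model that rewrites the symbolic names to raw offsets and values, then evaluates the accessor against constructed TCP and ICMP headers. `desugar` and `matches` are hypothetical helpers; the numeric values are assumed to be the standard ICMP type numbers and TCP flag bits.

```python
import re
import struct

# Names are from the commit message; numbers are the standard ICMP type
# numbers and TCP flag bits (an assumption, the log does not list them).
OFFSETS = {"icmptype": "0", "icmpcode": "1", "tcpflags": "13"}
VALUES = {
    "icmp-echoreply": "0", "icmp-unreach": "3", "icmp-sourcequench": "4",
    "icmp-redirect": "5", "icmp-echo": "8", "icmp-routeradvert": "9",
    "icmp-routersolicit": "10", "icmp-timxceed": "11", "icmp-paramprob": "12",
    "icmp-tstamp": "13", "icmp-tstampreply": "14", "icmp-ireq": "15",
    "icmp-ireqreply": "16", "icmp-maskreq": "17", "icmp-maskreply": "18",
    "tcp-fin": "0x01", "tcp-syn": "0x02", "tcp-rst": "0x04",
    "tcp-push": "0x08", "tcp-ack": "0x10", "tcp-urg": "0x20",
}
NAMES = {**OFFSETS, **VALUES}

def desugar(expr):
    """Rewrite symbolic offsets and values into the raw numeric form."""
    return re.sub(r"[a-z]+(?:-[a-z]+)?",
                  lambda m: NAMES.get(m.group(0), m.group(0)), expr)

# proto[offset], optional "& mask", then "=" or "!=" and a value.
ACCESSOR = re.compile(
    r"\(?(\w+)\[(\d+)\](?:\s*&\s*(\w+))?\)?\s*(!?=)\s*(\w+)")

def matches(expr, proto, header):
    """Evaluate one accessor expression against a raw protocol header."""
    m = ACCESSOR.fullmatch(desugar(expr).strip())
    if m is None or m.group(1) != proto:
        raise ValueError("unsupported expression: " + expr)
    byte = header[int(m.group(2))]
    if m.group(3):
        byte &= int(m.group(3), 0)
    equal = byte == int(m.group(5), 0)
    return equal if m.group(4) == "=" else not equal

# Constructed sample headers (not captured traffic).
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
TCP_ACK = struct.pack("!HHIIBBHHH", 40000, 443, 2, 1, 5 << 4, 0x10, 65535, 0, 0)
ICMP_UNREACH = struct.pack("!BBHI", 3, 1, 0, 0)  # type 3, code 1

if __name__ == "__main__":
    for e in ("icmp[icmptype] = icmp-unreach", "(tcp[tcpflags] & tcp-syn) != 0"):
        print(e, "->", desugar(e), "| SYN header matches:",
              matches(e, "tcp", TCP_SYN) if e.startswith("(tcp") else "n/a")
```
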
pointed out by Guy Harris.
---
Fix a hairy optimizer bug that causes the expression:
'ip and ((icmp and dst host 1.1.1.1 and not host 2.2.2.2) or (host 1.1.1.1 and src host 3.3.3.3))'
to compile incorrectly. Details about to be mailed to LBL.
from tcpdump.org, although with a slightly different signature.
The tcpdump.org version has no way to report an error string back
to the caller. This version takes an additional "errbuf" argument
(similar to pcap_open_*()).
sync with more-recent LBL 0.4, about loopback interface detection
(/^lo[0-9]?$/).
CAVEAT: with GENERIC kernel on laptops, pcap_lookupdev would almost
always pick eon0 as the interface, and fails because eon0 has no bpf
attachment. We may want to change pcap_lookup{,dev} to check if the
interface has bpf attachment or not.
almost in sync with tcpdump.org source code tree.
date (NOTE: there are multiple version 0.4 with different datestamp!)
v0.4 Sat Jul 25 12:40:09 PDT 1998
libpcap CHANGES reads:
- Fixed bug in pcap_dispatch() that kept it from returning on packet
timeouts.
(this fixes nmap hangup if we use /usr/lib/libpcap.a with nmap)
- oldstyle and PHDS IPv4+ARP; RARP, IPv6, Appletalk are matched now.
- in case this is an unfragmented or first-fragment IPv4, IPv6, ARP, RARP or
Appletalk packet, matching inside the payload is possible to the extent
already supported by tcpdump/libpcap. For 2nd and next fragments, this
won't work; it also won't work for oldstyle (RFC1051) IPv4 and ARP.