the-tcpdump-group / tcpslice
tcpslice concatenates multiple pcap files together, or extracts time slices from one or more pcap files.
I observed that if I try to extract data from a file in a time range after what is in the file, then tcpslice core dumps. It is very easy to reproduce, just request a timestamp in the future on any file.
$ tcpslice -w /tmp/kjeldbond0.pcap 1450750007 +3600 /tmp/dump/5060-102.lxcbr1.pcap
Segmentation fault (core dumped)
$ utc 1450750007
Result string is "2015-12-22 03:06:47"
When using tcpslice to merge two capture files, if one of those files has just one packet, tcpslice will fail with the following error:
tcpslice: problems finding end packet of file capture-file
This does not have to be just the action of merging two files. Just reading the one file with one packet ends up the same. This is reproducible in the following ways:
1. Start a capture with tcpdump -c 1 on any interface and capture one packet from any traffic:
# tcpdump -c 1 -w one-packet-capture -i eth0
2. Run tcpslice on this one:
# tcpslice -v one-packet-capture -w one-packet-capture-out
tcpslice: problems finding end packet of file one-packet-capture
3. You can also capture another file with more packets and then merge:
# tcpdump -c 10 -w ten-packets-capture -i eth0
# tcpslice one-packet-capture ten-packets-capture -w merged-capture
tcpslice: problems finding end packet of file one-packet-capture
The error appears even when the captures are merged with a different tool like mergecap:
1. Capture one packet in one file and ten packets in a different file like in the previous example
2. Use mergecap (from wireshark) to merge these together:
# mergecap -w merged-with-mergecap one-packet-capture ten-packets-capture
# tcpdump --count -r merged-with-mergecap
reading from file merged-with-mergecap, link-type EN10MB (Ethernet), snapshot length 262144
11 packets
3. Try to read the file with tcpslice:
# tcpslice merged-with-mergecap
tcpslice: problems finding end packet of file merged-with-mergecap
When tcpslice tries to link with a libpcap that was built with dependencies on libnl, libusb or libdbus, the linking fails because tcpslice does not use `pcap-config --libs --static` to find out about any extra libraries (as tcpdump does):
gcc -O2 -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -I. -I./../libpcap -o tcpslice tcpslice.o gmt2local.o gwtm2secs.o machdep.o search.o sessions.o util.o version.o strlcpy.o ./../libpcap/libpcap.a
./../libpcap/libpcap.a(pcap-linux.o): In function `nl80211_cleanup':
/home/denis/libpcap/./pcap-linux.c:673: undefined reference to `genl_family_put'
[...]
./../libpcap/libpcap.a(pcap-canusb-linux.o): In function `canusb_close':
/home/denis/libpcap/./pcap-canusb-linux.c:329: undefined reference to `pthread_join'
/home/denis/libpcap/./pcap-canusb-linux.c:333: undefined reference to `libusb_close'
[...]
./../libpcap/libpcap.a(pcap-dbus.o): In function `dbus_write':
/home/denis/libpcap/./pcap-dbus.c:114: undefined reference to `dbus_message_demarshal'
[...]
collect2: error: ld returned 1 exit status
Makefile:92: recipe for target 'tcpslice' failed
make: *** [tcpslice] Error 1
This is a low-priority issue, but whoever would be willing to work on it should consider moving the tcpslice-specific source files (gwtm2secs.c, search.c, sessions.c, tcpslice.c, util.c, version.c and vfprintf.c) into the tcpdump repository to avoid duplicate maintenance work in future.
I am doing quality assurance work on the tcpslice package in Debian.
I updated the package's homepage to tcpdump.org and would like to change the check for new versions.
Currently the check is performed at ftp://ftp.ee.lbl.gov/ I would like to switch to GitHub.
Could you insert version 1.2a3 on GitHub and create a release of this code?
If possible, it would be interesting to have all possible versions ported on GitHub.
And the use of releases so that we can be alerted in Debian about new versions of this application.
During the compilation of the tcpslice .deb package I use blhc to check for hardening issues.
Absence of CPPFLAGS was pointed out:
# blhc --all --debian ../tcpslice_1.3-1_amd64.build
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fdebug-prefix-map=/PKGS/tcpslice/tcpslice=. -fstack-protector-strong -Wformat -Werror=format-security -c version.c
I don't know if it's the most suitable mode, I solved it with the following patch:
Index: tcpslice / Makefile.in
================================================== =================
--- tcpslice.orig / Makefile.in
+++ tcpslice / Makefile.in
@@ -127.7 +127.7 @@ $ (PROG): $ (OBJ) @ V_PCAPDEP @
$ (CC) $ (FULL_CFLAGS) $ (LDFLAGS) -o $ @ $ (OBJ) $ (LIBS)
version.o: version.c
- $ (CC) $ (CFLAGS) -c version.c
+ $ (CC) $ (CFLAGS) $ (CPPFLAGS) -c version.c
version.c: $ (srcdir) / VERSION
@rm -f $ @
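Review bot: the `+` line patches only the version.o rule by appending $(CPPFLAGS) after $(CFLAGS), while the $(PROG) link rule in the hunk's context already uses $(FULL_CFLAGS); if FULL_CFLAGS is the flag set the other objects are compiled with, `$(CC) $(FULL_CFLAGS) -c version.c` would give version.o the same flags without a second, hand-maintained combination. If CPPFLAGS is kept explicit, put it before $(CFLAGS), the conventional order for preprocessor flags. blhc flagged only the version.c command, which is consistent with the other objects already receiving CPPFLAGS through whatever rule builds them, so re-running blhc after the change should come back clean rather than surfacing the same finding elsewhere.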
tcpslice test.pcap-ng -w a
zsh: segmentation fault tcpslice test.pcap-ng -w a
% tcpslice --version
Version 1.2a3
Usage: tcpslice [-DdlRrt] [-w file] [start-time [end-time]] file ...
The file was produced by tshark and is correctly parsed by ntartest.c from http://wiki.wireshark.org/Development/PcapNg?action=AttachFile&do=view&target=ntartest.c
% lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
% uname -a
Linux mortician.tsuru.it 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:36:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
(even if file is corrupted/in unsupported format it shouldn't just segfault)
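The three reports above (a time window that starts after the last packet, a one-packet capture, and a pcapng file handed to a classic-pcap tool) are all inputs a slicing tool should reject or handle cleanly rather than crash on. The following is an added example, not tcpslice's code: a stdlib-only Python reader for the classic libpcap format that recognises pcapng by its Section Header Block magic and refuses it with an error, bounds-checks every record against the file length and snaplen, reports first and last timestamps even when there is a single packet, and returns a header-only output plus a status string when the requested window lies outside the file. The file layout, the magic values, the `build_pcap` helper that constructs the sample input inline, and the use of absolute epoch seconds (so a tcpslice-style `+3600` end is resolved by the caller as start + 3600) are all assumptions of the example.

```python
"""Defensive time slicing of classic libpcap files (added example, stdlib only).

Assumptions, not taken from tcpslice: the layout is libpcap's 24-byte
global header followed by 16-byte record headers; pcapng is recognised
by its Section Header Block magic and rejected; times are epoch seconds.
"""
import struct

# Magic as read with "<I" from the first four bytes -> (struct endianness
# character, timestamp fraction units per second).
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),       # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),       # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),   # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),   # big-endian, nanoseconds
}
PCAPNG_MAGIC = 0x0A0D0D0A  # Section Header Block type; same byte sequence in either endianness
GLOBAL_HDR = 24
RECORD_HDR = 16


class PcapFormatError(ValueError):
    """Raised for pcapng, truncated or unknown input instead of crashing."""


def parse_pcap(data):
    """Return (header_bytes, records); each record is (timestamp, raw_record).

    raw_record is the 16-byte record header plus captured bytes, so a
    slice can be written back out without re-encoding anything.
    """
    if len(data) < GLOBAL_HDR:
        raise PcapFormatError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAPNG_MAGIC:
        raise PcapFormatError("pcapng input is not supported by this reader")
    if magic not in PCAP_MAGICS:
        raise PcapFormatError("unknown magic 0x%08x" % magic)
    endian, ticks = PCAP_MAGICS[magic]
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    records, off = [], GLOBAL_HDR
    while off < len(data):
        if off + RECORD_HDR > len(data):
            raise PcapFormatError("truncated record header at offset %d" % off)
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR])
        if incl_len > snaplen:
            raise PcapFormatError("record at offset %d exceeds snaplen" % off)
        end = off + RECORD_HDR + incl_len
        if end > len(data):
            raise PcapFormatError("record at offset %d runs %d bytes past EOF" % (off, end - len(data)))
        records.append((sec + frac / ticks, data[off:end]))
        off = end
    return data[:GLOBAL_HDR], records


def time_span(data):
    """(first, last) packet timestamps, or None if the file holds no packets.

    A one-packet file is handled: first and last are the same record.
    """
    _, records = parse_pcap(data)
    return (records[0][0], records[-1][0]) if records else None


def slice_pcap(data, start, end=None):
    """Return (new_pcap_bytes, kept_count, status) for start <= ts < end.

    end=None means "to the end of the file".  A window that misses every
    packet yields a header-only file and a descriptive status rather
    than a crash; the caller decides whether that is an error.
    """
    if end is not None and end < start:
        raise ValueError("end time precedes start time")
    header, records = parse_pcap(data)
    kept = [raw for ts, raw in records if start <= ts and (end is None or ts < end)]
    if kept or not records:
        status = "ok" if kept else "input file has no packets"
    elif start > records[-1][0]:
        status = "window starts after the last packet (%.6f)" % records[-1][0]
    elif end is not None and end <= records[0][0]:
        status = "window ends before the first packet (%.6f)" % records[0][0]
    else:
        status = "no packets fall inside the window"
    return header + b"".join(kept), len(kept), status


def build_pcap(timestamps, endian="<", payload=b"\x00" * 14):
    """Constructed sample input: classic microsecond pcap, link type 1
    (Ethernet), snaplen 65535, one dummy 14-byte record per timestamp."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for ts in timestamps:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        body += struct.pack(endian + "IIII", sec, usec, len(payload), len(payload)) + payload
    return header + body


if __name__ == "__main__":
    one = build_pcap([1450746407])          # one packet, an hour before the page's 1450750007
    print("one-packet span:", time_span(one))
    # The page's failing invocation: start 1450750007, end "+3600" -> start + 3600.
    _, n, status = slice_pcap(one, 1450750007, 1450750007 + 3600)
    print("future window kept %d packets: %s" % (n, status))
    try:
        parse_pcap(b"\x0a\x0d\x0d\x0a" + b"\x00" * 40)   # pcapng Section Header Block magic
    except PcapFormatError as err:
        print("pcapng rejected:", err)
```

Records are kept as raw bytes so the output is a byte-for-byte subset of the input; a real tool would additionally want to refuse `frac >= ticks` and to stream rather than hold the whole file in memory, but the checks shown are the ones that turn the three crashes above into ordinary error paths.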
Originally filed as tcpslice SF bug 3.
Originally filed as tcpslice SF ticket 1800003.
Submitted: Gabriel Friedmann ( gfriedmann ) - 2007-09-21 15:48:11 PDT
When I try to run tcpslice with an input file that contains dashes, I get an error.
To reproduce, attempt the following command
tcpslice 2007-09-21_xxx_xxxxxxxxxxx_server_fixed_segmented.cap
tcpslice: at least one input file must be given
This is in tcpslice version 1.1a3
version 1.5-PRE-GIT
version 1.2a3
tcpslice -w a.txt heap.pcap
Segmentation fault
==1676569==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000000160 at pc 0x7ffff761fa7d bp 0x7fffffffd700 sp 0x7fffffffce90
WRITE of size 56 at 0x617000000160 thread T0
#0 0x7ffff761fa7c in vsnprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9fa7c)
#1 0x7ffff7620036 in __snprintf_chk (/lib/x86_64-linux-gnu/libasan.so.5+0xa0036)
#2 0x7ffff75594ee in pcap_dump_open (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x244ee)
#3 0x555555559ea4 in extract_slice tcpslice.c:882
#4 0x555555559ea4 in main tcpslice.c:312
#5 0x7ffff736a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#6 0x55555555eadd in _start (/home/constantine/tcpslice/tcpslice+0xaadd)
0x617000000160 is located 224 bytes inside of 664-byte region [0x617000000080,0x617000000318)
freed by thread T0 here:
#0 0x7ffff768d7cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x555555559d8a in get_next_packet tcpslice.c:747
#2 0x555555559d8a in extract_slice tcpslice.c:879
#3 0x555555559d8a in main tcpslice.c:312
previously allocated by thread T0 here:
#0 0x7ffff768ddc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
#1 0x7ffff7545bea (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x10bea)
#2 0x64656e696665646d ()
SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x9fa7c) in vsnprintf
Shadow bytes around the buggy address:
0x0c2e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e7fff8020: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
0x0c2e7fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8060: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1676569==ABORTING
Does tcpslice need to run as root?
I ask because the installation is performed in sbin.
However, if tcpslice does not need special permissions I think it is prudent to install it in the bin folder.
I'm trying to cross-compile tcpslice as follows:
cd src && ./configure
--host=arm-linux
--build=i686-linux
--disable-ipv6
--disable-foo
CONFIG_SITE="/home/md84419/workspaces/config.site"
CFLAGS="-I/home/md84419/workspaces/include/user-linux -I/home/md84419/workspaces/include"
LDFLAGS=""
LIBS=""
configure: warning: CONFIG_SITE=/home/md84419/workspaces/config.site: invalid host type
configure: warning: CFLAGS=-I/home/md84419/workspaces/include/user-linux -I/home/md84419/workspaces/include: invalid host type
configure: warning: LDFLAGS=: invalid host type
configure: warning: LIBS=: invalid host type
loading cache ./config.cache
checking host system type... arm-unknown-linux-gnu
checking target system type... Invalid configuration LIBS=': machine
LIBS=' not recognized
checking build system type... i686-pc-linux-gnu
checking for gcc... (cached) gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for fcntl.h... (cached) yes
checking whether time.h and sys/time.h may both be included... (cached) yes
checking for vfprintf... (cached) yes
checking for fseeko... (cached) yes
checking for ftello... (cached) yes
checking for gethostbyname... (cached) yes
checking for socket... (cached) yes
checking for putmsg in -lstr... (cached) no
checking for local pcap library... ../libpcap/libpcap.a
checking for int32_t using gcc... (cached) yes
checking for u_int32_t using gcc... (cached) yes
checking for a BSD compatible install... (cached) /usr/bin/install -c
creating ./config.status
creating Makefile
make -C src
make[1]: Entering directory `/home/md84419/workspaces/tcpslice_1/src'
gcc -O -DHAVE_FCNTL_H=1 -DTIME_WITH_SYS_TIME=1 -DHAVE_VFPRINTF=1 -DHAVE_FSEEKO=1 -DHAVE_FTELLO=1 -DFSEEK=fseeko -DFTELL=ftello -I. -I../libpcap -c ./tcpslice.c
./tcpslice.c:38:21: error: net/bpf.h: No such file or directory
In file included from ./tcpslice.c:56:
./tcpslice.h:23: warning: ‘struct tm’ declared inside parameter list
./tcpslice.h:23: warning: its scope is only this definition or declaration, which is probably not what you want
./tcpslice.c:111: warning: ‘struct tm’ declared inside parameter list
./tcpslice.c: In function ‘parse_time’:
./tcpslice.c:286: warning: initialization makes pointer from integer without a cast
./tcpslice.c:287: error: storage size of ‘t’ isn’t known
./tcpslice.c:322: error: dereferencing pointer to incomplete type
./tcpslice.c:348: error: dereferencing pointer to incomplete type
./tcpslice.c:349: error: dereferencing pointer to incomplete type
./tcpslice.c:350: error: dereferencing pointer to incomplete type
./tcpslice.c:351: error: dereferencing pointer to incomplete type
./tcpslice.c:352: error: dereferencing pointer to incomplete type
./tcpslice.c:353: error: dereferencing pointer to incomplete type
./tcpslice.c: At top level:
./tcpslice.c:384: warning: ‘struct tm’ declared inside parameter list
./tcpslice.c:384: error: conflicting types for ‘fill_tm’
./tcpslice.c:111: note: previous declaration of ‘fill_tm’ was here
./tcpslice.c: In function ‘fill_tm’:
./tcpslice.c:433: error: dereferencing pointer to incomplete type
./tcpslice.c:433: error: dereferencing pointer to incomplete type
./tcpslice.c:440: error: dereferencing pointer to incomplete type
./tcpslice.c:440: error: dereferencing pointer to incomplete type
./tcpslice.c:442: error: dereferencing pointer to incomplete type
./tcpslice.c:442: error: dereferencing pointer to incomplete type
./tcpslice.c:446: error: dereferencing pointer to incomplete type
./tcpslice.c:446: error: dereferencing pointer to incomplete type
./tcpslice.c:450: error: dereferencing pointer to incomplete type
./tcpslice.c:450: error: dereferencing pointer to incomplete type
./tcpslice.c:454: error: dereferencing pointer to incomplete type
./tcpslice.c:454: error: dereferencing pointer to incomplete type
./tcpslice.c: In function ‘timestamp_to_string’:
./tcpslice.c:783: warning: assignment makes pointer from integer without a cast
./tcpslice.c:784: warning: passing argument 2 of ‘strcpy’ makes pointer from integer without a cast
/usr/include/string.h:127: note: expected ‘const char * __restrict__’ but argument is of type ‘int’
./tcpslice.c:789: warning: assignment makes pointer from integer without a cast
./tcpslice.c:791: error: dereferencing pointer to incomplete type
./tcpslice.c:791: error: dereferencing pointer to incomplete type
./tcpslice.c:791: error: dereferencing pointer to incomplete type
./tcpslice.c:792: error: dereferencing pointer to incomplete type
./tcpslice.c:792: error: dereferencing pointer to incomplete type
./tcpslice.c:792: error: dereferencing pointer to incomplete type
./tcpslice.c: At top level:
./tcpslice.c:821: warning: function definition has qualified void return type
make[1]: *** [tcpslice.o] Error 1
make[1]: Leaving directory `/home/md84419/workspaces/tcpslice_1/src'
make: *** [top_all] Error 2
The equivilent works for libpcap and tcpdump - how does one cross-compile for tcpslice?
$ uname -a
SunOS tcpdump 5.11 omnios-r151042-7577932f27 i86pc i386 i86pc
$ clang-13 --version
OmniOS/151042 clang version 13.0.1
Target: x86_64-pc-solaris2.11
Thread model: posix
InstalledDir: /opt/ooce/bin
$ clang-14 --version
OmniOS/151042 clang version 14.0.0
Target: x86_64-pc-solaris2.11
Thread model: posix
InstalledDir: /opt/ooce/bin
$ gmake -s clean
$ gmake -s CFLAGS=-Werror
clang-14: error: '-fuse-ld=' taking a path is deprecated; use '--ld-path=' instead [-Werror,-Wfuse-ld-path]
gmake: *** [Makefile:129: tcpslice] Error 1