2 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
24 #define NETDISSECT_REWORKED
29 #include <tcpdump-stdinc.h>
35 #include "interface.h"
36 #include "addrtoname.h"
37 #include "extract.h" /* must come after interface.h */
39 static const char *ns_ops[] = {
40 "", " inv_q", " stat", " op3", " notify", " update", " op6", " op7",
41 " op8", " updateA", " updateD", " updateDA",
42 " updateM", " updateMA", " zoneInit", " zoneRef",
45 static const char *ns_resp[] = {
46 "", " FormErr", " ServFail", " NXDomain",
47 " NotImp", " Refused", " YXDomain", " YXRRSet",
48 " NXRRSet", " NotAuth", " NotZone", " Resp11",
49 " Resp12", " Resp13", " Resp14", " NoChange",
52 /* skip over a domain name */
54 ns_nskip(netdissect_options *ndo,
55 register const u_char *cp)
59 if (!ND_TTEST2(*cp, 1))
63 if ((i & INDIR_MASK) == INDIR_MASK)
65 if ((i & INDIR_MASK) == EDNS0_MASK) {
68 if ((i & ~INDIR_MASK) != EDNS0_ELT_BITLABEL)
69 return(NULL); /* unknown ELT */
70 if (!ND_TTEST2(*cp, 1))
72 if ((bitlen = *cp++) == 0)
74 bytelen = (bitlen + 7) / 8;
78 if (!ND_TTEST2(*cp, 1))
85 /* print a <domain-name> */
87 blabel_print(netdissect_options *ndo,
91 const u_char *bitp, *lim;
94 if (!ND_TTEST2(*cp, 1))
96 if ((bitlen = *cp) == 0)
98 slen = (bitlen + 3) / 4;
101 /* print the bit string as a hex string */
102 ND_PRINT((ndo, "\\[x"));
103 for (bitp = cp + 1, b = bitlen; bitp < lim && b > 7; b -= 8, bitp++) {
105 ND_PRINT((ndo, "%02x", *bitp));
110 ND_PRINT((ndo, "%02x", tc & (0xff << (8 - b))));
114 ND_PRINT((ndo, "%1x", ((tc >> 4) & 0x0f) & (0x0f << (4 - b))));
116 ND_PRINT((ndo, "/%d]", bitlen));
119 ND_PRINT((ndo, ".../%d]", bitlen));
124 labellen(netdissect_options *ndo,
129 if (!ND_TTEST2(*cp, 1))
132 if ((i & INDIR_MASK) == EDNS0_MASK) {
134 if ((elt = (i & ~INDIR_MASK)) != EDNS0_ELT_BITLABEL) {
135 ND_PRINT((ndo, "<ELT %d>", elt));
138 if (!ND_TTEST2(*(cp + 1), 1))
140 if ((bitlen = *(cp + 1)) == 0)
142 return(((bitlen + 7) / 8) + 1);
148 ns_nprint(netdissect_options *ndo,
149 register const u_char *cp, register const u_char *bp)
152 register const u_char *rp = NULL;
153 register int compress = 0;
156 int data_size = ndo->ndo_snapend - bp;
158 if ((l = labellen(ndo, cp)) == (u_int)-1)
160 if (!ND_TTEST2(*cp, 1))
163 if (((i = *cp++) & INDIR_MASK) != INDIR_MASK) {
169 while (i && cp < ndo->ndo_snapend) {
170 if ((i & INDIR_MASK) == INDIR_MASK) {
175 if (!ND_TTEST2(*cp, 1))
177 cp = bp + (((i << 8) | *cp) & 0x3fff);
178 if ((l = labellen(ndo, cp)) == (u_int)-1)
180 if (!ND_TTEST2(*cp, 1))
186 * If we've looked at every character in
187 * the message, this pointer will make
188 * us look at some character again,
189 * which means we're looping.
191 if (chars_processed >= data_size) {
192 ND_PRINT((ndo, "<LOOP>"));
197 if ((i & INDIR_MASK) == EDNS0_MASK) {
198 elt = (i & ~INDIR_MASK);
200 case EDNS0_ELT_BITLABEL:
201 if (blabel_print(ndo, cp) == NULL)
206 ND_PRINT((ndo, "<ELT %d>", elt));
210 if (fn_printn(ndo, cp, l, ndo->ndo_snapend))
215 chars_processed += l;
216 ND_PRINT((ndo, "."));
217 if ((l = labellen(ndo, cp)) == (u_int)-1)
219 if (!ND_TTEST2(*cp, 1))
227 ND_PRINT((ndo, "."));
231 /* print a <character-string> */
232 static const u_char *
233 ns_cprint(netdissect_options *ndo,
234 register const u_char *cp)
238 if (!ND_TTEST2(*cp, 1))
241 if (fn_printn(ndo, cp, i, ndo->ndo_snapend))
246 /* http://www.iana.org/assignments/dns-parameters */
247 const struct tok ns_type2str[] = {
248 { T_A, "A" }, /* RFC 1035 */
249 { T_NS, "NS" }, /* RFC 1035 */
250 { T_MD, "MD" }, /* RFC 1035 */
251 { T_MF, "MF" }, /* RFC 1035 */
252 { T_CNAME, "CNAME" }, /* RFC 1035 */
253 { T_SOA, "SOA" }, /* RFC 1035 */
254 { T_MB, "MB" }, /* RFC 1035 */
255 { T_MG, "MG" }, /* RFC 1035 */
256 { T_MR, "MR" }, /* RFC 1035 */
257 { T_NULL, "NULL" }, /* RFC 1035 */
258 { T_WKS, "WKS" }, /* RFC 1035 */
259 { T_PTR, "PTR" }, /* RFC 1035 */
260 { T_HINFO, "HINFO" }, /* RFC 1035 */
261 { T_MINFO, "MINFO" }, /* RFC 1035 */
262 { T_MX, "MX" }, /* RFC 1035 */
263 { T_TXT, "TXT" }, /* RFC 1035 */
264 { T_RP, "RP" }, /* RFC 1183 */
265 { T_AFSDB, "AFSDB" }, /* RFC 1183 */
266 { T_X25, "X25" }, /* RFC 1183 */
267 { T_ISDN, "ISDN" }, /* RFC 1183 */
268 { T_RT, "RT" }, /* RFC 1183 */
269 { T_NSAP, "NSAP" }, /* RFC 1706 */
270 { T_NSAP_PTR, "NSAP_PTR" },
271 { T_SIG, "SIG" }, /* RFC 2535 */
272 { T_KEY, "KEY" }, /* RFC 2535 */
273 { T_PX, "PX" }, /* RFC 2163 */
274 { T_GPOS, "GPOS" }, /* RFC 1712 */
275 { T_AAAA, "AAAA" }, /* RFC 1886 */
276 { T_LOC, "LOC" }, /* RFC 1876 */
277 { T_NXT, "NXT" }, /* RFC 2535 */
278 { T_EID, "EID" }, /* Nimrod */
279 { T_NIMLOC, "NIMLOC" }, /* Nimrod */
280 { T_SRV, "SRV" }, /* RFC 2782 */
281 { T_ATMA, "ATMA" }, /* ATM Forum */
282 { T_NAPTR, "NAPTR" }, /* RFC 2168, RFC 2915 */
283 { T_KX, "KX" }, /* RFC 2230 */
284 { T_CERT, "CERT" }, /* RFC 2538 */
285 { T_A6, "A6" }, /* RFC 2874 */
286 { T_DNAME, "DNAME" }, /* RFC 2672 */
288 { T_OPT, "OPT" }, /* RFC 2671 */
289 { T_APL, "APL" }, /* RFC 3123 */
290 { T_DS, "DS" }, /* RFC 4034 */
291 { T_SSHFP, "SSHFP" }, /* RFC 4255 */
292 { T_IPSECKEY, "IPSECKEY" }, /* RFC 4025 */
293 { T_RRSIG, "RRSIG" }, /* RFC 4034 */
294 { T_NSEC, "NSEC" }, /* RFC 4034 */
295 { T_DNSKEY, "DNSKEY" }, /* RFC 4034 */
296 { T_SPF, "SPF" }, /* RFC-schlitt-spf-classic-02.txt */
297 { T_UINFO, "UINFO" },
300 { T_UNSPEC, "UNSPEC" },
301 { T_UNSPECA, "UNSPECA" },
302 { T_TKEY, "TKEY" }, /* RFC 2930 */
303 { T_TSIG, "TSIG" }, /* RFC 2845 */
304 { T_IXFR, "IXFR" }, /* RFC 1995 */
305 { T_AXFR, "AXFR" }, /* RFC 1035 */
306 { T_MAILB, "MAILB" }, /* RFC 1035 */
307 { T_MAILA, "MAILA" }, /* RFC 1035 */
312 const struct tok ns_class2str[] = {
313 { C_IN, "IN" }, /* Not used */
314 { C_CHAOS, "CHAOS" },
321 static const u_char *
322 ns_qprint(netdissect_options *ndo,
323 register const u_char *cp, register const u_char *bp, int is_mdns)
325 register const u_char *np = cp;
326 register u_int i, class;
328 cp = ns_nskip(ndo, cp);
330 if (cp == NULL || !ND_TTEST2(*cp, 4))
333 /* print the qtype */
334 i = EXTRACT_16BITS(cp);
336 ND_PRINT((ndo, " %s", tok2str(ns_type2str, "Type%d", i)));
337 /* print the qclass (if it's not IN) */
338 i = EXTRACT_16BITS(cp);
345 ND_PRINT((ndo, " %s", tok2str(ns_class2str, "(Class %d)", class)));
347 ND_PRINT((ndo, i & C_QU ? " (QU)" : " (QM)"));
350 ND_PRINT((ndo, "? "));
351 cp = ns_nprint(ndo, np, bp);
352 return(cp ? cp + 4 : NULL);
356 static const u_char *
357 ns_rprint(netdissect_options *ndo,
358 register const u_char *cp, register const u_char *bp, int is_mdns)
360 register u_int i, class, opt_flags = 0;
361 register u_short typ, len;
362 register const u_char *rp;
364 if (ndo->ndo_vflag) {
365 ND_PRINT((ndo, " "));
366 if ((cp = ns_nprint(ndo, cp, bp)) == NULL)
369 cp = ns_nskip(ndo, cp);
371 if (cp == NULL || !ND_TTEST2(*cp, 10))
372 return (ndo->ndo_snapend);
374 /* print the type/qtype */
375 typ = EXTRACT_16BITS(cp);
377 /* print the class (if it's not IN and the type isn't OPT) */
378 i = EXTRACT_16BITS(cp);
381 class = (i & ~C_CACHE_FLUSH);
384 if (class != C_IN && typ != T_OPT)
385 ND_PRINT((ndo, " %s", tok2str(ns_class2str, "(Class %d)", class)));
387 if (i & C_CACHE_FLUSH)
388 ND_PRINT((ndo, " (Cache flush)"));
394 opt_flags = EXTRACT_16BITS(cp);
395 /* ignore rest of ttl field */
397 } else if (ndo->ndo_vflag > 2) {
399 ND_PRINT((ndo, " ["));
400 relts_print(ndo, EXTRACT_32BITS(cp));
401 ND_PRINT((ndo, "]"));
408 len = EXTRACT_16BITS(cp);
413 ND_PRINT((ndo, " %s", tok2str(ns_type2str, "Type%d", typ)));
414 if (rp > ndo->ndo_snapend)
419 if (!ND_TTEST2(*cp, sizeof(struct in_addr)))
421 ND_PRINT((ndo, " %s", intoa(htonl(EXTRACT_32BITS(cp)))));
430 ND_PRINT((ndo, " "));
431 if (ns_nprint(ndo, cp, bp) == NULL)
438 ND_PRINT((ndo, " "));
439 if ((cp = ns_nprint(ndo, cp, bp)) == NULL)
441 ND_PRINT((ndo, " "));
442 if ((cp = ns_nprint(ndo, cp, bp)) == NULL)
444 if (!ND_TTEST2(*cp, 5 * 4))
446 ND_PRINT((ndo, " %u", EXTRACT_32BITS(cp)));
448 ND_PRINT((ndo, " %u", EXTRACT_32BITS(cp)));
450 ND_PRINT((ndo, " %u", EXTRACT_32BITS(cp)));
452 ND_PRINT((ndo, " %u", EXTRACT_32BITS(cp)));
454 ND_PRINT((ndo, " %u", EXTRACT_32BITS(cp)));
458 ND_PRINT((ndo, " "));
459 if (!ND_TTEST2(*cp, 2))
461 if (ns_nprint(ndo, cp + 2, bp) == NULL)
463 ND_PRINT((ndo, " %d", EXTRACT_16BITS(cp)));
468 ND_PRINT((ndo, " \""));
469 cp = ns_cprint(ndo, cp);
472 ND_PRINT((ndo, "\""));
477 ND_PRINT((ndo, " "));
478 if (!ND_TTEST2(*cp, 6))
480 if (ns_nprint(ndo, cp + 6, bp) == NULL)
482 ND_PRINT((ndo, ":%d %d %d", EXTRACT_16BITS(cp + 4),
483 EXTRACT_16BITS(cp), EXTRACT_16BITS(cp + 2)));
489 struct in6_addr addr;
490 char ntop_buf[INET6_ADDRSTRLEN];
492 if (!ND_TTEST2(*cp, sizeof(struct in6_addr)))
494 memcpy(&addr, cp, sizeof(struct in6_addr));
495 ND_PRINT((ndo, " %s",
496 inet_ntop(AF_INET6, &addr, ntop_buf, sizeof(ntop_buf))));
505 char ntop_buf[INET6_ADDRSTRLEN];
507 if (!ND_TTEST2(*cp, 1))
510 pbyte = (pbit & ~7) / 8;
512 ND_PRINT((ndo, " %u(bad plen)", pbit));
514 } else if (pbit < 128) {
515 if (!ND_TTEST2(*(cp + 1), sizeof(a) - pbyte))
517 memset(&a, 0, sizeof(a));
518 memcpy(&a.s6_addr[pbyte], cp + 1, sizeof(a) - pbyte);
519 ND_PRINT((ndo, " %u %s", pbit,
520 inet_ntop(AF_INET6, &a, ntop_buf, sizeof(ntop_buf))));
523 ND_PRINT((ndo, " "));
524 if (ns_nprint(ndo, cp + 1 + sizeof(a) - pbyte, bp) == NULL)
532 ND_PRINT((ndo, " UDPsize=%u", class));
533 if (opt_flags & 0x8000)
534 ND_PRINT((ndo, " OK"));
537 case T_UNSPECA: /* One long string */
538 if (!ND_TTEST2(*cp, len))
540 if (fn_printn(ndo, cp, len, ndo->ndo_snapend))
546 if (cp + len > ndo->ndo_snapend)
550 ND_PRINT((ndo, " "));
551 if ((cp = ns_nprint(ndo, cp, bp)) == NULL)
554 if (!ND_TTEST2(*cp, 2))
556 ND_PRINT((ndo, " fudge=%u", EXTRACT_16BITS(cp)));
558 if (!ND_TTEST2(*cp, 2))
560 ND_PRINT((ndo, " maclen=%u", EXTRACT_16BITS(cp)));
561 cp += 2 + EXTRACT_16BITS(cp);
562 if (!ND_TTEST2(*cp, 2))
564 ND_PRINT((ndo, " origid=%u", EXTRACT_16BITS(cp)));
566 if (!ND_TTEST2(*cp, 2))
568 ND_PRINT((ndo, " error=%u", EXTRACT_16BITS(cp)));
570 if (!ND_TTEST2(*cp, 2))
572 ND_PRINT((ndo, " otherlen=%u", EXTRACT_16BITS(cp)));
576 return (rp); /* XXX This isn't always right */
580 ns_print(netdissect_options *ndo,
581 register const u_char *bp, u_int length, int is_mdns)
583 register const HEADER *np;
584 register int qdcount, ancount, nscount, arcount;
585 register const u_char *cp;
588 np = (const HEADER *)bp;
590 /* get the byte-order right */
591 qdcount = EXTRACT_16BITS(&np->qdcount);
592 ancount = EXTRACT_16BITS(&np->ancount);
593 nscount = EXTRACT_16BITS(&np->nscount);
594 arcount = EXTRACT_16BITS(&np->arcount);
597 /* this is a response */
598 ND_PRINT((ndo, "%d%s%s%s%s%s%s",
599 EXTRACT_16BITS(&np->id),
600 ns_ops[DNS_OPCODE(np)],
601 ns_resp[DNS_RCODE(np)],
602 DNS_AA(np)? "*" : "",
603 DNS_RA(np)? "" : "-",
604 DNS_TC(np)? "|" : "",
605 DNS_AD(np)? "$" : ""));
608 ND_PRINT((ndo, " [%dq]", qdcount));
609 /* Print QUESTION section on -vv */
610 cp = (const u_char *)(np + 1);
612 if (qdcount < EXTRACT_16BITS(&np->qdcount) - 1)
613 ND_PRINT((ndo, ","));
614 if (ndo->ndo_vflag > 1) {
615 ND_PRINT((ndo, " q:"));
616 if ((cp = ns_qprint(ndo, cp, bp, is_mdns)) == NULL)
619 if ((cp = ns_nskip(ndo, cp)) == NULL)
621 cp += 4; /* skip QTYPE and QCLASS */
624 ND_PRINT((ndo, " %d/%d/%d", ancount, nscount, arcount));
626 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
628 while (cp < ndo->ndo_snapend && ancount--) {
629 ND_PRINT((ndo, ","));
630 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
636 /* Print NS and AR sections on -vv */
637 if (ndo->ndo_vflag > 1) {
638 if (cp < ndo->ndo_snapend && nscount--) {
639 ND_PRINT((ndo, " ns:"));
640 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
642 while (cp < ndo->ndo_snapend && nscount--) {
643 ND_PRINT((ndo, ","));
644 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
650 if (cp < ndo->ndo_snapend && arcount--) {
651 ND_PRINT((ndo, " ar:"));
652 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
654 while (cp < ndo->ndo_snapend && arcount--) {
655 ND_PRINT((ndo, ","));
656 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
665 /* this is a request */
666 ND_PRINT((ndo, "%d%s%s%s", EXTRACT_16BITS(&np->id), ns_ops[DNS_OPCODE(np)],
667 DNS_RD(np) ? "+" : "",
668 DNS_CD(np) ? "%" : ""));
671 b2 = EXTRACT_16BITS(((u_short *)np)+1);
673 ND_PRINT((ndo, " [b2&3=0x%x]", b2));
675 if (DNS_OPCODE(np) == IQUERY) {
677 ND_PRINT((ndo, " [%dq]", qdcount));
679 ND_PRINT((ndo, " [%da]", ancount));
683 ND_PRINT((ndo, " [%da]", ancount));
685 ND_PRINT((ndo, " [%dq]", qdcount));
688 ND_PRINT((ndo, " [%dn]", nscount));
690 ND_PRINT((ndo, " [%dau]", arcount));
692 cp = (const u_char *)(np + 1);
694 cp = ns_qprint(ndo, cp, (const u_char *)np, is_mdns);
697 while (cp < ndo->ndo_snapend && qdcount--) {
698 cp = ns_qprint(ndo, (const u_char *)cp,
708 /* Print remaining sections on -vv */
709 if (ndo->ndo_vflag > 1) {
711 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
713 while (cp < ndo->ndo_snapend && ancount--) {
714 ND_PRINT((ndo, ","));
715 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
721 if (cp < ndo->ndo_snapend && nscount--) {
722 ND_PRINT((ndo, " ns:"));
723 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
725 while (nscount-- && cp < ndo->ndo_snapend) {
726 ND_PRINT((ndo, ","));
727 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
733 if (cp < ndo->ndo_snapend && arcount--) {
734 ND_PRINT((ndo, " ar:"));
735 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
737 while (cp < ndo->ndo_snapend && arcount--) {
738 ND_PRINT((ndo, ","));
739 if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
747 ND_PRINT((ndo, " (%d)", length));
751 ND_PRINT((ndo, "[|domain]"));