d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Convert to mdoc format. Remove unused vars. Use err(3) and change exit(-1).

Browse Source
This commit is contained in:
Philippe Charnier 1998-01-20 07:30:27 +00:00
parent 2768e0c4b5
commit ffe0efc2a9
2 changed files with 151 additions and 144 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

256
usr.sbin/tcpdump/tcpslice/tcpslice.1
View File

@ -1,5 +1,3 @@
.\" @(#) $Header: /home/ncvs/src/usr.sbin/tcpdump/tcpslice/tcpslice.1,v 1.3 1995/03/08 12:53:39 olah Exp $ (LBL)
.\"
.\" Copyright (c) 1988-1990 The Regents of the University of California.
.\" All rights reserved.
.\"
@ -19,242 +17,254 @@
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH TCPSLICE 1 "14 Oct 1991"
.SH NAME
tcpslice \- extract pieces of and/or glue together tcpdump files
.SH SYNOPSIS
.na
.B tcpslice
[
.B \-dRrt
] [
.B \-w
.I file
]
.br
.ti +9
[
.I start-time
[
.I end-time
] ]
.I file ...
.br
.ad
.SH DESCRIPTION
.LP
.I Tcpslice
.\" $Id$
.\"
.Dd October 14, 1991
.Dt TCPSLICE 1
.Os
.Sh NAME
.Nm tcpslice
.Nd extract pieces of and/or glue together tcpdump files
.Sh SYNOPSIS
.Nm tcpslice
.Op Fl dRrt
.Op Fl w Ar file
.Op Ar start-time Op end-time
.Ar
.Sh DESCRIPTION
.Nm Tcpslice
is a program for extracting portions of packet-trace files generated using
\fItcpdump(1)\fP's
.B \-w
.Xr tcpdump 1 Ns 's
.Fl w
flag.
It can also be used to glue together several such files, as discussed
below.
.LP
.Pp
The basic operation of
.I tcpslice
.Nm
is to copy to
.I stdout
.Pa stdout
all packets from its input file(s) whose timestamps fall
within a given range. The starting and ending times of the range
may be specified on the command line. All ranges are inclusive.
The starting time defaults
to the time of the first packet in the first input file; we call
this the
.I first time.
.Em first time .
The ending time defaults to ten years after the starting time.
Thus, the command
.I tcpslice trace-file
.Nm
.Ar trace-file
simply copies
.I trace-file
to \fIstdout\fP (assuming the file does not include more than
.Ar trace-file
to
.Pa stdout
(assuming the file does not include more than
ten years' worth of data).
.LP
.Pp
There are a number of ways to specify times. The first is using
Unix timestamps of the form
.I sssssssss.uuuuuu
(this is the format specified by \fItcpdump\fP's
.B \-tt
.Em sssssssss.uuuuuu
(this is the format specified by
.Xr tcpdump 1 Ns 's
.Fl tt
flag).
For example,
.B 654321098.7654
.Em 654321098.7654
specifies 38 seconds and 765,400 microseconds
after 8:51PM PDT, Sept. 25, 1990.
.LP
.Pp
All examples in this manual are given
for PDT times, but when displaying times and interpreting times symbolically
as discussed below,
.I tcpslice
uses the local timezone, regardless of the timezone in which the \fItcpdump\fP
.Nm
uses the local timezone, regardless of the timezone in which the
.Xr tcpdump 1
file was generated. The daylight-savings setting used is that which is
appropriate for the local timezone at the date in question. For example,
times associated with summer months will usually include daylight-savings
effects, and those with winter months will not.
.LP
.Pp
Times may also be specified relative
to either the
.I first time
.Em first time
(when specifying a starting time)
or the starting time (when specifying an ending time)
by preceding a numeric value in seconds with a `+'.
For example, a starting time of
.B +200
.Em +200
indicates 200 seconds after the
.I first time,
.Em first time ,
and the two arguments
.B +200 +300
.Em +200 +300
indicate from 200 seconds after the
.I first time
.Em first time
through 500 seconds after the
.I first time.
.LP
.Em first time .
.Pp
Times may also be specified in terms of years (y), months (m), days (d),
hours (h), minutes (m), seconds (s), and microseconds(u). For example,
the Unix timestamp 654321098.7654 discussed above could also be expressed
as
.B 90y9m25d20h51m38s765400u.
.LP
.Em 90y9m25d20h51m38s765400u .
.Pp
When specifying times using this style, fields that are omitted default
as follows. If the omitted field is a unit
.I greater
.Em greater
than that of the first specified field, then its value defaults to
the corresponding value taken from either
.I first time
.Em first time
(if the starting time is being specified) or the starting time
(if the ending time is being specified).
If the omitted field is a unit
.I less
.Em less
than that of the first specified field, then it defaults to zero.
For example, suppose that the input file has a
.I first time
.Em first time
of the Unix timestamp mentioned above, i.e., 38 seconds and 765,400 microseconds
after 8:51PM PDT, Sept. 25, 1990. To specify 9:36PM PDT (exactly) on the
same date we could use
.B 21h36m.
.Em 21h36m .
To specify a range from 9:36PM PDT through 1:54AM PDT the next day we
could use
.B 21h36m 26d1h54m.
.LP
.Em 21h36m 26d1h54m .
.Pp
Relative times can also be specified when using the
.I ymdhmsu
.Em ymdhmsu
format. Omitted fields then default to 0 if the unit of the field is
.I greater
.Em greater
than that of the first specified field, and to the corresponding value
taken from either the
.I first time
.Em first time
or the starting time if the omitted field's unit is
.I less
.Em less
than that of the first specified field. Given a
.I first time
.Em first time
of the Unix timestamp mentioned above,
.B 22h +1h10m
.Em 22h +1h10m
specifies a range from 10:00PM PDT on that date through 11:10PM PDT, and
.B +1h +1h10m
.Em +1h +1h10m
specifies a range from 38.7654 seconds after 9:51PM PDT through 38.7654
seconds after 11:01PM PDT. The first hour of the file could be extracted
using
.B +0 +1h.
.LP
.Em +0 +1h .
.Pp
Note that with the
.I ymdhmsu
.Em ymdhmsu
format there is an ambiguity between using
.I m
.Em m
for `month' or for `minute'. The ambiguity is resolved as follows: if an
.I m
.Em m
field is followed by a
.I d
.Em d
field then it is interpreted as specifying months; otherwise it
specifies minutes.
.LP
.Pp
If more than one input file is specified then
.I tcpslice
.Nm
first copies packets lying in the given range from the first file; it
then increases the starting time of the range to lie just beyond the
timestamp of the last packet in the first file, repeats the process
with the second file, and so on. Thus files with interleaved packets
are
.I not
.Em not
merged. For a given file, only packets that are newer than any in the
preceding files will be considered. This mechanism avoids any possibility
of a packet occurring more than once in the output.
.SH OPTIONS
.LP
.Sh OPTIONS
.Pp
If any of
.B \-R,
.B \-r
.Fl R ,
.Fl r
or
.B \-t
.Fl t
are specified then
.I tcpslice
.Nm
reports the timestamps of the first and last packets in each input file
and exits. Only one of these three options may be specified.
.TP
.B \-d
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl d
Dump the start and end times specified by the given range and
exit. This option is useful for checking that the given range actually
specifies the times you think it does. If one of
.B \-R,
.B \-r
.Fl R ,
.Fl r
or
.B \-t
.Fl t
has been specified then the times are dumped in the corresponding
format; otherwise, raw format (\fB \-R\fP) is used.
.TP
.B \-R
format; otherwise, raw format (
.Fl R )
is used.
.It Fl R
Dump the timestamps of the first and last packets in each input file
as raw timestamps (i.e., in the form \fI sssssssss.uuuuuu\fP).
.TP
.B \-r
as raw timestamps (i.e., in the form
.Em sssssssss.uuuuuu Ns ).
.It Fl r
Same as
.B \-R
.Fl R
except the timestamps are dumped in human-readable format, similar
to that used by \fI date(1)\fP.
.TP
.B \-t
to that used by
.Xr date 1 .
.It Fl t
Same as
.B \-R
.Fl R
except the timestamps are dumped in
.I tcpslice
.Nm
format, i.e., in the
.I ymdhmsu
.Em ymdhmsu
format discussed above.
.TP
.B \-w
Direct the output to \fIfile\fR rather than \fIstdout\fP.
.SH "SEE ALSO"
tcpdump(1)
.SH AUTHOR
Vern Paxson (vern@ee.lbl.gov), of
.It Fl w Ar file
Direct the output to
.Ar file
rather than
.Pa stdout .
.El
.Sh SEE ALSO
.Xr tcpdump 1
.Sh AUTHOR
.An Vern Paxson Aq vern@ee.lbl.gov
, of
Lawrence Berkeley Laboratory, University of California, Berkeley, CA.
.SH BUGS
.Sh BUGS
An input filename that beings with a digit or a `+' can be confused
with a start/end time. Such filenames can be specified with a
leading `./'; for example, specify the file `04Jul76.trace' as
`./04Jul76.trace'.
.LP
.I tcpslice
cannot read its input from \fIstdin\fP, since it uses random-access
.Pp
.Nm Tcpslice
cannot read its input from
.Pa stdin ,
since it uses random-access
to rummage through its input files.
.LP
.I tcpslice
.Pp
.Nm Tcpslice
refuses to write to its output if it is a terminal
(as indicated by \fIisatty(3)\fP). This is not a bug but a feature,
(as indicated by
.Xr isatty 3 ). This is not a bug but a feature,
to prevent it from spraying binary data to the user's terminal.
Note that this means you must either redirect \fIstdout\fP or specify an
output file via \fB\-w\fP.
.LP
.I tcpslice
will not work properly on \fItcpdump\fP files spanning more than one year;
Note that this means you must either redirect
.Pa stdout
or specify an
output file via
.Fl w .
.Pp
.Nm Tcpslice
will not work properly on
.Xr tcpdump 1
files spanning more than one year;
with files containing portions of packets whose original length was
more than 65,535 bytes; nor with files containing fewer than three packets.
Such files result in
the error message: `couldn't find final packet in file'. These problems
are due to the interpolation scheme used by
.I tcpslice
.Nm
to greatly speed up its processing when dealing with large trace files.
Note that
.I tcpslice
.Nm
can efficiently extract slices from the middle of trace files of any
size, and can also work with truncated trace files (i.e., the final packet
in the file is only partially present, typically due to \fItcpdump\fP
in the file is only partially present, typically due to
.Xr tcpdump 1
being ungracefully killed).

39
usr.sbin/tcpdump/tcpslice/tcpslice.c
View File

@ -18,24 +18,28 @@
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#if !defined(lint) && !defined(__GNUC__)
char copyright[] =
"@(#) Copyright (c) 1987-1990 The Regents of the University of California.\nAll rights reserved.\n";
static char rcsid[] =
"@(#)$Header: /home/ncvs/src/usr.sbin/tcpdump/tcpslice/tcpslice.c,v 1.3 1995/08/23 05:18:59 pst Exp $ (LBL)";
#endif
#ifndef lint
static const char copyright[] =
"@(#) Copyright (c) 1987-1990\n\
The Regents of the University of California. All rights reserved.\n";
#endif /* not lint */
#ifndef lint
static const char rcsid[] =
"$Id$";
#endif /* not lint */
/*
* tcpslice - extract pieces of and/or glue together tcpdump files
*/
#include <err.h>
#include "tcpslice.h"
int tflag = 0; /* global that util routines are sensitive to */
int fddipad; /* XXX: libpcap needs this global */
char *program_name;
/* Style in which to print timestamps; RAW is "secs.usecs"; READABLE is
* ala the Unix "date" tool; and PARSEABLE is tcpslice's custom format,
* designed to be easy to parse. The default is RAW.
@ -58,7 +62,7 @@ void extract_slice(char filename[], char write_file_name[],
struct timeval *start_time, struct timeval *stop_time);
char *timestamp_to_string(struct timeval *timestamp);
void dump_times(pcap_t **p, char filename[]);
void usage(void);
static void usage(void);
pcap_dumper_t *dumper = 0;
@ -75,11 +79,6 @@ main(int argc, char **argv)
struct timeval first_time, start_time, stop_time;
pcap_t *pcap;
extern char *optarg;
extern int optind, opterr;
program_name = argv[0];
opterr = 0;
while ((op = getopt(argc, argv, "dRrtw:")) != -1)
switch (op) {
@ -197,10 +196,8 @@ long local_time_zone(long timestamp)
struct timezone tz;
long localzone;
if (gettimeofday(&now, &tz) < 0) {
perror("tcpslice: gettimeofday");
exit(1);
}
if (gettimeofday(&now, &tz) < 0)
err(1, "gettimeofday");
localzone = tz.tz_minuteswest * -60;
if (localtime((time_t *) &timestamp)->tm_isdst)
@ -605,14 +602,14 @@ dump_times(pcap_t **p, char filename[])
timestamp_to_string( &last_time ) );
}
void
static void
usage(void)
{
(void)fprintf(stderr, "tcpslice for tcpdump version %d.%d\n",
VERSION_MAJOR, VERSION_MINOR);
(void)fprintf(stderr,
"Usage: tcpslice [-dRrt] [-w file] [start-time [end-time]] file ... \n");
"usage: tcpslice [-dRrt] [-w file] [start-time [end-time]] file ... \n");
exit(-1);
exit(1);
}