
Re: Printing of TCP flags seems incorrect


From: grarpamp <grarpamp () gmail com>
Date: Thu, 3 Jul 2008 01:35:32 -0400

Hi. Patch inline. I made the naming conform to the RFCs and kept
the bitfield order in the man pages. No doubt I missed some parts.
The "Nonce Sum" bit was left out as it is still experimental, not
standards track. Compiles clean and seems to work. Enjoy.

FYI, tcpreplay has problems installing its man page because the
directory for it is not created by the makefile.

========================================
--- libpcap/pcap-filter.4.orig  Thu May 29 21:35:33 2008
+++ libpcap/pcap-filter.4       Thu Jul  3 00:46:37 2008
@@ -768,9 +768,15 @@
 \fBicmp-tstampreply\fP, \fBicmp-ireq\fP, \fBicmp-ireqreply\fP,
 \fBicmp-maskreq\fP, \fBicmp-maskreply\fP.

-The following TCP flags field values are available: \fBtcp-fin\fP,
-\fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP,
-\fBtcp-ack\fP, \fBtcp-urg\fP.
+The following TCP flags field values are available:
+\fBtcp-cwr\fP,
+\fBtcp-ece\fP,
+\fBtcp-urg\fP,
+\fBtcp-ack\fP,
+\fBtcp-psh\fP,
+\fBtcp-rst\fP,
+\fBtcp-syn\fP,
+\fBtcp-fin\fP.
 .LP
 Primitives may be combined using:
 .IP
--- libpcap/scanner.l.orig      Wed Feb  6 05:21:30 2008
+++ libpcap/scanner.l   Thu Jul  3 00:43:59 2008
@@ -362,9 +362,11 @@
 tcp-fin                        { yylval.i = 0x01; return NUM; }
 tcp-syn                        { yylval.i = 0x02; return NUM; }
 tcp-rst                        { yylval.i = 0x04; return NUM; }
-tcp-push               { yylval.i = 0x08; return NUM; }
+tcp-psh                        { yylval.i = 0x08; return NUM; }
 tcp-ack                        { yylval.i = 0x10; return NUM; }
 tcp-urg                        { yylval.i = 0x20; return NUM; }
+tcp-ece                        { yylval.i = 0x40; return NUM; }
+tcp-cwr                        { yylval.i = 0x80; return NUM; }
 [A-Za-z0-9]([-_.A-Za-z0-9]*[.A-Za-z0-9])? {
                         yylval.s = sdup((char *)yytext); return ID; }
 "\\"[^ !()\n\t]+       { yylval.s = sdup((char *)yytext + 1); return ID; }
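Review bot: Dropping the `tcp-push` rule at line 45 in favour of `tcp-psh` breaks every existing filter expression and script that uses the old keyword; the generic identifier rule at line 51 still matches the string, so presumably it is then returned as ID and treated as a host name rather than a flag value. Keep the old spelling as an alias next to the new one, `tcp-push { yylval.i = 0x08; return NUM; }`, so that `tcp-psh` becomes the documented name without a flag day, and mention in pcap-filter.4 that `tcp-push` is retained for compatibility.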
--- tcpdump/print-cnfp.c.orig   Wed Apr 20 16:53:18 2005
+++ tcpdump/print-cnfp.c        Thu Jul  3 00:49:37 2008
@@ -169,9 +169,11 @@
                        if (flags & TH_FIN)     putchar('F');
                        if (flags & TH_SYN)     putchar('S');
                        if (flags & TH_RST)     putchar('R');
-                       if (flags & TH_PUSH)    putchar('P');
+                       if (flags & TH_PSH)     putchar('P');
                        if (flags & TH_ACK)     putchar('A');
                        if (flags & TH_URG)     putchar('U');
+                       if (flags & TH_ECE)     putchar('E');
+                       if (flags & TH_CWR)     putchar('C');
                        if (flags)
                                putchar(' ');
                }
--- tcpdump/print-tcp.c.orig    Fri Dec 21 22:08:04 2007
+++ tcpdump/print-tcp.c Thu Jul  3 00:49:37 2008
@@ -101,11 +101,11 @@
         { TH_FIN, "F" },
         { TH_SYN, "S" },
         { TH_RST, "R" },
-        { TH_PUSH, "P" },
-        { TH_ACK, "." },
+        { TH_PSH, "P" },
+        { TH_ACK, "A" },
         { TH_URG, "U" },
-        { TH_ECNECHO, "E" },
-        { TH_CWR, "W" },
+        { TH_ECE, "E" },
+        { TH_CWR, "C" },
         { 0, NULL }
 };

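Review bot: Switching the ACK token from "." to "A" and the CWR token from "W" to "C" at lines 78 and 83 changes the long-standing flag column that downstream tools parse, so a plain acknowledgement now prints as `Flags [A]` instead of `Flags [.]`. That is a user-visible format change rather than a bug fix and deserves a separate, explicitly called-out commit (and a CHANGES entry), independent of the TH_PUSH/TH_ECNECHO renames, so that consumers of tcpdump output can be warned. If the old rendering is to be kept, the table entries `{ TH_ACK, "." }` and `{ TH_CWR, "W" }` can simply stay as they were while the macro names still change.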
@@ -312,7 +312,7 @@
         }

         flags = tp->th_flags;
-        printf("Flags [%s]", bittok2str_nosep(tcp_flag_values, "none", flags));
+        printf("Flags [%s]", bittok2str_nosep(tcp_flag_values,
"undef", flags));

         if (!Sflag && (flags & TH_ACK)) {
                 register struct tcp_seq_hash *th;
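Review bot: The fallback string changed from "none" to "undef" at line 92 contradicts the tcpdump.1 text in this same patch, which states that nothing appears within the brackets when no flag is set; a segment with all flag bits clear is flagless, not undefined. Either keep a neutral word or pass an empty fallback so output and documentation agree: `printf("Flags [%s]", bittok2str_nosep(tcp_flag_values, "", flags));` — this assumes bittok2str_nosep returns the fallback verbatim when no bit matches, which is not visible in the hunk and should be confirmed. The enclosing function starts and ends outside the hunk, and the continuation at line 93 appears to be a mail line wrap of a single source line, not a second statement.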
--- tcpdump/tcp.h.orig  Sat Dec  8 19:30:47 2007
+++ tcpdump/tcp.h       Thu Jul  3 00:49:37 2008
@@ -54,14 +54,14 @@
 #define TH_OFF(th)     (((th)->th_offx2 & 0xf0) >> 4)

 /* TCP flags */
-#define        TH_FIN     0x01
-#define        TH_SYN     0x02
-#define        TH_RST     0x04
-#define        TH_PUSH    0x08
-#define        TH_ACK     0x10
-#define        TH_URG     0x20
-#define TH_ECNECHO 0x40        /* ECN Echo */
-#define TH_CWR    0x80 /* ECN Cwnd Reduced */
+#define        TH_FIN  0x01    /* RFC 793 0x01 through 0x20 */
+#define        TH_SYN  0x02
+#define        TH_RST  0x04
+#define        TH_PSH  0x08
+#define        TH_ACK  0x10
+#define        TH_URG  0x20
+#define        TH_ECE  0x40    /* RFC 3168 ECN-Echo */
+#define        TH_CWR  0x80    /* RFC 3168 Congestion Window Reduced */


 #define        TCPOPT_EOL              0
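Review bot: Renaming TH_PUSH to TH_PSH (line 114) and TH_ECNECHO to TH_ECE (line 117) removes the old names from tcp.h, so any printer in the tree still referencing them, which the cover note admits is likely, stops compiling. Keeping the old spellings as aliases beside the new definitions avoids that: `#define TH_PUSH TH_PSH /* old name, kept for compatibility */` and `#define TH_ECNECHO TH_ECE /* old name, kept for compatibility */`. The same applies to the tcpreplay/Libnet libnet-headers.h hunk, where the TH_PUSH guard is replaced rather than supplemented; since that block is #ifndef-guarded, defining both names there is harmless and keeps third-party code that includes the header building.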
--- tcpdump/tcpdump.1.orig      Thu May 29 21:37:41 2008
+++ tcpdump/tcpdump.1   Thu Jul  3 00:49:37 2008
@@ -846,9 +846,17 @@
 .RE
 \fISrc\fP and \fIdst\fP are the source and destination IP
 addresses and ports.
-\fIFlags\fP are some combination of S (SYN),
-F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single
-`.' (no flags).
+\fIFlags\fP are some combination of
+C (CWR),
+E (ECE),
+U (URG),
+A (ACK),
+P (PSH),
+R (RST),
+S (SYN),
+F (FIN),
+or nothing within the brackets if none of the flags in the applicable
+RFC were set.
 \fIData-seqno\fP describes the portion of sequence space covered
 by the data in this packet (see example below).
 \fIAck\fP is sequence number of the next data expected the other
@@ -870,9 +878,9 @@
 .sp .5
 \s-2\f(CWrtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
 csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
-rtsg.1023 > csam.login: . ack 1 win 4096
+rtsg.1023 > csam.login: A ack 1 win 4096
 rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
-csam.login > rtsg.1023: . ack 2 win 4096
+csam.login > rtsg.1023: A ack 2 win 4096
 rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
 csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
 csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
@@ -895,8 +903,6 @@
 Csam replies with a similar packet except it includes a piggy-backed
 ack for rtsg's SYN.
 Rtsg then acks csam's SYN.
-The `.' means no
-flags were set.
 The packet contained no data so there is no data sequence number.
 Note that the ack sequence
 number is a small integer (1).
@@ -914,7 +920,7 @@
 .LP
 On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20
 in the rtsg \(-> csam side of the conversation).
-The PUSH flag is set in the packet.
+The PSH flag is set in the packet.
 On the 7th line, csam says it's received data sent by rtsg up to
 but not including byte 21.
 Most of this data is apparently sitting in the
@@ -1572,9 +1578,9 @@
 .RS
 .nf
 .sp .5
-\s-2\f(CWarizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win
4096 (frag 595a:328@0+)
+\s-2\f(CWarizona.ftp-data > rtsg.1170: A 1024:1332(308) ack 1 win
4096 (frag 595a:328@0+)
 arizona > rtsg: (frag 595a:204@328)
-rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560\fP\s+2
+rtsg.1170 > arizona.ftp-data: A ack 1536 win 2560\fP\s+2
 .sp .5
 .fi
 .RE
--- tcpreplay/Libnet/include/libnet/libnet-headers.h.orig       Mon
Nov 11 04:43:49 2002
+++ tcpreplay/Libnet/include/libnet/libnet-headers.h    Thu Jul  3 01:08:46 2008
@@ -1151,14 +1151,20 @@
 #ifndef TH_RST
 #define TH_RST    0x04      /* reset the connection */
 #endif
-#ifndef TH_PUSH
-#define TH_PUSH   0x08      /* push data to the app layer */
+#ifndef TH_PSH
+#define TH_PSH    0x08      /* push data to the app layer */
 #endif
 #ifndef TH_ACK
 #define TH_ACK    0x10      /* acknowledge */
 #endif
 #ifndef TH_URG
 #define TH_URG    0x20      /* urgent! */
+#endif
+#ifndef TH_ECE
+#define TH_ECE    0x40      /* ECN Echo */
+#endif
+#ifndef TH_CWR
+#define TH_CWR    0x80      /* Congestion Window Reduced */
 #endif
     u_short th_win;         /* window */
     u_short th_sum;         /* checksum */
========================================

