xref: /freebsd/contrib/tcpdump/print-syslog.c (revision 0a7e5f1f02aad2ff5fff1c60f44c6975fd07e1d9)
11de50e9fSSam Leffler /*
20bff6a5aSEd Maste  * Copyright (c) 1998-2004  Hannes Gredler <hannes@gredler.at>
31de50e9fSSam Leffler  *      The TCPDUMP project
41de50e9fSSam Leffler  *
51de50e9fSSam Leffler  * Redistribution and use in source and binary forms, with or without
61de50e9fSSam Leffler  * modification, are permitted provided that: (1) source code
71de50e9fSSam Leffler  * distributions retain the above copyright notice and this paragraph
81de50e9fSSam Leffler  * in its entirety, and (2) distributions including binary code include
91de50e9fSSam Leffler  * the above copyright notice and this paragraph in its entirety in
101de50e9fSSam Leffler  * the documentation or other materials provided with the distribution.
111de50e9fSSam Leffler  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND
121de50e9fSSam Leffler  * WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
131de50e9fSSam Leffler  * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
141de50e9fSSam Leffler  * FOR A PARTICULAR PURPOSE.
151de50e9fSSam Leffler  */
161de50e9fSSam Leffler 
173340d773SGleb Smirnoff /* \summary: Syslog protocol printer */
18ee67461eSJoseph Mingrone /* specification: RFC 3164 (not RFC 5424) */
193340d773SGleb Smirnoff 
20ee67461eSJoseph Mingrone #include <config.h>
211de50e9fSSam Leffler 
22ee67461eSJoseph Mingrone #include "netdissect-stdinc.h"
231de50e9fSSam Leffler 
243340d773SGleb Smirnoff #include "netdissect.h"
251de50e9fSSam Leffler #include "extract.h"
263c602fabSXin LI 
271de50e9fSSam Leffler 
281de50e9fSSam Leffler /*
291de50e9fSSam Leffler  * tokenlists and #defines taken from Ethereal - Network traffic analyzer
301de50e9fSSam Leffler  * by Gerald Combs <gerald@ethereal.com>
311de50e9fSSam Leffler  */
321de50e9fSSam Leffler 
/*
 * The PRI value is facility * 8 + severity (RFC 3164), so the low three
 * bits carry the severity and the bits above them carry the facility.
 */
#define SYSLOG_SEVERITY_MASK 0x0007  /* bits 0-2: 0000 0000 0000 0111 */
#define SYSLOG_FACILITY_MASK 0x03f8  /* bits 3-9: 0000 0011 1111 1000 */
/*
 * Upper bound on the number of PRI digits syslog_print() consumes from the
 * packet.  With three digits the parsed value cannot exceed 999, so it
 * always fits the 16-bit accumulator used there.
 */
#define SYSLOG_MAX_DIGITS 3
361de50e9fSSam Leffler 
/*
 * Names for the severity code taken from the low three bits of PRI.
 * All eight possible values (0-7) have an entry; the { 0, NULL } row
 * ends the list.
 */
static const struct tok syslog_severity_values[] = {
  { 0, "emergency" },
  { 1, "alert" },
  { 2, "critical" },
  { 3, "error" },
  { 4, "warning" },
  { 5, "notice" },
  { 6, "info" },
  { 7, "debug" },
  { 0, NULL },
};
481de50e9fSSam Leffler 
/*
 * Names for the facility code taken from PRI after the severity bits are
 * shifted out.  Only codes 0-23 are named; syslog_print() can derive larger
 * codes from the wire, and those are printed with the "unknown (%u)"
 * default it passes to tok2str().  Codes 9 and 15 both map to "cron".
 * The { 0, NULL } row ends the list.
 */
static const struct tok syslog_facility_values[] = {
  {  0, "kernel" },
  {  1, "user" },
  {  2, "mail" },
  {  3, "daemon" },
  {  4, "auth" },
  {  5, "syslog" },
  {  6, "lpr" },
  {  7, "news" },
  {  8, "uucp" },
  {  9, "cron" },
  { 10, "authpriv" },
  { 11, "ftp" },
  { 12, "ntp" },
  { 13, "security" },
  { 14, "console" },
  { 15, "cron" },
  { 16, "local0" },
  { 17, "local1" },
  { 18, "local2" },
  { 19, "local3" },
  { 20, "local4" },
  { 21, "local5" },
  { 22, "local6" },
  { 23, "local7" },
  { 0, NULL },
};
761de50e9fSSam Leffler 
/*
 * Print a syslog datagram: decode the leading "<PRI>" field into facility
 * and severity and, in verbose mode, print the MSG text that follows it.
 *
 * ndo:  dissector state; ndo_vflag selects how much is printed.
 * pptr: first byte of the syslog payload.
 * len:  payload length as supplied by the caller.
 *
 * Every byte examined here is sender-controlled.  Anything that does not
 * start with '<', up to SYSLOG_MAX_DIGITS decimal digits and '>' is
 * reported through nd_print_invalid().
 *
 * NOTE(review): the PRI field is read through GET_U_1() before len is
 * consulted, so those reads depend on whatever bounds checking GET_U_1()
 * performs (presumably against the captured data; confirm in extract.h /
 * netdissect.h) rather than on len.
 */
void
syslog_print(netdissect_options *ndo,
             const u_char *pptr, u_int len)
{
    uint16_t facility, severity;
    uint16_t pri = 0;
    uint16_t msg_off = 0;
    u_int c;

    ndo->ndo_protocol = "syslog";

    /* The priority field must open with '<'. */
    if (GET_U_1(pptr) != '<')
        goto invalid;

    /*
     * Accumulate the decimal priority.  At most SYSLOG_MAX_DIGITS digits
     * are taken, so pri stays at or below 999 and cannot overflow its
     * 16-bit type no matter what the sender puts in the packet.
     */
    for (msg_off = 1; msg_off <= SYSLOG_MAX_DIGITS; msg_off++) {
        c = GET_U_1(pptr + msg_off);
        if (c < '0' || c > '9')
            break;
        pri = pri * 10 + (c - '0');
    }

    /* ... and must close with '>' right after the digits. */
    if (GET_U_1(pptr + msg_off) != '>')
        goto invalid;
    msg_off++;

    /*
     * Split PRI into its two parts.  Values without a table entry (for
     * example a facility above 23) are printed as "unknown (N)".
     */
    severity = pri & SYSLOG_SEVERITY_MASK;
    facility = (pri & SYSLOG_FACILITY_MASK) >> 3;

    /* Terse output: one summary line, the MSG text is not printed. */
    if (ndo->ndo_vflag < 1 ) {
        ND_PRINT("SYSLOG %s.%s, length: %u",
               tok2str(syslog_facility_values, "unknown (%u)", facility),
               tok2str(syslog_severity_values, "unknown (%u)", severity),
               len);
        return;
    }

    ND_PRINT("SYSLOG, length: %u\n\tFacility %s (%u), Severity %s (%u)\n\tMsg: ",
           len,
           tok2str(syslog_facility_values, "unknown (%u)", facility),
           facility,
           tok2str(syslog_severity_values, "unknown (%u)", severity),
           severity);

    /*
     * Verbose mode prints the syslog text.
     *
     * RFC 3164 Section 4.1.3: "There is no ending delimiter to this part.
     * The MSG part of the syslog packet MUST contain visible (printing)
     * characters."
     *
     * RFC 5424 Section 8.2: "This document does not impose any mandatory
     * restrictions on the MSG or PARAM-VALUE content.  As such, they MAY
     * contain control characters, including the NUL character."
     *
     * Hence, to aid in protocol debugging, print the full MSG without
     * beautification to make it clear what was transmitted on the wire.
     *
     * The len > msg_off test keeps the unsigned subtraction below from
     * wrapping when the caller's length is shorter than the PRI field.
     *
     * NOTE(review): the MSG bytes are sender-controlled and may include
     * control characters; how they reach the terminal depends on
     * nd_printn(), which is not shown here - confirm it escapes them.
     * The NULL last argument and the discarded return value should be
     * checked against nd_printn()'s contract as well.
     */
    if (len > msg_off)
        (void)nd_printn(ndo, pptr + msg_off, len - msg_off, NULL);

    /* At higher verbosity also hand the whole payload to print_unknown_data(). */
    if (ndo->ndo_vflag > 1)
        print_unknown_data(ndo, pptr, "\n\t", len);
    return;

invalid:
    nd_print_invalid(ndo);
}