the-tcpdump-group / tcpslice

tcpslice concatenates multiple pcap files together, or extracts time slices from one or more pcap files.

pcap packet-capture tcpdump libpcap berkeley-packet-filter bsd-packet-filter bpf

tcpslice's Introduction

TCPSLICE 1.x by The Tcpdump Group

To report a security issue, please send an e-mail to [email protected].

Anonymous git access is available via

https://github.com/the-tcpdump-group/tcpslice

This directory contains source code for tcpslice, a tool for extracting portions of packet trace files generated using tcpdump's -w flag.

Problems, bugs, questions, desirable enhancements, source code contributions, etc., should be sent to the mailing list.

Dependency on libpcap

Tcpslice uses libpcap, a system-independent interface for user-level packet capture. Before building tcpslice, you must first retrieve and build libpcap.

Once libpcap is built (either install it or make sure it's in ../libpcap), you can build tcpslice using the procedure in the installation guidelines.

Origins of tcpslice

formerly from   Lawrence Berkeley National Laboratory
                ftp://ftp.ee.lbl.gov/tcpslice-1.2a3.tar.gz

tcpslice's Issues

handling releases for tcpslice

I am doing quality assurance work on the tcpslice package in Debian.
I updated the package's homepage to tcpdump.org and would like to change the check for new versions.
Currently the check is performed at ftp://ftp.ee.lbl.gov/ I would like to switch to GitHub.
Could you insert version 1.2a3 on GitHub and create a release of this code?
If possible, it would be interesting to have all possible versions ported on GitHub.
And the use of releases so that we can be alerted in Debian about new versions of this application.

sbin installation required?

Does tcpslice need to run as root?
I ask because the installation is performed in sbin.
However, if tcpslice does not need special permissions I think it is prudent to install it in the bin folder.

Heap use after free

Tested on:

version 1.5-PRE-GIT
version 1.2a3

Command:

tcpslice -w a.txt heap.pcap
Segmentation fault

Results:

==1676569==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000000160 at pc 0x7ffff761fa7d bp 0x7fffffffd700 sp 0x7fffffffce90
WRITE of size 56 at 0x617000000160 thread T0
#0 0x7ffff761fa7c in vsnprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9fa7c)
#1 0x7ffff7620036 in __snprintf_chk (/lib/x86_64-linux-gnu/libasan.so.5+0xa0036)
#2 0x7ffff75594ee in pcap_dump_open (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x244ee)
#3 0x555555559ea4 in extract_slice tcpslice.c:882
#4 0x555555559ea4 in main tcpslice.c:312
#5 0x7ffff736a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#6 0x55555555eadd in _start (/home/constantine/tcpslice/tcpslice+0xaadd)

0x617000000160 is located 224 bytes inside of 664-byte region [0x617000000080,0x617000000318)
freed by thread T0 here:
#0 0x7ffff768d7cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x555555559d8a in get_next_packet tcpslice.c:747
#2 0x555555559d8a in extract_slice tcpslice.c:879
#3 0x555555559d8a in main tcpslice.c:312

previously allocated by thread T0 here:
#0 0x7ffff768ddc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
#1 0x7ffff7545bea (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x10bea)
#2 0x64656e696665646d ()

SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x9fa7c) in vsnprintf
Shadow bytes around the buggy address:
0x0c2e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e7fff8020: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
0x0c2e7fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8060: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1676569==ABORTING

PoC:

heap.pcap.zip

tcpslice doesn't like file names that begin with digits?

Originally filed as tcpslice SF bug 3.
Originally filed as tcpslice SF ticket 1800003.
Submitted: Gabriel Friedmann ( gfriedmann ) - 2007-09-21 15:48:11 PDT

When I try to run tcpslice with an input file that contains dashes, I get an error.
To reproduce, attempt the following command

tcpslice 2007-09-21_xxx_xxxxxxxxxxx_server_fixed_segmented.cap
tcpslice: at least one input file must be given

This is in tcpslice version 1.1a3
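The report above hinges on how a positional argument is told apart from a time: the usage line quoted later on this page (`tcpslice [-DdlRrt] [-w file] [start-time [end-time]] file ...`) puts the optional times before the file list, so an argument that begins with digits is at risk of being consumed as a time. The program below is an added example, not tcpslice's own code, of one disambiguation rule: an argument that names an existing file is always a file, and only otherwise must it parse completely as a time. The `looks_like_time` grammar (a `+N` offset, bare seconds since the epoch, or number-unit pairs with the letters y M d h m s) is an assumed approximation of tcpslice's syntax, the file names are constructed, and `exists_in_list` is a stand-in for the file system so the rule can be exercised offline.

```c
/* Added example (not tcpslice's code): classify positional arguments so that a
 * file name such as 2007-09-21_server.cap is never swallowed as a time spec. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum arg_kind { ARG_FILE, ARG_TIME, ARG_BAD };

/* Assumed approximation of the tcpslice time syntax.  Accepts "+3600",
 * "1450750007", "93y5M3d", "12h30m".  Rejects "2007-09-21_x.cap", "5yy", "". */
int looks_like_time(const char *s) {
    size_t i = 0;
    int need_digit = 1;                       /* a unit letter must follow a number */
    if (s[0] == '+') i = 1;                   /* relative to the previous time */
    if (!isdigit((unsigned char)s[i])) return 0;
    for (; s[i]; i++) {
        if (isdigit((unsigned char)s[i])) { need_digit = 0; continue; }
        if (strchr("yMdhms", s[i]) && !need_digit) { need_digit = 1; continue; }
        return 0;                             /* '-', '_', '.', or a bare unit */
    }
    return 1;
}

/* Real file-system check used when running on argv. */
static int file_exists(const char *path) {
    struct stat st;
    return stat(path, &st) == 0;
}

/* Constructed stand-in for the file system (hypothetical names). */
static const char *known_files[] = { "2007-09-21_server.cap", "trace.pcap" };
int exists_in_list(const char *path) {
    for (size_t i = 0; i < sizeof known_files / sizeof *known_files; i++)
        if (strcmp(path, known_files[i]) == 0) return 1;
    return 0;
}

/* exists() is injected so the rule can be tested without touching the disk. */
enum arg_kind classify_arg(const char *arg, int (*exists)(const char *)) {
    if (exists(arg)) return ARG_FILE;         /* a real file always wins */
    if (looks_like_time(arg)) return ARG_TIME;
    return ARG_BAD;                           /* neither: report, don't guess */
}

/* Split positional args into up to two leading times and the file list.
 * Returns the number of times (0..2), or -1 for a malformed or out-of-order
 * argument (a time after the first file, a third time, a missing file). */
int split_positional(int argc, char **argv, int (*exists)(const char *),
                     const char **times, const char **files, int *nfiles) {
    int nt = 0, nf = 0;
    for (int i = 0; i < argc; i++) {
        enum arg_kind k = classify_arg(argv[i], exists);
        if (k == ARG_TIME && nt < 2 && nf == 0) times[nt++] = argv[i];
        else if (k == ARG_FILE) files[nf++] = argv[i];
        else return -1;
    }
    *nfiles = nf;
    return nt;
}

int main(int argc, char **argv) {
    const char *times[2], *files[16];
    int nf;
    char *demo[] = { "1450750007", "+3600", "2007-09-21_server.cap" };
    int nt = split_positional(3, demo, exists_in_list, times, files, &nf);
    printf("demo: %d time(s), %d file(s)\n", nt, nf);
    if (argc > 1 && argc - 1 <= 16) {         /* same rule against real argv */
        nt = split_positional(argc - 1, argv + 1, file_exists, times, files, &nf);
        printf("argv: %d time(s), %d file(s)\n", nt, nf);
    }
    return 0;
}
```

The price of "an existing file always wins" is that a file literally named `1450750007` in the current directory would be read rather than parsed as a time; a user who means the time can run the command from another directory, whereas there is no workaround in the other direction for a capture whose name begins with digits.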

tcpslice can't read capture file with just one packet

When using tcpslice to merge two capture files, if one of those files has just one packet, tcpslice will fail with following error:

tcpslice: problems finding end packet of file capture-file

This does not have to be just the action of merging two files. Just reading the one file with one packet ends up the same. This is reproducible in the following ways:

1. Start a capture with tcpdump -c 1 on any interface and capture one packet from any traffic:
    # tcpdump -c 1 -w one-packet-capture -i eth0
2. Run tcpslice on this one:
    # tcpslice -v one-packet-capture -w one-packet-capture-out
    tcpslice: problems finding end packet of file one-packet-capture
3. You can also capture another file with more packets and then merge:
    # tcpdump -c 10 -w ten-packets-capture -i eth0
    # tcpslice one-packet-capture ten-packets-capture -w merged-capture
    tcpslice: problems finding end packet of file one-packet-capture

The error appears even when the captures are merged with a different tool like mergecap:

1. Capture one packet in one file and ten packets in a different file like in the previous example
2. Use mergecap (from wireshark) to merge these together:
    # mergecap -w merged-with-mergecap one-packet-capture ten-packets-capture
    # tcpdump --count -r merged-with-mergecap 
    reading from file merged-with-mergecap, link-type EN10MB (Ethernet), snapshot length 262144
    11 packets
3. Try to read the file with tcpslice:
    # tcpslice merged-with-mergecap 
    tcpslice: problems finding end packet of file merged-with-mergecap

cannot cross-compile tcpslice

I'm trying to cross-compile tcpslice as follows:

cd src && ./configure
--host=arm-linux
--build=i686-linux
--disable-ipv6
--disable-foo
CONFIG_SITE="/home/md84419/workspaces/config.site"
CFLAGS="-I/home/md84419/workspaces/include/user-linux -I/home/md84419/workspaces/include"
LDFLAGS=""
LIBS=""
configure: warning: CONFIG_SITE=/home/md84419/workspaces/config.site: invalid host type
configure: warning: CFLAGS=-I/home/md84419/workspaces/include/user-linux -I/home/md84419/workspaces/include: invalid host type
configure: warning: LDFLAGS=: invalid host type
configure: warning: LIBS=: invalid host type
loading cache ./config.cache
checking host system type... arm-unknown-linux-gnu
checking target system type... Invalid configuration LIBS=': machineLIBS=' not recognized

checking build system type... i686-pc-linux-gnu
checking for gcc... (cached) gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for fcntl.h... (cached) yes
checking whether time.h and sys/time.h may both be included... (cached) yes
checking for vfprintf... (cached) yes
checking for fseeko... (cached) yes
checking for ftello... (cached) yes
checking for gethostbyname... (cached) yes
checking for socket... (cached) yes
checking for putmsg in -lstr... (cached) no
checking for local pcap library... ../libpcap/libpcap.a
checking for int32_t using gcc... (cached) yes
checking for u_int32_t using gcc... (cached) yes
checking for a BSD compatible install... (cached) /usr/bin/install -c
creating ./config.status
creating Makefile

make -C src
make[1]: Entering directory `/home/md84419/workspaces/tcpslice_1/src'
gcc -O -DHAVE_FCNTL_H=1 -DTIME_WITH_SYS_TIME=1 -DHAVE_VFPRINTF=1 -DHAVE_FSEEKO=1 -DHAVE_FTELLO=1 -DFSEEK=fseeko -DFTELL=ftello -I. -I../libpcap -c ./tcpslice.c
./tcpslice.c:38:21: error: net/bpf.h: No such file or directory
In file included from ./tcpslice.c:56:
./tcpslice.h:23: warning: ‘struct tm’ declared inside parameter list
./tcpslice.h:23: warning: its scope is only this definition or declaration, which is probably not what you want
./tcpslice.c:111: warning: ‘struct tm’ declared inside parameter list
./tcpslice.c: In function ‘parse_time’:
./tcpslice.c:286: warning: initialization makes pointer from integer without a cast
./tcpslice.c:287: error: storage size of ‘t’ isn’t known
./tcpslice.c:322: error: dereferencing pointer to incomplete type
./tcpslice.c:348: error: dereferencing pointer to incomplete type
./tcpslice.c:349: error: dereferencing pointer to incomplete type
./tcpslice.c:350: error: dereferencing pointer to incomplete type
./tcpslice.c:351: error: dereferencing pointer to incomplete type
./tcpslice.c:352: error: dereferencing pointer to incomplete type
./tcpslice.c:353: error: dereferencing pointer to incomplete type
./tcpslice.c: At top level:
./tcpslice.c:384: warning: ‘struct tm’ declared inside parameter list
./tcpslice.c:384: error: conflicting types for ‘fill_tm’
./tcpslice.c:111: note: previous declaration of ‘fill_tm’ was here
./tcpslice.c: In function ‘fill_tm’:
./tcpslice.c:433: error: dereferencing pointer to incomplete type
./tcpslice.c:433: error: dereferencing pointer to incomplete type
./tcpslice.c:440: error: dereferencing pointer to incomplete type
./tcpslice.c:440: error: dereferencing pointer to incomplete type
./tcpslice.c:442: error: dereferencing pointer to incomplete type
./tcpslice.c:442: error: dereferencing pointer to incomplete type
./tcpslice.c:446: error: dereferencing pointer to incomplete type
./tcpslice.c:446: error: dereferencing pointer to incomplete type
./tcpslice.c:450: error: dereferencing pointer to incomplete type
./tcpslice.c:450: error: dereferencing pointer to incomplete type
./tcpslice.c:454: error: dereferencing pointer to incomplete type
./tcpslice.c:454: error: dereferencing pointer to incomplete type
./tcpslice.c: In function ‘timestamp_to_string’:
./tcpslice.c:783: warning: assignment makes pointer from integer without a cast
./tcpslice.c:784: warning: passing argument 2 of ‘strcpy’ makes pointer from integer without a cast
/usr/include/string.h:127: note: expected ‘const char * __restrict__’ but argument is of type ‘int’
./tcpslice.c:789: warning: assignment makes pointer from integer without a cast
./tcpslice.c:791: error: dereferencing pointer to incomplete type
./tcpslice.c:791: error: dereferencing pointer to incomplete type
./tcpslice.c:791: error: dereferencing pointer to incomplete type
./tcpslice.c:792: error: dereferencing pointer to incomplete type
./tcpslice.c:792: error: dereferencing pointer to incomplete type
./tcpslice.c:792: error: dereferencing pointer to incomplete type
./tcpslice.c: At top level:
./tcpslice.c:821: warning: function definition has qualified void return type
make[1]: *** [tcpslice.o] Error 1
make[1]: Leaving directory `/home/md84419/workspaces/tcpslice_1/src'
make: *** [top_all] Error 2

The equivalent works for libpcap and tcpdump - how does one cross-compile tcpslice?

tcpslice coredumps when time is after input

I observed that if I try to extract data from a file in a timerange after what is in the file, then tcpslice coredumps. It is very easy to reproduce, just request a timestamp in the future on any file.

$tcpslice -w /tmp/kjeldbond0.pcap 1450750007 +3600 /tmp/dump/5060-102.lxcbr1.pcap
Segmentation fault (core dumped)
$ utc 1450750007
Result string is "2015-12-22 03:06:47"

may fail to link because does not use pcap-config

When tcpslice tries to link with libpcap that was built with dependencies on libnl, libusb or libdbus, the linking fails because tcpslice does not use pcap-config --libs --static to tell any extra libraries (as tcpdump does):

gcc -O2 -DHAVE_CONFIG_H   -D_U_="__attribute__((unused))" -I. -I./../libpcap   -o tcpslice tcpslice.o gmt2local.o gwtm2secs.o machdep.o search.o sessions.o util.o version.o strlcpy.o ./../libpcap/libpcap.a 
./../libpcap/libpcap.a(pcap-linux.o): In function `nl80211_cleanup':
/home/denis/libpcap/./pcap-linux.c:673: undefined reference to `genl_family_put'
[...]
./../libpcap/libpcap.a(pcap-canusb-linux.o): In function `canusb_close':
/home/denis/libpcap/./pcap-canusb-linux.c:329: undefined reference to `pthread_join'
/home/denis/libpcap/./pcap-canusb-linux.c:333: undefined reference to `libusb_close'
[...]
./../libpcap/libpcap.a(pcap-dbus.o): In function `dbus_write':
/home/denis/libpcap/./pcap-dbus.c:114: undefined reference to `dbus_message_demarshal'
[...]
collect2: error: ld returned 1 exit status
Makefile:92: recipe for target 'tcpslice' failed
make: *** [tcpslice] Error 1

This is a low-priority issue, but whoever would be willing to work on it should consider moving tcpslice-specific source files (gwtm2secs.c, search.c, sessions.c, tcpslice.c, util.c, version.c and vfprintf.c) into the tcpdump repository to avoid duplicate maintenance work in future.

Segfaults on pcapng file

tcpslice test.pcap-ng -w a
zsh: segmentation fault  tcpslice test.pcap-ng -w a
% tcpslice --version
Version 1.2a3
Usage: tcpslice [-DdlRrt] [-w file] [start-time [end-time]] file ...

The file was produced by tshark and is correctly parsed by http://wiki.wireshark.org/Development/PcapNg?action=AttachFile&do=view&target=ntartest.c

% lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty

% uname  -a
Linux mortician.tsuru.it 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:36:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

(even if file is corrupted/in unsupported format it shouldn't just segfault)
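Three of the reports on this page (the one-packet file that trips "problems finding end packet", the time window that lies after the capture, and the pcapng file that segfaults) are all failures of the same piece of logic: walking a savefile's record headers to find the first and last packet and to decide which packets fall in the requested window. The program below is an added example, not tcpslice's or libpcap's own code, of how that walk can be written so that each of those inputs produces a result or an error code instead of a crash. The classic pcap layout it parses (24-byte file header, 16-byte record headers, magic 0xa1b2c3d4 or 0xa1b23c4d in either byte order, pcapng files beginning with a Section Header Block of type 0x0a0d0d0a) is the public format; the sample files, timestamps and function names are constructed for the example.

```c
/* Added example, not tcpslice's or libpcap's own code: a bounds-checked reader
 * for the classic pcap savefile format that fails cleanly on the inputs the
 * issues above describe.  It rejects pcapng and unknown magic with an error
 * code, finds the first and last packet of a file that holds a single packet,
 * and counts packets in a [start, end] window, returning 0 when the window
 * lies entirely after the capture.  All sample files are constructed in memory. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pcap_status { PCAP_OK = 0, PCAP_ERR_SHORT, PCAP_ERR_MAGIC,
                   PCAP_ERR_PCAPNG, PCAP_ERR_TRUNC, PCAP_ERR_EMPTY };

struct pkt_span { uint32_t first_sec, last_sec; size_t count; };

/* Constructed pcapng Section Header Block (28 bytes, little-endian, no options);
 * its block type 0x0a0d0d0a reads the same in either byte order. */
static const uint8_t sample_pcapng_shb[28] = {
    0x0a,0x0d,0x0d,0x0a, 0x1c,0x00,0x00,0x00, 0x4d,0x3c,0x2b,0x1a, 0x01,0x00,0x00,0x00,
    0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff, 0x1c,0x00,0x00,0x00 };

static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    return swap ? ((v & 0xffu) << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24) : v;
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Call cb once per record.  Every length is checked against the buffer before
 * it is used, so a truncated file or a lying caplen cannot read past the end. */
static enum pcap_status pcap_walk(const uint8_t *buf, size_t len,
                                  void (*cb)(uint32_t ts_sec, void *ctx), void *ctx) {
    if (len < 24) return PCAP_ERR_SHORT;                 /* no complete file header */
    uint32_t magic = rd32(buf, 0);
    int swap;
    if (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du) swap = 0;     /* host order, us/ns */
    else if (magic == 0xd4c3b2a1u || magic == 0x4d3cb2a1u) swap = 1; /* other byte order */
    else if (magic == 0x0a0d0d0au) return PCAP_ERR_PCAPNG;          /* pcapng SHB */
    else return PCAP_ERR_MAGIC;
    for (size_t off = 24; off < len; ) {
        if (len - off < 16) return PCAP_ERR_TRUNC;       /* partial record header */
        uint32_t ts_sec = rd32(buf + off, swap);
        uint32_t incl   = rd32(buf + off + 8, swap);
        off += 16;
        if (incl > len - off) return PCAP_ERR_TRUNC;     /* caplen runs past EOF */
        cb(ts_sec, ctx);
        off += incl;
    }
    return PCAP_OK;
}

static void span_cb(uint32_t ts, void *ctx) {
    struct pkt_span *s = ctx;
    if (s->count == 0) s->first_sec = ts;             /* one packet: first == last */
    s->last_sec = ts;
    s->count++;
}
/* Timestamps of the first and last packet; PCAP_ERR_EMPTY for a header-only file. */
enum pcap_status pcap_span(const uint8_t *buf, size_t len, struct pkt_span *out) {
    memset(out, 0, sizeof *out);
    enum pcap_status st = pcap_walk(buf, len, span_cb, out);
    return st != PCAP_OK ? st : (out->count ? PCAP_OK : PCAP_ERR_EMPTY);
}

struct win { uint32_t start, end; size_t n; };
static void win_cb(uint32_t ts, void *ctx) {
    struct win *w = ctx;
    if (ts >= w->start && ts <= w->end) w->n++;
}
/* Packets with start <= ts_sec <= end; a window after the capture gives 0, not a crash. */
enum pcap_status pcap_count_in_window(const uint8_t *buf, size_t len,
                                      uint32_t start, uint32_t end, size_t *n) {
    struct win w = { start, end, 0 };
    enum pcap_status st = pcap_walk(buf, len, win_cb, &w);
    *n = w.n;
    return st;
}

/* Build a little-endian classic pcap (constructed test input) with one record
 * carrying a 4-byte dummy payload per timestamp.  Returns bytes written, 0 if cap is too small. */
size_t build_pcap_le(uint8_t *out, size_t cap, const uint32_t *ts_sec, size_t n) {
    size_t need = 24 + n * 20, off = 24;
    if (cap < need) return 0;
    memset(out, 0, need);
    wr32le(out, 0xa1b2c3d4u);
    out[4] = 2; out[6] = 4;                           /* version 2.4 */
    wr32le(out + 16, 65535);                          /* snaplen */
    wr32le(out + 20, 1);                              /* DLT_EN10MB */
    for (size_t i = 0; i < n; i++, off += 20) {
        wr32le(out + off, ts_sec[i]);                 /* ts_sec; ts_usec stays 0 */
        wr32le(out + off + 8, 4);                     /* incl_len */
        wr32le(out + off + 12, 4);                    /* orig_len */
        memcpy(out + off + 16, "\xde\xad\xbe\xef", 4);
    }
    return off;
}

int main(void) {
    uint8_t buf[64];
    uint32_t ts = 1450746407u;   /* one hour before the 1450750007 start used in the report */
    size_t len = build_pcap_le(buf, sizeof buf, &ts, 1), n;
    struct pkt_span s;
    enum pcap_status st = pcap_span(buf, len, &s);
    printf("one-packet file: status %d, first %u, last %u, count %zu\n", st, s.first_sec, s.last_sec, s.count);
    pcap_count_in_window(buf, len, 1450750007u, 1450750007u + 3600u, &n);
    printf("window after the capture: %zu packets\n", n);
    st = pcap_span(sample_pcapng_shb, sizeof sample_pcapng_shb, &s);
    printf("pcapng input: status %d (PCAP_ERR_PCAPNG is %d)\n", st, PCAP_ERR_PCAPNG);
    return 0;
}
```

The two design points worth carrying over to any savefile tool are in `pcap_walk`: the magic check distinguishes "this is pcapng" from "this is garbage" so the caller can print a useful message, and both length checks are done as subtractions from the remaining length (`len - off`) rather than additions to the offset, which cannot overflow even for a hostile `incl_len`.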

Missing CPPFLAGS variable in Makefile.in

During the compilation of the tcpslice .deb package I use blhc to check for hardening issues.
Absence of CPPFLAGS was pointed out:

# blhc --all --debian ../tcpslice_1.3-1_amd64.build
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fdebug-prefix-map=/PKGS/tcpslice/tcpslice=. -fstack-protector-strong -Wformat -Werror=format-security -c version.c

I don't know if it's the most suitable approach, but I solved it with the following patch:

Index: tcpslice / Makefile.in
================================================== =================
--- tcpslice.orig / Makefile.in
+++ tcpslice / Makefile.in
@@ -127.7 +127.7 @@ $ (PROG): $ (OBJ) @ V_PCAPDEP @
         $ (CC) $ (FULL_CFLAGS) $ (LDFLAGS) -o $ @ $ (OBJ) $ (LIBS)
 
  version.o: version.c
- $ (CC) $ (CFLAGS) -c version.c
+ $ (CC) $ (CFLAGS) $ (CPPFLAGS) -c version.c
 
  version.c: $ (srcdir) / VERSION
         @rm -f $ @
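Review bot: the `+` line fixes the blhc finding, but the version.o rule still compiles with bare `$(CFLAGS)` plus the new `$(CPPFLAGS)`, while the link rule at the top of the hunk uses `$(FULL_CFLAGS)`; if FULL_CFLAGS is the variable that carries the configure-generated defines and include paths together with CPPFLAGS, then `$(CC) $(FULL_CFLAGS) -c version.c` would give version.o the same flag set as every other object instead of a second, partial list that has to be kept in sync by hand. Separately, the hunk as shown has spaces inside the make expansions (`$ (CC)`, `$ @`) and a dot in the hunk header (`@@ -127.7 +127.7 @@`), which looks like formatting damage from the page rather than the submitted patch; a patch in this form would not apply, so the clean version should be checked before it is merged.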

fails to build on OmniOS using Clang 13 and 14

$ uname -a
SunOS tcpdump 5.11 omnios-r151042-7577932f27 i86pc i386 i86pc

$ clang-13 --version
OmniOS/151042 clang version 13.0.1
Target: x86_64-pc-solaris2.11
Thread model: posix
InstalledDir: /opt/ooce/bin

$ clang-14 --version
OmniOS/151042 clang version 14.0.0
Target: x86_64-pc-solaris2.11
Thread model: posix
InstalledDir: /opt/ooce/bin

$ gmake -s clean
$ gmake -s CFLAGS=-Werror
clang-14: error: '-fuse-ld=' taking a path is deprecated; use '--ld-path=' instead [-Werror,-Wfuse-ld-path]
gmake: *** [Makefile:129: tcpslice] Error 1
