I found that -n affects the src and dest IPs and -nn will add the port numbers.
Note the newly added second field after the datetime stamp.
Courtney and Trojan PERLs will have to change the line[] array to add 1 to each 
position _after 0.
line[1] becomes line[2], etc.

...ken

**************************
Another problem is that the -e flag doesn't work correctly. For an outgoing
packet the source MAC address is 0:0:0:0:0:0, for an incoming packet the
destination MAC address is 0:0:0:0:0:1. I have this problem with
tcpdump-3.4-16; with tcpdump-3.4-10 copied from another machine the source
and destination addresses are correct.

John Comeau wrote:

> Another nice gotcha is that -p now means the opposite of its old
> behavior (and what its manpage still reads): rather than disabling
> promiscuous mode, it now enables same (default is now nonpromiscuous -
> all you'll see is your own traffic plus broadcast and multicast) - jc
>
> Renaud Deraison wrote:
> >
> > RedHat 6.1 comes bundled with a modified version of tcpdump, which has
> > the ability to listen on all the interfaces at once, which is nice.
> >
> > However, the output format has changed. Whereas a typical tcpdump
> > line was :
> >
> > time source.port > dest.port:[.....]
> >
> > It is now :
> >
> > time interface > source.port > dest.port:[....]
> > or
> > time interface < source.port > dest.port:[....]
> >
> > If you explicitly ask tcpdump to listen on one interface, the
> > output will be :
> >
> > time > source.port > dest.port:[....]
> > or
> > time < source.port > dest.port:[....]
> >
> > Also, the 'port' is no longer a numeric value. It is taken from
> > /etc/services, even with the -n option set.
> >
> > This new behavior will make a lot of programs that use tcpdump's
> > output panic or produce bogus output. I think shadow is affected,
> > but it's not the only one.
> >
> > I have been looking through the man page, and I could not find an option
> > to issue a backward-compatible output. What is worse is that
> > tcpdump --version will show the same version number (3.4) as
> > the older tcpdumps, so this problem will only be detected at runtime.
> >
> > So, if you have written your own custom scripts or if some of the programs
> > you use are relying on tcpdump, then install the tcpdump that comes
> > bundled with RH 6.0, or modify your scripts so that they can handle this
> > modification.
> >
> >                                 -- Renaud
> >
> > (apologies if this was already known)
> >
> > --
> > Renaud Deraison
> > The Nessus Project
> > http://www.nessus.org
>
> --
> John Comeau - Chief Operating Officer
> Dialtone Internet - Extremely Fast Web Systems
> 954-581-0097  fax://954-581-7629
> [EMAIL PROTECTED]
> http://www.dialtoneinternet.net

--
François MORRIS                Lab. Minéralogie-Cristallographie,
4, place Jussieu               F-75252 PARIS
Phone: +33 (0) 1 44 27 52 42   Fax: +33 (0) 1 44 27 37 85
E-mail: [EMAIL PROTECTED] URL: http://www.lmcp.jussieu.fr/~morris
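An added example, not code from this thread nor from shadow, Courtney or any other program mentioned in it: a small Python filter that parses both the classic tcpdump line format and the RedHat 6.1 variants Renaud quotes (leading interface name and/or '<'/'>' direction marker, service names instead of port numbers) and re-emits classic lines with numeric ports. Piping the new tcpdump through it lets a script that hard-codes field positions, such as the line[] indices Ken describes shifting, read either output unchanged. The sample lines, the script name tcpdump_compat.py and the fallback service table are constructed for this example; with -nn, as Ken notes, the name lookup path is not needed.

```python
"""Normalise tcpdump text output to the classic "time src.port > dst.port:" form.

Accepts the classic line format as well as the RedHat 6.1 variants described
in this thread (a leading interface name and/or '<'/'>' direction marker, and
service names printed instead of port numbers) so that downstream scripts can
keep reading fixed field positions. Example code, not part of the thread.
"""
import socket
import sys
from typing import List, NamedTuple, Optional


class Endpoint(NamedTuple):
    host: str
    port: int


class Packet(NamedTuple):
    time: str
    iface: Optional[str]       # interface name in the multi-interface form, else None
    direction: Optional[str]   # '>' outgoing, '<' incoming, None in the classic form
    src: Endpoint
    dst: Endpoint
    rest: str                  # everything after "dst.port:" (flags, seq numbers, ...)


# Constructed fallback for service names that the patched tcpdump prints even
# under -n. socket.getservbyname() consults /etc/services; this table is only
# used when that lookup fails (e.g. in a minimal container).
FALLBACK_SERVICES = {"www": 80, "http": 80, "domain": 53, "smtp": 25, "ssh": 22}


def port_number(token: str) -> int:
    """Turn a numeric port or an /etc/services name into an integer port."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token)
    except OSError:
        pass
    if token in FALLBACK_SERVICES:
        return FALLBACK_SERVICES[token]
    raise ValueError(f"unknown service name {token!r}")


def parse_endpoint(token: str) -> Endpoint:
    """Split 'host.port' on its last dot; the host part may itself contain dots."""
    host, sep, port = token.rpartition(".")
    if not sep:
        raise ValueError(f"no port in endpoint {token!r}")
    return Endpoint(host, port_number(port))


def parse_line(line: str) -> Packet:
    """Parse one tcpdump line in any of the formats quoted in the thread."""
    tokens = line.split()
    # The destination is the first token (after time, src and '>') ending in ':'.
    # The token before it must be '>' and the one before that is the source;
    # whatever sits between the timestamp and the source is the variant prefix.
    j = next((i for i in range(3, len(tokens)) if tokens[i].endswith(":")), None)
    if j is None or tokens[j - 1] != ">":
        raise ValueError(f"no 'src > dst:' pair in line: {line!r}")
    src = parse_endpoint(tokens[j - 2])
    dst = parse_endpoint(tokens[j][:-1])
    prefix = tokens[1:j - 2]
    iface = direction = None
    if len(prefix) == 1 and prefix[0] in ("<", ">"):
        direction = prefix[0]                 # single interface: "time > src > dst:"
    elif len(prefix) == 2 and prefix[1] in ("<", ">"):
        iface, direction = prefix             # all interfaces: "time eth0 < src > dst:"
    elif prefix:
        raise ValueError(f"unrecognised prefix {prefix} in line: {line!r}")
    return Packet(tokens[0], iface, direction, src, dst, " ".join(tokens[j + 1:]))


def to_classic(pkt: Packet) -> str:
    """Render a Packet in the classic format with numeric ports."""
    return (f"{pkt.time} {pkt.src.host}.{pkt.src.port} > "
            f"{pkt.dst.host}.{pkt.dst.port}: {pkt.rest}")


def normalise(lines: List[str]) -> List[str]:
    """Convert every parseable line; unparseable lines are passed through untouched."""
    out = []
    for line in lines:
        try:
            out.append(to_classic(parse_line(line)))
        except ValueError:
            out.append(line.rstrip("\n"))
    return out


# Constructed sample lines covering the four shapes named in the thread.
SAMPLE_LINES = [
    "12:00:00.000001 10.0.0.1.1234 > 10.0.0.2.80: S 1:1(0) win 512",
    "12:00:00.000002 eth0 > 10.0.0.1.1234 > 10.0.0.2.www: S 1:1(0) win 512",
    "12:00:00.000003 eth0 < 10.0.0.2.www > 10.0.0.1.1234: S 9:9(0) ack 2 win 512",
    "12:00:00.000004 < 10.0.0.3.domain > 10.0.0.1.5353: 1 A? example.test. (31)",
]

if __name__ == "__main__":
    # Usage: tcpdump -nn ... | python3 tcpdump_compat.py | old_script
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for out_line in normalise(list(source)):
        print(out_line)
```

The interface and direction fields are kept in the Packet so a script that wants them (for example to tell traffic seen on an internal interface from traffic on the external one) can use them, while to_classic() drops them for consumers that expect the old layout. Lines the parser does not understand are passed through unchanged rather than dropped, so nothing disappears silently from the log.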
