Re: [tcpdump-workers] pcap file format documentation
> Offhand I'd say this has nothing to do with truncation, since the truncated packet shouldn't be included in the clean pcap file. My guess would be that you've found a bug in one of ethereal's protocol dissectors.

Jefferson,

I finally got a chance to work on this. You are correct, there was no truncation. I wrote a quick script to read through them all, and all payload sizes match up, and there are no partial headers in the file, so my next step will be to look at the Ethereal dissectors. Thanks for the help. Hopefully, I'll be allowed to send in the patch.

Regards,
Don

- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] pcap file format documentation
On Mar 24, 2006, at 1:35 PM, Don Morrison wrote:
> My apologies, what I said was incorrect. Running the command does not crash tcpdump, but the output file (clean.pcap) will crash Ethereal, so while both files are clean enough for tcpdump to display and not crash, not so for Ethereal.

That doesn't mean that the problem is a result of an incomplete record at the end of the file; tcpdump and Ethereal can handle those OK. The problem is probably a crash in some dissector, due to a bug in the dissector. You should submit that to the Ethereal bugzilla at bugs.ethereal.com - preferably with a stack trace. Note that without a stack trace or a capture, it's unlikely that anybody will be able to do anything about it - there are 997,557 lines in all the .c and .h files in the directory containing Ethereal dissectors (stated as such because that counts comments, blank lines, etc.).

If broken.pcap caused a crash or hang in tcpdump (when printing its output, not when writing it to a file with -w), there might be a bug in a tcpdump dissector as well. Note that the crash might be due to a *non*-truncated packet.
Re: [tcpdump-workers] pcap file format documentation
On 03/24/2006 04:35 PM, Don Morrison wrote:
>>>> The trivial way to fix a truncated pcap file: tcpdump -r broken.pcap -w clean.pcap
>>> I tried this method, but it hangs tcpdump.
>> That would be a bug in tcpdump. Why don't you send an example pcap file along that does this (or post it to a web or FTP site and send a URL), and state what version of tcpdump you are using. You did run tcpdump with no options other than -r and -w, right?
> My apologies, what I said was incorrect. Running the command does not crash tcpdump, but the output file (clean.pcap) will crash Ethereal, so while both files are clean enough for tcpdump to display and not crash, not so for Ethereal.

Offhand I'd say this has nothing to do with truncation, since the truncated packet shouldn't be included in the clean pcap file. My guess would be that you've found a bug in one of ethereal's protocol dissectors.

Just for grins, have you tried tethereal? Also, have you identified exactly what packet ethereal/tethereal crashes on? If so, extract just that packet from the pcap file into a separate pcap and see if it still crashes ethereal. There is at least one tool for noising up pcap files so it's fairly safe to release to others without fear that it might contain private data.

> Why am I using Ethereal? :) UMA decodes. Unfortunately, I cannot send you the pcap file because it would be a violation of my contract with the telecom I work for.

Understood.

> Thanks very much for your help.

No problem.

--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear. --National Park Service
Re: [tcpdump-workers] pcap file format documentation
> Offhand I'd say this has nothing to do with truncation, since the truncated packet shouldn't be included in the clean pcap file. My guess would be that you've found a bug in one of ethereal's protocol dissectors.

Relax guys :) I'll send you the answer when I have time to fix it, jeez. ;) I only had like 30 minutes to look at the problem today.

The reason why I suspect truncation is the following. When I use tethereal in my script, it cannot both output the text summary lines and write to file at the same time. Instead of hacking my own version of tethereal, I did (not showing all options here):

tethereal -i eth0 -w - | tee filename | tethereal -i -

I think when this pipeline gets torn down, sometimes a partial packet is written. Could it instead be a crashing dissector? Sure could be... I will then poke a stick at the hornet's nest that is the Ethereal mailing list. ;)
Re: [tcpdump-workers] pcap file format documentation
Hi Jefferson,

Sorry, I have been home sick with the flu for 3 days. I will get to this tomorrow hopefully.

Don

On 3/23/06, Jefferson Ogata [EMAIL PROTECTED] wrote:
> On 03/20/2006 04:18 AM, Don Morrison wrote:
> [top posting fixed YET again]
>> On 3/20/06, Jefferson Ogata [EMAIL PROTECTED] wrote:
>>> On 03/20/2006 02:01 AM, Don Morrison wrote:
>>> [top posting fixed again]
>>>> I tried this method, but it hangs tcpdump.
>>> That would be a bug in tcpdump. Why don't you send an example pcap file along that does this (or post it to a web or FTP site and send a URL), and state what version of tcpdump you are using.
>> The files are at work, so I'll have to reply in the morning.
>> -Don
> Don, did you want to point us at one of your problem files?
>
> --
> Jefferson Ogata [EMAIL PROTECTED]
> NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
> Never try to retrieve anything from a bear. --National Park Service
Re: [tcpdump-workers] pcap file format documentation
On 03/20/2006 02:01 AM, Don Morrison wrote:
[top posting fixed again]
> On 3/19/06, Jefferson Ogata [EMAIL PROTECTED] wrote:
>> The trivial way to fix a truncated pcap file: tcpdump -r broken.pcap -w clean.pcap
> I tried this method, but it hangs tcpdump.

That would be a bug in tcpdump. Why don't you send an example pcap file along that does this (or post it to a web or FTP site and send a URL), and state what version of tcpdump you are using. You did run tcpdump with no options other than -r and -w, right?

--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear. --National Park Service
[tcpdump-workers] pcap file format documentation
Hello,

Is there documentation describing the pcap file formats (other than the libpcap source)?

Thanks,
Don
Re: [tcpdump-workers] pcap file format documentation
It may be worth noting (AFAIK) the libpcap file format is intended to be opaque, with access for reading/writing provided only by libpcap itself. This allows the implementation of the file format to be changed by the libpcap maintainers, while remaining transparent to the user. If you write your own code to read/write the current libpcap file format it may not deal with older files or with potential new changes (aka pcap-ng, pcap 1.0, NTAR etc).

Stephen.

On Sun, 2006-03-19 at 17:59 -0800, Don Morrison wrote:
> Hello,
>
> Is there documentation describing the pcap file formats (other than the libpcap source)?
>
> Thanks,
> Don

--
---
Stephen Donnelly BCMS PhD          email: [EMAIL PROTECTED]
Endace Technology Ltd              phone: +64 7 839 0540
Hamilton, New Zealand              cell:  +64 21 1104378
---
Re: [tcpdump-workers] pcap file format documentation
Hi Don,

That sounds quite likely. This may well be a case where you need to edit the file directly, and it seems unlikely that the compatibility issues I mentioned would be a problem. Alternatively, have you looked to see if NetDude will do what you want?

Stephen.

On Sun, 2006-03-19 at 20:43 -0800, Don Morrison wrote:
> Hi Stephen,
>
> Here's the problem. I'm dealing with corrupted pcap files, where the last packet was partially written, but it's not of interest and all I want to do is truncate the last packet. My assumption is that libpcap's API will not allow me to deal with this since programs that are dependent on it (tcpdump, ethereal) hang when attempting to open any such file. Is this assumption incorrect?
>
> Thanks,
> Don
>
> On 3/19/06, Stephen Donnelly [EMAIL PROTECTED] wrote:
>> It may be worth noting (AFAIK) the libpcap file format is intended to be opaque, with access for reading/writing provided only by libpcap itself. This allows the implementation of the file format to be changed by the libpcap maintainers, while remaining transparent to the user. If you write your own code to read/write the current libpcap file format it may not deal with older files or with potential new changes (aka pcap-ng, pcap 1.0, NTAR etc).
>>
>> Stephen.
>>
>> On Sun, 2006-03-19 at 17:59 -0800, Don Morrison wrote:
>>> Hello,
>>>
>>> Is there documentation describing the pcap file formats (other than the libpcap source)?
>>>
>>> Thanks,
>>> Don

--
---
Stephen Donnelly BCMS PhD          email: [EMAIL PROTECTED]
Endace Technology Ltd              phone: +64 7 839 0540
Hamilton, New Zealand              cell:  +64 21 1104378
---
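The thread turns on three small tasks that none of the posters show code for: Don's "quick script" that walked the records and checked that every payload size matched its header, his original goal of dropping a last record that was only partially written when the capture pipeline was torn down, and Jefferson's suggestion of extracting the single packet a dissector chokes on into its own file. The script below is an added example written for this page; it is not Don's script, not libpcap, and not code from any project named in the thread. It reads only the classic libpcap format (24-byte global header, 16-byte per-record headers, all four magic-number variants), not pcap-ng, and the file names in the usage line are placeholders. The sample capture it builds is constructed, not a real trace.

```python
import struct
import sys
from typing import List, Tuple

GLOBAL_HDR_LEN = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len

# Classic libpcap magic numbers, keyed by the value obtained when the first four
# bytes are read little-endian; the value is the struct byte-order prefix to use.
_MAGICS = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian file, nanosecond timestamps
}


class PcapFormatError(ValueError):
    """Raised when the bytes are not a classic pcap file or a record header is implausible."""


def parse_global_header(data: bytes) -> Tuple[str, int]:
    """Return (struct byte-order prefix, snaplen) from the 24-byte global header."""
    if len(data) < GLOBAL_HDR_LEN:
        raise PcapFormatError("file shorter than the 24-byte global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise PcapFormatError("not a classic pcap file (magic 0x%08x)" % magic)
    order = _MAGICS[magic]
    _magic, _vmaj, _vmin, _tz, _sigfigs, snaplen, _linktype = struct.unpack(
        order + "IHHiIII", data[:GLOBAL_HDR_LEN])
    return order, snaplen


def scan_records(data: bytes) -> Tuple[List[Tuple[int, int]], int]:
    """Walk the packet records in file order.

    Returns ([(offset, record_length), ...], trailing_bytes): one entry per complete
    record, plus the number of bytes after the last complete record (0 for a clean
    file; a partial record header or a cut-off payload both show up here).
    """
    order, snaplen = parse_global_header(data)
    records: List[Tuple[int, int]] = []
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[off:off + RECORD_HDR_LEN])
        # A record claiming more captured bytes than snaplen is corrupt, not merely
        # truncated; stop rather than let a bogus length walk the scan into garbage.
        if incl_len > snaplen:
            raise PcapFormatError("record at offset %d claims %d bytes, snaplen is %d"
                                  % (off, incl_len, snaplen))
        end = off + RECORD_HDR_LEN + incl_len
        if end > len(data):
            break  # payload cut off mid-write (e.g. a torn-down capture pipeline)
        records.append((off, end - off))
        off = end
    return records, len(data) - off


def clean_pcap(data: bytes) -> Tuple[bytes, int]:
    """Return (global header + every complete record, number of trailing bytes dropped)."""
    records, trailing = scan_records(data)
    keep = records[-1][0] + records[-1][1] if records else GLOBAL_HDR_LEN
    return data[:keep], trailing


def extract_packet(data: bytes, index: int) -> bytes:
    """Return a one-packet pcap holding record `index` (0-based) under the original
    global header, so a single suspect packet can be fed to a dissector on its own."""
    records, _ = scan_records(data)
    off, length = records[index]
    return data[:GLOBAL_HDR_LEN] + data[off:off + length]


def _record(order: str, ts_sec: int, payload: bytes) -> bytes:
    return struct.pack(order + "IIII", ts_sec, 0, len(payload), len(payload)) + payload


def build_sample(order: str = "<") -> bytes:
    """Constructed test data (not a real capture): a microsecond-timestamp pcap with
    linktype 1 (Ethernet), two complete records, and a third record cut off 37 bytes
    into its 100-byte payload."""
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkt1 = _record(order, 1143000000, b"\x00" * 60)
    pkt2 = _record(order, 1143000001, b"\x11" * 42)
    pkt3 = _record(order, 1143000002, b"\x22" * 100)
    return hdr + pkt1 + pkt2 + pkt3[:RECORD_HDR_LEN + 37]


if __name__ == "__main__":
    # Usage: python pcapfix.py broken.pcap clean.pcap   (file names are placeholders)
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    cleaned, dropped = clean_pcap(src)
    print("complete records: %d, trailing bytes dropped: %d"
          % (len(scan_records(cleaned)[0]), dropped))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(cleaned)
```

Two design points worth noting. The scan stops at the first record whose payload runs past end-of-file, which is exactly the case Don describes (a last record that was only partly flushed), and it reports the leftover byte count so you can tell a clipped header from a clipped payload. It also refuses to trust an `incl_len` larger than the header's snaplen, because that is corruption somewhere in the middle of the file rather than truncation at the end, and silently skipping over it would produce a "clean" file that still carries the damaged record into whatever tool reads it next.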