Re: [tcpdump-workers] IP range implementation given an IP address and subnet mask

2011-11-27 Thread Andrej van der Zee
> I would like to implement an IP address range filter similar to the
> BPF capture filter that takes an IP address and subnet mask (like in
> "net 192.168.0.0 and mask 255.255.255.0"). What would be the best way
> to calculate this in C? Or in which file can I find the BPF
> implementation of this

[tcpdump-workers] IP range implementation given an IP address and subnet mask

2011-11-27 Thread Andrej van der Zee
Hi, I would like to implement an IP address range filter similar to the BPF capture filter that takes an IP address and subnet mask (like in "net 192.168.0.0 and mask 255.255.255.0"). What would be the best way to calculate this in C? Or in which file can I find the BPF implementation of this expr

Re: [tcpdump-workers] libpcap and certificates

2011-10-07 Thread Andrej van der Zee
> Actually the SourceForge repository has more recent activity:
>
>    http://sourceforge.net/projects/ssldump/develop

Thanks, ssldump seems like a good starting point.

Cheers,
Andrej
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] libpcap and certificates

2011-10-05 Thread Andrej van der Zee
>> I would like to ask if somebody could point me to information on how to
>> hook up libpcap to sniff a secure website on HTTPS. I understand I
>> have to decrypt the packets probably using openssl, but I wonder if
>> there is some howto to guide me. I am on the latest Ubuntu.
>
> Last I checked,

[tcpdump-workers] libpcap and certificates

2011-10-05 Thread Andrej van der Zee
Hi, I would like to ask if somebody could point me to information on how to hook up libpcap to sniff a secure website on HTTPS. I understand I have to decrypt the packets probably using openssl, but I wonder if there is some howto to guide me. I am on the latest Ubuntu. Cheers, Andrej

Re: [tcpdump-workers] only outbound traffic

2011-04-29 Thread Andrej van der Zee
Hi,

> Why would an "offset" keyword be better in the filtering language than, say,
> the "vlan" keyword it already has? You'd still have to do the same sort of
> special stuff, but it'd be a more manual operation. (I.e., why would saying
> "offset {length of VLAN tag}" be better than "vlan

Re: [tcpdump-workers] pcap anonymizer

2011-04-29 Thread Andrej van der Zee
With tcprewrite you can change IPs too. Not sure if it updates checksums though...

Andrej

Re: [tcpdump-workers] only outbound traffic

2011-04-28 Thread Andrej van der Zee
Hi,

> Does this help?
>
> https://blog.wireshark.org/2009/10/capture-filters-and-offsets

Yes it does. Makes me wonder though why BPF was not extended with an "offset" keyword. Thanks for the link!

Andrej

Re: [tcpdump-workers] only outbound traffic

2011-04-28 Thread Andrej van der Zee
Hi,

> I have a ProCurve J9021A Switch 2810-24G and configured port A to be
> mirrored to port B. When I run tcpdump on port B, I can only see the
> outgoing traffic on port A, but no incoming traffic at all! The
> configuration menu of the switch does not have any options for egress
> and/or ingre

[tcpdump-workers] only outbound traffic

2011-04-28 Thread Andrej van der Zee
Hi, I am facing an issue that I cannot solve... I was hoping somebody could get me back on track... I have a ProCurve J9021A Switch 2810-24G and configured port A to be mirrored to port B. When I run tcpdump on port B, I can only see the outgoing traffic on port A, but no incoming traffic at all!

[tcpdump-workers] DCERPC

2011-04-13 Thread Andrej van der Zee
Hi, I wrote a sniffer using libpcap that re-assembles TCP streams to enable HTTP request/response re-assembly. It works fine except when DCERPC-packets are found in the middle of a data-transfer between an HTTP client and server (example of such a DCERPC-packet see below, captured with Wireshark).

Re: [tcpdump-workers] live capture Ethernet gives me zero-packets

2011-04-04 Thread Andrej van der Zee
Hi Guy,

Thanks for the email.

> (No, the "any" device doesn't give you Ethernet packets, even if, at the
> time you start the capture, the only interfaces on your machine are Ethernet
> interfaces. If you want to capture on a particular Ethernet device, use its
> name, e.g. "eth0", in which cas

[tcpdump-workers] live capture Ethernet gives me zero-packets

2011-04-03 Thread Andrej van der Zee
Hi, I am trying to get started with a live capture using libpcap. Somehow I cannot get the contents of a packet. It seems that all bytes are zeroed. Here is the source code: #include #include #include void callback(u_char * user, const struct pcap_pkthdr* pkthdr, const u_char * pkt) { fprin

Re: [tcpdump-workers] reconstruct HTTP requests in custom sniffer

2011-01-10 Thread Andrej van der Zee
Hi Cedric,

> Support for TCP segmentation as well as new parsers that use this
> feature should be pushed before end of week. Concerning the capture of
> POST messages we should probably start working on this in February (this
> is a small company so no schedule is ever definitive, so no promise)

Re: [tcpdump-workers] reconstruct HTTP requests in custom sniffer

2011-01-08 Thread Andrej van der Zee
Hi Cedric,

> TCP reordering, IP fragmentation and buffering of stream is not present on
> github yet but is implemented and is being reviewed. I can push on github if
> you want to have a look. Concerning HTTP, for now we only fetch hostname and
> URL but were asked to capture the whole req

Re: [tcpdump-workers] reconstruct HTTP requests in custom sniffer

2011-01-07 Thread Andrej van der Zee
Hi Cedric,

> Looks very similar to :
>
> http://github.com/securactive/junkie
>

Is the intention of junkie to follow TCP streams and reassemble complete HTTP requests/responses from the packets? How far is this implemented?

> if you can live with the AGPL, maybe we could join forces ?
>

At f

Re: [tcpdump-workers] reconstruct HTTP requests in custom sniffer

2010-12-28 Thread Andrej van der Zee
Hi,

> I have implemented a HTTP parser one year ago. I remembered that when the
> parser calculates the request-response latency, inspects the interested
> fields but does not record or dump them, the speed will reach about 2Gbps on
> a single core, and 8 Gbps on 6 cores.

I think a 0.05Mpps parser i

Re: [tcpdump-workers] reconstruct HTTP requests in custom sniffer

2010-12-28 Thread Andrej van der Zee
Hi,

> See urlsnarf:
>
> http://monkey.org/~dugsong/dsniff/
>
> I don't think it does POST data but it may be a good starting point.
>

Thanks, this seems to be very useful. It uses libnids which *hopefully* enables me to re-assemble the HTTP request + POST data from raw packets with little effor

[tcpdump-workers] reconstruct HTTP requests in custom sniffer

2010-12-28 Thread Andrej van der Zee
Hi, I am asked to write a custom sniffer with libpcap on Linux that has to handle a load of 50.000 packets per second. The sniffer has to detect all HTTP requests and dump the URI with additional information, such as request size and possibly response time/size. The packets, destined for the load-

Re: [tcpdump-workers] tcpdump and timestamps

2010-11-09 Thread Andrej van der Zee
Hi Gary,

Thank you for your clear reply, as always.

> WinDump, the Windows port of tcpdump, uses WinPcap, the Windows port of
> libpcap.  The time stamps come from the WinPcap driver, which might,
> depending on how it's configured, read the system clock for each packet, or
> might read it w

[tcpdump-workers] tcpdump and timestamps

2010-11-09 Thread Andrej van der Zee
Hi, Today I received a tcpdump file from a client with timestamps that did not correspond to the system clock. If I remember correctly, tcpdump does not store complete timestamps but only a delta compared to the first timestamp. I guess tcpdump does not read the system clock every time, but has it

Re: [tcpdump-workers] sniffing HTTP traffic to load-balancer on a

2010-11-02 Thread Andrej van der Zee
wrote:

> On Nov 2, 2010, at 12:05 AM, Andrej van der Zee wrote:
>
>> The idea is to sniff all incoming/outgoing traffic on the WAN side of
>> the load-balancer,
>
> Is the "WAN side" implemented as:
>
>        some form of WAN (a T{n} or E{n} serial line, o

Re: [tcpdump-workers] sniffing HTTP traffic to load-balancer on a

2010-11-02 Thread Andrej van der Zee
load-balancer. Does this change anything regarding the use of "port mirroring"?

Cheers,
Andrej

On Tue, Nov 2, 2010 at 3:44 PM, Guy Harris wrote:
>
> On Nov 1, 2010, at 8:57 PM, Andrej van der Zee wrote:
>
>> Hi,
>>
>> I am looking for a solution that s

[tcpdump-workers] sniffing HTTP traffic to load-balancer on a dedicated machine

2010-11-01 Thread Andrej van der Zee
Hi, I am looking for a solution that sniffs all HTTP traffic to the load-balancer in a multi-tier web application, but WITHOUT starting tcpdump on the load-balancer itself. The sniffing has to be isolated on a dedicated machine, without having to change anything to the web application itself. If t

Re: [tcpdump-workers] tcp sequence and ack number with libpcap

2010-08-19 Thread Andrej van der Zee
Hi Ronnie,

Note:
> The relative numbers are not part of the TCP protocol.
> The relative numbers do not actually exist. Only the absolute
> numbers exist in the packets.
>
> Relative numbers are an invention inside tcpdump to make the printed
> numbers easier to read for humans.
>

Thank you

Re: [tcpdump-workers] tcp sequence and ack number with libpcap

2010-08-19 Thread Andrej van der Zee
Hi,

>> const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN
>> + IP_HL(ip));
>>
>> This is surely wrong.
>> The size of the IP header is IP_HL(ip)*4 not IP_HL(ip)
>>
>
> Thank you very much! Now I do get the same seq and ack number for my app
> and tcpdump -vv.
>
> Though

Re: [tcpdump-workers] tcp sequence and ack number with libpcap

2010-08-19 Thread Andrej van der Zee
Hi,

> const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN
> + IP_HL(ip));
>
> This is surely wrong.
> The size of the IP header is IP_HL(ip)*4 not IP_HL(ip)
>

Thank you very much! Now I do get the same seq and ack number for my app and tcpdump -vv.

Thanks,
Andrej

Re: [tcpdump-workers] tcp sequence and ack number with libpcap

2010-08-19 Thread Andrej van der Zee
Hi,

> Hi Andrej,
>
> Several others have already mentioned it -- tcpdump is using relative
> sequence numbers to make it easier to read the output. Large sequence
> numbers are perfectly valid (after all, they are 32-bit unsigned numbers).
>
> Use the -S argument to tcpdump and you'll see tcpdump re

Re: [tcpdump-workers] tcp sequence and ack number with libpcap

2010-08-19 Thread Andrej van der Zee
Hi,

>> Source port and dest number seem to be ok, so I guess this is not the
>> problem. Nevertheless, I tried the code below but it does not make a
>> difference. Why do I get those weird seq and ack numbers? I am really
>> stuck...
>>
>
> Can you provide some examples of those "weird seq and ack n

Re: [tcpdump-workers] tcp sequence and ack number with libpcap

2010-08-19 Thread Andrej van der Zee
Hi,

If I get "bad cksum 0 (->4327)!" for packets with "tcpdump -vv" like below, do I have to take special measures to read fields like seq and ack from the TCP header?

17:55:47.657974 IP (tos 0x0, ttl 128, id 13151, offset 0, flags [DF], proto TCP (6), length 1420, bad cksum 0 (->4327)!) 172.

Re: [tcpdump-workers] tcp sequence and ack number with libpcap

2010-08-19 Thread Andrej van der Zee
Hi,

>> static void handle_packet(unsigned char * ifile, const struct pcap_pkthdr * h, const u_char * sp)
>> {
>> const struct ip * ip = (struct ip *) (sp + ETHER_HDRLEN);
>> const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN + sizeof(struct iphdr));
>>
>
> You a

Re: [tcpdump-workers] tcp sequence and ack number with libpcap

2010-08-19 Thread Andrej van der Zee
Hi,

> I think you are performing your byte ordering conversion wrong. Seq and
> Ack values are transmitted in network byte order so you need to perform
> a "network to host long" conversion, and for that, you need to use
> ntohl(), not htonl().
>
> On standard platforms with byte order 123

Re: [tcpdump-workers] tcp sequence and ack number with libpcap

2010-08-19 Thread Andrej van der Zee
ture field is to read it using little-endian byte encoding instead of big-endian (network byte order), but I see you use htonl in your code which is correct. Try -S option with tcpdump to get "absolute" numbers.

Cheers,
mark...

--- On Thu, 8/19/10, Andrej van der Zee wrote:

[tcpdump-workers] tcp sequence and ack number with libpcap

2010-08-19 Thread Andrej van der Zee
Hi, I am trying to get the TCP sequence and ack number of TCP packets. Somehow I get different values than "tcpdump -vv" does. The numbers are way too big all the time. Source and destination ports are just fine. Below the relevant code. I studied the tcpdump source code but can't find why. Please

[tcpdump-workers] deduct local IPs from pcap-files, possible?

2010-05-19 Thread Andrej van der Zee
Hi, Sorry for asking again, but I got no useful answer last time. Hopefully more luck this time... I receive many pcap-files from our clients. Now I am constructing an algorithm using libpcap that deducts time differences between the servers by matching packets on both ends of the connection and

[tcpdump-workers] estimate #packets in pcap file

2010-04-30 Thread Andrej van der Zee
Hi, I am looking for a way to estimate the number of packages in a pcap file without traversing through all packages with pcap_loop(). It does not have to be precise, just an estimate. Is there a way? Thank you, Andrej

[tcpdump-workers] deduct local IP address from cap-file

2010-04-30 Thread Andrej van der Zee
Hi, Is it by any means possible to deduct the local IP address from a cap-file? With local I mean the IP address that is physically bound to the machine where tcpdump is run. Thank you, Andrej

Re: [tcpdump-workers] local timestamp recovery of .cap files

2009-05-14 Thread Andrej van der Zee
Hi,

>        2) does, but "helpfully" converts the time to local time (in which
> case, whoever decided to be "helpful" needs to be hit with said sock).

I found that tcpdump with - converts to local time, but tcpdump -tt reports GMT.

> However, even with standard pcap files, which have GMT

Re: [tcpdump-workers] local timestamp recovery of .cap files

2009-05-14 Thread Andrej van der Zee
Thanks a lot for your email. I wish .cap files stored some meta-information such as local timezone, IP address, etc. Well, that's just my bad luck. Cheers, Andrej

[tcpdump-workers] local timestamp recovery of .cap files

2009-05-14 Thread Andrej van der Zee
Hi, I am having a problem with the timestamps in .cap files. I receive .cap files captured on machines in a different timezone (GMT +1 or GMT +3). When I do a "tcpdump -r en0.cap -n -" then the timestamps are corrected to my local timezone (GMT +8 or GMT +9). The problem is that I need the t

[tcpdump-workers] two general questions tcpdump

2009-05-13 Thread Andrej van der Zee
Hi, I could not find any users-list for tcpdump, so I am sorry if I offend anybody. I have two questions about tcpdump: 1) I get many UDP packages that have an IP that is not bound to one of my interfaces, like this one (the local IP is 10.69.26.61.22): 1240473922.435472 00:1a:64:79:b9:4c > ff:f

[tcpdump-workers] reading .cap files

2009-05-12 Thread Andrej van der Zee
Hi, Sorry if it has been asked before. I need to read .cap files produced by tcpdump from c/c++. More specific, I need to read the timestamp, the protocol, the number of bytes of the package (including the data) and the destination IP of each package in .cap. My questions are: * I have no contro