On Dec 15, 2010, at 3:01 PM, Gabe Black wrote:
I had looked at libnet prior to posting, however the first hit on google that
led to its documentation
http://libnet.sourceforge.net/libnet.html#Alphabetic%20List%20of%20Functions
did not seem like it would be helpful; nothing on packet
On Dec 1, 2010, at 1:19 AM, Jon Zhou wrote:
The bigger PCAP_FRAMES or a smaller value will get a better performance?
I.e.
PCAP_FRAMES=max tcpdump -i eth0 -w /dev/null
Or
PCAP_FRAMES=4096 tcpdump .
As distributed by tcpdump.org, neither libpcap nor tcpdump pay any attention
On Nov 30, 2010, at 10:35 PM, Mali Shternhell wrote:
Hi, Thanks for the response.
my question is why tcpdump doesn't parse the large snmp response packet
as it does for the typical response packet.
Because the SNMP printer routine that parses an ASN.1 BER item will quit if the
length of the
On Nov 30, 2010, at 10:28 PM, Michael Szalay wrote:
Thanks, now I have another error:
./runlex.sh flex -Ppcap_ -oscanner.c scanner.l
bison -y -p pcap_ -d grammar.y
NONE:0: /usr/bin/m4: ERROR: EOF in string
bison: subsidiary program `/usr/bin/m4' failed (exit status 1)
make: ***
On Nov 25, 2010, at 4:59 AM, Michael Szalay wrote:
OS is SLES10, Kernel 2.6.16.60-0.21.
Thanks. I've checked into the trunk and the 1.1 branch a change that should
fix this; could you try those versions?
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
On Nov 24, 2010, at 5:49 AM, Michael Szalay wrote:
is it possible to configure libpcap.1.1.1 without usb support?
I do not need it and I have the following error:
I don't have that error, at least not on:
Ubuntu 9.10, 2.6.31-22-generic kernel;
Fedora 9,
On Nov 23, 2010, at 12:51 AM, Ankith Agarwal wrote:
I am trying to filter all the SIP packets using pcap filter on ports of
5060 and 5061. But, some of the SIP packets are fragmented in the IP layer
because of their size (greater than MTU). I wanted to know whether the
pcap_loop api gives
On Nov 15, 2010, at 8:23 AM, Martin Vidner wrote:
Hello? Are there some concerns that I should address? Just too busy?
Just been busy. I've assigned 231 as DLT_DBUS/LINKTYPE_DBUS, and checked the
changes into the trunk and 1.1 branches and pushed them.
On Nov 15, 2010, at 5:08 AM, try fatur wrote:
Hi there. I have a serious problem. I am installing Snort ver 2.9;
it is written that I must have the libcap library. I've downloaded it from tcpdump, then I
installed daq ver 03. The problem comes when I type the command ./configure
in the daq
On Nov 15, 2010, at 7:16 PM, alfian ilarizky wrote:
please help me... (it is for my final assignment)
I want to capture Bluetooth packet data using Wireshark...
but I cannot...
please help me...
My OS is Windows 7 Ultimate x86
Wireshark depends on libpcap/WinPcap to capture network
On Nov 9, 2010, at 4:20 PM, Mark Ashley wrote:
I notice libnl has incremented to 2.0 a few weeks ago and the API is
reportedly different.
http://www.infradead.org/~tgr/libnl/
Has anyone verified that libnl 2.0 works with libpcap 1.1.1?
I've verified that it *doesn't*, and have checked
On Nov 10, 2010, at 10:40 AM, sth...@nethelp.no wrote:
Having started to play with DHCPv6, I found the tcpdump printout of
DHCPv6 options,
http://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-2
could be improved. Below are my suggested improvements,
On Nov 10, 2010, at 4:40 AM, Flavio Truzzi wrote:
Hi, I'm getting a memory leak in the following code, I made it to iterate
through multiple files, I don't know where it leaks...
https://sourceforge.net/tracker/?func=detail&aid=2987111&group_id=53067&atid=469579
Not fixed in any
On Nov 11, 2010, at 6:55 PM, Jon Zhou wrote:
Does libpcap/tcpdump support SKF_AD_QUEUE instruction and BPF filter?
I presume you mean does libpcap support generating the SKF_AD_QUEUE special
packet offset in BPF filter programs? If so, the answer is no; there's
probably no reason why there
, and thus those values
will have to appear in some header file.)
Person to contact for further information
See RFC 4288, section 4.9
* Name
[Guy Harris]
* E-mail
[...@.___.___]
* Author/Change controller
[Guy Harris g...@.___.___]
Again - Michael, do you want
On Nov 9, 2010, at 5:00 PM, Glen Turner wrote:
9. Applications which use this media type
See RFC 4288, section 4.5
[
Libpcap, a C library to capture network packets for POSIX-like systems.
Net::Pcap, Jpcap, python-libpcap, Ruby/Pcap are respectively Perl, Java,
Python and Ruby bindings
On Nov 1, 2010, at 9:42 PM, Jim Lloyd wrote:
You want some kind of port
mirroring http://en.wikipedia.org/wiki/Port_mirroring
And
http://wiki.wireshark.org/SwitchReference
for information and links to manuals about doing port mirroring - or whatever
the switch vendor calls it - on
On Nov 1, 2010, at 8:57 PM, Andrej van der Zee wrote:
Hi,
I am looking for a solution that sniffs all HTTP traffic to the
load-balancer in a multi-tier web application, but WITHOUT starting
tcpdump on the load-balancer itself.
Does the load balancer support some form of mirror port?
If
On Nov 2, 2010, at 12:05 AM, Andrej van der Zee wrote:
The idea is to sniff all incoming/outgoing traffic on the WAN side of
the load-balancer,
Is the WAN side implemented as:
some form of WAN (a T{n} or E{n} serial line, or an OC{n} or STM{n}
optical link) going directly into the
On Nov 2, 2010, at 6:01 PM, Glen Turner wrote:
I was a bit surprised when I clicked on a libpcap packet capture that it did
not automatically launch wireshark -r. I have searched the archive of this
mailing list looking for a MIME type and found no consensus.
I seek consensus for the
On Oct 31, 2010, at 12:29 AM, Martin Vidner wrote:
please allocate a new network type for libpcap dump files, as
described in
http://wiki.wireshark.org/Development/LibpcapFileFormat#Global_Header .
It is for dumping traffic on D-Bus, http://en.wikipedia.org/wiki/D-Bus , and the packets
On Oct 19, 2010, at 5:52 AM, Subhasis Mohapatra (submohap) wrote:
I have designed a tool using libpcap, but it's not reading big pcaps.
What does big mean here? Larger than 2GB, larger than 4GB, or larger than
some other value?
What happens if your tool tries to read a big pcap file?
What
On Oct 20, 2010, at 2:01 AM, Subhasis Mohapatra (submohap) wrote:
Thanks for the information,
I was using an older version of libpcap.
My pcap file is greater than 4GB and on the Linux platform.
Then you'll probably need libpcap 1.0.0 or later.
It was giving an error like Unable to read the
On Oct 4, 2010, at 5:40 PM, Branca Beiruth wrote:
I have been using SuSE Linux Server and I need TcpDump.
Can you help me?
http://software.opensuse.org/113/en
Type tcpdump into the search box, select whatever version of SuSE SLE you
have from the version list (what version are you
On Sep 25, 2010, at 6:44 AM, Nigel Kent wrote:
Why does tcpdump not give me more details? Each time it only comes as -
16:22:26.128541 [|ether]
# ./tcpdump -vv not port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes
16:22:26.128541 [|ether]
On Aug 23, 2010, at 3:54 PM, Jim Lloyd wrote:
What is the relationship between the socket receive buffer and the
mmap buffer? Does the mmap buffer replace the socket receive buffer,
Yes.
I currently have my primary testing
machine configured with
net.core.rmem_default = 4194304
On Aug 24, 2010, at 5:11 AM, Tim mizas wrote:
What kind of FD does pcap_get_selectable_fd return?
It returns either
1) the same FD that pcap_fileno() returns, if select() is supported on
it
or
2) -1, if select() is *not* supported on it (which is the case in, for
example,
On Aug 23, 2010, at 8:30 PM, Aaron Turner wrote:
So building the latest tcpdump from git and it won't link against the
latest libpcap from git:
ld: warning: in /usr/local/lib/libpcap.dylib, file was built for
unsupported file format which is not the architecture being linked
(i386)
On Aug 21, 2010, at 3:30 PM, Jim Lloyd wrote:
I have tested with the above logic while sniffing traffic on a GigE ethernet
NIC (eth0) and on the loopback device (lo). The test machine is an 8-core
Opteron with 32Gb of RAM running CentOS 5.5 with kernel 2.6.18. The traffic
generator program
On Aug 22, 2010, at 11:44 PM, Guy Harris wrote:
On Aug 21, 2010, at 3:30 PM, Jim Lloyd wrote:
Does this mean the 512Mb memory buffer is huge overkill?
For this application, it might be.
Of course, we must bear in mind that the average human has one breast and one
testicle
On Aug 17, 2010, at 2:21 AM, Ambika Prasad Tripathy wrote:
I am searching for a way to filter GTP packets and hence mobile IP data over
GTP-U. I can do that by applying index based filter for BPF. But can when I
see struct bpf_insn structure I think, if I modify the gencode.c/h and
grammar.y
On Aug 22, 2010, at 10:15 PM, Ambika Prasad Tripathy wrote:
But my proposal is to include a filter like VLAN for GTP.
Exactly. See my response to your earlier message, except that:
So after support it the above filter will work like
Gtp 23456345 to filter all GTP packets with TEID as
On Aug 22, 2010, at 4:15 PM, Aaron Turner wrote:
Long story short, tcpreplay allows users to replay traffic in verbose
mode which basically involves forking tcpdump and writing each packet
over a socketpair(). This has worked for quite a while (years now)
but recently I've realized
On May 24, 2010, at 7:26 AM, Mcmillan, Scott A wrote:
This patch adds the capability to select the packet timestamp source. It
also adds support for the PACKET_TIMESTAMP Linux kernel setting to specify
the source of packet timestamps. The corresponding Linux kernel patch is
being
(and ARPHRD_FRAD) comes from a patch submitted by Krzysztof Halasa
back in 2003; when I asked him about it, he replied
Guy Harris g...@alum.mit.edu writes:
Do ARPHRD_DLCI devices supply a useful link-layer header (from which the
protocol running atop Frame Relay can be determined
On Aug 15, 2010, at 6:15 AM, Doktor Bernd wrote:
thanks for the advice. If I use libpcap 1.1.1 compiled with the
HAVE_PACKET_RING stuff commented out, then my software performs very well.
Ubuntu currently ships with 1.0.0.6 I think. If I use that version my
application has problems capturing
On Aug 10, 2010, at 3:35 AM, Doktor Bernd wrote:
I am experiencing the same problem as described in
http://news.gmane.org/find-root.php?message_id=%3c972613.6039.qm%40web59701.mail.ac4.yahoo.com%3e
I have written a software that captures Ethernet frames and forwards them to
different
On Aug 6, 2010, at 11:47 AM, Jon Smirl wrote:
Can I request a DLT for IEEE802.15.4 no FCS frames.
The ARPHRD for these frames is already in the Linux kernel:
#define ARPHRD_IEEE802154 804
So that's with a standard 802.15.4 header (as opposed to, say, headers with
addresses padded
On Aug 6, 2010, at 12:04 PM, Jon Smirl wrote:
Not all radios provide access to the FCS internally so it is stripped
in the Linux implementation. That's the only difference from the first
one. So we need another DLT
#define DLT_IEEE_802154 230
OK, I've added
On Aug 6, 2010, at 2:34 PM, Jon Smirl wrote:
Thanks for adding the DLT.
Do I need this bit about LINKTYPE?
If you want to be able to read 802.15.4-with-no-FCS captures with applications
that use libpcap to read capture files, yes.
diff --git a/pcap-linux.c b/pcap-linux.c
index
On Jul 4, 2010, at 7:15 AM, bored to death wrote:
I'm having quite a problem with tcpdump 4.0.0
Combine the previous sentence and the subject line - at this point, you're
comparing libpcap 0.9.8+tcpdump 3.9.8 with libpcap 1.0.0+tcpdump 4.0.0, and the
problem could be caused by libpcap 1.0.0,
On Jun 23, 2010, at 5:37 PM, Steve Scott wrote:
When I use this pcap compile string, my gcc compiler builds the executable,
but the pcap compile fails at run time:
\\(tcp or udp\\) and \\(src host 172.19.18.2 or src host 172.19.18.3\\)
The backslashes are unnecessary. If I do
On Jun 23, 2010, at 3:57 AM, Hemal Shah wrote:
I am trying to run tool on linux.
What distribution, and what version of that distribution?
It caught into the error :
/cbm: error while loading shared libraries: libpcap.so.1: cannot open
shared object file: No such file or
On Jun 22, 2010, at 8:48 AM, Alan Neville wrote:
I have been trying to cross-compile libpcap-1.1.1 for use on the iPhone
(armv6 architecture) to no avail.
Note that, in iOS, the BPF devices are probably owned by root and only openable
by root, so you will have to run your program as root,
On Apr 9, 2010, at 12:24 PM, Romain Francoise wrote:
Reading from a capture file that has not yet received any packets fails
with truncated dump file; to avoid this, flush the file (forcing the
pcap header out) immediately after opening it.
Checked into the main and 4.1 branches and pushed.
On May 11, 2010, at 1:01 AM, Peter Volkov wrote:
Although it's rather trivial to fix udevinfo call I think this check
should not exist at all. It is quite common to build a package on one
system and deploy on another, thus it is always a bad idea to check system
capabilities during build. I guess
On Apr 9, 2010, at 12:24 PM, Romain Francoise wrote:
Merge back changes from the Debian package:
- fix TCP flags output description, by Christophe Rhodes cs...@cantab.net
Original patch submitted in http://bugs.debian.org/575724
- two remaining typo fixes, by A Costa agco...@gis.net
On May 31, 2010, at 6:10 PM, Ondrej Moriš wrote:
there are some issues when running self-tests on ppc64, it seems to be
related to little / big endian - packet checksums are twisted:
Example (ikev2fourv.out.diff):
192.168.1.2.500 192.168.1.1.500: [bad udp cksum ee7a!] isakmp 2.0
On May 10, 2010, at 12:26 AM, Peter Volkov wrote:
In Gentoo linux (sparc arch too) we do not have such problem.
OK, so I've checked into the main and 1.1 branches a change that, for SPARCv9
(sparc64) on FreeBSD, uses -fPIC. Regular FreeBSD appears to use -fPIC on
SPARCv9 as well. If
On May 9, 2010, at 11:42 AM, Guy Harris wrote:
On May 9, 2010, at 6:32 AM, Rafe Yer wrote:
To ensure a successful re-run of
make install
amend
ln
with
ln -f
Do all versions of all UN*Xes that support libpcap also support ln -f?
If not, the Makefile would need to, instead, do
On May 24, 2010, at 7:26 AM, Mcmillan, Scott A wrote:
This patch adds the capability to select the packet timestamp source. It
also adds support for the PACKET_TIMESTAMP Linux kernel setting to specify
the source of packet timestamps. The corresponding Linux kernel patch is
being
On May 26, 2010, at 9:03 AM, Mcmillan, Scott A wrote:
Both the 'raw' and 'nic' timestamps are in the form of seconds since the Unix
epoch, plus fractions of a second. Please see my response to Darren for more
info on the difference between these two timestamp sources.
Which reply was
On May 27, 2010, at 9:48 AM, Mcmillan, Scott A wrote:
This is an updated patch for tcpdump-4.1.1 to add the capability to select hw
timestamps via the -j command line option. The usage has been simplified: -j
now takes no argument, and uses the hw timestamp transformed into the system
On May 24, 2010, at 7:26 AM, Mcmillan, Scott A wrote:
[My apologies if this double posts. The mail server didn't care for the
first submission.]
This patch adds the capability to select the packet timestamp source.
Is there ever any reason *NOT* to use the hardware timestamp if it's
On May 13, 2010, at 12:57 PM, Edgar, Thomas wrote:
I have updated libpcap to capture traffic from serial COM ports. However, in
order to do this I needed to configure the serial port settings before
starting the capture. The method I have working is to add the port settings
variables to
On May 9, 2010, at 2:11 AM, Peter Volkov wrote:
It was reported that libpcap fails to link on freebsd-sparc:
http://bugs.gentoo.org/show_bug.cgi?id=247076
Patch in attachment fixes this issue. Please, apply.
Is SPARC the only architecture that requires -fPIC? (On what architectures
does
On May 9, 2010, at 2:24 AM, Guy Harris wrote:
On May 9, 2010, at 2:11 AM, Peter Volkov wrote:
It was reported that libpcap fails to link on freebsd-sparc:
http://bugs.gentoo.org/show_bug.cgi?id=247076
Patch in attachment fixes this issue. Please, apply.
Is SPARC the only
On May 9, 2010, at 6:32 AM, Rafe Yer wrote:
To ensure a successful re-run of
make install
amend
ln
with
ln -f
Do all versions of all UN*Xes that support libpcap also support ln -f?
If not, the Makefile would need to, instead, do an rm -f of the old link and
an ln to re-create it.
On May 3, 2010, at 11:29 PM, Thomas Habets wrote:
Has anyone looked into timestamping the captured packets using
clock_gettime(CLOCK_MONOTONIC, ...)?
I'm thinking adding a struct timespec to struct pcap_pkthdr
pcap_pkthdr is in a file. You cannot add *ANYTHING* to it without breaking
On Apr 30, 2010, at 5:15 PM, Andrej van der Zee wrote:
I am looking for a way to estimate the number of packages in a pcap file
without traversing through all packages with pcap_loop(). It does not
have to be precise, just an estimate. Is there a way?
*IF* you have an idea what the average
On Apr 30, 2010, at 12:14 AM, Andrej van der Zee wrote:
Is it by any means possible to deduct the local IP address from a
cap-file? With local I mean the IP address that is physically bound to
the machine where tcpdump is ran.
If you mean deduce - i.e., given a capture file, determine what
On Apr 15, 2010, at 9:59 AM, Edgar, Thomas wrote:
After looking at how the pcap_set_datalink process works I think I have
decided to keep my timing method as the default COM interface datalink type.
But I will create it with the capability of setting the datalink type so that
you can
On Apr 8, 2010, at 1:25 PM, Luca Bruno wrote:
Since Linux 2.6.30, IEEE 802.15.4 interfaces got assigned a proper
ARP hardware type (ARPHRD_IEEE802154 - 804).
This patch introduces the relevant code to match it with its own
DLT type.
There are currently three different types for it, but
.
I am currently working on a project using 802.15.4 and would like to
use libpcap.
Thank you in advance
Juergen G. Schimmer
Date: Sun, 01 Apr 2007 14:32:15 -0700
From: Guy Harris g...@alum.mit.edu
On Apr 13, 2010, at 8:53 AM, Edgar, Thomas wrote:
We are targeting framed protocols over serial, such as the serial versions of
DNP3 and Modbus,
Then perhaps the right thing to do is to have *multiple* DLT_/LINKTYPE_ values,
one for each protocol, and use the particular protocol's framing
On Apr 13, 2010, at 2:34 PM, Edgar, Thomas wrote:
I am open to the possibility of going forward with that approach. Just to
clarify, does this work by the user preselecting the framing mechanism before
the capture is started?
Yes.
For instance, I would have to know that DNP3 is being
On Apr 12, 2010, at 3:18 PM, Edgar, Thomas wrote:
I am posting to request a value for DLT_SERIAL and LINKTYPE_SERIAL for use
with libpcap. I am working on a project to update libpcap and Wireshark to
capture and parse RS232 and RS485 traffic (written such that it could handle
a wide
On Apr 7, 2010, at 11:52 PM, Vlabs .C wrote:
I am developing a small sniffer using libpcap APIs. I want to capture and
process ARP, IP and TCP packets at a time. Right now I am not able to find how
to do it using pcap_compile to capture more than one type of packet at a
time.
arp or ip
On Apr 6, 2010, at 7:54 PM, ronnie sahlberg wrote:
Pcap does not have a raw-udp encapsulation, so yours is a reasonable approach.
It does, however, have a raw-IP encapsulation; the link-layer type value in the
file header would be 101, and the raw packet data begins with the IP header. A
On Apr 1, 2010, at 10:24 PM, Peter Volkov wrote:
Hi. It looks like the tests directory is missing from tcpdump-4.1.0.tar.gz. Do you
suggest to avoid running tests for tcpdump or was the tarball corrupted
somehow?
The Makefile didn't include the tests in the list of files to distribute. I've
changed
On Mar 31, 2010, at 1:10 PM, Chris Maynard wrote:
I encountered the same problem trying to compile the latest libpcap-1.1
sources
on a RHEL5 system.
Odd - it compiled on my Ubuntu 9.10 virtual machine, with a 2.6.31-19-generic
kernel. What kernel does your RHEL5 system have?
I fixed it
On Apr 1, 2010, at 1:04 PM, Chris Maynard wrote:
I was under the impression that libpcap allowed one to capture raw USB traffic
(See http://wiki.wireshark.org/CaptureSetup/USB). However, with libpcap 1.1,
this doesn't seem to work as I get an error from pcap_compile() with
pcap_geterr()
On Apr 1, 2010, at 10:44 PM, Peter Volkov wrote:
./configure --without-chroot will configure tcpdump with no as the
value of chroot directory and cause tcpdump to fail with:
tcpdump: Couldn't chroot/chdir to 'no': No such file or directory
Patch in attachment fixes this issue. Please
On Mar 30, 2010, at 1:55 PM, Wesley Shields wrote:
The links on http://www.tcpdump.org are broken.
The tarballs are libpcap-1.1.tar.gz and tcpdump-4.1.tar.gz, rather than
libpcap-1.1.0.tar.gz and tcpdump-4.1.0.tar.gz. Are we now calling the major
releases 1.x and 4.x rather than 1.x.0 and
On Mar 31, 2010, at 9:15 AM, Michael Richardson wrote:
Two questions:
1) is there anything preventing us from processing pflog
format pcap files on any system (i.e. a header I'm missing
on non-BSD systems)?
The fact that the header for packets in a DLT_PFLOG file can be (and has
On Mar 31, 2010, at 6:41 AM, Wesley Shields wrote:
Looks like commit e8b523758959c1854689d71c7a4686c631e5501c broke
tcpdump on FreeBSD (and probably any other system with PF). The attached
patch fixes the build.
Checked into the main branch and, it appears, into the 4.1 branch - I did, in a
On Mar 31, 2010, at 12:08 PM, krishna manohar wrote:
I am new to pcap. I am writing a sniffer for an s3c2440 ARM board.
In the process I have cross-compiled libpcap 1.0.0 and loaded my executable
on the target.
When I run the sniffer application on the target, pcap_open_live is failing with
Illegal
On Mar 18, 2010, at 8:02 AM, Jim Lloyd wrote:
Perhaps someone can clarify this point for me. When is filtering done?
If the packet capture mechanism supports BPF packet filtering in the kernel
(and the filter isn't too complicated to fit in the kernel or otherwise
incapable of being handled
On Mar 18, 2010, at 8:20 AM, Eloy Paris wrote:
pcap_create() and pcap_activate() were not available in versions of
libpcap prior to 1.0; if you are writing an application that must work on
versions of libpcap prior to 1.0, either use pcap_open_live() to get a handle
for a live capture or,
On Mar 17, 2010, at 10:54 AM, Jim Lloyd wrote:
So, what does an error code of -3 indicate?
#define PCAP_ERROR_NOT_ACTIVATED -3 /* the capture needs to
be activated */
I've done some experimentation and determined that apparently I must call
pcap_activate before calling
On Mar 16, 2010, at 7:34 AM, jon_me...@selinc.com wrote:
What type of information do I need to supply in order to have a new DLT
type assigned?
A description of the format of the header at the beginning of the packet (so
that we can say this DLT type is for a header that looks like this; if
On Mar 7, 2010, at 10:59 PM, M.Turner Turner wrote:
I have a problem with libpcap-0.9.4.
When I compile (configure and make and make install) libpcap-0.9.4 the .so
files are not created
and only libpcap.a is created.
Why does this happen?
Because tcpdump.org's libpcap, in all of the currently
On Mar 8, 2010, at 11:50 AM, Gianluca Varenni wrote:
Can we wait until tomorrow for the release? I fixed a minor compilation issue
of tcpdump under Windows
As per my earlier mail, it looks as if 4.0.1rc3 wasn't made from the top of the
tree; should the final 4.1 release be made from the top
On Mar 2, 2010, at 5:00 PM, Pavel Roskin wrote:
This patch to libpcap helps:
--- a/pcap-linux.c
+++ b/pcap-linux.c
@@ -1563,6 +1563,7 @@ live_open_new(pcap_t *handle, const char
memset(mr, 0, sizeof(mr));
mr.mr_ifindex = handle-md.ifindex;
On Mar 5, 2010, at 8:48 AM, Michael Richardson wrote:
Does anyone see a problem if I move bpf_filter.c from CSRC
to GENSRC in the libpcap Makefile?
The Makefile has a rule to generate it, so I'd see that as OK. (It also
means that make clean would remove the symlink, which is arguably the
On Mar 5, 2010, at 9:42 AM, Ken Bantoft wrote:
On 2010-03-03, at 11:55 PM, Darren Reed wrote:
On 19/02/10 10:56 AM, Michael Richardson wrote:
Darren == Darren Reed darren.r...@sun.com writes:
Darren Is there a target date for the delivery of tcpdump 4.1 and
Darren libpcap
On Mar 5, 2010, at 3:56 AM, Selçuk Cevher wrote:
As far as I know, in general, pcap_loop() function of libpcap library is
preferred over pcap_next_ex() function in both live and offline capture.
Is it related to some kind of fact that pcap_loop() is more
robust/reliable/efficient ?
It
On Feb 20, 2010, at 12:47 AM, Kovarththanan Rajaratnam wrote:
Please pull from:
git://github.com/krajaratnam/tcpdump.git cleanup
Pulled and pushed.
On Feb 22, 2010, at 5:40 PM, d00fy wrote:
Does pcap-1.0.0 use mmap to copy packets from kernel space to user space as
default?
If it's compiled on
1) a Linux distribution with the right headers to allow it to support
memory-mapped capture
or
2) a FreeBSD release with
On Feb 15, 2010, at 3:55 PM, Marco De Angelis wrote:
I have set the non-blocking mode to 0, expecting
the call to pcap_dispatch to hang when packets are not
collected. But instead, I can see many printouts (Read 0 packets)
which indicate that the pcap_dispatch has exited when no
packets
On Feb 10, 2010, at 1:42 PM, Marco De Angelis wrote:
So the call to pcap_dispatch not preceded by a select() could still
cause problems in 10.6.2?
It *shouldn't* cause problems, but, from what you and Carter are reporting, it
*does* cause problems.
This is the output on my machine:
On Feb 11, 2010, at 1:54 PM, Richard Bejtlich wrote:
In situations like this it is helpful to troubleshoot with the -d option
http://taosecurity.blogspot.com/2004/12/understanding-tcpdumps-d-option-part-2.html
...and especially note the pointer to the BPF paper, which explains the
machine
On Feb 9, 2010, at 10:20 PM, Frank W. Miller wrote:
I'm getting the feeling that pcap_inject() isn't well supported?
I guess it's a question of which code we're talking about in the code path to
the hardware.
pcap_inject() - like the rest of libpcap - is implemented atop an underlying
On Feb 9, 2010, at 2:15 AM, Marco De Angelis wrote:
I made an interesting test.
By collecting pcap_stats() after every call to pcap_dispatch and
printing the pcap_stat values out, I could verify that the packets
are received.
E.g. if I filter for ICMP packets, by launching ping commands
On Feb 8, 2010, at 2:34 PM, Frank W. Miller wrote:
FWIW, packetspammer does not work either.
The current top-of-tree version of packetspammer from
git://git.warmcat.com/packetspammer
uses pcap_inject(), so it's not *too* surprising that it doesn't work. It is a
nice small (and
On Feb 8, 2010, at 2:33 PM, Frank W. Miller wrote:
Stock FC12. Linux kernel 2.6.31.5-127.fc12.1686.PAE #1 SMP
What type of 802.11 adapter are you using?
On Feb 9, 2010, at 9:41 AM, Carter Bullard wrote:
Just after the call to pcap_open_live(), I set this ioctl. You may not need
the pcap_setnonblock() for
your application.
if ((pd = pcap_open_live(device-name, snaplen, !pflag, 100, errbuf)) !=
NULL) {
That's a sub-second timeout,
On Feb 8, 2010, at 1:33 PM, Frank W. Miller wrote:
I'm trying to use pcap_inject over my 802.11 connection. I can receive
packets using pcap_next() fine and when I call pcap_inject() it returns with
the length of the frame to be transmitted except that no frame is seen over
the air. I have
On Feb 1, 2010, at 6:27 AM, David Horn wrote:
I have created a patch to support the RFC 5006 IPv6 RA option 25
(RDNSS) decoding in tcpdump. The patch (against GIT) is available
here:
https://sourceforge.net/tracker/?func=detail&aid=2942379&group_id=53066&atid=469575
I would appreciate a
On Feb 6, 2010, at 4:41 PM, Guy Harris wrote:
[0x000e]:
In theory, that would be an indication that there's a radiotap
presence bit that tcpdump doesn't know about, except that 0x000e has 3
bits set.
That's a bit number, not a bit, so it's a radiotap field with a bit