Re: [tcpdump-workers] aclocal.m4 and openssl

2004-04-05 Thread Guy Harris
On Sat, Apr 03, 2004 at 05:44:55PM -0500, Michael Richardson wrote: It appears that we don't really do the right with: ./configure --with-crypto=/path ./configure --with-openssl=/path ./configure --with-ssleay=/path (I'm uncertain which of these is right) --with-openssl and

Re: [tcpdump-workers] proposed new pcap format

2004-04-06 Thread Guy Harris
On Apr 5, 2004, at 10:39 PM, Ryan Mooney wrote: What about adding the concept of arbitrary meta-packets that can sit anywhere in the capture stream. These could be used to encode comments, and other meta-data. In Michael Richardson's proposal, a capture file is a sequence of records, each of

Re: [tcpdump-workers] libpcap pcap_sendpacket support across platforms.

2004-04-07 Thread Guy Harris
On Tue, Mar 23, 2004 at 04:56:43PM -0800, Mark Pizzolato wrote: I wonder where the sendto() stuff is really necessary. The simple send() worked for us on RH 7.3-Fedora Core1 on Intel. And RH 6.2 on Sparc, and numerous other linux environments. We've never gotten a complaint send()

Re: [tcpdump-workers] bpf/pcap performance

2004-04-12 Thread Guy Harris
On Apr 12, 2004, at 5:07 PM, Guy Harris wrote: ...which would require that pcap_pkthdr be changed to begin with a struct pcap_timeval. If it's OK to, on platforms where, for example, ts_sec is 64 bits, break binary compatibility with applications dynamically linked with libpcap, we could do

Re: [tcpdump-workers] bpf/pcap performance

2004-04-14 Thread Guy Harris
(Noise inserted in the hopes that that the mailing list software doesn't think that this is a duplicate of my previous message, which I sent from my sonic.net address and which thus didn't get through, and thus prevent it from getting to the list.) On Wed, Apr 14, 2004 at 12:30:45PM +1000, Darren

Re: [tcpdump-workers] List management

2004-04-14 Thread Guy Harris
On Wed, Apr 14, 2004 at 02:13:54PM -0400, Jefferson Ogata wrote: So now I have these questions: One more issue: At least at one point, postings with more than 2048 bytes of mail headers were rejected - but that includes Received: headers, which means that if you have too

Re: [tcpdump-workers] List management

2004-04-14 Thread Guy Harris
On Apr 14, 2004, at 11:23 AM, Guy Harris wrote: One more issue: At least at one point, postings with more than 2048 bytes of mail headers were rejected - but that includes Received: headers, which means that if you have too many mail routers you might be unable

Re: [tcpdump-workers] Proposed new pcap format

2004-04-14 Thread Guy Harris
On Apr 14, 2004, at 12:06 AM, Jefferson Ogata wrote: Additional protocol dissectors for protocols unknown to tcpdump/tethereal could be written in any language with XML support (preferably event-based). In fact, many protocol analyzers could be written directly in XSLT/XPath and processed

Re: [tcpdump-workers] pcap filter for 802.11

2004-04-16 Thread Guy Harris
On Apr 16, 2004, at 3:01 AM, Chen Hsia Lee wrote: I have just started using libpcap and am still unfamiliar with it. What is the filter expression to pick up only wireless 802.11 packets? If you're capturing on an 802.11 interface, by definition all the packets you will get are wireless

Re: [tcpdump-workers] Proposed new pcap format

2004-04-21 Thread Guy Harris
On Tue, Apr 20, 2004 at 06:16:48PM -0700, Michael Richardson wrote: Darren btw, is it at all easily possible to get the 802.3 checksum Darren into captured data ? On some OSes you ask for that. Not on BSD AFAIK, yes, with PF_PACKET on Linux. Some BSDs give it to you, at least for

Re: [tcpdump-workers] IPv6 dependency

2004-04-29 Thread Guy Harris
On Apr 29, 2004, at 4:05 PM, Michael Richardson wrote: Okay, it has been years since I was on a v6-crippled system, so I didn't know that we weren't OS independant. Can we extract some in6_addr code from one of the BSDs and include that if we need it? That might work - one concern would be a

Re: [tcpdump-workers] pcap_stats

2004-05-21 Thread Guy Harris
On Fri, May 21, 2004 at 02:06:57AM -0700, Guy Harris wrote: The DLPI code should *probably* add the dropped-packet count to the packets-received count, so as to reduce the differences between statistics (although it doesn't eliminate them - the right long-term fix is probably to introduce

Re: [tcpdump-workers] single packet capture time w/pcap vs. recvfrom()

2004-05-25 Thread Guy Harris
On May 23, 2004, at 6:37 PM, Brandon Stafford wrote: I'm writing a server that captures UDP packets and, after some manipulation, sends the data out the serial port. Right now, I'm using recvfrom(), but it takes 20 ms to execute for each packet captured. I know that tcpdump can capture

Re: [tcpdump-workers] savefile.c patch

2004-05-26 Thread Guy Harris
On May 26, 2004, at 1:55 AM, Gisle Vanem wrote: I feel it's high time we cleanup some of the sources. I'd start with savefile.c. Currently it doesn't work for offline data from stdin. --gv --- libpcap-2004.05.20/savefile.c Tue Mar 23 21:18:08 2004 +++ savefile.c Wed Mar 24 16:29:06 2004 @@

Re: [tcpdump-workers] savefile.c patch

2004-05-27 Thread Guy Harris
On May 27, 2004, at 5:22 AM, Gisle Vanem wrote: Since pcap_dump_close() doesn't have a pcap_t argument, where should the oldmode come from? Can we have two module globals; oldmode_stdin, oldmode_stdout, assuming stdin/stdout won't be opened for capture more than once? If it's opened for capture or

Re: [tcpdump-workers] How to extract the source name field data of

2004-05-28 Thread Guy Harris
On May 27, 2004, at 11:56 PM, Jun-ichiro itojun Hagino wrote: Yes I am doing live capturing, but all what I interested about is the 16 byte Source Name field (Name to Add). I want to include the tcpdump command in my perl program so that I can make further processing on the data of that field.

Re: [tcpdump-workers] pcab and libpcap differences?

2004-05-31 Thread Guy Harris
On Mon, May 31, 2004 at 03:45:04PM +0800, Bassam A. Al-Khaffaf wrote: As introduction for me to learn the network programming, anyone can tell me what is the difference between the pcap and libpcap? THe letters l, i, and b. :-) The name of the library is libpcap; sometimes people might just

Re: [tcpdump-workers] Are all traces captured by dag card in tcpdump

2004-06-04 Thread Guy Harris
On Jun 4, 2004, at 1:09 PM, ice ice wrote: here is more information about tcpdump's output: % tcpdump -c 5 -n tcp -r 20020814-09-0-anon.pcap.gz 11:00:00.58 69.245.49.10.2082 143.173.237.247.1214: . 2133229289:2133230749(1460) ack 6821225 win 17188 (DF) 11:00:00.69

Re: [tcpdump-workers] Linktype needed

2004-06-05 Thread Guy Harris
Martin Angler said: my name is Martin Angler and I am developing a BACnet MS/TP - enabled netdevice-driver under GNU/Debian Linux. Now I've seen, that there is no linktype that specifies BACnet MS/TP. So I wanted to ask whether you could define/implement a corresponding linktype. I infer from

Re: [tcpdump-workers] Unexpected primitive ack DL_UNITDATA_IND

2004-06-09 Thread Guy Harris
On Jun 9, 2004, at 1:27 PM, Rick Jones wrote: Does it always happen or just sometimes? A DL_UNITDATA_IND is basically saying Hi there, here is a packet in DLPI speak. It looks like the stream is sending one of those up to the application when libpcap isn't expecting it. In fact, it's sending

Re: [tcpdump-workers] Unexpected primitive ack DL_UNITDATA_IND

2004-06-09 Thread Guy Harris
On Jun 9, 2004, at 1:58 PM, Rick Jones wrote: On the surface I wouldn't think so - simply attaching to a PPA I don't think means traffic could arrive - however, if one has attached, and then binds to a SAP, then traffic could indeed start arriving. (Il-informed guesstimation, and hopefully I'm

Re: [tcpdump-workers] pcap range no worky on ppc? (e.g. udp[2:2] = 137 udp[2:2] = 139)

2004-06-17 Thread Guy Harris
On Thu, Jun 17, 2004 at 03:19:40PM +1000, Ben Low wrote: I attempted to use the following expression to filter netbios stuff: udp[2:2] = 137 udp[2:2] = 139 However this expression only captures port 137 packets on my two Power PC machines: - linux 2.4.18 ppc (debian) tcpdump

Re: [tcpdump-workers] TCPDUMP filter for multicast

2004-06-19 Thread Guy Harris
(I'm on tcpdump-workers, so there's no need to send mail to me *and* tcpdump-workers; if you have a question, it's better to ask tcpdump-workers than to ask only me.) On Sat, Jun 19, 2004 at 10:07:17PM -0400, Ernest L. Williams Jr. wrote: Could you tell me a tcpdump filter that only gives

Re: [tcpdump-workers] libpcap problems

2004-06-22 Thread Guy Harris
On Jun 22, 2004, at 8:45 AM, Bowser Jason S Contr AFRL/IFTA wrote: I am writing some software that forks multiple process on a unix macine(IRIX) however when i have each child start the pcap_loop when i get to the 4th child and beyond i get the following error pcap_open_live snoop bind: Cant

Re: [tcpdump-workers] Web page needs updating

2004-06-22 Thread Guy Harris
On Jun 22, 2004, at 8:48 AM, Eddie Kohler wrote: The www.tcpdump.org section on mailing lists needs updating -- sending mail to '[EMAIL PROTECTED]' results in an error; it looks like the address has changed to '[EMAIL PROTECTED]'. I've checked in a change to replace @tcpdump.org with

Re: [tcpdump-workers] text format stability

2004-06-25 Thread Guy Harris
On Jun 25, 2004, at 2:21 PM, Christian Kreibich wrote: an XML based tcpdump output would be great in the long term -- it would certainly eliminate a lot of parsing ambiguity. Yes - the problem with the traditional UNIX the output of one program should be usable as input to another program idea is

Re: [tcpdump-workers] Corrupt files

2004-06-25 Thread Guy Harris
On Jun 25, 2004, at 4:34 PM, Xavier Brouckaert wrote: Could it happen because there are several applications using libpcap at the same time ? Not if they're writing to different files. There's no data that would be shared by all libpcap-using processes on a given machine. If multiple

[tcpdump-workers] 3-clause vs. 4-clause BSD license for {libp,WinP}cap and {tcpd,WinD}ump

2004-06-28 Thread Guy Harris
On Jun 28, 2004, at 1:21 PM, [EMAIL PROTECTED] wrote: We would like to include WinPcap and WinDump on the Windows Toolbox compilation of software but your licencing restrictions present a problem. The clause we have difficulty with in particular is this: all advertising materials mentioning

Re: [tcpdump-workers] linux pcap blocking and cpu utilization

2004-06-28 Thread Guy Harris
On Jun 28, 2004, at 12:10 PM, four wrote: Here is the situation: I am trying to build a simple bridging program. If I use pcap_set_nonblock() the function call returns fine, but the program ends up using 100% cpu utilization, presumably because it is simply looping and returning with no packets

Re: [tcpdump-workers] Libpcap and Super User mode

2004-06-30 Thread Guy Harris
On Jun 30, 2004, at 10:00 AM, Jefferson Ogata wrote: More specifically, you can use libpcap as any user. On most systems, you have to be root, however, to monitor traffic on a network interface. I.e., you can use libpcap to read a capture file as any user (if that user has permission to read

Re: [tcpdump-workers] text format stability

2004-06-30 Thread Guy Harris
On Jun 30, 2004, at 12:58 PM, Michael Richardson wrote: How widespread is PDML? Tethereal and Ethereal can generate it; I presume the intent is to have Analyzer 3.0 generate it as well, given that it was invented by the Politecnico di Torino folks. (I don't see anything immediately obvious

Re: [tcpdump-workers] text format stability

2004-07-01 Thread Guy Harris
On Thu, Jul 01, 2004 at 07:34:44AM +0200, Fulvio Risso wrote: Ethereal is able to prodice PDML output (altough it uses a slightly modified dialectn of PDML). What are the modifications? (Note that one problem is that PDML's field names come from the NetPDL specification for the protocol - this

Re: [tcpdump-workers] PCAP - IP Fragments

2004-07-01 Thread Guy Harris
On Jul 1, 2004, at 2:50 AM, [EMAIL PROTECTED] wrote: tcpdump doesn't have any specific facility to handle fragmented packets, as far as I know (it cannot reassemble the fragments). That capability could be added (Ethereal supports it), although, if provided, it should be an option (as reassembly

Re: [tcpdump-workers] jump to a packet flag

2004-07-01 Thread Guy Harris
On Jul 1, 2004, at 12:18 PM, alex medvedev wrote: this, however, does not work well with relative seq numbers in tcp packets [maybe smth else too?]. Anything that maintains and uses state information between packets wouldn't work. However, what could be done would be something that still runs

Re: [tcpdump-workers] patch for print-ppp.c

2004-07-06 Thread Guy Harris
On Jul 5, 2004, at 3:13 AM, Darren Reed wrote: Looks better if its compressed PPP data :) Checked in, with compressed PPP data - and with another change to use ppptype2str[] in the default case. - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] core dump with PPP messages 1 byte long.

2004-07-06 Thread Guy Harris
On Jul 5, 2004, at 4:51 AM, Darren Reed wrote: If ppp_hdlc() is called with length 2, bad things happen. Should it be called *at all* from handle_ppp()? Or, if this is really just HDLC-over-L2TP, in which case it should be called directly from t

Re: [tcpdump-workers] LLC protocol, ethereal and pcap libraries get along togheter?

2004-07-07 Thread Guy Harris
On Jul 7, 2004, at 10:44 AM, Claudio Lavecchia wrote: Writing a packet dissector based on pcap libraries on Linux and using it to sniff traffic going through a WLAN (dell truemobile 1150 with orinoco driver) card I noticed a really strange behaviour. The card is set in promiscous mode, and I

Re: [tcpdump-workers] Bad TCP header len question

2004-07-08 Thread Guy Harris
On Thu, Jul 08, 2004 at 11:38:33AM +0200, rmkml wrote: Possible add detect tcp header len pb in tcpdump ? I've added those checks to the x.8 and main branches in the tcpdump CVS tree. - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] error-message IP11 truncated-ip in last tcpdump/libpcap

2004-07-13 Thread Guy Harris
On Jul 13, 2004, at 7:56 AM, Klaus Schrod wrote: Again our situation: Two computers connected to the net, one (lion) with a fixed ip address and one (styx) with pppoe. We established an ipsec tunnel between them successfully. tcpdump showed an error in the ESP traffic between styx and lion. But

Re: [tcpdump-workers] error-message IP11 truncated-ip in last tcpdump/libpcap

2004-07-13 Thread Guy Harris
On Jul 13, 2004, at 11:51 AM, Guy Harris wrote: whereas the traffic from 62.225.140.214 to 217.234.111.121 has Linux cooked capture IP with a protocol type of IP-inside-IP IP (with a bogus version number of 3 and a bogus header length of 8) The second capture is similar

Re: [tcpdump-workers] windump options 4 writing in a *.txt file

2004-07-13 Thread Guy Harris
On Jul 13, 2004, at 12:44 PM, César Cárdenas wrote: It is possible to write raw packets in a *.txt file? That depends on what you mean by raw packets. Packet data is binary, so that wouldn't go into a .txt file. The packet data can be dumped in hex and/or ASCII, and that could be put into a text

Re: [tcpdump-workers] Changing filter condition dynamically works fine on Windows but fails on LINUX

2004-07-19 Thread Guy Harris
On Jul 19, 2004, at 6:57 AM, Alex Narinsky wrote: I need to change the filter condition dynamically. So I have another thread that changes filter expression. This code works fine on Windows changing the filter condition. On LINUX if I change a filter condition no packages come anymore through

Re: [tcpdump-workers] convert back to expression

2004-07-20 Thread Guy Harris
On Jul 20, 2004, at 1:32 AM, Li Ruzhen wrote: hi, whether i can use libpcap to optimize some complicate expressions and then conver the optimized result back to the expression format? If by expressions you mean filter expressions, no, you can't - there's no code that takes a BPF program (which is

Re: [tcpdump-workers] Errors in gencode.c building on HP-UX 11.11.

2004-07-20 Thread Guy Harris
On Jul 20, 2004, at 10:40 AM, [EMAIL PROTECTED] wrote: gcc -O2 -I. -DHAVE_CONFIG_H -D_U_=__attribute__((unused)) -c ./gencode.c In file included from gencode.c:73: pf.h:66: syntax error before sa_family_t Which version of libpcap is this? 0.8.3? And what are the contents of the

[tcpdump-workers] Building IPv6 code in tcpdump on systems without native IPv6 support

2004-07-21 Thread Guy Harris
I have some changes to support that. The main change is to add a union h6addr to tcpdump-stdinc.h, along with defintions of IN6_IS_ADDR_UNSPECIFIED, AF_INET6, and NI_MAXHOST if they're not defined. Some side-effects of this: 1) it defines DEFAULT_SNAPLEN as 96 unconditionally, rather

Re: [tcpdump-workers] Building tcpdump 3.8.3 undex Solaris 2.9

2004-07-21 Thread Guy Harris
On Tue, Jul 20, 2004 at 03:25:03PM -0400, Michael Richardson wrote: Guy == Guy Harris [EMAIL PROTECTED] writes: Guy Michael, should we put out a libpcap 0.8.4/tcpdump 3.8.4 Guy release with the fixes that have been added since then? I guess. Are there other things that should

Re: [tcpdump-workers] Tcpdump time discrepancy (vs ethereal/tcptrace)

2004-07-22 Thread Guy Harris
On Jul 22, 2004, at 1:47 PM, Aaron Mitchell wrote: I've noticed a peculiar behavior. Given the same hand-crafted dump file (with an intended time of 5:36 on Jan 1, 1970), tcpdump reports a time of 6:36 for default output, and a time of 10:36 when run with the - option (supposedly same time

Re: [tcpdump-workers] libpcap on AIX 5.2

2004-07-29 Thread Guy Harris
On Jul 29, 2004, at 1:11 PM, Lowrie, Tom wrote: Adding -lcfg along with -lodm solves my problem. Thanks for the push in the right direction. Next step will be to figure how to compile the libpcap source so that these libraries are included. The standard libpcap build procedure in the main CVS

Re: [tcpdump-workers] Better dumping of packets with bad TCP checksums?

2004-07-30 Thread Guy Harris
On Jul 30, 2004, at 10:14 AM, Greg Weiss wrote: Is there a way to command-line filter tcpdump so that only packets with bad TCP checksums are dumped? No. The BPF filtering mechanism can't handle it, as there's no way for it to compute a checksum, and the filtering mechanism is BPF-based. A

Re: [tcpdump-workers] advice for heavy traffic capturing

2004-08-08 Thread Guy Harris
On Mon, Aug 09, 2004 at 01:08:49AM +1000, Darren Reed wrote: In some email I received from Fulvio Risso, sie wrote: Darren, could you please give us some numbers? If you take a look at this paper: F. Risso, L. Degioanni An architecture for high performance network analysis

Re: [tcpdump-workers] 'tcpdump -s0' payload length limit?

2004-08-25 Thread Guy Harris
On Aug 25, 2004, at 11:05 AM, David Front wrote: 11:33:55.601653 IP lxfs5623.cern.ch.32962 lcgmon002d.cern.ch.12509: UDP, length: 1637 UDP, length: 1637 means that the *UDP* packet length is 1637 bytes. That doesn't mean that the *Ethernet* packet is 1637 bytes, as you note later: IP message

Re: [tcpdump-workers] 'tcpdump -s0' payload length limit?

2004-08-25 Thread Guy Harris
On Aug 25, 2004, at 11:09 AM, Guy Harris wrote: Note, however, that the reassembly is *NOT* done at the low-layer capture level, so a capture filter of port 12509 will only capture the first fragment of a fragmented datagram, and Ethereal and Tethereal will *NOT* be able to reassemble

Re: [tcpdump-workers] undesired promiscuous mode toggling

2004-08-26 Thread Guy Harris
On Aug 26, 2004, at 3:43 PM, Chris Reining wrote: I am running into an interesting promiscuous mode issue on Redhat Enterprise WS 3, kernel version 2.4.21, libpcap version 0.7.2 and tcpdump 3.7.2. The issue is unanticipated toggling of promisc state. I am running Snort version 2.1.2 which itself

Re: [tcpdump-workers] Bug Fix in tcpdump 3.8.3

2004-09-03 Thread Guy Harris
On Sep 3, 2004, at 3:48 AM, Sebastien Vincent wrote: So I made changes into ./tcpdump.c and it now works fine. Checked in. - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] performance considerations

2004-09-12 Thread Guy Harris
(Noise to trick the duplicate post recognize. Noise to trick the duplicate post recognizer. Pack my bag with five dozen liquor jugs.) Shaun wrote: Or get a DAG card? Not sure if they support FreeBSD though. http://www.endace.com/faq.htm#linux Q: Do you support any other operating systems

Re: [tcpdump-workers] compilation status of current (2004-09-13) on HP-UX 11.11

2004-09-13 Thread Guy Harris
On Sep 13, 2004, at 4:24 PM, Rick Jones wrote: For other nefarious porpoises I downloaded libpcap and tcpudmp currents on 2004-09-13 and did straight-up ./configure;make on HP-UX 11.11 (aka 11i v1) using the HP compiler. This system did not have the TOUR installed to get IPv6 functionality.

Re: [tcpdump-workers] compilation status of current (2004-09-13) on HP-UX 11.11

2004-09-13 Thread Guy Harris
On Sep 13, 2004, at 7:24 PM, rick jones wrote: thanks. the end goal is to look at NFS over TCP traffic where the traffic may have nfs messages split across segments, several in a segment, that sort of thing. If look at implies dissect as NFS, Ethereal or Tethereal might be the way to go (they

Re: [tcpdump-workers] performance considerations

2004-09-14 Thread Guy Harris
Shaun wrote: Or get a DAG card? Not sure if they support FreeBSD though. http://www.endace.com/faq.htm#linux Q: Do you support any other operating systems than Linux? Do you support BSD or Solaris? A: Linux is the primary platform for the DAG product range, with robust support. A device

Re: [tcpdump-workers] compilation status of current (2004-09-13)

2004-09-14 Thread Guy Harris
On Sep 14, 2004, at 10:33 AM, Rick Jones wrote: well, with the link in place, i did the make dist clean then the configure then the make and did get the duplicate symbols. so, here is the config.log ... configure:8312: checking for local pcap library configure:8420: result:

Re: [tcpdump-workers] compilation status of current (2004-09-13)

2004-09-14 Thread Guy Harris
On Sep 14, 2004, at 4:38 PM, Rick Jones wrote: no datalinks.o: LOCALSRC = print-smb.c smbutil.c GENSRC = version.c LIBOBJS = strlcat$U.o strlcpy$U.o strsep$U.o But you got duplicate symbol errors? What's the output of make? - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to

Re: [tcpdump-workers] possible pcap-bpf.c uname usage bug

2004-09-15 Thread Guy Harris
On Sep 15, 2004, at 12:37 AM, Matthew Luckie wrote: There is code in pcap-bpf.c to set the selectable fd to -1 if it is detected the OS is FreeBSD 4.3 or 4.4 I don't think the check actually successfully detects 4.3 or 4.4, as the osinfo.release parameter will have something like 4.3-RELEASE or

Re: [tcpdump-workers] Trace conversion.

2004-09-17 Thread Guy Harris
On Sep 17, 2004, at 3:20 PM, Paul Berube wrote: One question, though. I see h.m.s:ms, a.b.c.d.x:, and I'm wondering what the 'x' is? By the frequent occurences of 80, I'm guessing these are port numbers, but I'd like to be sure :) Yes. this won't work with icmp though... That's fine, I'm only

Re: [tcpdump-workers] final radiotap patch for tcpdump

2004-09-19 Thread Guy Harris
(Blah blah blah work around duplicate message detector blah blah blah someday I'll figure out if I can configure Thunderbird to know that all tcpdump-workers mail should come from my alum.mit.edu address blah blah blah.) David Young wrote: Here is support for radiotap, an extensible radio

Re: [tcpdump-workers] final radiotap patch for tcpdump

2004-09-19 Thread Guy Harris
(blah blah blah duplicate posts blah blah blah thunderbird blah blah blah multiple accounts blah blah blah) Guy Harris wrote: Looks good to me, at least for the top-of-tree (where we require that the platform support 64-bit integers, and where we define u_int64_t to be an unsigned 64-bit integer

Re: [tcpdump-workers] Wrong tcp sequence numbers???

2004-09-22 Thread Guy Harris
Claudio Lavecchia wrote: 3. How do you calculate size_ip? int size_ip = sizeof(struct sniff_ip); Do any of the packets have IP options? If so, then that's *not* the size of the IP header. You should get the IP header length from the header length/version field from the IP header (and should

Re: [tcpdump-workers] [PATCH] Add ioctl to disable bpf timestamping

2004-09-25 Thread Guy Harris
Matthew Luckie wrote: The motivation for this patch was to obtain something resembling the timestamp closest to when a packet I generated and transmitted hit the wire, to infer a more accurate RTT with an associated response packet. That's certainly a worthy goal, but the patch might not help

Re: [tcpdump-workers] x.9 branch

2004-10-11 Thread Guy Harris
On Sep 24, 2004, at 6:02 AM, Hannes Gredler wrote: any suggestion for a x.9 branch date ? what about 31-oct-04 ? Speaking of x.9 branch, should the VERSION files in libpcap and tcpdump change to 0.9-PRE-CVS and 3.9-PRE-CVS, respectively? - This is the tcpdump-workers list. Visit

Re: [tcpdump-workers] pcap_compile and tcpdump syntax

2004-10-13 Thread Guy Harris
(Blah blah blah defeat duplicate detector blah blah blah once again I forgot to send with my alum.mit.edu address in the from line blah blah blah Thunderbird blah blah blah time to pester Bugzilla.) Travis wrote: Is it not correct that pcap_compile takes in a filter program with tcpdump

Re: [tcpdump-workers] Buffer size question

2004-10-14 Thread Guy Harris
Gianluca Varenni wrote: ...like pcap_setbuff(), as implemented in WinPcap... ...and which I already know about. Unfortunately, given that, on systems with BPF, you cannot change the buffer size after a BPF device has been bound to a network interface, pcap_setbuff() is unimplementable on those

Re: [tcpdump-workers] Buffer size question

2004-10-15 Thread Guy Harris
On Oct 15, 2004, at 6:19 AM, Hannes Gredler wrote: shouldn't we have upper/lower boundary checks for such a buffer ? i.e. minbuffer 1.5K maxbuffer 128K I think the BPF kernel code in most of the BSDs already impose upper and lower bounds; are you suggesting that libpcap impose its own

Re: [tcpdump-workers] Newbie user question: Getting packets from

2004-09-27 Thread Guy Harris
(blah blah blah wrong from address blah blah blah duplicate message dissector blah blah blah time to see whether I can configure Thunderbird to automatically set the from address for tcpdump-workers messages blah blah blah) KEVIN ZEMBOWER wrote: www:~# tcpdump src host centernet.jhuccp.org and

Re: [tcpdump-workers] Newbie user question: Getting packets from

2004-09-27 Thread Guy Harris
KEVIN ZEMBOWER wrote: As you can see, I'm still getting packets from ns1.jhmi.edu on the DNS port. What does the command tcpdump -d src host centernet.jhuccp.org and \( ip proto \\tcp or \\udp \) print? If it helps, I'm using bash 2.05 on a Debian woody (stable, 3.0) distro running kernal

Re: [tcpdump-workers] Fw: new file format

2004-10-06 Thread Guy Harris
Sorry I didn't get around to this until now, but On Jul 30, 2004, at 1:09 PM, Gianluca Varenni wrote: There is another issue related to these block types. Fulvio's proposal: a shb (even corrupted by the ftp transfer) can begin with the following strings: \r\n\r\x1A - 1 reserved block type

Re: [tcpdump-workers] Buffer size question

2004-10-18 Thread Guy Harris
On Oct 18, 2004, at 3:04 PM, Alexander Dupuy wrote: Guy Harris writes: Unfortunately, given that, on systems with BPF, you cannot change the buffer size after a BPF device has been bound to a network interface, pcap_setbuff() is unimplementable on those systems, so it's not a candidate

Re: [tcpdump-workers] help needed for sniffer in c++

2004-10-05 Thread Guy Harris
akshar SNIFFER wrote: I am writing a sniffer in C++ , Then this is a question that belongs in the tcpdump-workers list, not the ethereal-dev list, so I'm redirecting it there. I have included the pcap.h header file .While compiling i get the following error

Re: [tcpdump-workers] Problem compiling tcpdump-3.8.3

2004-10-22 Thread Guy Harris
Gerard Beekmans wrote: tcpdump.o(.text+0x947): In function `main': : undefined reference to `pcap_debug' collect2: ld returned 1 exit status What does nm -o ../libpcap-0.8.3/libpcap.a | egrep pcap_dump print, and... Configure did check for, and found, pcap_debug: checking whether

Re: [tcpdump-workers] libpcap and select problem

2004-10-25 Thread Guy Harris
On Oct 25, 2004, at 1:27 PM, Ying Li wrote: Sometimes select() times out way too fast, like 0.0001 seconds while my timevar is set to 0.001 sec. Times out in the sense that retval is 0? On what OS are you doing this? - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to

Re: [tcpdump-workers] Can I excude a protocol?

2004-10-31 Thread Guy Harris
Pete Wilson wrote: I'm a new user of tcpdump, so please forgive these few amateur questions. 1. I need to look at SNMP traffic, so I issue: node2:/root#tcpdump udp host node1 or node2 or node3 tcpdump: 'udp' modifier applied to host UDP doesn't know about hosts - that's IP's responsibility.

Re: [tcpdump-workers] dealing with collisions, dropped packets

2004-11-01 Thread Guy Harris
Matt Van Mater wrote: Recently I've been investigating why tcpdump on my IDS shows quite a few packets as being dropped. Probably because it's receiving so many packets that it can't keep up. Drops, as reported by tcpdump, are drops due to the buffer in the packet capture mechanism overflowing

Re: [tcpdump-workers] Can I excude a protocol?

2004-11-01 Thread Guy Harris
On Oct 31, 2004, at 6:15 PM, Pete Wilson wrote: although do you want to exclude TCP or exclude everything but UDP (or exclude everything but port-161 and port-162 UDP traffic)? Well, since you ask :-) Yes, sure. Then that's where the If you want to see all UDP traffic to and from particular hosts

Re: [tcpdump-workers] Question about promiscuous mode

2004-11-01 Thread Guy Harris
(Blah blah blah once again I forgot to set the from line yes I know I should set up my sonic address as an alias but if I sent from my mit address replies get to me at work and at home so I can respond from either site blah blah blah.) Kathy Chen wrote: I want to know in what situations the

Re: [tcpdump-workers] Question about promiscuous mode

2004-11-01 Thread Guy Harris
(Blah blah blah oops I did it again blah blah blah avoid duplicate message detection blah blah blah.) Kathy Chen wrote: I want to know in what situations the machine's network is set to promiscuous mode. It's put into promiscuous mode if an application requests that the interface be put into

Re: [tcpdump-workers] Question about pcap_next()

2004-11-01 Thread Guy Harris
(Blah blah blah another wrong from line blah blah blah avoid the duplicate message detector blah blah blah.) Kathy Chen wrote: When I call u_char *packet = pcap_next(handle, header); I can get the packet length value, but I can't really get the packet data (Using printf(..., packet)). The

Re: [tcpdump-workers] Radius

2004-11-16 Thread Guy Harris
On Nov 16, 2004, at 1:08 PM, jesk wrote: in some auth-replies iam missing some attributes but instead of them i can see at the end of a tcpdump line the following: [|radius] what does this exactly mean? It probably means that either 1) the RADIUS packet didn't fit in a single link-layer packet

Re: [tcpdump-workers] Sniffing ranges of ips

2004-11-19 Thread Guy Harris
Alexander Dupuy wrote: Note also that there is a bug in the libpcap BPF optimizer (as of 0.8.3) that breaks the hack described above, Try it with the top-of-tree CVS version; I've made some optimizer fixes that will, I think, fix this. However, the libpcap 0.7 optimizer not only generates

Re: [tcpdump-workers] pcap_offline_read() fix

2004-11-30 Thread Guy Harris
On Nov 27, 2004, at 10:31 PM, Dug Song wrote: a program which changes the filter for its pcap handle at runtime with pcap_compile/setfilter() will abort when operating on a savefile, due to this dangling ptr reference in pcap_offline_read(): Checked in. - This is the tcpdump-workers list. Visit

Re: [tcpdump-workers] Promiscuous mode and BPF filters?

2004-12-01 Thread Guy Harris
On Dec 1, 2004, at 7:53 AM, Claudio Lavecchia wrote: I have two laptops (say A and B) that have 802.11 wireless cards. I am developing some application that essentially perform sniffing functions using wireless cards in promiscuous mode. To test my code, I need those two laptops not to see each

Re: [tcpdump-workers] loopback interface and byte order

2004-12-01 Thread Guy Harris
On Dec 1, 2004, at 3:31 PM, Robert Lowe wrote: In testing a small app using libpcap, I noticed differences in behaviour when using the loopback interface vs. using a hardware interface. In particular, it seems the packets coming in over the loopback interface are still in host byte order

Re: [tcpdump-workers] loopback interface and byte order

2004-12-02 Thread Guy Harris
Robert Lowe wrote: Well, I was reporting this from memory. Let me back up a bit. When I first looked at pcap, I went through Tim Carsten's tutorial, referenced from the tcpdump.org website. Using that code (sniffer.c) on Linux with a downed eth0 i/f (forcing the dev to any) results in very

Re: [tcpdump-workers] what does tcpdump record files' header D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 means

2004-12-02 Thread Guy Harris
On Dec 2, 2004, at 6:25 PM, ~{Ir;*AV~} wrote: what does the 10 bytes mean~{#?~} The file header is 24 bytes long, not 10 bytes long. The first 4 bytes are a 4-byte magic number, with a value that's either 0xa1b2c3d4 or 0xd4c3b2a1. If it's 0xa1b2c3d4, all the other fields in the file header, and

Re: [tcpdump-workers] what does tcpdump record files' header D4

2004-12-03 Thread Guy Harris
wrote: Can u tell me something about your new capture file format? See http://www.tcpdump.org/pcap/pcap.html - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Listening on multiple devices in promiscous mode

2004-12-06 Thread Guy Harris
On Dec 6, 2004, at 2:07 AM, Peter Sandford wrote: I need to capture from 2 interfaces on a machine in promiscuous mode. This is because we are routing a copy of 2 load balanced streams onto a box for monitoring. I'm aware it isn't possible (?) to listen on any with a pcap_open_live in promiscuous

Re: [tcpdump-workers] DLT_ request

2004-12-07 Thread Guy Harris
marc hermstein wrote: I would like to request a DLT_ number for usage with raw GPRS LLC frames (DLT_GPRS_LLC). On a mobile, this is an output format that some loggers use. Having it defined as a possible link-layer type would allow me to have the GPRS_LLC dissector in ethereal register with that

Re: [tcpdump-workers] DLT_ request

2004-12-07 Thread Guy Harris
On Dec 6, 2004, at 9:16 AM, marc hermstein wrote: I would like to request a DLT_ number for usage with raw GPRS LLC frames (DLT_GPRS_LLC). On a mobile, this is an output format that some loggers use. Loggers in what sense? - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to

Re: [tcpdump-workers] DLT_ request

2004-12-08 Thread Guy Harris
marc hermstein wrote: When developing a handset, some manufacturers dump debugging data from the protocol stack out the serial port on the bottom of the handset. This is what I meant by a logger. So you'll be writing, or have written, a piece of code that reads from the serial port and writes to

Re: [tcpdump-workers] request for new type

2004-12-09 Thread Guy Harris
Dumas Hwang wrote: I would like to request two new link layer types for Generic Framing Procedure (DLT_GFP_T and DLT_GFP_F). Thank you. OK, DLT_GPF_T is 170 and DLT_GPF_F is 171. - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] some problem in the source code

2004-12-09 Thread Guy Harris
aman Reddy wrote: But when I assign either eth0 or eth1 is working fine , I am able to capture correct packets: But I fail to understand why I am getting corrupt packets if any or NULL is set You're *not* getting corrupt packets. You're getting packets that don't have an Ethernet header on them,

Re: [tcpdump-workers] nanosecond timestamp

2004-12-09 Thread Guy Harris
On Dec 9, 2004, at 12:48 PM, Dumas Hwang wrote: I would like to get nanosecond resolution on Solaris in libpcap. What's the best way to go about it? I suppose it's not a good idea to change struct timeval ts in pkthdr to timespec. That would be an amazingly bad idea (and it was an

Re: [tcpdump-workers] nanosecond timestamp

2004-12-09 Thread Guy Harris
On Dec 9, 2004, at 12:48 PM, Dumas Hwang wrote: I would like to get nanosecond resolution on Solaris in libpcap. BTW, where are you getting the nanosecond-resolution time stamps in Solaris? - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Usage of pcap_open_live argument to_ms

2004-12-09 Thread Guy Harris
On Dec 9, 2004, at 1:09 PM, Robert Lowe wrote: to_ms specifies the read timeout in milliseconds. The read timeout is used to arrange that the read not necessarily return immediately when a packet is seen, but that it wait for some amount of time to allow more packets to arrive and to read multiple

  1   2   3   4   5   6   7   8   9   10   >