Re: [tcpdump-workers] aclocal.m4 and openssl

2004-04-05 Thread Guy Harris
On Sat, Apr 03, 2004 at 05:44:55PM -0500, Michael Richardson wrote: It appears that we don't really do the right with: ./configure --with-crypto=/path ./configure --with-openssl=/path ./configure --with-ssleay=/path (I'm uncertain which of these is right) --with-openssl and

Re: [tcpdump-workers] proposed new pcap format

2004-04-06 Thread Guy Harris
On Apr 5, 2004, at 10:39 PM, Ryan Mooney wrote: What about adding the concept of arbitrary meta-packets that can sit anywhere in the capture stream. These could be used to encode comments, and other meta-data. In Michael Richardson's proposal, a capture file is a sequence of records, each of

Re: [tcpdump-workers] libpcap pcap_sendpacket support across platforms.

2004-04-07 Thread Guy Harris
On Tue, Mar 23, 2004 at 04:56:43PM -0800, Mark Pizzolato wrote: I wonder where the sendto() stuff is really necessary. The simple send() worked for us on RH 7.3-Fedora Core1 on Intel. And RH 6.2 on Sparc, and numerous other linux environments. We've never gotten a complaint send()

Re: [tcpdump-workers] bpf/pcap performance

2004-04-12 Thread Guy Harris
On Apr 12, 2004, at 5:07 PM, Guy Harris wrote: ...which would require that pcap_pkthdr be changed to begin with a struct pcap_timeval. If it's OK to, on platforms where, for example, ts_sec is 64 bits, break binary compatibility with applications dynamically linked with libpcap, we could do

Re: [tcpdump-workers] bpf/pcap performance

2004-04-14 Thread Guy Harris
(Noise inserted in the hopes that the mailing list software doesn't think that this is a duplicate of my previous message, which I sent from my sonic.net address and which thus didn't get through, and thus prevent it from getting to the list.) On Wed, Apr 14, 2004 at 12:30:45PM +1000, Darren

Re: [tcpdump-workers] List management

2004-04-14 Thread Guy Harris
On Wed, Apr 14, 2004 at 02:13:54PM -0400, Jefferson Ogata wrote: So now I have these questions: One more issue: At least at one point, postings with more than 2048 bytes of mail headers were rejected - but that includes Received: headers, which means that if you have too

Re: [tcpdump-workers] List management

2004-04-14 Thread Guy Harris
On Apr 14, 2004, at 11:23 AM, Guy Harris wrote: One more issue: At least at one point, postings with more than 2048 bytes of mail headers were rejected - but that includes Received: headers, which means that if you have too many mail routers you might be unable

Re: [tcpdump-workers] Proposed new pcap format

2004-04-14 Thread Guy Harris
On Apr 14, 2004, at 12:06 AM, Jefferson Ogata wrote: Additional protocol dissectors for protocols unknown to tcpdump/tethereal could be written in any language with XML support (preferably event-based). In fact, many protocol analyzers could be written directly in XSLT/XPath and processed

Re: [tcpdump-workers] pcap filter for 802.11

2004-04-16 Thread Guy Harris
On Apr 16, 2004, at 3:01 AM, Chen Hsia Lee wrote: I have just started using libpcap and am still unfamiliar with it. What is the filter expression to pick up only wireless 802.11 packets? If you're capturing on an 802.11 interface, by definition all the packets you will get are wireless

Re: [tcpdump-workers] Proposed new pcap format

2004-04-21 Thread Guy Harris
On Tue, Apr 20, 2004 at 06:16:48PM -0700, Michael Richardson wrote: Darren btw, is it at all easily possible to get the 802.3 checksum Darren into captured data ? On some OSes you ask for that. Not on BSD AFAIK, yes, with PF_PACKET on Linux. Some BSDs give it to you, at least for

Re: [tcpdump-workers] IPv6 dependency

2004-04-29 Thread Guy Harris
On Apr 29, 2004, at 4:05 PM, Michael Richardson wrote: Okay, it has been years since I was on a v6-crippled system, so I didn't know that we weren't OS independent. Can we extract some in6_addr code from one of the BSDs and include that if we need it? That might work - one concern would be a

Re: [tcpdump-workers] pcap_stats

2004-05-21 Thread Guy Harris
On Fri, May 21, 2004 at 02:06:57AM -0700, Guy Harris wrote: The DLPI code should *probably* add the dropped-packet count to the packets-received count, so as to reduce the differences between statistics (although it doesn't eliminate them - the right long-term fix is probably to introduce

Re: [tcpdump-workers] single packet capture time w/pcap vs. recvfrom()

2004-05-25 Thread Guy Harris
On May 23, 2004, at 6:37 PM, Brandon Stafford wrote: I'm writing a server that captures UDP packets and, after some manipulation, sends the data out the serial port. Right now, I'm using recvfrom(), but it takes 20 ms to execute for each packet captured. I know that tcpdump can capture

Re: [tcpdump-workers] savefile.c patch

2004-05-26 Thread Guy Harris
On May 26, 2004, at 1:55 AM, Gisle Vanem wrote: I feel it's high time we cleanup some of the sources. I'd start with savefile.c. Currently it doesn't work for offline data from stdin. --gv --- libpcap-2004.05.20/savefile.c Tue Mar 23 21:18:08 2004 +++ savefile.c Wed Mar 24 16:29:06 2004 @@

Re: [tcpdump-workers] savefile.c patch

2004-05-26 Thread Guy Harris
On May 26, 2004, at 2:35 PM, Guy Harris wrote: Also, that means that if it's writing to the standard output it won't do a setbuf() even on Windows. ...which, of course, it isn't doing now, either - but now writing to the standard output won't work right on Windows as it's writing in text mode

Re: [tcpdump-workers] Various diffs for more complete LDP decoding

2004-05-27 Thread Guy Harris
On May 27, 2004, at 11:04 AM, [EMAIL PROTECTED] wrote: Below are patches to perform significantly more complete LDP decoding. Checked in, with an unused variable removed, and with declarations of decode_prefix{4,6}() put into a decode_prefix.h header included by print-bgp.c and print-ldp.c. -

Re: [tcpdump-workers] savefile.c patch

2004-05-27 Thread Guy Harris
On May 27, 2004, at 5:22 AM, Gisle Vanem wrote: Since pcap_dump_close() doesn't have a pcap_t argument, where should the oldmode come from? Can we have two module globals; oldmode_stdin, oldmode_stdout, assuming stdin/stdout won't be opened for capture more than once? If it's opened for capture or

Re: [tcpdump-workers] How to extract the source name field data of

2004-05-28 Thread Guy Harris
On May 27, 2004, at 11:56 PM, Jun-ichiro itojun Hagino wrote: Yes I am doing live capturing, but all that I am interested in is the 16 byte Source Name field (Name to Add). I want to include the tcpdump command in my perl program so that I can make further processing on the data of that field.

Re: [tcpdump-workers] pcab and libpcap differences?

2004-05-31 Thread Guy Harris
On Mon, May 31, 2004 at 03:45:04PM +0800, Bassam A. Al-Khaffaf wrote: As introduction for me to learn the network programming, anyone can tell me what is the difference between the pcap and libpcap? The letters l, i, and b. :-) The name of the library is libpcap; sometimes people might just

Re: [tcpdump-workers] Are all traces captured by dag card in tcpdump

2004-06-04 Thread Guy Harris
On Jun 4, 2004, at 9:32 AM, ice ice wrote: Yes, I should say that the trace file is in pcap format. 20020814-09-0-anon.pcap.gz: tcpdump capture file (little-endian) - version 2.4 (BSD/OS Cisco HDLC, capture length 48) So I couldn't assume the 48-byte header is the normal IP+whatever header

Re: [tcpdump-workers] Are all traces captured by dag card in tcpdump

2004-06-04 Thread Guy Harris
On Jun 4, 2004, at 1:09 PM, ice ice wrote: here is more information about tcpdump's output: % tcpdump -c 5 -n tcp -r 20020814-09-0-anon.pcap.gz 11:00:00.58 69.245.49.10.2082 > 143.173.237.247.1214: . 2133229289:2133230749(1460) ack 6821225 win 17188 (DF) 11:00:00.69

Re: [tcpdump-workers] Linktype needed

2004-06-05 Thread Guy Harris
Martin Angler said: my name is Martin Angler and I am developing a BACnet MS/TP - enabled netdevice-driver under GNU/Debian Linux. Now I've seen that there is no linktype that specifies BACnet MS/TP. So I wanted to ask whether you could define/implement a corresponding linktype. I infer from

Re: [tcpdump-workers] Unexpected primitive ack DL_UNITDATA_IND

2004-06-09 Thread Guy Harris
On Jun 9, 2004, at 1:27 PM, Rick Jones wrote: Does it always happen or just sometimes? A DL_UNITDATA_IND is basically saying Hi there, here is a packet in DLPI speak. It looks like the stream is sending one of those up to the application when libpcap isn't expecting it. In fact, it's sending

Re: [tcpdump-workers] Unexpected primitive ack DL_UNITDATA_IND

2004-06-09 Thread Guy Harris
On Jun 9, 2004, at 1:58 PM, Rick Jones wrote: On the surface I wouldn't think so - simply attaching to a PPA I don't think means traffic could arrive - however, if one has attached, and then binds to a SAP, then traffic could indeed start arriving. (Ill-informed guesstimation, and hopefully I'm

Re: [tcpdump-workers] Unexpected primitive ack DL_UNITDATA_IND

2004-06-09 Thread Guy Harris
On Jun 9, 2004, at 2:55 PM, Rick Jones wrote: Guy Harris wrote: Well, we *are* doing an info request after binding, so perhaps it might happen then. I'm not sure why we're doing that; it dates back to libpcap 0.4. Do you know of any reason why the dl_mac_type from an info request before

Re: [tcpdump-workers] timeout in linux

2004-06-14 Thread Guy Harris
On Jun 14, 2004, at 7:11 AM, fcarone wrote: Hello! I'm new in programming with libpcap and I'm using libpcap 0.8.3, and I'd like to know if the timeout works in linux RH9 kernel 2.4.20. No, it does not. The timeout is passed on to the underlying OS's packet capture mechanism, if it supports a

Re: [tcpdump-workers] pcap range no worky on ppc? (e.g. udp[2:2] = 137 udp[2:2] = 139)

2004-06-17 Thread Guy Harris
On Thu, Jun 17, 2004 at 03:19:40PM +1000, Ben Low wrote: I attempted to use the following expression to filter netbios stuff: udp[2:2] = 137 udp[2:2] = 139 However this expression only captures port 137 packets on my two Power PC machines: - linux 2.4.18 ppc (debian) tcpdump

Re: [tcpdump-workers] TCPDUMP filter for multicast

2004-06-19 Thread Guy Harris
(I'm on tcpdump-workers, so there's no need to send mail to me *and* tcpdump-workers; if you have a question, it's better to ask tcpdump-workers than to ask only me.) On Sat, Jun 19, 2004 at 10:07:17PM -0400, Ernest L. Williams Jr. wrote: Could you tell me a tcpdump filter that only gives

Re: [tcpdump-workers] libpcap problems

2004-06-22 Thread Guy Harris
On Jun 22, 2004, at 8:45 AM, Bowser Jason S Contr AFRL/IFTA wrote: I am writing some software that forks multiple processes on a unix machine (IRIX); however, when I have each child start the pcap_loop, when I get to the 4th child and beyond I get the following error: pcap_open_live snoop bind: Cant

Re: [tcpdump-workers] Web page needs updating

2004-06-22 Thread Guy Harris
On Jun 22, 2004, at 8:48 AM, Eddie Kohler wrote: The www.tcpdump.org section on mailing lists needs updating -- sending mail to '[EMAIL PROTECTED]' results in an error; it looks like the address has changed to '[EMAIL PROTECTED]'. I've checked in a change to replace @tcpdump.org with

Re: [tcpdump-workers] text format stability

2004-06-25 Thread Guy Harris
On Jun 25, 2004, at 2:21 PM, Christian Kreibich wrote: an XML based tcpdump output would be great in the long term -- it would certainly eliminate a lot of parsing ambiguity. Yes - the problem with the traditional UNIX "the output of one program should be usable as input to another program" idea is

Re: [tcpdump-workers] Corrupt files

2004-06-25 Thread Guy Harris
On Jun 25, 2004, at 4:34 PM, Xavier Brouckaert wrote: Could it happen because there are several applications using libpcap at the same time ? Not if they're writing to different files. There's no data that would be shared by all libpcap-using processes on a given machine. If multiple

[tcpdump-workers] 3-clause vs. 4-clause BSD license for {libp,WinP}cap and {tcpd,WinD}ump

2004-06-28 Thread Guy Harris
On Jun 28, 2004, at 1:21 PM, [EMAIL PROTECTED] wrote: We would like to include WinPcap and WinDump on the Windows Toolbox compilation of software but your licencing restrictions present a problem. The clause we have difficulty with in particular is this: all advertising materials mentioning

Re: [tcpdump-workers] linux pcap blocking and cpu utilization

2004-06-28 Thread Guy Harris
On Jun 28, 2004, at 12:10 PM, four wrote: Here is the situation: I am trying to build a simple bridging program. If I use pcap_set_nonblock() the function call returns fine, but the program ends up using 100% cpu utilization, presumably because it is simply looping and returning with no packets

Re: [tcpdump-workers] Libpcap and Super User mode

2004-06-30 Thread Guy Harris
On Jun 30, 2004, at 10:00 AM, Jefferson Ogata wrote: More specifically, you can use libpcap as any user. On most systems, you have to be root, however, to monitor traffic on a network interface. I.e., you can use libpcap to read a capture file as any user (if that user has permission to read

Re: [tcpdump-workers] text format stability

2004-06-30 Thread Guy Harris
On Jun 30, 2004, at 12:58 PM, Michael Richardson wrote: How widespread is PDML? Tethereal and Ethereal can generate it; I presume the intent is to have Analyzer 3.0 generate it as well, given that it was invented by the Politecnico di Torino folks. (I don't see anything immediately obvious

Re: [tcpdump-workers] text format stability

2004-07-01 Thread Guy Harris
On Thu, Jul 01, 2004 at 07:34:44AM +0200, Fulvio Risso wrote: Ethereal is able to produce PDML output (although it uses a slightly modified dialect of PDML). What are the modifications? (Note that one problem is that PDML's field names come from the NetPDL specification for the protocol - this

Re: [tcpdump-workers] PCAP - IP Fragments

2004-07-01 Thread Guy Harris
On Jul 1, 2004, at 2:50 AM, [EMAIL PROTECTED] wrote: tcpdump doesn't have any specific facility to handle fragmented packets, as far as I know (it cannot reassemble the fragments). That capability could be added (Ethereal supports it), although, if provided, it should be an option (as reassembly

Re: [tcpdump-workers] jump to a packet flag

2004-07-01 Thread Guy Harris
On Jul 1, 2004, at 12:18 PM, alex medvedev wrote: this, however, does not work well with relative seq numbers in tcp packets [maybe smth else too?]. Anything that maintains and uses state information between packets wouldn't work. However, what could be done would be something that still runs

Re: [tcpdump-workers] patch for print-ppp.c

2004-07-06 Thread Guy Harris
On Jul 5, 2004, at 3:13 AM, Darren Reed wrote: Looks better if it's compressed PPP data :) Checked in, with compressed PPP data - and with another change to use ppptype2str[] in the default case. - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] core dump with PPP messages 1 byte long.

2004-07-06 Thread Guy Harris
On Jul 5, 2004, at 4:51 AM, Darren Reed wrote: If ppp_hdlc() is called with length 2, bad things happen. Should it be called *at all* from handle_ppp()? Or, if this is really just HDLC-over-L2TP, in which case it should be called directly from t

Re: [tcpdump-workers] core dump with PPP messages 1 byte long.

2004-07-07 Thread Guy Harris
On Wed, Jul 07, 2004 at 04:21:39PM +1000, Darren Reed wrote: IP 1.1.1.1.1701 > 2.2.2.2.1701: l2tp:[TLS](24460/3222)Ns=23239,Nr=647 *MSGTYPE(ICCN) *TX_CONN_SPEED(156000) *FRAMING_TYPE(A) *VENDOR0c7f:ATTR0066(00) RX_CONN_SPEED(156000) I'm not sure what the framing

Re: [tcpdump-workers] LLC protocol, ethereal and pcap libraries get along togheter?

2004-07-07 Thread Guy Harris
On Jul 7, 2004, at 10:44 AM, Claudio Lavecchia wrote: Writing a packet dissector based on pcap libraries on Linux and using it to sniff traffic going through a WLAN (dell truemobile 1150 with orinoco driver) card I noticed a really strange behaviour. The card is set in promiscuous mode, and I

Re: [tcpdump-workers] Bad TCP header len question

2004-07-08 Thread Guy Harris
On Thu, Jul 08, 2004 at 11:38:33AM +0200, rmkml wrote: Possible add detect tcp header len pb in tcpdump ? I've added those checks to the x.8 and main branches in the tcpdump CVS tree.

Re: [tcpdump-workers] error-message IP11 truncated-ip in last tcpdump/libpcap

2004-07-12 Thread Guy Harris
On Mon, Jul 12, 2004 at 03:13:33PM +0200, Klaus Schrod wrote: Does anybody have any idea why we still get this error? Because, for whatever reason, the dissector for the protocol atop which the purported IP traffic is running thinks it's IP even though it isn't? (The version field has 11, not 4

Re: [tcpdump-workers] error-message IP11 truncated-ip in last tcpdump/libpcap

2004-07-13 Thread Guy Harris
On Jul 13, 2004, at 7:56 AM, Klaus Schrod wrote: Again our situation: Two computers connected to the net, one (lion) with a fixed ip address and one (styx) with pppoe. We established an ipsec tunnel between them successfully. tcpdump showed an error in the ESP traffic between styx and lion. But

Re: [tcpdump-workers] error-message IP11 truncated-ip in last tcpdump/libpcap

2004-07-13 Thread Guy Harris
On Jul 13, 2004, at 11:51 AM, Guy Harris wrote: whereas the traffic from 62.225.140.214 to 217.234.111.121 has Linux cooked capture IP with a protocol type of IP-inside-IP IP (with a bogus version number of 3 and a bogus header length of 8) The second capture is similar

Re: [tcpdump-workers] windump options 4 writing in a *.txt file

2004-07-13 Thread Guy Harris
On Jul 13, 2004, at 12:44 PM, César Cárdenas wrote: It is possible to write raw packets in a *.txt file? That depends on what you mean by raw packets. Packet data is binary, so that wouldn't go into a .txt file. The packet data can be dumped in hex and/or ASCII, and that could be put into a text

Re: [tcpdump-workers] Changing filter condition dynamically works fine on Windows but fails on LINUX

2004-07-19 Thread Guy Harris
On Jul 19, 2004, at 6:57 AM, Alex Narinsky wrote: I need to change the filter condition dynamically. So I have another thread that changes filter expression. This code works fine on Windows changing the filter condition. On LINUX if I change a filter condition no packages come through anymore

Re: [tcpdump-workers] Building tcpdump 3.8.3 undex Solaris 2.9

2004-07-20 Thread Guy Harris
On Tue, Jul 20, 2004 at 09:50:01PM +1000, [EMAIL PROTECTED] wrote: I have had a problem building tcpdump 3.8.3 under Solaris 2.9. Unable to build inet_aton.o.o I changed configure and removed .o from the inet_anon.o${ac} line and was able to perform a compile. I was not able to get

Re: [tcpdump-workers] convert back to expression

2004-07-20 Thread Guy Harris
On Jul 20, 2004, at 1:32 AM, Li Ruzhen wrote: hi, whether I can use libpcap to optimize some complicated expressions and then convert the optimized result back to the expression format? If by expressions you mean filter expressions, no, you can't - there's no code that takes a BPF program (which is

Re: [tcpdump-workers] Errors in gencode.c building on HP-UX 11.11.

2004-07-20 Thread Guy Harris
On Jul 20, 2004, at 10:40 AM, [EMAIL PROTECTED] wrote: gcc -O2 -I. -DHAVE_CONFIG_H -D_U_=__attribute__((unused)) -c ./gencode.c In file included from gencode.c:73: pf.h:66: syntax error before sa_family_t Which version of libpcap is this? 0.8.3? And what are the contents of the

[tcpdump-workers] Building IPv6 code in tcpdump on systems without native IPv6 support

2004-07-21 Thread Guy Harris
I have some changes to support that. The main change is to add a union h6addr to tcpdump-stdinc.h, along with definitions of IN6_IS_ADDR_UNSPECIFIED, AF_INET6, and NI_MAXHOST if they're not defined. Some side-effects of this: 1) it defines DEFAULT_SNAPLEN as 96 unconditionally, rather

Re: [tcpdump-workers] Building tcpdump 3.8.3 undex Solaris 2.9

2004-07-21 Thread Guy Harris
On Tue, Jul 20, 2004 at 03:25:03PM -0400, Michael Richardson wrote: Guy == Guy Harris [EMAIL PROTECTED] writes: Guy Michael, should we put out a libpcap 0.8.4/tcpdump 3.8.4 Guy release with the fixes that have been added since then? I guess. Are there other things that should

Re: [tcpdump-workers] additional HP-UX 11.11 HP ANSI C triggered cleanup.

2004-07-21 Thread Guy Harris
On Jul 21, 2004, at 2:16 PM, Rick Jones wrote: First was print-esp.c - it was warning in three places about an integer being converted to a pointer with the return value of strsep. There is no strsep in HP-UX, and it seems that interface.h deals with that, but print-esp.c was not including

Re: [tcpdump-workers] 64-bit warnings for july 22 libpcap. no July 22 tcpdump-current?

2004-07-22 Thread Guy Harris
On Jul 22, 2004, at 10:29 AM, Rick Jones wrote: cc: pcap-dlpi.c, line 376: LP64 migration warning 720: Argument #3 may overflow integer. } ret = dlrawdatareq(p->send_fd, buf, size); I guess that one depends on how large size is likely to get. ...and changing the third argument to

Re: [tcpdump-workers] how pcap filter string works?

2004-07-22 Thread Guy Harris
On Jul 22, 2004, at 1:13 PM, Hu Thomas Pan wrote: Still not work. No data comes into my callback function. But tcpdump, with the same filter, shows packets? We'd have to see the source to your program to figure out what the problem is.

Re: [tcpdump-workers] Tcpdump time discrepancy (vs ethereal/tcptrace)

2004-07-22 Thread Guy Harris
On Jul 22, 2004, at 1:47 PM, Aaron Mitchell wrote: I've noticed a peculiar behavior. Given the same hand-crafted dump file (with an intended time of 5:36 on Jan 1, 1970), tcpdump reports a time of 6:36 for default output, and a time of 10:36 when run with the - option (supposedly same time

Re: [tcpdump-workers] Only SYN

2004-07-22 Thread Guy Harris
On Jul 22, 2004, at 9:10 AM, César Cárdenas wrote: I am trying: windump -i 2 'tcp[13]2==2' It recognizes the interface but still there doing nothing... I assume from the -i 2 that you have more than one interface on your machine. What happens if you try to connect from the machine running

Re: [tcpdump-workers] Tcpdump time discrepancy (vs ethereal/tcptrace)

2004-07-23 Thread Guy Harris
On Thu, Jul 22, 2004 at 09:21:36PM -0400, Michael Richardson wrote: Guy == Guy Harris [EMAIL PROTECTED] writes: Guy If that's still valid, we should probably have it set Guy thiszone to gmt2local(time stamp of first packet) after Guy reading, but before processing, the first

Re: [tcpdump-workers] new file format

2004-07-26 Thread Guy Harris
On Jul 23, 2004, at 11:57 AM, Gianluca Varenni wrote: If the file is transfered from win to unix in ASCII mode, the file should become \n\n\r .. In this case we recognize the first three characters \n\n\r, try to convert the first 12 bytes from unix-ascii to win-ascii, and check the

Re: [tcpdump-workers] additional boundary check necessary in MLDv2 packet parsing

2004-07-28 Thread Guy Harris
On Jul 28, 2004, at 12:59 AM, SUZUKI Shinsuke wrote: Here's a patch to properly check buffer boundary in MLDv2 packet parsing. Checked into the main and x.8 branches.

Re: [tcpdump-workers] libpcap on AIX 5.2

2004-07-29 Thread Guy Harris
On Jul 29, 2004, at 1:11 PM, Lowrie, Tom wrote: Adding -lcfg along with -lodm solves my problem. Thanks for the push in the right direction. Next step will be to figure how to compile the libpcap source so that these libraries are included. The standard libpcap build procedure in the main CVS

Re: [tcpdump-workers] Better dumping of packets with bad TCP checksums?

2004-07-30 Thread Guy Harris
On Jul 30, 2004, at 10:14 AM, Greg Weiss wrote: Is there a way to command-line filter tcpdump so that only packets with bad TCP checksums are dumped? No. The BPF filtering mechanism can't handle it, as there's no way for it to compute a checksum, and the filtering mechanism is BPF-based. A

Re: [tcpdump-workers] advice for heavy traffic capturing

2004-08-08 Thread Guy Harris
On Mon, Aug 09, 2004 at 01:08:49AM +1000, Darren Reed wrote: In some email I received from Fulvio Risso, sie wrote: Darren, could you please give us some numbers? If you take a look at this paper: F. Risso, L. Degioanni An architecture for high performance network analysis

Re: [tcpdump-workers] advice for heavy traffic capturing

2004-08-08 Thread Guy Harris
On Sun, Aug 08, 2004 at 08:29:33AM +0200, Fulvio Risso wrote: If you take a look at this paper: F. Risso, L. Degioanni An architecture for high performance network analysis http://ieeexplore.ieee.org/iel5/7446/20240/00935450.pdf?tp=arnumber=935450;

Re: [tcpdump-workers] advice for heavy traffic capturing

2004-08-08 Thread Guy Harris
Also, speaking of capture speed and memory-mapped devices, there was a freebsd-hackers thread discussing a netgraph module providing memory-mapped access to captured packets: http://docs.FreeBSD.org/cgi/mid.cgi?20040614124708.A22679 and other messages with the subject memory mapped

Re: [tcpdump-workers] advice for heavy traffic capturing

2004-08-08 Thread Guy Harris
On Mon, Aug 09, 2004 at 12:21:18PM +1000, Darren Reed wrote: I did some similar work for bpf mmap with NetBSD. Yes, I saw those. The guy doing the FreeBSD work appears to be claiming that he dropped fewer packets with his mapped access, but that might just be a result of not time-stamping

Re: [tcpdump-workers] mac os x buffering packets?

2004-08-09 Thread Guy Harris
On Aug 7, 2004, at 12:41 PM, Carter Bullard wrote: On mac os x 10.3.4, using libpcap-0.8.3, opening pcap with pcap_open_live(dev, 96, 1, 1000, errbuf) and reading packets with pcap_loop (pd, 1, callback, user), packets are queued until some magic number (looks to be 200) of packets is reached,

Re: [tcpdump-workers] localhost on Solaris

2004-08-24 Thread Guy Harris
ury segal wrote: OK... Assuming I insist on enabling localhost sniffing on Solaris to the benefit of all: You might want to rephrase that as "insist on *attempting* to enable..." - there's no guarantee that you'll succeed, no matter how beneficial it'd be, as the Solaris networking code might not

Re: [tcpdump-workers] 'tcpdump -s0' payload length limit?

2004-08-25 Thread Guy Harris
On Aug 25, 2004, at 11:05 AM, David Front wrote: 11:33:55.601653 IP lxfs5623.cern.ch.32962 > lcgmon002d.cern.ch.12509: UDP, length: 1637 "UDP, length: 1637" means that the *UDP* packet length is 1637 bytes. That doesn't mean that the *Ethernet* packet is 1637 bytes, as you note later: IP message

Re: [tcpdump-workers] 'tcpdump -s0' payload length limit?

2004-08-25 Thread Guy Harris
On Aug 25, 2004, at 11:09 AM, Guy Harris wrote: Note, however, that the reassembly is *NOT* done at the low-layer capture level, so a capture filter of port 12509 will only capture the first fragment of a fragmented datagram, and Ethereal and Tethereal will *NOT* be able to reassemble

Re: [tcpdump-workers] undesired promiscuous mode toggling

2004-08-26 Thread Guy Harris
On Aug 26, 2004, at 3:43 PM, Chris Reining wrote: I am running into an interesting promiscuous mode issue on Redhat Enterprise WS 3, kernel version 2.4.21, libpcap version 0.7.2 and tcpdump 3.7.2. The issue is unanticipated toggling of promisc state. I am running Snort version 2.1.2 which itself

Re: [tcpdump-workers] Bug Fix in tcpdump 3.8.3

2004-09-03 Thread Guy Harris
On Sep 3, 2004, at 3:48 AM, Sebastien Vincent wrote: So I made changes into ./tcpdump.c and it now works fine. Checked in.

Re: [tcpdump-workers] [PATCH] Add ioctl to disable bpf timestamping

2004-09-09 Thread Guy Harris
(Noise to defeat the duplicate-message detector for [EMAIL PROTECTED]) Guy Harris wrote: "This is probably a pointless optimization," "This" referring not to Bruce's proposed change, but to my proposed change to have one time stamp call per packet.

Re: [tcpdump-workers] How to use the non-promiscous mode?

2004-09-09 Thread Guy Harris
On Sep 9, 2004, at 1:10 AM, fullc0de wrote: When I searched, I've not been able to find a function pcap_open_log() in pcap.h. Sorry, that should have been pcap_open_live(). The following code is used in my program. pcap_open(d->name, 65536, 0, 1000, NULL, errbuf) I Thought I am using the

Re: [tcpdump-workers] performance considerations

2004-09-12 Thread Guy Harris
(Noise to trick the duplicate post recognize. Noise to trick the duplicate post recognizer. Pack my bag with five dozen liquor jugs.) Shaun wrote: Or get a DAG card? Not sure if they support FreeBSD though. http://www.endace.com/faq.htm#linux Q: Do you support any other operating systems

Re: [tcpdump-workers] compilation status of current (2004-09-13) on HP-UX 11.11

2004-09-13 Thread Guy Harris
On Sep 13, 2004, at 4:24 PM, Rick Jones wrote: For other nefarious porpoises I downloaded libpcap and tcpdump currents on 2004-09-13 and did straight-up ./configure;make on HP-UX 11.11 (aka 11i v1) using the HP compiler. This system did not have the TOUR installed to get IPv6 functionality.

Re: [tcpdump-workers] compilation status of current (2004-09-13) on HP-UX 11.11

2004-09-13 Thread Guy Harris
On Sep 13, 2004, at 7:24 PM, rick jones wrote: thanks. the end goal is to look at NFS over TCP traffic where the traffic may have nfs messages split across segments, several in a segment, that sort of thing. If look at implies dissect as NFS, Ethereal or Tethereal might be the way to go (they

Re: [tcpdump-workers] performance considerations

2004-09-14 Thread Guy Harris
Shaun wrote: Or get a DAG card? Not sure if they support FreeBSD though. http://www.endace.com/faq.htm#linux Q: Do you support any other operating systems than Linux? Do you support BSD or Solaris? A: Linux is the primary platform for the DAG product range, with robust support. A device

Re: [tcpdump-workers] compilation status of current (2004-09-13)

2004-09-14 Thread Guy Harris
On Sep 14, 2004, at 10:33 AM, Rick Jones wrote: well, with the link in place, i did the make dist clean then the configure then the make and did get the duplicate symbols. so, here is the config.log ... configure:8312: checking for local pcap library configure:8420: result:

Re: [tcpdump-workers] compilation status of current (2004-09-13)

2004-09-14 Thread Guy Harris
On Sep 14, 2004, at 4:38 PM, Rick Jones wrote: no datalinks.o: LOCALSRC = print-smb.c smbutil.c GENSRC = version.c LIBOBJS = strlcat$U.o strlcpy$U.o strsep$U.o But you got duplicate symbol errors? What's the output of make?

Re: [tcpdump-workers] possible pcap-bpf.c uname usage bug

2004-09-15 Thread Guy Harris
On Sep 15, 2004, at 12:37 AM, Matthew Luckie wrote: There is code in pcap-bpf.c to set the selectable fd to -1 if it is detected the OS is FreeBSD 4.3 or 4.4 I don't think the check actually successfully detects 4.3 or 4.4, as the osinfo.release parameter will have something like 4.3-RELEASE or

Re: [tcpdump-workers] Trace conversion.

2004-09-17 Thread Guy Harris
On Sep 17, 2004, at 3:20 PM, Paul Berube wrote: One question, though. I see h.m.s:ms, a.b.c.d.x:, and I'm wondering what the 'x' is? By the frequent occurrences of 80, I'm guessing these are port numbers, but I'd like to be sure :) Yes. this won't work with icmp though... That's fine, I'm only

Re: [tcpdump-workers] final radiotap patch for tcpdump

2004-09-19 Thread Guy Harris
(Blah blah blah work around duplicate message detector blah blah blah someday I'll figure out if I can configure Thunderbird to know that all tcpdump-workers mail should come from my alum.mit.edu address blah blah blah.) David Young wrote: Here is support for radiotap, an extensible radio

Re: [tcpdump-workers] final radiotap patch for tcpdump

2004-09-19 Thread Guy Harris
(blah blah blah duplicate posts blah blah blah thunderbird blah blah blah multiple accounts blah blah blah) Guy Harris wrote: Looks good to me, at least for the top-of-tree (where we require that the platform support 64-bit integers, and where we define u_int64_t to be an unsigned 64-bit integer

Re: [tcpdump-workers] Wrong tcp sequence numbers???

2004-09-22 Thread Guy Harris
Claudio Lavecchia wrote: 3. How do you calculate size_ip? int size_ip = sizeof(struct sniff_ip); Do any of the packets have IP options? If so, then that's *not* the size of the IP header. You should get the IP header length from the header length/version field from the IP header (and should

Re: [tcpdump-workers] [PATCH] Add ioctl to disable bpf timestamping

2004-09-25 Thread Guy Harris
Matthew Luckie wrote: The motivation for this patch was to obtain something resembling the timestamp closest to when a packet I generated and transmitted hit the wire, to infer a more accurate RTT with an associated response packet. That's certainly a worthy goal, but the patch might not help

Re: [tcpdump-workers] x.9 branch

2004-10-11 Thread Guy Harris
On Sep 24, 2004, at 6:02 AM, Hannes Gredler wrote: any suggestion for a x.9 branch date ? what about 31-oct-04 ? Speaking of x.9 branch, should the VERSION files in libpcap and tcpdump change to 0.9-PRE-CVS and 3.9-PRE-CVS, respectively?

Re: [tcpdump-workers] pcap_compile and tcpdump syntax

2004-10-13 Thread Guy Harris
(Blah blah blah defeat duplicate detector blah blah blah once again I forgot to send with my alum.mit.edu address in the from line blah blah blah Thunderbird blah blah blah time to pester Bugzilla.) Travis wrote: Is it not correct that pcap_compile takes in a filter program with tcpdump

Re: [tcpdump-workers] Buffer size question

2004-10-13 Thread Guy Harris
Ed Maste wrote: 1) Add a new pcap API function pcap_set_bufsize that can be used to set the size used for following pcap_open_live calls (by setting a libpcap global variable). The global variable is a bit ugly. If you're going to have API changes... 2) Add a new function like pcap_open_live

Re: [tcpdump-workers] Buffer size question

2004-10-14 Thread Guy Harris
Gianluca Varenni wrote: ...like pcap_setbuff(), as implemented in WinPcap... ...and which I already know about. Unfortunately, given that, on systems with BPF, you cannot change the buffer size after a BPF device has been bound to a network interface, pcap_setbuff() is unimplementable on those

Re: [tcpdump-workers] Buffer size question

2004-10-15 Thread Guy Harris
On Oct 15, 2004, at 6:19 AM, Hannes Gredler wrote: shouldn't we have upper/lower boundary checks for such a buffer ? i.e. minbuffer 1.5K maxbuffer 128K I think the BPF kernel code in most of the BSDs already imposes upper and lower bounds; are you suggesting that libpcap impose its own

Re: [tcpdump-workers] Newbie user question: Getting packets from

2004-09-27 Thread Guy Harris
(blah blah blah wrong from address blah blah blah duplicate message dissector blah blah blah time to see whether I can configure Thunderbird to automatically set the from address for tcpdump-workers messages blah blah blah) KEVIN ZEMBOWER wrote: www:~# tcpdump src host centernet.jhuccp.org and

Re: [tcpdump-workers] Newbie user question: Getting packets from

2004-09-27 Thread Guy Harris
KEVIN ZEMBOWER wrote: As you can see, I'm still getting packets from ns1.jhmi.edu on the DNS port. What does the command tcpdump -d src host centernet.jhuccp.org and \( ip proto \\tcp or \\udp \) print? If it helps, I'm using bash 2.05 on a Debian woody (stable, 3.0) distro running kernel

Re: [tcpdump-workers] Broken behavior in savefile.c

2004-09-27 Thread Guy Harris
On Sep 27, 2004, at 5:17 PM, Joshua Blanton wrote: One could also check to see if the file handle is stdin. That's what sf_close() does, so I checked in a fix to do that in pcap_open_offline().

Re: [tcpdump-workers] tcpdump -E doesn't work for 3des-cbc/hmac-md5

2004-10-05 Thread Guy Harris
Michael Mueller wrote: Are there any positive or negative reactions to this? Will somebody fix it? I'd check in the patch if somebody resolved the issue Tcpdump -E doesn't work for 3des-cbc encryption with hmac-md5 authentication (tested with tcpdump-2004.09.22 on Linux 2.6). The reason is that

Re: [tcpdump-workers] Fw: new file format

2004-10-06 Thread Guy Harris
Sorry I didn't get around to this until now, but On Jul 30, 2004, at 1:09 PM, Gianluca Varenni wrote: There is another issue related to these block types. Fulvio's proposal: a shb (even corrupted by the ftp transfer) can begin with the following strings: \r\n\r\x1A - 1 reserved block type

Re: [tcpdump-workers] Buffer size question

2004-10-18 Thread Guy Harris
On Oct 18, 2004, at 3:04 PM, Alexander Dupuy wrote: Guy Harris writes: Unfortunately, given that, on systems with BPF, you cannot change the buffer size after a BPF device has been bound to a network interface, pcap_setbuff() is unimplementable on those systems, so it's not a candidate

Re: [tcpdump-workers] help needed for sniffer in c++

2004-10-05 Thread Guy Harris
akshar SNIFFER wrote: I am writing a sniffer in C++, Then this is a question that belongs in the tcpdump-workers list, not the ethereal-dev list, so I'm redirecting it there. I have included the pcap.h header file. While compiling I get the following error
