Re: [tcpdump-workers] tcpdump 4.0.0 + libpcap 1.0.0 Released

2008-10-30 Thread Tyson Key
Bad form to reply to my own mail, I know, although the output of tcpdump
-V is as follows if it helps:
tcpdump version 3.9-PRE-CVS_2008_10_27
libpcap version 0.9-PRE-CVS

Thanks.

On Thu, Oct 30, 2008 at 12:33 PM, Tyson Key [EMAIL PROTECTED] wrote:

 Hi again, Guy. I've just been doing some strace-ing, and it appears to be
 doing an open(/dev/usbmon2, O_RDONLY|O_LARGEFILE) = 3. Not sure if the
 script log will be of use to you, although I'll attach it anyway.
 Going to try the printf() kludge soon.

 Tyson.


 On Thu, Oct 30, 2008 at 12:27 AM, Guy Harris [EMAIL PROTECTED] wrote:


 On Oct 29, 2008, at 1:16 PM, Tyson Key wrote:

  Also, is it considered normal for Linux 2.6.25 and above (or libpcap,
 although I'm not sure exactly what to blame) to truncate large numbers of
 USB packets? (I assume this has been hashed to death on the list in the
 past, though).


 Paolo?  Could it be using the text interface rather than the binary
 interface?  I think I remember you indicating that the text interface
 doesn't supply the full packet.

 Tyson, you said you were using the CVS version of libpcap (presumably
 meaning top-of-tree CVS, the pcap-usb-linux.c of which is identical to 1.0's
 pcap-usb-linux.c), so presumably you built it from source.  You might want
 to stick some debugging printfs into usb_activate() to see whether it uses
 mmap access to the binary interface, non-mmap access to the binary
 interface, or the text interface.

 -
 This is the tcpdump-workers list.
 Visit https://cod.sandelman.ca/ to unsubscribe.




 --
 Fight Internet Censorship! http://www.eff.org
   ~
 Open-Source Community, and Technology Testbed: http://www.house404.co.uk/






Re: [tcpdump-workers] tcpdump 4.0.0 + libpcap 1.0.0 Released

2008-10-30 Thread Tyson Key
Hi again, Guy. I've just been doing some strace-ing, and it appears to be doing
an open(/dev/usbmon2, O_RDONLY|O_LARGEFILE) = 3. Not sure if the script
log will be of use to you, although I'll attach it anyway.
Going to try the printf() kludge soon.

Tyson.

On Thu, Oct 30, 2008 at 12:27 AM, Guy Harris [EMAIL PROTECTED] wrote:


 On Oct 29, 2008, at 1:16 PM, Tyson Key wrote:

  Also, is it considered normal for Linux 2.6.25 and above (or libpcap,
 although I'm not sure exactly what to blame) to truncate large numbers of
 USB packets? (I assume this has been hashed to death on the list in the
 past, though).


 Paolo?  Could it be using the text interface rather than the binary
 interface?  I think I remember you indicating that the text interface
 doesn't supply the full packet.

 Tyson, you said you were using the CVS version of libpcap (presumably
 meaning top-of-tree CVS, the pcap-usb-linux.c of which is identical to 1.0's
 pcap-usb-linux.c), so presumably you built it from source.  You might want
 to stick some debugging printfs into usb_activate() to see whether it uses
 mmap access to the binary interface, non-mmap access to the binary
 interface, or the text interface.







Re: [tcpdump-workers] tcpdump 4.0.0 + libpcap 1.0.0 Released

2008-10-29 Thread Tyson Key
Hi, thanks for the tip (it was probably an oversight on my part, since I
didn't know about that limitation).
It seems to work fine now, although I could probably do with automatically
setting the snaplen somehow.
Thanks.

On Tue, Oct 28, 2008 at 11:54 PM, Guy Harris [EMAIL PROTECTED] wrote:


 On Oct 28, 2008, at 2:05 PM, Tyson Key wrote:

  Hi, nice to see a shiny new release of libpcap and tcpdump so soon.
 Out of interest, is the tcpdump: unsupported data link type USB_LINUX
 bug/issue resolved when trying to capture USB traffic on a Linux box?


 If you mean if I try to capture USB traffic on a Linux box, and don't give
 the '-w' flag to get it to write the raw traffic to a file, will it print
 'tcpdump: unsupported data link type USB_LINUX'?, the answer is yes,
 because nobody's written a USB printer routine for tcpdump, so it *can't*
 handle USB traffic in that case.  If that's the problem in question - which
 is more of a lack of a feature than a bug - it's still there.

 If you mean if I try to capture USB traffic on a Linux box, and *do* give
 the '-w' flag to get it to write the raw traffic to a file, will it print
 'tcpdump: unsupported data link type USB_LINUX'?, the answer is no,
 because it just dumps the traffic out without interpretation, regardless of
 whether it has a printer for the link-layer type or not, and thus can handle
 USB traffic or any other type of traffic.  If that's the problem in
 question, it's fixed.







Re: [tcpdump-workers] tcpdump 4.0.0 + libpcap 1.0.0 Released

2008-10-29 Thread Guy Harris


On Oct 29, 2008, at 10:48 AM, Tyson Key wrote:

It seems to work fine now, although I could probably do with automatically
setting the snaplen somehow.


I.e., defaulting to the maximum (65535) rather than the current  
default of 64 (without IPv6) or 96 (with IPv6)?


At least one OS that distributes tcpdump has considered making the  
default 65535.  Should the default be 65535, especially given that,  
the tcp in tcpdump notwithstanding, it's used to do more than just
look at TCP behavior?


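Added example, not part of the original thread or of libpcap/tcpdump: a check over a capture saved with '-w' that separates packets cut at the snaplen discussed above from packets that arrived shorter than the snaplen allows. The function names, the classification labels and the sample capture are constructed for illustration, and only the classic pcap file layout is read.

```python
import struct

LINKTYPE_USB_LINUX = 189  # link-layer type that tcpdump reports as USB_LINUX

def audit_pcap(data):
    """Count complete and truncated records in a classic pcap file (bytes)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if len(data) < 24:
        raise ValueError("file header is incomplete")
    # File header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    report = {"snaplen": snaplen, "linktype": linktype, "complete": 0,
              "cut_at_snaplen": 0, "cut_below_snaplen": 0, "file_cut_short": False}
    pos = 24
    while pos < len(data):
        if pos + 16 > len(data):
            report["file_cut_short"] = True   # partial record header at end of file
            break
        # Record header: ts_sec, ts_usec, captured length, original length
        _, _, caplen, origlen = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + caplen > len(data):
            report["file_cut_short"] = True   # record body runs past end of file
            break
        pos += caplen
        if caplen >= origlen:
            report["complete"] += 1
        elif caplen >= snaplen:
            report["cut_at_snaplen"] += 1     # a larger -s value would keep more
        else:
            report["cut_below_snaplen"] += 1  # the capture source supplied fewer bytes
    return report

def build_sample(snaplen, records):
    """Constructed test capture: records is a list of (caplen, origlen) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_USB_LINUX)
    for caplen, origlen in records:
        out += struct.pack("<IIII", 0, 0, caplen, origlen) + bytes(caplen)
    return out

SAMPLE = build_sample(96, [(64, 64), (96, 512), (80, 4096)])

if __name__ == "__main__":
    print(audit_pcap(SAMPLE))
```

A non-zero cut_below_snaplen count means raising the snaplen will not recover those bytes, so the cause lies in how the packets were read from the device.
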

Re: [tcpdump-workers] tcpdump 4.0.0 + libpcap 1.0.0 Released

2008-10-29 Thread Guy Harris


On Oct 29, 2008, at 1:16 PM, Tyson Key wrote:


Also, is it considered normal for Linux 2.6.25 and above (or libpcap,
although I'm not sure exactly what to blame) to truncate large numbers of
USB packets? (I assume this has been hashed to death on the list in the
past, though).


Paolo?  Could it be using the text interface rather than the binary  
interface?  I think I remember you indicating that the text interface  
doesn't supply the full packet.


Tyson, you said you were using the CVS version of libpcap (presumably  
meaning top-of-tree CVS, the pcap-usb-linux.c of which is identical to  
1.0's pcap-usb-linux.c), so presumably you built it from source.  You  
might want to stick some debugging printfs into usb_activate() to see  
whether it uses mmap access to the binary interface, non-mmap access  
to the binary interface, or the text interface.



Re: [tcpdump-workers] tcpdump 4.0.0 + libpcap 1.0.0 Released

2008-10-28 Thread Tyson Key
Hi, nice to see a shiny new release of libpcap and tcpdump so soon.
Out of interest, is the tcpdump: unsupported data link type USB_LINUX
bug/issue resolved when trying to capture USB traffic on a Linux box? (I'm
using Fedora 8 at present, with the CVS version of libpcap, although I'm
about to try this release).

Thanks, Tyson.

On Tue, Oct 28, 2008 at 2:24 AM, Ken Bantoft [EMAIL PROTECTED] wrote:


 Hi,

 Thanks to last minute checkins from Guy, tcpdump 4.0.0 + libpcap 1.0.0 are
 now released and available at http://www.tcpdump.org

 Release Notes:
 tcpdump 4.0.0 - http://www.tcpdump.org/tcpdump-changes.txt
 libpcap 1.0.0 - http://www.tcpdump.org/libpcap-changes.txt


 As always, please check the signatures with the Signing Key (available from
 http://www.tcpdump.org/tcpdump-workers.asc, or your nearest GPG Keyserver)

 Bugs/comments/complaints to tcpdump-workers@lists.tcpdump.org please.

 Ken







Re: [tcpdump-workers] tcpdump 4.0.0 + libpcap 1.0.0 Released

2008-10-28 Thread Guy Harris


On Oct 28, 2008, at 2:05 PM, Tyson Key wrote:


Hi, nice to see a shiny new release of libpcap and tcpdump so soon.
Out of interest, is the tcpdump: unsupported data link type USB_LINUX
bug/issue resolved when trying to capture USB traffic on a Linux box?


If you mean if I try to capture USB traffic on a Linux box, and don't  
give the '-w' flag to get it to write the raw traffic to a file, will  
it print 'tcpdump: unsupported data link type USB_LINUX'?, the answer  
is yes, because nobody's written a USB printer routine for tcpdump,  
so it *can't* handle USB traffic in that case.  If that's the problem  
in question - which is more of a lack of a feature than a bug - it's  
still there.


If you mean if I try to capture USB traffic on a Linux box, and *do*
give the '-w' flag to get it to write the raw traffic to a file, will  
it print 'tcpdump: unsupported data link type USB_LINUX'?, the answer  
is no, because it just dumps the traffic out without interpretation,  
regardless of whether it has a printer for the link-layer type or not,  
and thus can handle USB traffic or any other type of traffic.  If  
that's the problem in question, it's fixed.
