I recently came across some packets which tcpdump appears to display incorrectly.
Is tcpdump incorrectly invoking some heuristic dissector, or is there another reason?

$ tcpdump -n -r tcpdump-error.pcap
reading from file tcpdump-error.pcap, link-type EN10MB (Ethernet)
08:35:24.570337 vlan 506, p 0, IP 10.143.146.4.22966 > 10.36.62.45.7098: UDP, length 311
08:35:24.570387 vlan 179, p 0, IP 85.254.4.128 > 223.117.196.0: at-#182 673
08:35:24.570393 vlan 506, p 0, IP 85.254.4.128 > 223.117.196.0: at-#182 673
08:35:24.570399 vlan 179, p 0, IP 10.143.146.4.31200 > 10.36.69.80.6988: UDP, length 189

$ tshark -n -r tcpdump-error.pcap
  1 0.000000 10.143.146.4 -> 10.36.62.45 UDP Source port: 22966 Destination port: 7098
  2 0.000050 10.143.146.4 -> 10.36.53.122 UDP Source port: 8756 Destination port: 16622
  3 0.000056 10.143.146.4 -> 10.36.53.122 UDP Source port: 8756 Destination port: 16622
  4 0.000062 10.143.146.4 -> 10.36.69.80 UDP Source port: 31200 Destination port: 6988

$ tcpdump -V
tcpdump version 3.9.8
libpcap version 0.9.8

$ tshark -v
TShark 1.0.99 (SVN Rev 25740)

Compiled with GLib 2.16.3, with libpcap 0.9-PRE-CVS, with libz 1.2.3.3, with POSIX capabilities (Linux), with libpcre 7.4, without SMI, with ADNS, without Lua, with GnuTLS 2.0.4, with Gcrypt 1.2.4, with MIT Kerberos.

Running on Linux 2.6.24-12-generic, with libpcap version 0.9-PRE-CVS.

Built using gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7).

Any assistance appreciated.

Stephen.

--
Stephen Donnelly BCMS PhD
Endace Technology Ltd
Hamilton, New Zealand
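When two dissectors disagree about a frame, the quickest way to settle it is to walk the headers yourself. The following is an added example, not code from Stephen's post or from the tcpdump/Wireshark projects: it builds a constructed 802.1Q-tagged IPv4/UDP frame (the MAC addresses and payload are made up; VLAN 179 and the addresses/ports of packet 2 are taken from the tshark output above) and then decodes the tag, IPv4 and UDP headers from the raw bytes, so you can see directly whether the inner EtherType is really IPv4 (0x0800) or something tcpdump would hand to another printer.

```python
import struct

IPV4, VLAN_8021Q, VLAN_8021AD, PROTO_UDP = 0x0800, 0x8100, 0x88A8, 17


def build_frame(vlan_id, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II + 802.1Q + IPv4 + UDP frame (checksums left zero)."""
    dst_mac, src_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    eth = dst_mac + src_mac + struct.pack("!H", VLAN_8021Q)
    tag = struct.pack("!HH", vlan_id & 0x0FFF, IPV4)      # PCP 0, DEI 0, VID, inner type
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, PROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + tag + ip + udp + payload


def dissect(frame):
    """Walk Ethernet -> any 802.1Q/802.1ad tags -> IPv4 -> UDP; report what the bytes say."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlans = 14, []
    while ethertype in (VLAN_8021Q, VLAN_8021AD):          # peel stacked tags
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlans.append(tci & 0x0FFF)
        off += 4
    result = {"vlans": vlans, "ethertype": ethertype}
    if ethertype != IPV4:                                  # not IPv4: stop, report the type
        return result
    ihl = (frame[off] & 0x0F) * 4
    result.update(proto=frame[off + 9],
                  src=".".join(map(str, frame[off + 12:off + 16])),
                  dst=".".join(map(str, frame[off + 16:off + 20])))
    if result["proto"] == PROTO_UDP:
        sport, dport, ulen = struct.unpack("!HHH", frame[off + ihl:off + ihl + 6])
        result.update(sport=sport, dport=dport, udp_len=ulen)
    return result


if __name__ == "__main__":
    frame = build_frame(179, "10.143.146.4", "10.36.53.122", 8756, 16622, b"\x00" * 100)
    print(dissect(frame))
```

Run the same dissect() over the bytes of the frames tcpdump labelled "at-#182" (for example via a pcap reader of your choice) to confirm that the inner EtherType is 0x0800 and that the addresses match what tshark reports.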