On Mon, Jul 09, 2001 at 12:32:10PM -0700, Jim Mellander wrote:
> Might be worthwhile adding this exchange to the tcpdump faq...
It might be, although the correct place to send messages such as that is
[EMAIL PROTECTED], not [EMAIL PROTECTED], as the tcpdump FAQ
isn't part of the tcpdump or libpcap source, so changes to it aren't
patches to the tcpdump or libpcap source.
As such, I'm forwarding it to tcpdump-workers.
> > I'm running the tcpdump command below on xxxx & it seems to be leaking
> > memory (its been running since 7/2 16:09, and its up to 111M in size -
> > seems to be increasing by 4K every couple of seconds. Any suggestions?
> >
> > tcpdump -n -tt -i eth0 '(tcp[2] <4 or tcp[0]<4) and tcp[13] & 18 == 18'
> >
> > Looking for SYN/ACK packets, with src or dest port < 1024
>
> Run it with -S. Otherwise, tcpdump keeps track of all the connections
> it has seen so it can generate relative sequence numbers rather than
> absolute sequence numbers. This looks like a leak, but is in fact just
> state accumulation.
>
>
> --
> Jim Mellander
> Incident Response Manager
> Computer Protection Program
> Lawrence Berkeley National Laboratory
> (510) 486-7204
>
> Your fortune for today is:
>
> There is no fool to the old fool.
> -- John Heywood
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
