OS:      Red Hat 7.1 (kernel 2.4.2-2)
libpcap: 0.6.2
tcpdump: 3.4-39

libpcap is returning usecs in timestamp where the 3 least
significant digits are not changing (until reboot, where the
value changes).

Here is the tcpdump output:
# /usr/sbin/tcpdump -i ppp0
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram
packet socket
tcpdump: listening on ppp0
20:39:25.072678 > host213-123-18-31.btinternet.com.32768 >
imsdns06.ims.bt.net.domain: 59013+ AAAA? shell.sourceforge.net.
(39) (DF)
20:39:25.072678 > host213-123-18-31.btinternet.com.32769 >
imsdns06.ims.bt.net.domain: 58155+ PTR?
102.62.120.213.in-addr.arpa. (45) (DF)
20:39:25.292678 < imsdns06.ims.bt.net.domain >
host213-123-18-31.btinternet.com.32769: 58155* 1/6/0 PTR
imsdns06.ims.bt.net. (207) (DF)
20:39:25.292678 > host213-123-18-31.btinternet.com.32769 >
imsdns06.ims.bt.net.domain: 58156+ PTR?
31.18.123.213.in-addr.arpa. (44) (DF)
20:39:25.482678 < imsdns06.ims.bt.net.domain >
host213-123-18-31.btinternet.com.32769: 58156 1/3/3 PTR
host213-123-18-31.btinternet.com. (198) (DF)
20:39:25.532678 < imsdns06.ims.bt.net.domain >
host213-123-18-31.btinternet.com.32768: 59013 1/1/0 CNAME
usw-pr-shell.sourceforge.net. (149) (DF)
20:39:25.532678 > host213-123-18-31.btinternet.com.32769 >
imsdns06.ims.bt.net.domain: 63740+ A? shell.sourceforge.net.
(39) (DF)
20:39:25.792678 < imsdns06.ims.bt.net.domain >
host213-123-18-31.btinternet.com.32769: 63740 2/3/3 CNAME
usw-pr-shell.sourceforge.net., A usw-pr-shell.sourceforge.net
(216) (DF)
20:39:25.792678 > host213-123-18-31.btinternet.com.32770 >
imsdns06.ims.bt.net.domain: 58157+ PTR?
203.171.136.216.in-addr.arpa. (46) (DF)
20:39:25.792678 > host213-123-18-31.btinternet.com.32784 >
usw-pr-shell.sourceforge.net.ssh: S 2212832148:2212832148(0) win
5840 <mss 1460,sackOK,timestamp 56777 0,nop,wscale 0> (DF)
20:39:26.132678 < imsdns06.ims.bt.net.domain >
host213-123-18-31.btinternet.com.32770: 58157* 1/2/2 PTR
usw-pr-shell.sourceforge.net. (162) (DF)
20:39:26.142678 < usw-pr-shell.sourceforge.net.ssh >
host213-123-18-31.btinternet.com.32784: S
2691837054:2691837054(0) ack 2212832149 win 32120 <mss
1460,sackOK,timestamp 121145885 56777,nop,wscale 0> (DF)
20:39:27.212678 < ics3.msg.yahoo.com.5050 >
host213-123-18-31.btinternet.com.1031: .
3847922480:3847922480(0) ack 1279639 win 33232
20:39:27.212678 > host213-123-18-31.btinternet.com.32770 >
imsdns06.ims.bt.net.domain: 58158+ PTR?
93.131.136.216.in-addr.arpa. (45) (DF)
20:39:27.542678 < imsdns06.ims.bt.net.domain >
host213-123-18-31.btinternet.com.32770: 58158* 1/2/2 PTR
ics3.msg.yahoo.com. (149) (DF)
20:39:28.792678 > host213-123-18-31.btinternet.com.32784 >
usw-pr-shell.sourceforge.net.ssh: S 2212832148:2212832148(0) win
5840 <mss 1460,sackOK,timestamp 57077 0,nop,wscale 0> (DF)
20:39:29.062678 < usw-pr-shell.sourceforge.net.ssh >
host213-123-18-31.btinternet.com.32784: S
2691837054:2691837054(0) ack 2212832149 win 32120 <mss
1460,sackOK,timestamp 121146182 56777,nop,wscale 0> (DF)
20:39:29.392678 < usw-pr-shell.sourceforge.net.ssh >
host213-123-18-31.btinternet.com.32784: S
2691837054:2691837054(0) ack 2212832149 win 32120 <mss
1460,sackOK,timestamp 121146215 56777,nop,wscale 0> (DF)

Notice the "678" digits repeated in the timestamps.  Is this a
libpcap problem or a kernel 2.4.2-2 problem?

The problem can also be seen when running Snort (NIDS) and my own
development code, PasTmon.  All these products reported correct
usecs with Red Hat 6.2 and kernel 2.2.19.

Kind Regards,
        G.L. Bevan.
        [EMAIL PROTECTED]
        http://www.pastmon.org
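
The symptom reported above can be checked mechanically on any tcpdump text capture. The following is an added example, not part of the original post and not tcpdump, Snort or PasTmon code; the function names and the `HEALTHY_TS` values are assumptions made up for illustration, while `POST_TS` holds the distinct timestamps copied from the output above.

```python
import re

# tcpdump's default timestamp at the start of a packet line: HH:MM:SS.uuuuuu
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.(\d{6})\b")

# Distinct timestamps copied from the tcpdump output in the post (rest of each line omitted).
POST_TS = ("20:39:25.072678 20:39:25.292678 20:39:25.482678 20:39:25.532678 "
           "20:39:25.792678 20:39:26.132678 20:39:26.142678 20:39:27.212678 "
           "20:39:27.542678 20:39:28.792678 20:39:29.062678 20:39:29.392678").split()
# Constructed for contrast: what microsecond-resolution timestamps look like.
HEALTHY_TS = ("20:39:25.072431 20:39:25.292118 20:39:25.482907 20:39:25.532350 "
              "20:39:25.792664 20:39:26.132095 20:39:26.142783 20:39:27.212016").split()

def usecs(lines):
    """Microsecond fields of all lines that begin with a tcpdump timestamp."""
    return [int(m.group(1)) for m in map(TS_RE.match, lines) if m]

def frozen_digits(us):
    """How many least-significant decimal digits are identical in every value."""
    k = 0
    while len(us) > 1 and k < 6 and len({u % 10 ** (k + 1) for u in us}) == 1:
        k += 1
    return k

def assess(lines, min_packets=8):
    """Summarise the timestamp resolution seen in one capture."""
    us = usecs(lines)
    k = frozen_digits(us)
    return {
        "packets": len(us),
        "frozen_digits": k,
        "constant_suffix": f"{us[0] % 10 ** k:0{k}d}" if k else "",
        "effective_step_us": 10 ** k,
        # k digits agreeing by chance across n packets has probability
        # 10**(-k*(n-1)), so with min_packets samples even one frozen
        # digit is worth flagging.
        "suspect": k > 0 and len(us) >= min_packets,
    }

if __name__ == "__main__":
    for name, ts in (("post", POST_TS), ("healthy (constructed)", HEALTHY_TS)):
        print(name, assess(ts))
```

Wrapped continuation lines of tcpdump output are ignored because they do not start with a timestamp, so the whole capture text can be passed in line by line.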

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html