tcpdump Mailing List

Covers the classic tcpdump text-based network sniffer and its libpcap sniffer library component.

Latest Posts

Re: select()ing on a pcap descriptor in Solaris Fernando Gont (Aug 18)
Hi, Guy,

Were you able to try this?

I did the following check:

I ran my code, and checked with truss that /dev/bpf was being opened...
So apparently I am running the BPF-based libpcap, but still the
underlying descriptor is never readable or writeable...

P.S.: I'm waiting for some feedback from a fellow solaris dev. I will
keep you posted.


Best regards,

Re: pcapng save files Vincent Lubet (Aug 18)
I'm going to check how we (Apple) can do that.

Yes, I'm on the pcap-ng list and will send there the description of our custom packet metadata information.


Re: select()ing on a pcap descriptor in Solaris Fernando Gont (Aug 14)
Hi, Guy,

fgont () solaris:~/ipv6toolkit$ uname -a
SunOS solaris 5.11 11.1 i86pc i386 i86pc

You wouldn't expect them to fail, or to work properly?

Seems like a long time since I last installed it... But I could try with
the CD they released circa 2009 -- that one was open source.

Point noted. I'll wait for your response above, and will proceed as
indicated if necessary.

Thanks so much (yet one more time)!

Best regards,

Re: select()ing on a pcap descriptor in Solaris Guy Harris (Aug 14)
Which version? Solaris 11 (in which pcap descriptors should refer to BPF devices), or earlier (in which pcap
descriptors should refer to DLPI STREAMS devices)?

I wouldn't expect that prior to Solaris 11 - select() and poll() Just Work on STREAMS devices, as I remember.

It could, however, be that Sun^WOracle screwed up with BPF; unfortunately, Solaris 11 is ClosedSolaris, so I can't just
look at the source and see what they did...

select()ing on a pcap descriptor in Solaris Fernando Gont (Aug 14)

While trying to select() on a pcap descriptor in solaris, I found the

1) It seems that pcap descriptors are never readable or writeable. (--
This is different from *BSD and Linux, where at least you seem to be
able to check for readability)

2) It would seem that even trying to select() on such descriptors causes
trouble. For example, I get a kind of random "Bad file number" error
from select when I try to check for...

mergecap problem? Julio Talaverano (Jul 28)

I wanted to merge two tcpdump capture files captured by tcpdump on
a checkpoint R70 cluster (two nodes).
I interrupted the capture after a while.
Then I wanted to merge them in Wireshark (I know, they are then not sorted by timestamp - was only a try).
By adding the second file Wireshark says here:

"<firstly loaded capture's file name> appears to have been cut short in the middle of a packet".

Here I don't...

Re: Linux mmap support and nonblocking mode Guy Harris (Jul 25)
Yes, that's ferociously bogus on the kernel's part.

As is that. I sent a mail to Chetan Loke about that in December 2013, but never got a response; perhaps I should poke
linux-netdev or whatever mailing list is appropriate.

If the event loop isn't under libpcap's control, I'm not sure there's much we can do about that, so the best we can do
is probably to suggest that the event loop needs a timer, and that, if...

buildbot failure in tcpdump+libpcap on Ubuntu-12.04-x64 buildbot-no-reply (Jul 25)
The Buildbot has detected a new failure on builder Ubuntu-12.04-x64 while building tcpdump+libpcap.
Full details are available at:

Buildbot URL: http://buildbot.wireshark.org/tcpdump/

Buildslave for this Build: ubuntu-12.04-x64

Build Reason: The Nightly scheduler named 'nightly' triggered this build
Build Source Stamp: [branch master] HEAD


Re: ICMP echo reply Rick Jones (Jul 24)
Please keep the discussion on the list - I don't have a monopoly on
knowledge in this area.

If you have tcpdump traces from both the client and the server I would
expect to see a total of four lines of trace. Two from the trace on the
client and two from the trace on the server.

Exactly *how* are the VM's clocks synchronized? If you are going to
want to know the time it took to get from the server back to the client,

Re: ICMP echo reply Rick Jones (Jul 23)
Questions, the answers to which will perhaps help lead you to the/an answer.

*) Do you have just the one tcpdump trace or do you have tcpdump traces
from both the client and the server?

*) Do the client and the server synchronize their clocks?

*) How large is the latency as reported by ping (I'm assuming ping is
the source of these ICMP Echo Requests and so triggers the ICMP echo

*) What do you know about the network path...

[pcap-ng-format] opsarea presentation? Michael Richardson (Jul 23)
{resending, because my address book was confused}

So, was pcap-ng well received by opsarea WG this morning?

and the reply was:

Michael Tuexen <Michael.Tuexen () lurchi franken de> said:

ICMP echo reply French_christ (Jul 23)
I just have a question and I am supposed to answer it.
The question is: ICMP echo request was sent by the client, then ICMP echo reply was received by the client, both have
timestamps on the tcpdump output.
The question is how long the ICMP echo reply took to be sent from the server to the client.

Thanks a lot for your efforts
Hayder abdulabbas abdulameer

Linux mmap support and nonblocking mode Aaron Lehmann (Jul 23)

I just spent a few days debugging unexpected packet loss in my
application. The first packet that passed the filter would often be
missed, but the response that came immediately after would always make
it through, as well as subsequent packets. This failure was inconsistent
and difficult to reproduce.

After trying several other things, I upgraded from pcap 1.1.0 to pcap
1.6.1. This made the issue much worse. With the new version, the first...

Re: Packet identifier Guy Harris (Jul 22)
The trunk and 4.6 branch support the "-#"/"--number" command-line option to print an ordinal number at the beginning of
the first line of output for each packet.

Packet identifier Aravindhan Dhanasekaran (Jul 22)

Is there a packet level ID support in current tcpdump code? A simple
non-decreasing integer for every packet (something similar to
Wireshark) would do.

