tcpdump Mailing List

Covers the classic tcpdump text-based network sniffer and its libpcap sniffer library component.

List Archives

Quarterly archives (Jan–Mar, Apr–Jun, Jul–Sep, Oct–Dec) for 2002–2004 and 2006–2014.

Latest Posts

Re: File rotation every x seconds AND max file count Wesley Shields (Oct 31)
I believe daemonlogger can do this. It's been a while since I looked at
it but I believe that is what I added support for years ago.

http://sourceforge.net/projects/daemonlogger/

-- WXS

Re: tcpdump: packet printing is not supported for link type PFLOG Guy Harris (Oct 27)
I.e., you're not building it on a FreeBSD 8.1, 8.2, or 8.3 system?

So I assume you're *not* building on one of those OSes, or on any other version of FreeBSD or OpenBSD or any other OS
on which there's a /usr/include/net/pfvar.h header?

If there *is* a /usr/include/net/pfvar.h header on your system, the configure script *should* have figured out that
it's there and configured the pflog printer in. However, it'll...

Re: tcpdump: packet printing is not supported for link type PFLOG Jason Pyeron (Oct 27)
Not even close.

Was hoping to use tcpdump instead of wireshark for visualization.

Nice job BSD people. Could there be a way to force support for a specific version? In my case FreeBSD 8.1-RELEASE-p13 /
FreeBSD 8.3-RELEASE-p16.

This may be off topic but how does wireshark deal with this issue?

-Jason

Re: tcpdump: packet printing is not supported for link type PFLOG Guy Harris (Oct 27)
Are you building on an operating system that supports PFLOG as a filter mechanism?

If not, then the option you missed is the "use an operating system that supports PFLOG as a filter mechanism, and that
provides the headers for PFLOG packets as a standard system include file" option.

I think the only OSes that support those options are OpenBSD and FreeBSD; if you're not building on those OSes, you
can't read PFLOG files,...

tcpdump: packet printing is not supported for link type PFLOG Jason Pyeron (Oct 27)
When I './tcpdump -r -' I get a:
reading from file -, link-type PFLOG (OpenBSD pflog file)
tcpdump: packet printing is not supported for link type PFLOG: use -w

I am using tcpdump 4ac7226 and libpcap 625575f.

Did I miss a configure option?

-Jason

Re: Handling Corrupted Packets Inside Pcap Files? Hei Chan (Oct 24)
Argh, nevermind.

I think the corrupted packet caused my application to have some invalid read/write, corrupting something pcap_next() is
going to use and so I thought it crashed inside pcap_next().

Sorry for the false alarm.

> What is the exact message Wireshark reports?
>
> Can you send us the pcap file or make it available for downloading?
>
> Is it crashing in pcap_next(), or is it crashing in your application's code?
>
> Could we see your...

Re: capturing the netlink socket on Linux Guy Harris (Oct 23)
The Wireshark dissector for those messages indicates that they begin with a LINKTYPE_LINUX_SLL-type header of the form:

2 unused bytes;

2 bytes of big-endian "hardware address type";

10 unused bytes;

2 bytes of big-endian netlink family values (NETLINK_ values from <linux/netlink.h>);

followed by a sequence of netlink messages, each of which has:

a Netlink message header, as per section...

capturing the netlink socket on Linux Michael Richardson (Oct 23)
Please correct my understanding.

The libpcap/pcap-netfilter-linux.c file is about capturing NFLOG
packets from the netlink socket, i.e. ones that came from netfilter's
--log target.

On the other hand, we have:
/*
* Link-layer header type for the netlink protocol (nlmon devices).
*/
#define LINKTYPE_NETLINK 253

which suggests that I can capture all netlink messages (which is what I want
to do) into a pcap file. I'm...
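
As an added example for the two messages above on capturing the netlink socket (not code from libpcap, tcpdump or Wireshark), the following decodes one LINKTYPE_NETLINK packet laid out as Guy Harris describes: a 16-byte pseudo-header carrying the hardware type and the netlink family in big-endian, then a run of netlink messages each starting with an nlmsghdr. The nlmsghdr fields are in the capturing host's byte order; the block assumes little-endian. ARPHRD_NETLINK, NETLINK_ROUTE, RTM_GETLINK and the NLM_F_ flags are taken from the Linux headers, and the sample packet is constructed inside the block.

```python
"""Decode a LINKTYPE_NETLINK (253) packet: SLL-style pseudo-header, then
netlink messages. Added example for this page; not libpcap/tcpdump code.
nlmsghdr fields are assumed little-endian (host order of the capturing box)."""
import struct

ARPHRD_NETLINK = 824          # hardware type in the pseudo-header (linux/if_arp.h)
NETLINK_ROUTE = 0             # family value from <linux/netlink.h>
NLMSG_DONE = 3                # nlmsg_type closing a dump
RTM_GETLINK = 18              # rtnetlink request used in the constructed sample
NLM_F_REQUEST, NLM_F_DUMP = 0x0001, 0x0300
PSEUDO_HDR_LEN = 16
NLMSG_HDR_LEN = 16


def nlmsg_align(n):
    """Netlink messages are padded to 4-byte boundaries (NLMSG_ALIGN)."""
    return (n + 3) & ~3


def parse_pseudo_header(pkt):
    """2 unused bytes, 2-byte BE hardware type, 10 unused bytes, 2-byte BE family."""
    if len(pkt) < PSEUDO_HDR_LEN:
        raise ValueError("packet shorter than the 16-byte pseudo-header")
    hwtype = struct.unpack(">H", pkt[2:4])[0]
    family = struct.unpack(">H", pkt[14:16])[0]
    if hwtype != ARPHRD_NETLINK:
        raise ValueError("hardware type %d is not ARPHRD_NETLINK" % hwtype)
    return {"hwtype": hwtype, "family": family}


def parse_netlink_messages(buf, host_order="<"):
    """Walk nlmsghdr records (nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq,
    nlmsg_pid). Returns (messages, error): a length smaller than the header or
    running past the buffer stops the walk instead of producing garbage."""
    msgs, off = [], 0
    while off + NLMSG_HDR_LEN <= len(buf):
        length, mtype, flags, seq, pid = struct.unpack(
            host_order + "IHHII", buf[off:off + NLMSG_HDR_LEN])
        if length < NLMSG_HDR_LEN:
            return msgs, "nlmsg_len %d < header size at offset %d" % (length, off)
        if off + length > len(buf):
            return msgs, "nlmsg_len %d runs past end of packet at offset %d" % (length, off)
        msgs.append({"type": mtype, "flags": flags, "seq": seq, "pid": pid,
                     "payload": buf[off + NLMSG_HDR_LEN:off + length]})
        off += nlmsg_align(length)
    if len(buf) - off > 0:
        return msgs, "%d trailing bytes after last message" % (len(buf) - off)
    return msgs, None


def decode_packet(pkt, host_order="<"):
    info = parse_pseudo_header(pkt)
    info["messages"], info["error"] = parse_netlink_messages(pkt[PSEUDO_HDR_LEN:], host_order)
    return info


def build_nlmsg(mtype, flags, seq, pid, payload, host_order="<"):
    """Constructed test input: one aligned netlink message."""
    length = NLMSG_HDR_LEN + len(payload)
    hdr = struct.pack(host_order + "IHHII", length, mtype, flags, seq, pid)
    return hdr + payload + bytes(nlmsg_align(length) - length)


def build_packet(family, msgs):
    """Constructed test input: pseudo-header followed by the given messages."""
    pseudo = bytes(2) + struct.pack(">H", ARPHRD_NETLINK) + bytes(10) + struct.pack(">H", family)
    return pseudo + b"".join(msgs)


# Constructed sample: an RTM_GETLINK dump request (16-byte ifinfomsg with
# family AF_PACKET=17) followed by NLMSG_DONE carrying a 4-byte status of 0.
SAMPLE = build_packet(NETLINK_ROUTE, [
    build_nlmsg(RTM_GETLINK, NLM_F_REQUEST | NLM_F_DUMP, 1, 0, bytes([17]) + bytes(15)),
    build_nlmsg(NLMSG_DONE, 0, 1, 4321, struct.pack("<i", 0)),
])

if __name__ == "__main__":
    for name, pkt in (("sample", SAMPLE), ("truncated", SAMPLE[:-3])):
        d = decode_packet(pkt)
        print(name, "family", d["family"], [m["type"] for m in d["messages"]], "error:", d["error"])
```

Running the file decodes the constructed packet and a copy cut three bytes short; the truncated copy yields the first message and an error for the second rather than a slice past the end. If the capture came from a big-endian host, pass host_order=">" to decode_packet.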

Re: What's the point of "oui Unknown"? John Hawkinson (Oct 23)
I have to say, the tcpdump output format has changed so much recently
that I think anyone with scripts has to keep pretty far on top of it,
but:

What really bugged me was I had to go source diving to figure out
why I was getting "oui Unknown."

I suppose we could improve the documentation on this, but I suspect
most people won't find it. That's why I'd rather it go.

--jhawk () mit edu
John Hawkinson

Re: What's the point of "oui Unknown"? Michael Richardson (Oct 23)
John Hawkinson <jhawk () MIT EDU> wrote:
>> In the interim, I suggest removing the word "oui", and also the
>> "unknown" string. We'll report the things in our table, and just
>> won't bother with bytes of output that don't help.

> That was my original proposal. Do you want a patch?

Yes.
If someone wants to integrate the ethercodes.dat file in a future patch,
great.

Re: What's the point of "oui Unknown"? Michael Haardt (Oct 22)
How about loading it from a local file that is updated externally? That's
how PCI and USB IDs are updated on many systems, and that's how arpwatch
gets its OUIs already (ethercodes.dat - vendor ethernet block list).
It is simple and allows local changes. Allowing to share the file between
tcpdump and arpwatch would be nice.

Michael

Re: Handling Corrupted Packets Inside Pcap Files? Guy Harris (Oct 22)
What is the exact message Wireshark reports?

Can you send us the pcap file or make it available for downloading?

Is it crashing in pcap_next(), or is it crashing in your application's code?

Could we see your application's code?

If it's crashing in pcap_next(), what is the stack trace from the crash?
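
The PFLOG thread above (tcpdump refusing to print a capture whose link type it was not built with, and the fallback to -w) and the "Handling Corrupted Packets" thread both come down to what is in the savefile before any printer runs. The following is an added example for this page, not tcpdump or libpcap code: it parses the libpcap global header to report the link type, then walks the records and stops at the first one whose lengths disagree with the snaplen or the file size, instead of reading past the buffer the way a corrupted record can make an application do. The LINKTYPE table is a small hand-picked subset of libpcap's values, and the sample files are constructed in the block.

```python
"""Read a libpcap savefile, report its link type, and validate per-record
lengths before touching the payload. Added example for this page; not
tcpdump or libpcap code."""
import struct

# Savefile magic numbers (microsecond and nanosecond timestamps).
PCAP_MAGIC_US = 0xA1B2C3D4
PCAP_MAGIC_NS = 0xA1B23C4D
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16

# A few LINKTYPE_ values; deliberately a subset, anything else is reported by number.
LINKTYPE_NAMES = {1: "EN10MB", 113: "LINUX_SLL", 117: "PFLOG", 239: "NFLOG", 253: "NETLINK"}


class PcapFormatError(ValueError):
    pass


def parse_global_header(data):
    """Decode the 24-byte global header; byte order is inferred from the magic."""
    if len(data) < GLOBAL_HDR_LEN:
        raise PcapFormatError("file shorter than the global header")
    le_magic = struct.unpack("<I", data[:4])[0]
    be_magic = struct.unpack(">I", data[:4])[0]
    if le_magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = "<", le_magic
    elif be_magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = ">", be_magic
    else:
        raise PcapFormatError("not a libpcap savefile (magic 0x%08x)" % be_magic)
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    return {"endian": endian, "nanoseconds": magic == PCAP_MAGIC_NS,
            "version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "linktype_name": LINKTYPE_NAMES.get(linktype, "unknown (%d)" % linktype)}


def read_records(data, snaplen, endian):
    """Walk packet records, stopping at the first whose lengths are inconsistent.
    Returns (records, error); records read before the bad one are kept so a
    partially corrupted capture is still usable."""
    records, off = [], GLOBAL_HDR_LEN
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            return records, "truncated record header at offset %d" % off
        ts_sec, ts_frac, caplen, origlen = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        if caplen > snaplen:
            return records, "record at offset %d has caplen %d > snaplen %d" % (off, caplen, snaplen)
        if caplen > len(data) - off - RECORD_HDR_LEN:
            return records, "record at offset %d runs past end of file" % off
        start = off + RECORD_HDR_LEN
        records.append({"ts_sec": ts_sec, "ts_frac": ts_frac, "caplen": caplen,
                        "len": origlen, "data": data[start:start + caplen]})
        off = start + caplen
    return records, None


def inspect_pcap(data):
    info = parse_global_header(data)
    info["records"], info["error"] = read_records(data, info["snaplen"], info["endian"])
    return info


def build_pcap(linktype, payloads, snaplen=65535, endian="<"):
    """Constructed test input: a savefile with one record per payload."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype)
    for i, p in enumerate(payloads):
        out += struct.pack(endian + "IIII", 1414000000 + i, 0, len(p), len(p)) + p
    return out


# Constructed samples: a PFLOG capture (LINKTYPE 117) with one arbitrary 80-byte
# record, and a copy whose record header claims a caplen far beyond both the
# snaplen and the end of the file.
PFLOG_PCAP = build_pcap(117, [bytes(80)])
CORRUPT_PCAP = PFLOG_PCAP[:GLOBAL_HDR_LEN] + struct.pack("<IIII", 0, 0, 0x7FFFFFFF, 80) + bytes(80)

if __name__ == "__main__":
    for name, blob in (("pflog", PFLOG_PCAP), ("corrupt", CORRUPT_PCAP)):
        info = inspect_pcap(blob)
        print(name, info["linktype_name"], len(info["records"]), "records, error:", info["error"])
```

Running the file prints the link type and record count for the constructed PFLOG file and the error for the corrupted copy. The magic bytes alone fix the byte order, so a file written on a big-endian host goes through the same code path.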

Re: What's the point of "oui Unknown"? Rick Jones (Oct 22)
I suppose that might be marginally less annoying, but then I don't use
-e all that often in the first place. Still, when I have, I've not been
bothered by the oui unknown messages.

rick

Re: What's the point of "oui Unknown"? Michael Richardson (Oct 22)
Rick Jones <rick.jones2 () hp com> wrote:
>> It seems to me that without more robust support this is just annoying
>> noise and, at the very least, the Unknown oui printing should be
>> removed.
>>
>> Thoughts?

> What would removing it do to scripts attempting to parse tcpdump
> output?

I'm thinking that we leave the () there, and just make it blank when we don't...

Re: What's the point of "oui Unknown"? Rick Jones (Oct 22)
What would removing it do to scripts attempting to parse tcpdump output?

rick jones

More Lists

Dozens of other network security lists are archived at SecLists.Org.
