tcpdump Mailing List
Covers the classic tcpdump text-based network sniffer and its libpcap sniffer library component.
List Archives
| Year | Jan–Mar | Apr–Jun | Jul–Sep | Oct–Dec |
|------|---------|---------|---------|---------|
| 2025 | 10 | 42 | 25 | 39 |
| 2024 | 19 | 34 | 22 | 36 |
| 2023 | 77 | 8 | 20 | 16 |
| 2022 | 21 | 47 | 37 | 17 |
| 2021 | 90 | 5 | 32 | 16 |
| 2020 | 57 | 69 | 72 | 61 |
| 2019 | 46 | 47 | 37 | 45 |
| 2018 | 41 | 58 | 149 | 32 |
| 2017 | 57 | 54 | 24 | 59 |
| 2016 | 33 | 73 | 63 | 48 |
| 2015 | 112 | 79 | 62 | 108 |
| 2014 | 133 | 84 | 69 | 112 |
| 2013 | 127 | 157 | 55 | 107 |
| 2012 | 176 | 84 | 53 | 144 |
| 2011 | 177 | 234 | 187 | 215 |
| 2010 | 217 | 131 | 85 | 141 |
| 2009 | 220 | 182 | 186 | 145 |
| 2008 | 233 | 140 | 139 | 269 |
| 2007 | 154 | 118 | 251 | 226 |
| 2006 | 200 | 147 | 71 | 162 |
| 2004 | 392 | 374 | 377 | 208 |
| 2003 | 315 | 283 | 259 | 304 |
| 2002 | – | – | – | 319 |
Latest Posts
Re: Accurate ECN support in tcpdump/libpcap
Scheffenegger, Richard via tcpdump-workers (Nov 24)
Re: linktype files should repeat the DLT value
Michael Richardson (Nov 22)
I brain-farted and typed DLT in the email when I should have typed LINKTYPE!
Guy Harris <gharris () sonic net> wrote:
>> I don't think that these files were generated, but I wanted to be sure before
>> I hand-edit them to include a number.
> They're not generated, except by copy-and-paste-and modify.
thanks for confirming.
>> I think that it should be an h3 header after the h2 title....
Re: linktype files should repeat the DLT value
Guy Harris (Nov 22)
DLT_ number or LINKTYPE_ number? They're *almost* always the same, but they're not *guaranteed* to be the same.
And why the number, given that we're using LINKTYPE_ names as well as the corresponding LinkType number in the table?
They're not generated, except by copy-and-paste-and modify.
Rather than adding it to the h2 title and the page title, e.g. in parentheses after the LINKTYPE_ name?
linktype files should repeat the DLT value
Michael Richardson (Nov 22)
--------
Guy, while debating the IANA instructions on the IETF list, I decided to use
an example. The first on the list was:
https://www.tcpdump.org/linktypes/LINKTYPE_APPLE_IP_OVER_IEEE1394.html
and a nit I just noticed is that none of the link type explanation pages say
which DLT they are for! Yes, there is a name... I'm just saying that I think
that the number should go in there somewhere.
I don't think that these files were...
Re: Accurate ECN support in tcpdump/libpcap
Denis Ovsienko (Nov 22)
Hello Michael and all.
I have taken some time to study the specifications a bit better. You
are right, the IANA registry currently indeed spells all 12 bits as
individual flags/bits, which is consistent with Section 6 "IANA
Considerations" of RFC 9293. So I was wrong thinking this was never the
case. What led me to think this way is Section 3.1 "Header Format" of
RFC 9293, which includes a packet diagram with a single...
Re: Accurate ECN support in tcpdump/libpcap
Vadim Goncharov (Nov 14)
Given that we do not know if they really will be flags, not the best variant.
[...]
This has advantage of not introducing new identifiers, but otherwise the last
variant is best:
For user, it will be shortest to type and look much more natural than
current tcp[tcpflags] approach. If curious for other approaches, FreeBSD's
ipfw firewall has the following syntax:
tcpflags spec
TCP packets only. Match if the TCP header...
Re: Accurate ECN support in tcpdump/libpcap
Michael Tuexen (Nov 13)
Have a look at the IANA registry:
https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-header-flags
IANA handles them as 12 bits.
Best regards
Michael
Re: Accurate ECN support in tcpdump/libpcap
Scheffenegger, Richard via tcpdump-workers (Nov 13)
Re: Accurate ECN support in tcpdump/libpcap
Denis Ovsienko (Nov 13)
Hello Richard.
Please note that as far as the specifications define it, they never
were.
RFC 793 (published in September 1981) Section 3.1 says:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |...
Re: BPF ISA web page
Guy Harris (Nov 13)
The NetBSD release in which BPF_MOD and BPF_XOR were added appears to be 8.0 and the FreeBSD release in which they were
added appears to be 12.0.
Npcap supports BPF_MOD and BPF_XOR in version 1.81 and later.
(I've submitted:
https://bugs.dragonflybsd.org/issues/3387
https://marc.info/?l=openbsd-bugs&m=176289237332698&w=2
https://www.illumos.org/issues/17746
to add them to DragonFly BSD, OpenBSD, and...
Re: Accurate ECN support in tcpdump/libpcap
Scheffenegger, Richard via tcpdump-workers (Nov 13)
Re: Accurate ECN support in tcpdump/libpcap
Denis Ovsienko (Nov 12)
Hello Richard and all.
Thank you for waiting. I am posting this response to the mailing list
rather than the pull request because syntax choices tend to have very
long-term effect on the difficulty of maintenance, thus it seems
appropriate to make a record of these considerations in the archives.
I have been thinking about the proposed changes whilst adding tests and
documentation for existing syntax features and making various code
clean-ups,...
BPF ISA web page
Denis Ovsienko (Nov 08)
Hello all.
Whilst working on some recent improvements in libpcap, I often had to
cross-reference the source code with the 1993 BPF specification, which
still seems to be the most detailed definition of the ISA. The matter
is, there are various discrepancies between the spec and the code, and
not every discrepancy is a bug, and it became unwieldy to keep notes of
what is what, so eventually I decided to make a new resource to bridge
the 1993...
activities report for October 2025
Denis Ovsienko (Nov 03)
October 2025
============
The accounted activities in October stand for 162:45 working hours and
59 commits (3 in tcpdump, 51 in libpcap and 5 in tcpdump-htdocs). There
are 2 new tests in tcpdump and 5031 new tests in libpcap.
In tcpdump the main improvement is completing the earlier LWAPP work
from June. In libpcap the main improvements besides testing are in
filtering:
* "(arp|rarp) host NAME" no longer fails to compile if the...
Re: man page, usage text and filter expression formatting
Francois via tcpdump-workers (Oct 26)
