tcpdump mailing list archives
tcpslice Output Incomplete
From: "Steve Bonds" <pow7yec02 () sneakemail com>
Date: Thu, 27 Feb 2003 13:06:57 -0800 (PST)
When I use tcpslice to grab a chunk from any of several tcpdump files, I
only get 24 or 95 bytes of output. I even see the problem on a tiny 994
byte capture that was pulled from a larger capture using the "-c" option
to grab the first 8 packets.

I originally noticed the problem reading from files captured on HP-UX, but
I have duplicated the problem on files captured locally on my RedHat 7.3
box.

I've also duplicated the problem using the current CVS version of libpcap
and tcpslice. (I finally solved my little firewall problem that kept me
from using CVS versions when I looked at this problem last October.)

After spending some quality time with GDB I've traced the problem back to
the pcap libraries. This doesn't necessarily mean there's a bug in pcap,
but once I saw the problem had reached that level I thought I'd try to get
some help from this list. ;-)

The problem seems to be that the first call to get_next_packet fails.
(Sometimes it's a subsequent call, but I haven't nailed down why on some
captures/capture params it's one versus the other.)

Within get_next_packet the line:

    s->pkg = pcap_next(s->, &s-hdr);

returns zero. The state structure "s" has last_pkt_time = {tv_sec = 0,
tv_usec = 0} after the call, so the do { } loop exits after one more call
to pcap_next.

In the midst of savefile.c's pcap_offline_read there is an ominous
comment:

    /*XXX this breaks semantics tcpslice expects */

This comment appears in the earliest CVS version I could find on
cvs.tcpdump.org (1.36, from Oct 1999), so it's not exactly news. ;-)

Is this the cause of the problem? If so, how might we adjust tcpslice's
expectations to function with this libpcap?

The command I use to generate the problem:

    tcpslice -w /tmp/tcpslice.out 0 +60m /tmp/tcp.first8pkts.tcpdump

This produces a 24 byte output file "/tmp/tcpslice.out".

-- Steve
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
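
Added example, not part of the original post and not tcpslice or libpcap code: a 24-byte output file is exactly the size of the classic pcap savefile header, so it holds no packet records. The check below counts complete records in a savefile image without libpcap; the function and variable names are assumptions and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FILE_HDR_LEN 24 /* magic, version, thiszone, sigfigs, snaplen, linktype */
#define REC_HDR_LEN  16 /* ts_sec, ts_usec, caplen, len */

/* Read a 32-bit field, byte-swapping when the file was written on a host of
 * the opposite endianness to the one reading it. */
static uint32_t rd32(const unsigned char *p, int swapped)
{
    uint32_t v;
    memcpy(&v, p, 4);
    if (swapped)
        v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
    return v;
}

/* Count complete packet records in a classic pcap savefile image.
 * Returns -1 if the file header is short or has an unknown magic;
 * *truncated is set when trailing bytes do not form a whole record. */
long count_pcap_records(const unsigned char *buf, size_t len, int *truncated)
{
    size_t off = FILE_HDR_LEN;
    long n = 0;
    int swapped;

    *truncated = 0;
    if (len < FILE_HDR_LEN) return -1;
    if (rd32(buf, 0) == 0xa1b2c3d4u) swapped = 0;
    else if (rd32(buf, 0) == 0xd4c3b2a1u) swapped = 1;
    else return -1;
    while (off < len) {
        /* Bounds-check the record header and caplen before advancing. */
        if (len - off < REC_HDR_LEN ||
            rd32(buf + off + 8, swapped) > len - off - REC_HDR_LEN) {
            *truncated = 1;
            break;
        }
        off += REC_HDR_LEN + rd32(buf + off + 8, swapped);
        n++;
    }
    return n;
}

/* Constructed sample (little-endian): 24-byte file header + one 4-byte packet. */
const unsigned char sample[44] = {
    0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0, 0xde,0xad,0xbe,0xef
};
```

Passing only the first 24 bytes of `sample` returns 0 records with `truncated` clear, which is the shape of the output file described in the post.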
