Fwd: Re: tcpdump on any interface

[Riho Randla <riho () hot ee>]

Is there ANY developer who knows a little more about tcpdump, pcap and 
libcap?
As I am not a programmer but sysadmin, I asked a friend of mine, who is a 
good
assembler programmer and a Linux guru, to help me, but he didn't know 
anything about tcpdump. He did a little research and said it's extremely 
nonclear and difficult how libcap sends "device" back to tcpdump and how 
libcap handles "any".

PLEASE, anybody help me to get the device names back to the start of the 
lines!

I really wonder that the handy guys who have developed tcpdump and are 
doing it
now (and, of course, use it all the time) don't need that feature anymore!
How is it possible? I set up a vpn tunnel between our networks in the USA 
and
Europe yesturday, when I needed to debug some problems I tcpdumped the 
traffic
going through a very complex routes, I damned the missing this feature!! It 
was impossible to understand what device a package comes in and what device 
it comes out. Especially, if there are many network cards, aliases, and 
tunnel devices!

The last time I posted the message I got only one response - look man pcap!
Damned, what should I do with the DLT_LINUX_SLL if I'm not a programmer?! 
If even
my friend, who IS a programmer, can't do anything with it! These guys who 
are
dealing with developing tcpdump every day, could perhaps quite easily write
some code to get the devices names back. Please do it for all the admins 
who
you gave the best tool in the computer world for!

Thanks in advance,
Riho Randla

------- Forwarded message -------
From: Yuchung Cheng <ycheng () cs ucsd edu>
To: Riho Randla <riho () hot ee>
Subject: Re: [tcpdump-workers] tcpdump on any interface
Date: Fri, 5 Sep 2003 09:41:36 -0700

> On 09-05-2003, Riho Randla wrote:
> > Hello,
> >
> > When dcpdump didn't have the "-i any" option, it listened, if not 
> > defined, on all interfaces and outputed the interface name at the start 
> > of each line:
> >
> > eth0 > eth1 <
> >
> > Afterwards, the interface names had lost, and came the "-i any" option. 
> > I found it very helpful seeing the interface names before the packet 
> > data, especially if needed to debug some complicated forwarding or 
> > routing between servers with many interfaces. Why the developers removed 
> > that feature, I don't know. I didn't find any question nor answer about 
> > the issue, too, in newsgroups. Can anybody explain that? Is it possible 
> > to add the interface names at the start of the lines, as was early?
>
>
> linux "any" uses a special link header, man pcap and search for 
> DLT_LINUX_SLL
> you might need to patch tcpdump.c to print what you want.



-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe