[tcpdump-workers] Couldn't parse filter scr port 22000: syntax error
Hi, all

I used the following filter rules to capture packets:

    tcpdump -i eth0 src port 22000

It works fine; however, when I used it with the libpcap functions pcap_compile() and pcap_setfilter(), it output an error:

    Couldn't parse filter scr port 22000: syntax error

What is wrong with this?

thanks!

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] Couldn't parse filter scr port 22000: syntax error
> it output an error: Couldn't parse filter scr port 22000: syntax error

"scr port 22000" (mind the typo)

-- 
Denis Ovsienko
Re: [tcpdump-workers] Research on tcpdump
> "Raymond" == Raymond Borges writes:

    Raymond> Specifically we are studying how versions fixed
    Raymond> vulnerabilities by diffing the code functions where the CVE
    Raymond> states the vulnerability was. We're also wondering why
    Raymond> there are no listed CVEs after 2007 for tcpdump.
    Raymond> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump

There would be no CVEs prior to 3.5, because CVEs didn't exist.

I am unaware of a CVE against tcpdump since 2007. That's good, right?

-- 
] Never tell me the odds!                     | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/  | ruby on rails      [
Re: [tcpdump-workers] Research on tcpdump
On Mar 18, 2013, at 11:13 AM, Michael Richardson wrote:

> >> "Raymond" == Raymond Borges writes:
>
>     Raymond> Specifically we are studying how versions fixed
>     Raymond> vulnerabilities by diffing the code functions where the CVE
>     Raymond> states the vulnerability was. We're also wondering why
>     Raymond> there are no listed CVEs after 2007 for tcpdump.
>     Raymond> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump
>
> There would be no CVEs prior to 3.5, because CVEs didn't exist.

Actually, CVE-1999-1024 is against "3.4a":

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1024

(What happened with 3.4? Did the LBL people not say "hey, we've released the final 3.4 version, no need to keep using the 3.4a alpha version" loudly enough, or did nobody notice? I've seen places where people thought "3.4a" was the final 3.4 version.)

> I am unaware of a CVE against tcpdump since 2007. That's good, right?

I.e., perhaps there are no listed CVEs after 2007 because there aren't any serious vulnerabilities in tcpdump any more.

I'm not naive enough to *assume* all the problems have been fixed and no new ones have been introduced, but perhaps, either because they haven't looked hard enough or because they're not there, nobody's found any vulnerabilities since 2007.

(Michael, have you gotten Coverity Scan set up to do either nightly or post-commit runs on libpcap and tcpdump?

http://scan.coverity.com

That's one way of getting the code checked. I also did a Clang Static Humiliator run on both of them a while ago, and fixed some issues it found.)
Re: [tcpdump-workers] Research on tcpdump
> "Guy" == Guy Harris writes:

    Guy> (Michael, have you gotten Coverity Scan set up to do either
    Guy> nightly or post-commit runs on libpcap and tcpdump?
    Guy> http://scan.coverity.com
    Guy> That's one way of getting the code checked. I also did a Clang
    Guy> Static Humiliator run on both of them a while ago, and fixed
    Guy> some issues it found.)

Coverity was doing this, may still be doing this. Someone else was taking care of that interaction... it fell off my radar.

If someone wants to take this on, that would be great.

-- 
] Never tell me the odds!                     | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/  | ruby on rails      [
Re: [tcpdump-workers] why the ethernet and ip header of packets, which are captured by libpcap function, are distorted
On Fri, Mar 15, 2013 at 06:37:25PM -0700, Guy Harris wrote:
>
> On Mar 15, 2013, at 2:45 PM, Michael Richardson wrote:
>
> > >> "wen" == wen lui writes:
> >
> >     wen> I used libpcap function pcap_next() to capture some tcp packets
> >     wen> I checked the bytes of the captured packets and notice that the
> >     wen> ethernet and ip header of packets are distorted, in a mess with
> >     wen> a lot 0's but the TCP header is fine
> >
> >     wen> what are potential reasons for this?
> >
> > if you capture on Linux with the cooked mode interface.
>
> That probably won't happen if you're capturing on an Ethernet device,
> but it *will* happen if you capture on the "any" device.
>
> However, yes, *NO* program using libpcap/WinPcap should simply
> *assume* it's getting Ethernet packets; if it's looking at the
> packets, not just blindly writing them to a file without examining the
> contents, then, if it doesn't need to handle 802.11 and PPP and so on,
> just Ethernet, it should at least call pcap_datalink() and fail if the
> return value isn't DLT_EN10MB. (If it's writing them to a pcap file,
> pcap_dump_open() will call pcap_datalink() for you, to put the right
> link-layer header type in the file header.)
>
> (Should we change libpcap so that if pcap_datalink() isn't called at
> least once before calling pcap_next(), pcap_next_ex(),
> pcap_dispatch(), or pcap_loop(), it prints a message to the standard
> error saying "you're probably assuming all the world is Ethernet,
> aren't you?" and calls abort(). :-))

As I'm not sure if you're serious or not I decided to look into this to satisfy my own curiosity. In case you are serious:

https://github.com/wxsBSD/libpcap/commit/70cbe36e2bd12498ca1622349ecb1716a874c376

If you are serious and want this I'll submit a pull request.

-- 
WXS
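The check Guy describes above, dispatching on the link-layer type instead of assuming Ethernet, as an added example that is not from this thread or from libpcap itself. It defines the two DLT_ values locally so it builds without pcap.h, and the "cooked" packet bytes are constructed for the example; in a real program the linktype argument would be the return value of pcap_datalink() on the capture handle.

```c
#include <stdint.h>
#include <stdio.h>

/* Link-layer types; the values equal libpcap's DLT_ constants, defined
   locally so this example builds without pcap.h. */
#define DLT_EN10MB     1      /* Ethernet */
#define DLT_LINUX_SLL  113    /* Linux "cooked" capture, as on the "any" device */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Locate the network-layer header for a given link-layer type: returns its
   offset and stores the protocol in *proto, or -1 for an unsupported type or
   a truncated packet. This is the dispatch to do after pcap_datalink(). */
int l3_offset(int linktype, const uint8_t *pkt, size_t len, uint16_t *proto)
{
    switch (linktype) {
    case DLT_EN10MB:       /* dst MAC(6) | src MAC(6) | type(2) */
        if (len < 14) return -1;
        *proto = be16(pkt + 12);
        return 14;
    case DLT_LINUX_SLL:    /* pkttype(2) | hatype(2) | halen(2) | addr(8) | proto(2) */
        if (len < 16) return -1;
        *proto = be16(pkt + 14);
        return 16;
    default:
        return -1;         /* 802.11, PPP, ...: refuse rather than guess */
    }
}

/* IP version nibble of the header at 'off', or -1 if out of range. */
int ip_version_at(const uint8_t *pkt, size_t len, int off)
{
    return (off < 0 || (size_t)off >= len) ? -1 : pkt[off] >> 4;
}

/* Constructed sample: start of an IPv4 packet as the "any" device hands it
   out. The 8-byte address field is a 6-byte MAC padded with zero bytes. */
const uint8_t sll_pkt[] = {
    0x00,0x00, 0x00,0x01, 0x00,0x06,            /* to host, ARPHRD_ETHER, halen 6 */
    0x52,0x54,0x00,0x12,0x34,0x56, 0x00,0x00,   /* source MAC + zero padding */
    0x08,0x00,                                  /* protocol: IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00,   /* IPv4 header: version 4, IHL 5 */
};

int main(void)
{
    uint16_t proto;
    int off = l3_offset(DLT_EN10MB, sll_pkt, sizeof sll_pkt, &proto);  /* wrong assumption */
    printf("as Ethernet: type 0x%04x, IP version %d\n", proto, ip_version_at(sll_pkt, sizeof sll_pkt, off));
    off = l3_offset(DLT_LINUX_SLL, sll_pkt, sizeof sll_pkt, &proto);   /* correct */
    printf("as SLL:      type 0x%04x, IP version %d\n", proto, ip_version_at(sll_pkt, sizeof sll_pkt, off));
    return 0;
}
```

Read as Ethernet, the zero padding of the cooked header lands where the EtherType and "MAC addresses" are expected and the IP version comes out as 0, which is exactly the mess of zeros the original poster saw; dispatching on the real linktype finds the IPv4 header at offset 16.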