Re: [tcpdump-workers] proposed new pcap format
>>>>> "Richard" == Richard Sharpe <[EMAIL PROTECTED]> writes:

  Richard> That is, the ability to add textual comments to
  Richard> frames. These comments would be ignored by tools that do
  Richard> not understand them, but they would be displayed by tools
  Richard> capable of understanding them.

  struct pcap1_info_comment {
      struct pcap1_info_container pic;
      unsigned char comment[0];
  };

  Richard> It seems that there are two ways to deal with this:

  Richard> 1. A packet type that indicates that the data contained in
  Richard> the packet is a comment associated with the previous (or
  Richard> next) packet in the capture.

The intention is that the packet headers can contain multiple objects,
of which the packet data is just one part.

  Richard> 2. Some extra fields in each capture header that allows us
  Richard> to tag the current packet with comment info.

From a syntactic point of view, no capture headers - just packet headers.

Semantically, there might be things at the beginning of the file which
are often only at the beginning of the file - but let's not build that
assumption into any software which reads files.

-- 
] ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
] Michael Richardson,Xelerance Corporation, Ottawa, ON     |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
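The message above describes comment containers that tools which do not understand them simply skip. The following is an added example (not code from this thread or from libpcap) of that reader behaviour: a minimal type/length container in the spirit of the proposed pcap1_info_container, a writer that appends containers, and a walker that displays comments, skips unknown types, and refuses lengths that run past the buffer. The field layout, the type numbers INFO_COMMENT and INFO_UNKNOWN, and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INFO_COMMENT 1    /* assumed type number for a textual comment */
#define INFO_UNKNOWN 42   /* assumed type this reader does not know */

struct info_container {   /* assumed: type, then payload length in bytes */
    uint16_t type;
    uint16_t len;
};

/* Append one container (header + payload) to buf; 0 if it does not fit. */
size_t put_container(unsigned char *buf, size_t cap, uint16_t type,
                     const void *payload, uint16_t len)
{
    struct info_container h;
    h.type = type; h.len = len;
    if (cap < sizeof h + len) return 0;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, payload, len);
    return sizeof h + len;
}

/* Walk the containers in buf[0..n). The first comment found is copied
 * into out (NUL-terminated). Returns how many containers were skipped
 * because their type is unknown, or -1 if a length runs past the end
 * of the buffer (truncated or corrupt input). */
int walk_containers(const unsigned char *buf, size_t n, char *out, size_t outcap)
{
    size_t off = 0;
    int skipped = 0;
    out[0] = '\0';
    while (off < n) {
        struct info_container h;
        if (n - off < sizeof h) return -1;
        memcpy(&h, buf + off, sizeof h);
        off += sizeof h;
        if (h.len > n - off) return -1;
        if (h.type == INFO_COMMENT) {
            if (out[0] == '\0') {
                size_t l = h.len < outcap - 1 ? h.len : outcap - 1;
                memcpy(out, buf + off, l);
                out[l] = '\0';
            }
        } else {
            skipped++;    /* not understood: ignored, as the proposal intends */
        }
        off += h.len;
    }
    return skipped;
}

/* Constructed demo: an unknown container followed by a comment. */
static char demo_comment_buf[64];
int demo_comment_container(void)
{
    unsigned char buf[128];
    size_t n = 0;
    const char text[] = "retransmission seen here";
    uint32_t junk = 0xdeadbeef;   /* constructed payload of the unknown type */
    n += put_container(buf + n, sizeof buf - n, INFO_UNKNOWN, &junk, sizeof junk);
    n += put_container(buf + n, sizeof buf - n, INFO_COMMENT, text, sizeof text - 1);
    return walk_containers(buf, n, demo_comment_buf, sizeof demo_comment_buf);
}

int main(void)
{
    int skipped = demo_comment_container();
    printf("comment: \"%s\" (%d unknown container(s) skipped)\n",
           demo_comment_buf, skipped);
    return 0;
}
```

The length check before every `off += h.len` is the part worth copying: a reader that trusts the length field of a container it does not understand is exactly the reader that walks off the end of a corrupt file.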
Re: [tcpdump-workers] proposed new pcap format
>>>>> "Darren" == Darren Reed <[EMAIL PROTECTED]> writes:

  Darren> I suppose I'm not so much concerned about it being "private"
  Darren> as it being unique.

  Darren> Maybe a vendor field and vendor sub-type field would be
  Darren> useful ? That'd give flexibility in an SNMP kind of way.

  >> okay, divide the 32-bit space into two 16-bit spaces. vendor 0
  >> will be reserved. tcpdump.org will be vendor 1.
  >>
  >> vendor 0x will be reserved (for the NSA). {this was a joke, btw}

  Darren> Why not make both 32bit ?

I'm not convinced that there are more than 30 vendors that need more
than 30 meta-data containers each. And that's really stretching it.
If we had 900 things, that would be an awful lot.

  Darren> I say that because design requirements are different, today,
  Darren> than they were 15 years ago.

I was contemplating saying something like "just use your AS# as your
vendor ID", or maybe saying your PPP vendor ID, or OID.

But, I think we have done okay with just issuing things,
first-come/first-served.
Re: [tcpdump-workers] proposed new pcap format
>>>>> "Hannes" == Hannes Gredler <[EMAIL PROTECTED]> writes:

  Hannes> | okay, but there is more than just in/out.
  Hannes> |
  Hannes> | enum pcap1_probe {
  Hannes> |   INBOUND  =1,
  Hannes> |   OUTBOUND =2,
  Hannes> |   FORWARD  =3,
  Hannes> |   PREENCAP =4,  /* IPsec ? */
  Hannes> |   POSTDECAP=5,
  Hannes> | };

  Hannes> a question to PREENCAP and POSTDECAP is ENCAP/DECAP related
  Hannes> to link-layer or network-layer

  Hannes> reason that i am asking is that
  Hannes> for hardware based routers where the kernel receives just IP
  Hannes> payload b/c the link layer was stripped off by the fabric
  Hannes> PREDECAP_L2 would make a lot of sense ...

Hmm... I think that yes, we need more designations of capture points.
So, there would have to be a multitude of them.

So, I'm ever more convinced that this all goes into meta-data, once per
file, or as often as it makes sense. The probe information will need to
have a text component, perhaps only text with some standard strings,
and private extensions as people need them.
Re: [tcpdump-workers] proposed new pcap format
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

  Guy> On Mar 24, 2004, at 7:08 AM, Michael Richardson wrote:
  >> okay, but there is more than just in/out.
  >>
  >> enum pcap1_probe {
  >>   INBOUND  =1,
  >>   OUTBOUND =2,
  >>   FORWARD  =3,
  >>   PREENCAP =4,  /* IPsec ? */
  >>   POSTDECAP=5,
  >> };

  Guy> ...and perhaps, on at least some systems, for inbound packets, supply
  Guy> "received unicast/received broadcast/received multicast/received
  Guy> promiscuously" indications (Digital UNIX has broadcast, multicast, and
  Guy> promiscuous bits - presumably if none are set it's received
  Guy> unicast or it's outbound), IRIX has a "received promiscuously"
  Guy> flag, and Linux supplies a

I think that these may be bits, and certainly are orthogonal to the
probe point. So, we need some kind of additional flags.

Do these need to be in every packet? Maybe it is just meta-data that
needs to be added at the beginning, perhaps along with the filter code.
Re: [tcpdump-workers] movement of lists
>>>>> "Joerg" == Joerg Mayer <[EMAIL PROTECTED]> writes:

  Joerg> Is it possible to add a List-id: header field? It would make
  Joerg> maintaining the procmail rules easier.

I've added it. List-Id: is that okay? Should be on this message.
Re: [tcpdump-workers] timestamps and timezone
>>>>> "Jefferson" == Jefferson Ogata <[EMAIL PROTECTED]> writes:

  Jefferson> Maybe I'm dumb but it's taken me five successive postings
  Jefferson> to get past the impenetrably cryptic notifications ("The
  Jefferson> postblock flag is set for...", "Duplicate Partial Message
  Jefferson> Checksum") from the new list manager. And I'm assuming
  Jefferson> that this time I'll actually succeed in posting a
  Jefferson> message.

I would have taken care of that this morning :-)
Likely, I had a -nomail exception for your ID before.

  Jefferson> Why would anyone want the time zone of the local system
  Jefferson> to affect the timestamps in the cap file? If you want to
  Jefferson> see what they would have been, just set TZ. And alex, you

If one had a program that started a new dump file each "local" day,
then it might be good to know why the file ends at 8pm or something
each time. That's a pretty big stretch, though.

Otherwise, I agree with you.
[tcpdump-workers] tcpdump 3.8.2
At 4pm EST today I will cvs update the tcpdump.org web site with the
release information on tcpdump 3.8.2.

Everything is in CVS, and the new releases are in releases/ already.
[tcpdump-workers] ADMIN
Some people (~200) were missing from the tcpdump list until today.
I'm uncertain how they went missing, but I added them based upon the
discrepancy between wc -l on the old list and the stats from the new
list.

mj2 permits multiple moderators. If you are willing to help, let me know.
Re: [tcpdump-workers] proposed new pcap format
>>>>> "Darren" == Darren Reed <[EMAIL PROTECTED]> writes:

  Darren> What's the _real_ list address? The web page still has:
  Darren> [EMAIL PROTECTED]
  Darren> Some of my emails seem to go missing rather to the list :-/
  Darren> There's also
  Darren> [EMAIL PROTECTED]
  Darren> [EMAIL PROTECTED]

it should now be [EMAIL PROTECTED]
[EMAIL PROTECTED] should alias there.
[EMAIL PROTECTED] or @lists.sandelman should bounce.
[tcpdump-workers] aclocal.m4 and openssl
It appears that we don't really do the right thing with:

  ./configure --with-crypto=/path
  ./configure --with-openssl=/path
  ./configure --with-ssleay=/path

(I'm uncertain which of these is right)

--with-crypto=/path seems to actually kill crypto.

I want it to work like we look for libpcap. Ideally, I'd like to
include ${prefix} first. I think that this is easy to do in
configure.in.

But, my question is - about aclocal.m4 and the pcap checking stuff.
Was that hand written, or did something generate it? Bill?
[tcpdump-workers] print-esp, AES
Itojun changed print-esp.c to look up crypto routines using
EVP_get_byname() instead of having a table.

The problem with that is that the ivlen differs for different
algorithms. This is easily solved by calling EVP_CIPHER_iv_length(evp);

I'm committing this code to HEAD.

With that, I can decrypt AES256 packets generated by Openswan.
Re: [tcpdump-workers] Proposed new pcap format
Loris had previously written up an ID on a proposed pcap format. It is
similar, but not identical to what I had proposed. It is in xml2rfc
(rfc2629) format. I can't say if the IETF would or should ever
consider publishing it. I think it is likely out of scope for IETF.
(maybe Bill can comment).

I have placed it into:
  libpcap/doc/pcap.{xml,txt,html}
and
  http://www.tcpdump.org/pcap/pcap.html
  http://www.tcpdump.org/pcap/pcap.txt

I'd like to ask Loris if he'd consider being our scribe.
Re: [tcpdump-workers] print-esp, AES
{My apologies for the Reply-to: nonsense. Trying to fix it}

>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:
  >> Itojun changed print-esp.c to look up crypto routines using
  >> EVP_get_byname() instead of having a table.
  >>
  >> The problem with that is that the ivlen differs for different
  >> algorithms. This is easily solved by calling
  >> EVP_CIPHER_iv_length(evp);
  >>
  >> I'm committing this code to HEAD.

  Guy> Should that go into the 3.8 branch as well?

yes, assuming that we do a 3.8.4.
[tcpdump-workers] Bill Fenner: Did this message ever make it to the tcpdump list?
From: Bill Fenner <[EMAIL PROTECTED]>
Subject: Re: [tcpdump-workers] aclocal.m4 and openssl
Date: Mon, 5 Apr 2004 11:05:36 -0800
To: [EMAIL PROTECTED]

I've been meaning to revisit aclocal.m4 and the autoconf setup for a
long time. Much of it was hand-spun to get around bugs or limitations
in autoconf 2.9. Unfortunately, I don't have access to many of the
"funny" systems to make sure that I don't delete something that looks
like cruft but is actually needed.

I'd start with a modern check for libcrypto - use AC_ARG_WITH to add
-L$with_libcrypto/lib to LDFLAGS and -I$with_libcrypto/include to
CPPFLAGS if $with_libcrypto is not "yes" or "no", then if
$with_libcrypto is not "no", use AC_CHECK_LIB with either "main" or a
more modern function than the current autoconf check uses (the one
that autoconf currently uses was turned into a compatibility macro in
OpenSSL 0.9.7, I think, which is why it usually fails).

I dunno if we want to try to keep compatibility with older systems
with sslEAY.

  Bill
Re: [tcpdump-workers] Proposed new pcap format
>>>>> "Loris" == Loris Degioanni <[EMAIL PROTECTED]> writes:

  Loris> It depends on what "our scribe" means: I'll be around the
  Loris> world during the next month, and I'll not be able to work
  Loris> regularly on the document. Moreover, I'd like to understand

It means keeping track of what we think we have agreed upon and
putting it into the document. Just like an IETF document editor does.

  Loris> if the list agrees with the idea of proposing an Internet
  Loris> Draft that defines a standard network trace format.

a) I think that the INCH WG has done some work in this area.
b) It isn't clear that file formats are within the IETF purview.
Re: [tcpdump-workers] bpf/pcap performance
>>>>> "Darren" == Darren Reed <[EMAIL PROTECTED]> writes:

  Darren> In some email I received from Guy Harris, sie wrote:
  >> On Sun, Apr 11, 2004 at 03:15:30AM +1000, Darren Reed wrote:
  >> > And there's also BPF_MAXBUFFERSIZE. I see pcap_getbuff() as
  >> > being essential to getting code to work without trial and error
  >> > by passing different sizes to read() to find out what the right
  >> > size to read is, if you're not setting the size yourself.
  >>
  >> But if you're using libpcap, you're not passing anything to
  >> read(), you're letting libpcap do that.

  Darren> Not necessarily.

  Darren> The interface exposed by libpcap is not conducive to good
  Darren> use by C++ applications - main culprit here is
  Darren> pcap_dispatch() but none of the others really help. Unless
  Darren> all your classes are static classes (which kind of defeats
  Darren> the purpose, in my book.)

Darren, can you suggest a better interface? One that is friendly to
C++ without requiring that we drag in any C++ code?
Re: [tcpdump-workers] proposed new pcap format
>>>>> "Christian" == Christian Kreibich <[EMAIL PROTECTED]> writes:

  >> That's a nice feature, and one we should try to maintain if
  >> possible.

  Christian> There's another thing I'd like to point out: the new
  Christian> scheme, in its current state, doesn't provide the snaplen
  Christian> value that the old pcap_file_header provides. I think a
  Christian> *lot* of applications use that value to allocate a buffer
  Christian> to store packet data before starting to read packets.

At most, it could be a hint of a likely size, if we support any method
of concatenating files.

We could perhaps have a "ranlib"-like tool that walked a pcap file to
optimize the hint at the beginning.

  Christian> I agree that the ability to cat together trace files
  Christian> would be nice. However if that's the only benefit, while
  Christian> otherwise every packet-iterating application becomes a
  Christian> whole lot more complicated because it must find a way to
  Christian> deal with pure metadata without any packet data at random

Having every part of the file being identical in structure has a lot
of benefits in my opinion.

There are numerous times when I wanted to do stuff like:

  ( tcpdump -r file1 -w - filespec1; tcpdump -r file1 -w - filespec2 ) | analysis-program

Often this occurs for me in writing test cases, but also in trying to
understand what has broken in a network.
Re: [tcpdump-workers] Proposed new pcap format
>>>>> "Darren" == Darren Reed <[EMAIL PROTECTED]> writes:

  >> Oh, I forgot.
  >>
  >> Another useful thing to have is an option for the packet block
  >> where one would store a reasonably collision-safe 8-byte hash of
  >> the packet data.
  >>
  >> This would make it much easier to compare two different capture
  >> files to see where packets are missing etc.

  Darren> I'll agree that this, as part of the per-packet header,
  Darren> would be a useful addition to the pcap format. No need for
  Darren> chained hashing, just per-record.

a) how strong do we need to make this? 8-byte implies it won't be
   CRC32. A longer CRC? MD4? MD5? SHA1?

b) how much performance can we afford? (clearly, it could be left as 0
   and filled in later on)

c) do we include this in every packet header? Or as an extra
   meta-attribute?
Re: [tcpdump-workers] Proposed new pcap format
>>>>> "Darren" == Darren Reed <[EMAIL PROTECTED]> writes:

  Darren> Today, some people might want MD-5, others SHA-1 and in the
  Darren> future, there may be other hashing algorithms that are
  Darren> better to use. And there are times when we might want it
  Darren> off (algorithm 0, for example.)

okay, meta-data.

I think that one might want to emit the meta-data header, but not fill
it in in some cases, and calculate the hash later on, poking it in.

  Darren> As such, I believe this option should be a (type,value)
  Darren> pair, if we can agree that the hash value in the option
  Darren> header is a hash over the entire record returned by the
  Darren> kernel (with the value of the hash set to 0.) And yes, the
  Darren> kernel computes the hash.

Huh? really. You want the hash over the entire packet, or just the
part that was received by pcap?

I wondered about that part. This makes the hash very interesting.

But, the kernel boundary is abstracted from the point of view of the
pcap file format. So, if we are including anything other than the
packet data, we need to define things.

I can see some people wanting a hash over the layer-3 only, with
mutable fields set to zero (a la IPsec AH), such that they can compare
captures from different points. Is this your desire?
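The two messages above (the 8-byte per-record hash option, and the question of what exactly gets hashed) describe two different conventions. This added example, which is not code from the thread or from libpcap, shows both side by side: a hash over the whole record with the hash field itself zeroed first, so a later pass can fill it in and a reader can verify it, and an IPsec-AH-style hash over only the IPv4 packet with the mutable fields (ToS, flags/fragment offset, TTL, header checksum) zeroed, so the same datagram captured at two points on a path hashes identically. The record layout, the function names and the sample datagram are constructed for the example, and FNV-1a 64-bit stands in for a real digest only to keep the code self-contained; it is not collision-resistant and a real format would name MD5, SHA-1 or similar in the option's type field.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in digest (assumption: FNV-1a 64-bit; NOT collision-resistant). */
static uint64_t fnv1a64(const void *p, size_t n)
{
    const unsigned char *b = p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Assumed per-packet record with an 8-byte hash option. Fields are
 * ordered so the struct has no padding (padding would be hashed too). */
struct rec {
    uint32_t ts_sec, ts_usec, caplen, len;
    uint64_t hash;              /* 0 until filled in */
    unsigned char data[64];
};

/* Hash over the entire record with the hash field itself set to 0. */
uint64_t record_hash(const struct rec *r)
{
    struct rec tmp = *r;
    tmp.hash = 0;
    return fnv1a64(&tmp, sizeof tmp);
}
void record_fill_hash(struct rec *r) { r->hash = record_hash(r); }
int  record_verify_hash(const struct rec *r) { return r->hash == record_hash(r); }

/* AH-style hash over the IPv4 packet only: the fields AH treats as
 * mutable in transit are zeroed before hashing. IP options not handled. */
uint64_t ipv4_ah_style_hash(const unsigned char *pkt, size_t n)
{
    unsigned char tmp[1500];
    if (n < 20 || n > sizeof tmp || (pkt[0] >> 4) != 4) return 0;
    memcpy(tmp, pkt, n);
    tmp[1] = 0;                  /* ToS */
    tmp[6] = tmp[7] = 0;         /* flags + fragment offset */
    tmp[8] = 0;                  /* TTL */
    tmp[10] = tmp[11] = 0;       /* header checksum */
    return fnv1a64(tmp, n);
}

static uint16_t ipv4_checksum(const unsigned char *h, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(h[i] << 8 | h[i + 1]);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Constructed sample: 28-byte IPv4/UDP datagram 10.0.0.1 -> 10.0.0.2,
 * given TTL, correct header checksum. */
static uint32_t build_sample(unsigned char ttl, unsigned char *out)
{
    static const unsigned char base[28] = {
        0x45,0x00,0x00,0x1c, 0x12,0x34,0x40,0x00, 0x00,0x11,0x00,0x00,
        0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
        0x30,0x39,0x00,0x35, 0x00,0x08,0x00,0x00 };
    uint16_t c;
    memcpy(out, base, sizeof base);
    out[8] = ttl;
    c = ipv4_checksum(out, 20);
    out[10] = c >> 8; out[11] = c & 0xff;
    return sizeof base;
}

/* Same datagram captured before and after one router hop (TTL 64 -> 63).
 * Returns 1 when the whole-record hashes differ but the AH-style
 * layer-3 hashes agree, i.e. the two captures can be lined up. */
int demo_compare_points(void)
{
    struct rec a, b;
    memset(&a, 0, sizeof a);
    a.ts_sec = 1081900000; a.ts_usec = 100;
    a.caplen = a.len = build_sample(64, a.data);
    b = a; b.ts_usec = 400;
    b.caplen = b.len = build_sample(63, b.data);
    record_fill_hash(&a); record_fill_hash(&b);
    if (!record_verify_hash(&a) || !record_verify_hash(&b)) return 0;
    return record_hash(&a) != record_hash(&b)
        && ipv4_ah_style_hash(a.data, a.caplen) == ipv4_ah_style_hash(b.data, b.caplen);
}

/* A hash filled in earlier exposes a later change to the record. */
int demo_detects_corruption(void)
{
    struct rec a;
    memset(&a, 0, sizeof a);
    a.caplen = a.len = build_sample(64, a.data);
    record_fill_hash(&a);
    a.data[21] ^= 0x01;          /* flip one bit of the UDP header */
    return !record_verify_hash(&a);
}

int main(void)
{
    printf("captures line up: %d, corruption detected: %d\n",
           demo_compare_points(), demo_detects_corruption());
    return 0;
}
```

Which of the two a file should carry depends on the question being asked: the whole-record hash answers "is this record still what was written?", while the AH-style hash answers "is this the same packet I saw elsewhere?", and the thread's (type,value) option can carry either as long as the type says which was computed.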
Re: [tcpdump-workers] Proposed new pcap format
>>>>> "Fulvio" == Fulvio Risso <[EMAIL PROTECTED]> writes:

  Fulvio> Personally I don't like to transform the Section Header
  Fulvio> Block from a MARKER to a CONTAINER. I don't like to rewind
  Fulvio> the file in case of large capture in order to update such a
  Fulvio> value. And what about if the application crashes before
  Fulvio> updating that value? The format of the file is wrong,
  Fulvio> because the section length is set to a wrong value.

I agree.

  Fulvio> Personally, I would like to keep the SHB a marker, and add
  Fulvio> an option that says "the size of this section is XXX",
  Fulvio> where XXX is a 64 bit number.

Yes, with 0 meaning "guess"

We have a program, "pcapopt" or some such, that can go through and add
appropriate data later on. Maybe it can do after-the-fact hashing as
well.
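The snaplen-hint discussion earlier in the thread and the section-length option above both come down to the same design: the writer emits a marker with the value 0, and a separate pass fills the real value in afterwards. This added example (not code from the thread, from libpcap or from pcapng) models that in memory: a writer that never rewinds, a walker that stops cleanly at a truncated block as if the writer had crashed, a pcapopt-style pass that pokes the section length and the largest caplen seen into the header, and a reader that uses the length when it is nonzero and walks the section when it is 0. The block types, the layouts and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLK_SHB 1
#define BLK_PKT 2

struct blk_hdr { uint32_t type, total_len; };           /* header + body */
struct shb_body { uint64_t section_len; uint32_t snaplen_hint; uint32_t reserved; };
struct pkt_body { uint32_t caplen, origlen; };           /* packet bytes follow */

/* Writer: a marker SHB with both values 0; nothing to rewind for later. */
size_t write_shb(unsigned char *out, size_t cap)
{
    struct blk_hdr h = { BLK_SHB, (uint32_t)(sizeof h + sizeof(struct shb_body)) };
    struct shb_body b = { 0, 0, 0 };
    if (cap < h.total_len) return 0;
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, &b, sizeof b);
    return h.total_len;
}

size_t write_pkt(unsigned char *out, size_t cap, const unsigned char *d, uint32_t n)
{
    struct blk_hdr h = { BLK_PKT, (uint32_t)(sizeof h + sizeof(struct pkt_body) + n) };
    struct pkt_body b = { n, n };
    if (cap < h.total_len) return 0;
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, &b, sizeof b);
    memcpy(out + sizeof h + sizeof b, d, n);
    return h.total_len;
}

/* Walk the packet blocks after the SHB at buf[0]. Stops at a truncated
 * or malformed block instead of trusting its length. Reports the intact
 * section body length and the largest caplen; returns packets read. */
int walk_section(const unsigned char *buf, size_t n, uint64_t *sec_len, uint32_t *maxcap)
{
    size_t off = sizeof(struct blk_hdr) + sizeof(struct shb_body);
    int pkts = 0;
    *maxcap = 0;
    while (off + sizeof(struct blk_hdr) <= n) {
        struct blk_hdr h; struct pkt_body p;
        memcpy(&h, buf + off, sizeof h);
        if (h.type != BLK_PKT || h.total_len < sizeof h + sizeof p || off + h.total_len > n)
            break;
        memcpy(&p, buf + off + sizeof h, sizeof p);
        if (p.caplen > *maxcap) *maxcap = p.caplen;
        off += h.total_len; pkts++;
    }
    *sec_len = off - (sizeof(struct blk_hdr) + sizeof(struct shb_body));
    return pkts;
}

/* pcapopt-style pass: fill the SHB's hints in after the fact. */
int optimize_section(unsigned char *buf, size_t n)
{
    struct shb_body b;
    int pkts = walk_section(buf, n, &b.section_len, &b.snaplen_hint);
    b.reserved = 0;
    memcpy(buf + sizeof(struct blk_hdr), &b, sizeof b);
    return pkts;
}

/* Reader: a nonzero section length lets it skip the section in O(1);
 * 0 ("guess") means walk it. */
size_t next_section_offset(const unsigned char *buf, size_t n)
{
    struct shb_body b; uint64_t walked; uint32_t mc;
    memcpy(&b, buf + sizeof(struct blk_hdr), sizeof b);
    if (b.section_len == 0) { walk_section(buf, n, &walked, &mc); b.section_len = walked; }
    return sizeof(struct blk_hdr) + sizeof b + (size_t)b.section_len;
}

/* Constructed demo: two packets, then (crash != 0) the file is cut in
 * the middle of a third block as if the writer had died. */
static unsigned char demo[256];
size_t demo_build(int crash)
{
    const unsigned char p1[4] = {1, 2, 3, 4}, p2[10] = {0};
    size_t n = write_shb(demo, sizeof demo);
    n += write_pkt(demo + n, sizeof demo - n, p1, sizeof p1);
    n += write_pkt(demo + n, sizeof demo - n, p2, sizeof p2);
    if (crash) n += write_pkt(demo + n, sizeof demo - n, p2, sizeof p2) - 5;
    return n;
}
int      demo_packets(int crash)      { uint64_t s; uint32_t m; return walk_section(demo, demo_build(crash), &s, &m); }
uint64_t demo_section_len(int crash)  { uint64_t s; uint32_t m; walk_section(demo, demo_build(crash), &s, &m); return s; }
uint32_t demo_snaplen_hint(int crash) { uint64_t s; uint32_t m; walk_section(demo, demo_build(crash), &s, &m); return m; }
size_t   demo_next_section(int crash, int optimize)
{
    size_t n = demo_build(crash);
    if (optimize) optimize_section(demo, n);
    return next_section_offset(demo, n);
}

int main(void)
{
    printf("crashed file: %d packets, section body %llu bytes, snaplen hint %u\n",
           demo_packets(1), (unsigned long long)demo_section_len(1), demo_snaplen_hint(1));
    return 0;
}
```

Because the writer only ever emits 0, a crash leaves a file whose header makes no false claim; the walker in this model recovers the two complete packets and the optimizer can be run on the truncated file exactly as on a clean one.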
Re: [tcpdump-workers] Proposed new pcap format
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

  >> What I'd like to see hashed, by the kernel, is the data it
  >> provides to the user application. Depending on the purpose, this
  >> has better trustworthiness, I feel. libpcap may decide to throw
  >> away that hash and include its own in the dump file.
  >>
  >> I'm not suggesting this just for a quick comparison point of view
  >> (as are some others) but from a data reliability perspective. If
  >> you have a multithreaded application interacting with libpcap, it
  >> would be nice if the pcap data that you considered sensitive could
  >> be hashed by the provider (the kernel), as is the case with other
  >> data streams in life.

  Guy> I.e., there are two features being considered here:

  Guy>   1) a mechanism by which the kernel can provide a hash of
  Guy>      the packet to ensure some level of trust in the packet data;

I don't understand this.

Are we worrying about corruption of the packets between the kernel and
the userspace application? Or what? Yes, the PCI bus is now among the
more error-prone (relatively speaking) parts of the system. So, unless
the hash is computed by the MAC/PHY, I don't see a point in this.

  Guy> So I'd see those as separate items for discussion. The
  Guy> mechanism in 2) needs to be sufficient to handle the hashes
  Guy> from 1) as well as other hashes people might want to provide,
  Guy> but that mechanism itself is somewhat decoupled from the
  Guy> hashing in 1).

On this I agree.
Re: [tcpdump-workers] Proposed new pcap format
>>>>> "Fulvio" == Fulvio Risso <[EMAIL PROTECTED]> writes:

  >> I agree, but since we are trying to define a standard,

  Fulvio> I don't think the IETF is willing to define a standard for
  Fulvio> this. I feel better to say "we would like to document the
  Fulvio> new file format used by libpcap". There are already
  Fulvio> examples of this in the IETF (e.g. RFC 1761 "Snoop Version 2
  Fulvio> Packet Capture File Format").

Yes, we can try for informational RFC.

I'm not opposed to doing it this way - I just suggest that the bar is
much higher in 2004 than it was in 1995.

  Fulvio> In IETF usually there is an option which is "mandatory"
  Fulvio> (often the simplest one), while the remaining are
  Fulvio> "optional".

Only for standards track :-)
Re: [tcpdump-workers] Proposed new pcap format
>>>>> "Darren" == Darren Reed <[EMAIL PROTECTED]> writes:

  Darren> In some email I received from Guy Harris, sie wrote:
  >> On Apr 13, 2004, at 3:38 PM, Darren Reed wrote:
  >> > In each case the specification defines support for a number of
  >> > different hashes, of varying strengths and the choice is left
  >> > to the end user to decide on what they wish to use. I don't see
  >> > why libpcap should be any different.
  >>
  >> If the hash value is generated by the application, that's the
  >> case.
  >>
  >> If it's generated by the kernel or libpcap, then the end user
  >> might not have much of a choice - they're stuck with what the
  >> kernel or libpcap provide.

  Darren> I'm thinking, here, that when the user turns this on via an
  Darren> ioctl, they can request which hash algorithm to use. The
  Darren> worst that can happen is the kernel says "sorry, don't
  Darren> support that algorithm" and the user tries again with
  Darren> another. Similarly, the user should be able to query this
  Darren> setting.

Darren, I'm still not sure that I understand why the kernel should do
this. I thought at first it was because you wanted a hash of the
entire packet, rather than just the snaplen. (To me, this made a LOT
of sense, so I don't understand why you wouldn't want the kernel to
hash the entire packet)

Now I don't understand - why should the kernel do this?

On a uniprocessor the effort is the same, except that the real-time
latency will go up if the kernel isn't pre-emptive. (*BSD isn't, 2.4
Linux isn't, etc..). On a multiprocessor, it seems that having the
kernel do the work is a further loss vs having a possibly-thread-safe
libpcap do the work.

The only benefit that I can see is if you have hardware that can do it
(vs special instructions in your CPU). I'm not aware of any MACs that
do this kind of thing, although I imagine a number of them have
upgradable (by the manufacturer) firmware.

It doesn't seem worth the PCI transactions to have a hardware crypto
chip do the work either. Instead, it seems to me that this is
something which can even be done offline in non-real time.

  >> I think Loris is saying that, for hashes generated by the kernel
  >> or libpcap we probably aren't going to provide the full panoply
  >> of hashes

  Darren> Does this mean they don't get enumerated or just not coded ?

In the context of this meta-data container, we/you can enumerate as
many as you like.

  Darren> In terms of code, I think I'd like to see three available:
  Darren> none, a weak/cheap one and a cryptographically secure one.

okay.

  >> That might not require us to choose a default, however, as long
  >> as the kernel can tell libpcap which hash value it's providing
  >> (if any). It might, however, mean that we should choose a hash
  >> value that, for kernel hashing, is considered "adequate", and
  >> recommend that capture mechanisms implement it.

  Darren> Yes, I like that approach. My objection is to there being a
  Darren> "default" (aside from not having one) that everyone is
  Darren> expected to use/support, regardless of others.

Since the file could be re-processed, I'm not sure if we need a
default.
Re: [tcpdump-workers] Proposed new pcap format
{Darren, you are sending to tcpdump-workers-owner, from the SMTP envelope. I think my MTA is canonicalizing something in a way I don't want it to. It isn't the list's fault}

>>>>> "Darren" == Darren Reed <[EMAIL PROTECTED]> writes:

>> Are we worrying about corruption of the packets between the
>> kernel and the userspace application? Or what? Yes, the PCI bus
>> is now among the more error-prone (relatively speaking) parts of
>> the system. So, unless the hash is computed by the MAC/PHY, I
>> don't see a point in this.

Darren> I suppose, ideally, the kernel would digitally sign the
Darren> captured packet.

Proving what? That you aren't being lied to? By whom? What is the threat model for this?

What does having the kernel digitally sign stuff gain you? Who would lie to you in such a way that they couldn't also have the kernel lie to you? For that matter, why would you even trust the NIC to not lie to you? (This is a very serious question for devices that include IPsec in the NIC!)

Darren> The question I want to be able to answer is: "how do I know
Darren> what's in the program's capture buffer represents what was
Darren> received by the computer from the network with any degree of
Darren> reliability?"

Reliability implies bit-errors somewhere, not malicious attacks.

Darren> btw, is it at all easily possible to get the 802.3 checksum
Darren> into captured data ?

On some OSes you ask for that. Not on BSD AFAIK; yes, with PF_PACKET on Linux.

Darren> If there are corruption problems, then it's more likely to
Darren> be within the program itself than PCI (I imagine) and this
Darren> is something else I'd like to protect against, especially
Darren> where the program is not 100% trustworthy.

Okay, you say "trustworthy" rather than "reliable" here. They don't mean the same thing.

And with GbE encoding, ECC memory and parity protected L3 cache buses, the PCI bus *is* the least reliable interface in a typical PC.

I believe that people who do TCP checksum offload have experienced this problem already.
Re: [tcpdump-workers] little fix for print-esp.c
>>>>> "Francis" == Francis Dupont <[EMAIL PROTECTED]> writes:

Francis> ESP decryption should not be performed on the
Francis> authentication trailer...

Good point. Thanks.
Re: [tcpdump-workers] proposed new pcap format
>>>>> "Stephen" == Stephen Donnelly <[EMAIL PROTECTED]> writes:

Stephen> Instead of trying to store the number of significant
Stephen> figures in some base, how about storing the effective clock
Stephen> timestamp frequency in Hz? This gives an indication of
Stephen> resolution as opposed to precision.

I'd like to say that we adopt this proposal.

Stephen> For example if we assume timestamps are stored as
Stephen> microseconds, but we have an older computer that only has a
Stephen> millisecond resolution clock, then the microsecond part of
Stephen> the time would increment by 1000 microseconds per 'tick' of
Stephen> the 1kHz (1 millisecond period) clock. The stored
Stephen> resolution value would be 1000 for 1000Hz.

Stephen> If the clock resolution on a newer computer/OS was actually
Stephen> 1 microsecond, then the microsecond timestamp would
Stephen> increment by 1 each tick of the 1MHz clock. The stored
Stephen> resolution value would be 100 for 100Hz.

Stephen> To find the number of significant digits to print, you
Stephen> could take the ceiling of log base 10 of the clock
Stephen> resolution (in Hz). log base 10 of 1000 is 3, log base 10
Stephen> of 100 is 6.

Stephen> This method allows for clock frequencies that are not
Stephen> powers of 10, provided that they are an integer number of
Stephen> Hz. For example a clock resolution of 16777216Hz (log base
Stephen> 10 of 2^24 is ~7.2) is representable, but 666.67Hz is not.

Stephen> With a 32-bit unsigned field, frequencies up to 2^32-1 are
Stephen> representable, which is more than sufficient for a 1ns
Stephen> (1GHz) resolution timestamp clock. Is anyone running a
Stephen> time-stamping clock over 4GHz? The Pentium II architecture
Stephen> TSC counter may surpass this soon, but if the stored
Stephen> timestamp precision is only microseconds or even
Stephen> nanoseconds then the effective stored resolution is limited
Stephen> to that anyway.
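As an added example (not code from the post or from libpcap), the digit count Stephen describes, ceil(log10(hz)), done in integer arithmetic for a 32-bit unsigned frequency field, plus a formatter that prints a microsecond timestamp with only as many fractional digits as the stored clock frequency justifies. The function names ts_resolution_digits and format_timestamp are chosen here.

```c
/*
 * Added example, not libpcap code: interpreting a "clock frequency in Hz"
 * resolution field stored next to microsecond timestamps.
 *
 * ts_resolution_digits() returns ceil(log10(hz)) without libm, i.e. the
 * smallest d such that 10^d >= hz: 1000 Hz -> 3, 1000000 Hz -> 6,
 * 16777216 Hz -> 8, 1 Hz -> 0.
 * format_timestamp() prints secs.frac with exactly that many fractional
 * digits, capped at the 6 digits a microsecond field can actually carry.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* -1 means "resolution field is 0 / unspecified", so callers can fall back. */
int ts_resolution_digits(uint32_t hz)
{
    if (hz == 0)
        return -1;
    int d = 0;
    uint64_t p = 1;                 /* 64-bit so 10^10 does not overflow */
    while (p < hz) {
        p *= 10;
        d++;
    }
    return d;
}

/*
 * Write "secs.ffff" into buf. Digits below the clock's resolution are
 * dropped rather than printed as misleading zeros/noise. Returns the
 * snprintf() result (characters needed), or -1 on invalid input.
 */
int format_timestamp(char *buf, size_t buflen,
                     uint32_t secs, uint32_t usecs, uint32_t hz)
{
    int d = ts_resolution_digits(hz);
    if (d < 0 || usecs >= 1000000u)
        return -1;
    if (d > 6)                      /* a 1 GHz clock still only stores usecs */
        d = 6;
    if (d == 0)                     /* whole-second clock: no fraction at all */
        return snprintf(buf, buflen, "%u", (unsigned)secs);

    uint32_t frac = usecs;
    for (int i = d; i < 6; i++)     /* strip the 6-d digits that are not real */
        frac /= 10;
    return snprintf(buf, buflen, "%u.%0*u", (unsigned)secs, d, (unsigned)frac);
}

int main(void)
{
    /* constructed sample: one timestamp, three claimed clock resolutions */
    static const uint32_t freqs[] = { 1000, 1000000, 16777216, 1 };
    char buf[64];
    for (size_t i = 0; i < sizeof freqs / sizeof freqs[0]; i++) {
        format_timestamp(buf, sizeof buf, 1081891200u, 123456u, freqs[i]);
        printf("%10u Hz -> %d digits -> %s\n",
               (unsigned)freqs[i], ts_resolution_digits(freqs[i]), buf);
    }
    return 0;
}
```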
[tcpdump-workers] ADMIN - checking
okay, my stupid. List should be alive again. I can't tell you how much grief switching from lists.sandelman.ca -> lists.tcpdump.org has caused.
[tcpdump-workers] ADMIN - checking
This is a test of the list. My apologies for the problems.
[tcpdump-workers] netdissect.h
To switch a file to the "netdissect.h" interface, do the following:

1) change #include "interface.h" -> #include "netdissect.h"

2) add "netdissect_options *ndo" as the first argument to the print routine.

3) move the prototype for the routine in netdissect.h out of the #if 0, and remove it from interface.h

4) change all calls like
      (void)printf(STUFF);
   to:
      ND_PRINT((ndo, STUFF));

5) change all calls like:
      default_print(A,B)
   to:
      ND_DEFAULT_PRINT(A,B);
   (the latter has an implicit reference to the "ndo" variable)

6) change all places that call blah_print() to call it as:
      blah_print(gndo, ...)
   (these are easily found by compiling and looking for mismatches against prototypes). The exception is that if the call is already in a netdissect.h'ified routine, then it should be "ndo" rather than "gndo".

Once we have done all of the files, there will be some dead code in tcpdump.c that we can get rid of, and then we can refactor some of the remaining code a bit more.

I hope everyone can see the point of this effort.
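An added illustration of the recipe above, not tcpdump's own code: a cut-down stand-in for netdissect_options and ND_PRINT (modelled on, but not identical to, the real netdissect.h), a constructed dummy_print routine shown before and after conversion, and two ndo_printf hooks, one writing to stdout and one appending to a caller-supplied buffer, which is what lets the dissectors be used as a library.

```c
/*
 * Added example, not tcpdump code. Only the parts of netdissect.h that the
 * cookbook steps touch are mimicked here; "dummy" is a constructed protocol.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

typedef struct netdissect_options netdissect_options;
struct netdissect_options {
    /* every dissector's output goes through this hook instead of printf() */
    int (*ndo_printf)(netdissect_options *ndo, const char *fmt, ...);
    void *ndo_sink;   /* whatever the hook needs: a FILE *, a buffer, ... */
};

/* Step 4: (void)printf(STUFF) becomes ND_PRINT((ndo, STUFF)). */
#define ND_PRINT(STUFF) (*ndo->ndo_printf)STUFF

/* Step 6: callers that are not converted yet pass the global "gndo". */
netdissect_options *gndo;

/* Hook 1: plain stdout, which is what tcpdump the program wants. */
static int ndo_stdout_printf(netdissect_options *ndo, const char *fmt, ...)
{
    (void)ndo;
    va_list ap;
    va_start(ap, fmt);
    int n = vfprintf(stdout, fmt, ap);
    va_end(ap);
    return n;
}

/* Hook 2: append into a bounded string buffer, the "arbitrary place". */
struct strbuf { char *s; size_t len, cap; };

static int ndo_strbuf_printf(netdissect_options *ndo, const char *fmt, ...)
{
    struct strbuf *b = ndo->ndo_sink;
    size_t room = b->cap - b->len;          /* always >= 1 (for the NUL) */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(b->s + b->len, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return n;
    b->len += ((size_t)n < room) ? (size_t)n : room - 1;   /* track truncation */
    return n;
}

/* BEFORE: old interface.h-style routine, hard-wired to stdout. */
void dummy_print_old(const unsigned char *bp, unsigned len)
{
    (void)printf("dummy: len %u first 0x%02x", len, len ? (unsigned)bp[0] : 0u);
}

/* AFTER: step 2 adds ndo as the first argument, step 4 rewrites the printf. */
void dummy_print(netdissect_options *ndo, const unsigned char *bp, unsigned len)
{
    ND_PRINT((ndo, "dummy: len %u first 0x%02x", len, len ? (unsigned)bp[0] : 0u));
}

/* Step 6: an unconverted caller passes gndo; a converted one passes its ndo. */
void caller_unconverted(const unsigned char *bp, unsigned len)
{
    dummy_print(gndo, bp, len);
}

/* Library-style use: dissect into a caller's buffer and hand the string back. */
const char *dissect_to_string(const unsigned char *bp, unsigned len,
                              char *out, size_t cap)
{
    struct strbuf b = { out, 0, cap };
    netdissect_options ndo = { ndo_strbuf_printf, &b };
    out[0] = '\0';
    dummy_print(&ndo, bp, len);
    return out;
}

int main(void)
{
    static const unsigned char pkt[] = { 0x45, 0x00, 0x00, 0x3c };  /* constructed */
    netdissect_options stdout_ndo = { ndo_stdout_printf, NULL };
    char buf[128];

    gndo = &stdout_ndo;
    caller_unconverted(pkt, sizeof pkt);     /* reaches stdout through gndo */
    putchar('\n');
    puts(dissect_to_string(pkt, sizeof pkt, buf, sizeof buf));  /* same text, via buffer */
    return 0;
}
```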
[tcpdump-workers] IGRP
Hannes,

ipproto.c has IPPROTO_IGRP, but ipproto.h doesn't define it. Is this supposed to be protocol=9 ("IGP"), which you have as IPPROTO_PIGP, or???
Re: [tcpdump-workers] tok2str() patch
I noticed that the tok2str() patch was applied. I modified it slightly. Instead of just rotating buffers, I introduced a new API that provides the buffer itself. I changed tok2str() to allocate a new buffer as it did before, and call tok2strbuf(). Please use tok2strbuf() in all new code. I did print-bgp.c.

I will be doing the netdissect changes to more files in the next few weeks. I will write an email giving a cookbook on what is going on. The goal here is to be able to use the tcpdump dissectors as a library, sending the output to an arbitrary place. Perhaps we can trivially use this initially as part of a privilege separation effort.

Are there major concerns about performance while printing stuff? I am thinking that the best way to get packets *to* the printer is to allocate X-many buffers and put the data there. I think that some pcap drivers support doing this. One would just inform the child which buffer is active by writing a single byte down a pipe. In this case, the child would just fprintf() to a shared stdio, I think.

My opinion is that we should not privsep for the -w option. Since -w causes no printing at all, it shouldn't be an issue, I think.
Re: [tcpdump-workers] IPv6 dependency
>>>>> "Motonori" == Motonori Shindo <[EMAIL PROTECTED]> writes:

Motonori> Please find attached a patch to remove IPv6 dependency
Motonori> from print-tcp.c to make it successfully compile under
Motonori> IPv4-only environment.

Hi, we don't do things that way. Your patch means that one can not decode v6 packets in a v4-only environment. We have strived to provide replacement headers whenever possible such that the dissectors are fully featured on all platforms.

It was my understanding that tcpdump already supported v4-only environments. Perhaps if you could tell us a bit more about your platform and provide the ./configure output, we could better understand why it is failing for you.
Re: [tcpdump-workers] IPv6 dependency
Okay, it has been years since I was on a v6-crippled system, so I didn't know that we weren't OS independent. Can we extract some in6_addr code from one of the BSDs and include that if we need it?
Re: [tcpdump-workers] pcap1.0
I hosted a BOF on Saturday morning about libpcap 1.0 at bsdcan.org. Here are the notes that I took. A lot of people were very interested in helping with this. I hope they will soon be on the list.

LINKTYPE enumeration.
  - metadata about linktype in file. MUST put a meta-data packet about a particular link type before you use that LINKTYPE.
    - string saying name.
    - offset to IP header?
    - framing type. (SNAP)
    - linktype # itself.

Name resolution flag
  - timestamp of request and resolution
  - whether it was done in real time (?) could be derived from time of resolution vs of capture
  - DNSSEC status

  - output of tcpdump in RDF-XML (not relating to libpcap format!) XML serialize of RDF. Resource Description Framework (w3c widget)
Re: [tcpdump-workers] pcap1.0
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

>> LINKTYPE enumeration. - metadata about linktype in file. MUST
>> put a meta-data packet about a particular link type before you
>> use that LINKTYPE.
>>
>> - string saying name.

Guy> Is the name one thing assigned to it when a new link-layer type
Guy> is registered?

The idea is that if one has a pcap file with a LINKTYPE that isn't known, then something useful can be displayed.

>> - offset to IP header?

Guy> What if it's variable?

>> - framing type. (SNAP)

Guy> What if it's variable? (For example:

Exactly. Discussed at length. Likely it won't be useful in many cases. In some cases, it might be offset to SNAP... needs more discussion.
Re: [tcpdump-workers] pcap_stats
>>>>> "Gary" == Gary Portnoy <[EMAIL PROTECTED]> writes:

Gary> ../libpcap-0.8.3/pcap-dlpi.c:  p->md.stat.ps_drop = sbp->sbh_drops;
Gary> ../libpcap-0.7.2/pcap-dlpi.c:  p->md.stat.ps_drop += sbp->sbh_drops;

    static int
    pcap_stats_dlpi(pcap_t *p, struct pcap_stat *ps)
    {
        /*
         * "ps_recv" counts packets handed to the filter, not packets
         * that passed the filter.  As filtering is done in userland,
         * this does not include packets dropped because we ran out
         * of buffer space.
         *
         * "ps_drop" counts packets dropped inside the DLPI service
         * provider device because of flow control requirements
         * or resource exhaustion; it doesn't count packets dropped by
         * the interface driver, or packets dropped upstream.  As
         * filtering is done in userland, it counts packets regardless
         * of whether they would've passed the filter.
         *
         * These statistics don't include packets not yet read from
         * the kernel by libpcap, but they may include packets not
         * yet read from libpcap by the application.
         */
        *ps = p->md.stat;
        return (0);
    }

http://cvs.tcpdump.org/cgi-bin/cvsweb/libpcap/pcap-dlpi.c?r1=1.84&r2=1.85

1.85 Wed Feb 19 8:06:26 2003 by guy    Diffs to 1.84

According to the bufmod man page for Solaris 2.4 and 9 (meaning it's probably true in all versions), "sbh_drops" is "the cumulative number of input messages that this instance of bufmod has dropped due to flow control or resource exhaustion." "Cumulative" presumably means "don't add it to the count of drops, as it's *already* a count since the capture started; just set the count of drops to the value". Do so.
Re: [tcpdump-workers] anon cvs problem??
>>>>> "Motonori" == Motonori Shindo <[EMAIL PROTECTED]> writes:

Motonori> I'm experiencing a problem in accessing
Motonori> cvs.tcpdump.org. Pinging to cvs.tcpdump.org
Motonori> (205.150.200.186) succeeds, but when I try to anon cvs to
Motonori> it, the server immediately responds with TCP RST. Is there
Motonori> anybody else who is experiencing this?

Yes, sorry. I turned off anoncvs because of the vulnerability, and I forgot to upgrade it yet... I'll get it fixed tomorrow. The dailies still exist if you want CVS head.
[tcpdump-workers] web stats
Is there a volunteer that might want to collect the apache logs from all the various tcpdump.org mirrors, combine them and summarize things every month or quarter?

A typo in my /etc/newsyslog.conf just filled the /tcpdump partition with the log file (it wasn't getting rolled).
[tcpdump-workers] anoncvs
The pserver is updated to 1.11.16, and has been re-enabled.
Re: [tcpdump-workers] [PATCH] Drop unneeded capabilities
>>>>> "Pekka" == Pekka Savola <[EMAIL PROTECTED]> writes:

Pekka> Have you checked the code in the CVS? It already includes a
Pekka> "droproot" option.

Pekka> Yours is slightly different, though, as it uses
Pekka> (Linux-specific?) capabilities. I'm not sure if it's
Pekka> necessary when we already drop the root privileges.

Yes, they are Linux specific. We should have a file: droppriv-FOO.c and put all relevant instructions there.

Dropping things like the ability to call connect(2) means that an attacker can't get out again, even if they are non-root.
Re: [tcpdump-workers] text format stability
Let me just say that I have been bitten by the changes to tcpdump in my own work. Fortunately, it is being compared against previous output with diff, so updating is much easier.

For those that need to have it in a digestible format, we need to have another solution. A type=value output. Whether in XML wrapping or done up to make Perl happy ($thing=value;), I don't know or care.

To do this we need to separate collecting the values from printing them.

At this point I begin to wonder if doing it all in C is even a good idea. Maybe embedding perl (or guile, or tcl, or python) is smarter, and do the unpacking with unpack(). It likely won't be much slower (and, if speed is a concern, what are you doing printing stuff in real time anyway!), and it certainly will be safer. New dissectors might just become new strings in a config file.
[tcpdump-workers] anoncvs
Over the weekend cvs.tcpdump.org accumulated 15 pserver processes, in 'R' state. I don't quite know why. The network connections had long since gone away. I killed them.

I have disabled anon-cvs for the moment.
[tcpdump-workers] new capture file format
>>>>> "Christian" == Christian Kreibich <[EMAIL PROTECTED]> writes:

Christian> A few months ago this list saw a discussion of the future
Christian> capture file format (what's the latest on that btw), and

I've been going around inviting various users of libpcap to come and take a look. Other than that, we just need to find someone willing to take notes and issue revised proposals. There is no point in writing code until then.
Re: [tcpdump-workers] text format stability
>>>>> "Eddie" == Eddie Kohler <[EMAIL PROTECTED]> writes:

Eddie> These changes should not have been implemented globally,
Eddie> without some flag or option to preserve the old behavior.
Eddie> Such a flag should be added.

It is really hard to do that -- there are a lot of files involved. But, feel free to send patches!

Eddie> Why change the way 'cksum' is spelled? Why print out the
Eddie> checksum when it's valid? Why not leave the IP addresses at

Because checksums are not calculated unless the capture is complete, so one can't tell the difference between:
1) invalid
2) valid
3) not enough data

Again, if scripts want a stable format, then we need a field=value format. Anything else is going to change at some point.
[tcpdump-workers] XML dissector output
>>>>> "Christian" == Christian Kreibich <[EMAIL PROTECTED]> writes:

Christian> proposal that while I personally think an XML capture
Christian> format is not the right idea, an XML based tcpdump output
Christian> would be great in the long term -- it would certainly
Christian> eliminate a lot of parsing ambiguity.

I am not a fan of XML, but I could live with this kind of thing.

My opinion is that we need a code structure change:
  - dissectors would not call printf() directly.
  - dissectors would call some kind of thing=value function that has a table for the current packet only.
  - at the end of dissection, an appropriate thing=value->OUTPUT converter would occur.

I think that this can work very well for XML or $thing="value"; or { "thing" => "value" } format.

The question is -- how to retain what we have now? Does each level of dissector register a "print" function as well? (with XML output all using the common XML print function?) Or is there some other structure that someone can think of?
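An added sketch of the structure proposed above and in the "text format stability" message (not tcpdump code; the field names and the toy IPv4 dissector are constructed): a dissector records thing=value pairs into a per-packet table instead of printing, and a converter then renders that one table as the classic text line, as XML, or as a Perl hash.

```c
/*
 * Added example, not tcpdump code: collect values first, print later.
 * nd_field() is the "thing=value function" dissectors call; render() is the
 * thing=value->OUTPUT converter run once the packet has been dissected.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 32

struct field { const char *name; char value[32]; };
struct pkt_table { struct field f[MAX_FIELDS]; int n; };

/* Record one field for the current packet; returns -1 when the table is full. */
static int nd_field(struct pkt_table *t, const char *name, const char *fmt, ...)
{
    if (t->n >= MAX_FIELDS)
        return -1;
    struct field *f = &t->f[t->n];
    f->name = name;
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(f->value, sizeof f->value, fmt, ap);
    va_end(ap);
    t->n++;
    return 0;
}

/* Toy IPv4 header dissector: fills the table, prints nothing. */
int ip_dissect(struct pkt_table *t, const unsigned char *bp, size_t len)
{
    if (len < 20)                          /* truncated header: refuse, don't guess */
        return -1;
    nd_field(t, "ip.version", "%u", bp[0] >> 4);
    nd_field(t, "ip.ihl",     "%u", bp[0] & 0x0f);
    nd_field(t, "ip.ttl",     "%u", bp[8]);
    nd_field(t, "ip.proto",   "%u", bp[9]);
    nd_field(t, "ip.src", "%u.%u.%u.%u", bp[12], bp[13], bp[14], bp[15]);
    nd_field(t, "ip.dst", "%u.%u.%u.%u", bp[16], bp[17], bp[18], bp[19]);
    return 0;
}

/* Values that come from packet bytes must never be pasted into XML raw. */
static const char *xml_escape(const char *in, char *out, size_t cap)
{
    size_t pos = 0;
    for (; *in && pos + 6 < cap; in++) {
        const char *rep = *in == '<' ? "&lt;" : *in == '>' ? "&gt;"
                        : *in == '&' ? "&amp;" : NULL;
        if (rep) { size_t l = strlen(rep); memcpy(out + pos, rep, l); pos += l; }
        else out[pos++] = *in;
    }
    out[pos] = '\0';
    return out;
}

enum out_format { OUT_TEXT, OUT_XML, OUT_PERL };

/* Render the same table in the chosen format; returns length or -1 on overflow. */
int render(const struct pkt_table *t, enum out_format fmt, char *out, size_t cap)
{
    size_t pos = 0;
    int n;
    char esc[64];
#define EMIT(...) do { n = snprintf(out + pos, cap - pos, __VA_ARGS__); \
        if (n < 0 || (size_t)n >= cap - pos) return -1; pos += (size_t)n; } while (0)
    if (fmt == OUT_XML)  EMIT("<packet>");
    if (fmt == OUT_PERL) EMIT("{ ");
    for (int i = 0; i < t->n; i++) {
        const struct field *f = &t->f[i];
        switch (fmt) {
        case OUT_TEXT: EMIT("%s%s=%s", i ? " " : "", f->name, f->value); break;
        case OUT_XML:  EMIT("<%s>%s</%s>", f->name,
                            xml_escape(f->value, esc, sizeof esc), f->name); break;
        case OUT_PERL: EMIT("%s\"%s\" => \"%s\"", i ? ", " : "", f->name, f->value); break;
        }
    }
    if (fmt == OUT_XML)  EMIT("</packet>");
    if (fmt == OUT_PERL) EMIT(" }");
#undef EMIT
    return (int)pos;
}

int main(void)
{
    /* constructed 20-byte IPv4 header: TTL 64, proto 6, 192.168.0.1 -> 192.168.0.199 */
    static const unsigned char hdr[20] = {
        0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06,
        0xb1, 0xe6, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
    struct pkt_table t;
    char out[512];
    memset(&t, 0, sizeof t);
    if (ip_dissect(&t, hdr, sizeof hdr) == 0)
        for (int f = OUT_TEXT; f <= OUT_PERL; f++)
            if (render(&t, (enum out_format)f, out, sizeof out) > 0)
                puts(out);
    return 0;
}
```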
Re: [tcpdump-workers] text format stability
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

Guy> Along those lines, Tethereal currently offers the ability to
Guy> output either one-line summary information, a detailed
Guy> multi-line parse, *or* PDML XML-based dissection for packets.
Guy> See
Guy>
Guy>     http://analyzer.polito.it/30alpha/docs/dissectors/PDMLSpec.htm
Guy>
Guy> for the PDML specification.

I think it is an abuse of XML... nothing is actually marked up. Everything seems to be given as attributes, i.e.: rather than: 0x45

It does use the container mechanism to do sub-structure, but I'm not convinced that I like this.

It is worth looking at. How widespread is PDML?
Re: [tcpdump-workers] tcpdump-current.tar.gz
>>>>> "Darren" == Darren Reed <[EMAIL PROTECTED]> writes:

Darren> Seems frozen on 2004.06.28 ?

Sorry. The current checkout is via pserver so that the CVS/* files will be useful. I'm leaving this off for a bit, but if you need pserver, I've turned it on again, but limited it by hosts.allow. I'll rejig stuff a bit.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
[tcpdump-workers] spam to tcpdump-announce
Sorry, I noticed that tcpdump-announce was open to spammers. It is closed now.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] Building tcpdump 3.8.3 under Solaris 2.9
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

>> I have had a problem building tcpdump 3.8.3 under Solaris 2.9.
>>
>>     Unable to build inet_aton.o.o
>>
>> I changed configure and removed .o from the inet_anon.o${ac}
>> line and was able to perform a compile. I was not able to get
>> autoconf to build a working configure file properly.
>>
>> Is this a known problem?

Guy> Yes.

Guy> It's fixed in the current CVS tree.

Guy> Michael, should we put out a libpcap 0.8.4/tcpdump 3.8.4
Guy> release with the fixes that have been added since then?

I guess. Are there other things that should be slipped in?

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] anoncvs down?
>>>>> "David" == David Young <[EMAIL PROTECTED]> writes:

David> cvs.tcpdump.org does not seem to work any longer. It has not
David> worked (for me) for a long time. Help?

Tell me your IP address, and I will add it. That goes for everyone.

There have repeatedly been multiple CVS pservers using 100% of the CPU when anon-cvs was on. The sockets that started them were gone, so I have no useful way of tracking things down (and not the time to start looking through logs).

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] Tcpdump time discrepancy (vs ethereal/tcptrace)
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

Guy> If that's still valid, we should probably have it set
Guy> "thiszone" to "gmt2local(time stamp of first packet)" after
Guy> reading, but before processing, the first packet, so the offset
Guy> from UTC is appropriate to the time of the first packet, not to
Guy> the time when tcpdump called "time()" in "gmt2local()".

I think your analysis is right.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
[tcpdump-workers]
From: "Gianluca Varenni" <[EMAIL PROTECTED]>
To: "Guy Harris" <[EMAIL PROTECTED]>, "Loris Degioanni" <[EMAIL PROTECTED]>
Cc: "Fulvio Risso" <[EMAIL PROTECTED]>, "Michael Richardson" <[EMAIL PROTECTED]>
Subject: Re: new file format
Date: Fri, 23 Jul 2004 11:57:07 -0700
Resent-From: Michael Richardson <[EMAIL PROTECTED]>
Resent-To: [EMAIL PROTECTED]
Resent-Date: Sun, 25 Jul 2004 02:46:51 +0300

Hi.

This morning I tried both the sequences "0x1a2b0d0a" and the reversed one "0x0a0d2b1a" in a test file. Unfortunately, the second sequence is not changed when the file is transferred from Windows to Unix, but the file DOES change.
The problem is that while transferring from Windows to Unix, "\r\n" becomes "\n", but the sequence "\n\r" does NOT get changed into "\n".

The best solution that comes to my mind is to leave the original solution of using \r\n\n\r as the block type, and 0x1a2b3c4d as byte order magic.

If the file is transferred from Win to Unix in ASCII mode, the file should become \n\n\r ... In this case we recognize the first three characters "\n\n\r", try to convert the first 12 bytes from Unix ASCII to Win ASCII, and check the byte order magic at bytes 8-11.

If the file is transferred from Unix to Win in ASCII mode, the file should become \r\r\n\r\n\r ... In this case we recognize (for example) the first three chars "\r\r\n" and try to convert the first n characters (24 chars??) from Win ASCII to Unix ASCII, and check the byte order magic at bytes 8-11.

I think this will both recognize a correct dump file downloaded in ASCII mode, a wrong file, and the byte order.

Have a nice day
GV

----- Original Message -----
From: "Guy Harris" <[EMAIL PROTECTED]>
To: "Loris Degioanni" <[EMAIL PROTECTED]>
Cc: "Fulvio Risso" <[EMAIL PROTECTED]>; "Gianluca Varenni" <[EMAIL PROTECTED]>; "Michael Richardson" <[EMAIL PROTECTED]>
Sent: Thursday, July 22, 2004 3:54 PM
Subject: Re: new file format

> On Jul 16, 2004, at 4:17 PM, Loris Degioanni wrote:
>
> > The solution that we propose is to use the proper value as the block type of
> > the Section Header Block. For example, \r\n\n\r should solve the byte order
> > problem (it's palindromic and so it allows to detect the block both on a
> > big-endian and on a little-endian machine) and *should* allow to detect
> > end-of-line problems.
>
> Well, it'd let us detect them, in the sense that code would refuse to
> read a file that got corrupted by being transferred in ASCII mode.
> However, we can't distinguish, for example, between a capture file
> FTP'ed from a Windows system to a UN*X system and a random file that
> happens to begin with "\n\n\r{random byte that happened to be the first
> byte of the section header block's total length}", so we won't be able
> to tell the user "this looks as if it started out as a valid file, but
> it was probably transferred in ASCII mode" rather than "this is not a
> valid file" - and, given that the reason I wanted that string in there
> was because people were reporting corrupted files on the Ethereal lists
> and, in at least some of those cases, that w
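The detection that Gianluca sketches above (block type \r\n\n\r, byte-order magic 0x1a2b3c4d, recognise the mangled prefixes and look for the magic after them) as an added, runnable example. This is not code from the thread or from any pcap implementation; the block-type constant follows this message's proposal (the pcapng specification as eventually published uses 0x0A0D0D0A for the Section Header Block, which changes only the constant, not the logic), and the two ASCII-mode transfer simulators are assumptions used to build test inputs. It goes slightly beyond the message in one respect: it searches a small window for the magic instead of one fixed offset, because the four-byte block length can itself contain CR or LF bytes and then shifts the magic.

```python
import struct

# Section Header Block type as proposed in this thread: the bytes "\r\n\n\r".
BLOCK_TYPE = b"\r\n\n\r"
BYTE_ORDER_MAGIC = 0x1A2B3C4D
MAGIC_BE = struct.pack(">I", BYTE_ORDER_MAGIC)
MAGIC_LE = struct.pack("<I", BYTE_ORDER_MAGIC)


def _find_magic(data, lo, hi):
    """First offset in [lo, hi] where the byte-order magic appears in either
    byte order, or None."""
    for off in range(lo, hi + 1):
        if data[off:off + 4] in (MAGIC_BE, MAGIC_LE):
            return off
    return None


def classify_section_header(data):
    """Classify the first bytes of a would-be capture file.

    Returns one of:
      ("ok", "big" | "little")     intact header, byte order detected
      ("ascii-win-to-unix", off)   CR LF -> LF damage, magic found at off
      ("ascii-unix-to-win", off)   LF -> CR LF damage, magic found at off
      ("invalid", None)
    """
    if data[:4] == BLOCK_TYPE:
        if data[8:12] == MAGIC_BE:
            return ("ok", "big")
        if data[8:12] == MAGIC_LE:
            return ("ok", "little")
        return ("invalid", None)

    # Windows -> UNIX in ASCII mode turns every CR LF into LF: the block type
    # shrinks to "\n\n\r" and the magic moves from offset 8 to 7.  If the
    # 4-byte block length contained CR LF it shrinks further, and if it began
    # with LF the trailing CR of the block type was swallowed as well, so
    # search a window rather than one fixed offset.
    if data[:2] == b"\n\n":
        off = _find_magic(data, 4, 8)
        if off is not None:
            return ("ascii-win-to-unix", off)

    # UNIX -> Windows in ASCII mode turns every LF into CR LF: the block type
    # grows to "\r\r\n\r\n\r" and the magic moves to offset 10, or up to 14 if
    # the length field contained LF bytes.  The magic bytes themselves contain
    # neither CR nor LF, so they survive both directions intact.
    if data[:6] == b"\r\r\n\r\n\r":
        off = _find_magic(data, 10, 14)
        if off is not None:
            return ("ascii-unix-to-win", off)

    return ("invalid", None)


def make_section_header(little_endian=True, block_len=28):
    """First 12 bytes of a section header: type, total length, byte-order magic."""
    fmt = "<I" if little_endian else ">I"
    return BLOCK_TYPE + struct.pack(fmt, block_len) + struct.pack(fmt, BYTE_ORDER_MAGIC)


# Assumed models of what an ASCII-mode FTP transfer does to a binary file.
def ascii_win_to_unix(data):
    return data.replace(b"\r\n", b"\n")


def ascii_unix_to_win(data):
    return data.replace(b"\n", b"\r\n")


if __name__ == "__main__":
    hdr = make_section_header()
    for label, blob in (("intact", hdr),
                        ("win->unix", ascii_win_to_unix(hdr)),
                        ("unix->win", ascii_unix_to_win(hdr))):
        print(label, blob.hex(), classify_section_header(blob))
```

Guy's objection still applies: a random file that happens to start with "\n\n" and carry those four bytes later is reported as a damaged capture, so the two "ascii-" results are only good for a better error message, never for going on to read the file.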
[tcpdump-workers] anoncvs for tcpdump.org.
>>>>> "Hannes" == Hannes Gredler <[EMAIL PROTECTED]> writes:

Hannes> correct, michael requires you to have a valid PTR entry ...
Hannes> assume at your employer there must be some workstation with
Hannes> a valid PTR entry ;-)

Here is the problem.

a) someone/something connects to anon-cvs, disconnects the socket (so I don't see anything in netstat), and then seems to leave a dozen cvs pservers running, consuming 99% CPU.

b) I then set up hosts.allow to permit only people who wanted to connect to do so. However, cvs.tcpdump.org is an alias on the machine, not its primary IP, and this seems to upset NetBSD (1.6) hosts.allow/libwrap/inetd. {It is libwrap that wants a valid forward/reverse PTR}

I haven't had time to debug through this and determine if this is a real problem, or what.

I guess, if you do anon-cvs to lox.sandelman.ca, it may work.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers]
From: [EMAIL PROTECTED]

>[1. text/plain]
>drugs? ...
>
>[2. application/x-zip-compressed; regid_object.zip]...
>
>[3. text/plain]

Henceforth, only text/plain will be permitted on the list.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] Trace conversion.
>>>>> "Paul" == Paul Berube <[EMAIL PROTECTED]> writes:

Paul> Ok. I have a couple traces in tcpdump format. What I
Paul> actually need is just a list of destination addresses for the
Paul> trace. I might be able to use a timestamp if I got really
Paul> fancy, but it's not required. So, precisely, for each packet
Paul> in the trace, in chronological order, I want a
Paul> pair. That's it.

"tcpdump -n -r file"

You can probably very quickly write a sed or perl script to pull out the data you want.

Paul> I suspect this wouldn't be too hard if the tcpdump format was
Paul> specified, but if it is, I can't find such a document.

Get the libpcap source, and read pcap.h and pcap.3.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
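The other route, which the reply points at with "read pcap.h", is to walk the capture file directly rather than post-process tcpdump's text. The following added example does that for the classic (pre-pcapng) libpcap file layout: a 24-byte global header whose magic gives the byte order and timestamp resolution, then per-packet records of 16-byte header plus captured bytes. It is written for this page, not taken from libpcap, and assumes Ethernet link-layer frames; the sample capture it builds is constructed here for the test. Unlike a sed over tcpdump output it also shows the checks a reader should make before trusting a record's captured length as a slice bound, which is where hand-rolled pcap readers tend to go wrong on corrupt or hostile files.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps in seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps in seconds + nanoseconds
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100


def _byte_order_and_scale(magic_bytes):
    """Derive struct byte-order prefix and timestamp divisor from the magic."""
    for endian in (">", "<"):
        magic = struct.unpack(endian + "I", magic_bytes)[0]
        if magic == PCAP_MAGIC_USEC:
            return endian, 1e6
        if magic == PCAP_MAGIC_NSEC:
            return endian, 1e9
    raise ValueError("not a pcap file: bad magic %s" % magic_bytes.hex())


def extract_destinations(data):
    """Return [(timestamp, dst_ipv4), ...] in file order.

    Only Ethernet (optionally 802.1Q-tagged) IPv4 frames contribute; other
    frames are skipped.  A record whose captured length exceeds the file's
    snaplen or runs past the end of the file is treated as corruption and
    stops the walk instead of being used as a slice bound.
    """
    if len(data) < 24:
        raise ValueError("file too short for a pcap global header")
    endian, scale = _byte_order_and_scale(data[:4])
    _vmaj, _vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("link type %d not handled; only Ethernet is" % linktype)

    results = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, _origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if caplen > snaplen or off + caplen > len(data):
            raise ValueError("truncated or corrupt packet record at offset %d" % (off - 16))
        frame = data[off:off + caplen]
        off += caplen

        # Ethernet header: dst(6) src(6) type(2); step over one VLAN tag if present.
        if len(frame) < 14:
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        ip_off = 14
        if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
            ethertype = struct.unpack("!H", frame[16:18])[0]
            ip_off = 18
        if ethertype != ETHERTYPE_IPV4 or len(frame) < ip_off + 20:
            continue   # not IPv4, or snapped before the IP destination field
        dst = frame[ip_off + 16:ip_off + 20]
        results.append((ts_sec + ts_frac / scale, "%d.%d.%d.%d" % tuple(dst)))
    return results


def build_sample_pcap(nanosecond=False, little_endian=True):
    """Constructed three-record capture: IPv4/TCP to 10.0.0.2, an ARP frame, IPv4/UDP to 192.0.2.9."""
    e = "<" if little_endian else ">"
    magic = PCAP_MAGIC_NSEC if nanosecond else PCAP_MAGIC_USEC
    out = struct.pack(e + "IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

    def ipv4_frame(dst, proto):
        eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes(dst))
        return eth + ip + b"\x00" * 20      # 20 bytes standing in for the transport header

    frames = [
        (1000, 500000, ipv4_frame((10, 0, 0, 2), 6)),
        (1001, 0, b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28),   # ARP: skipped
        (1002, 250000, ipv4_frame((192, 0, 2, 9), 17)),
    ]
    for sec, frac, frame in frames:
        if nanosecond:
            frac *= 1000
        out += struct.pack(e + "IIII", sec, frac, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for ts, dst in extract_destinations(build_sample_pcap()):
        print("%.6f %s" % (ts, dst))
```

Run against a real file with `extract_destinations(open("file", "rb").read())`. Packets are emitted in file order, which is chronological for a single-interface capture but not guaranteed otherwise; sort on the timestamp if that matters.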
Re: [tcpdump-workers] ello! =))
I don't have a clue what I can do about this... other than putting lots of never-really-works RBL junk in. It was sent from a valid From:

Received: from lox.sandelman.ottawa.on.ca (IDENT:[EMAIL PROTECTED] [205.150.200.178])
        by noxmail.sandelman.ottawa.on.ca (8.11.6p3/8.11.6) with ESMTP id i8L8SPc16542
        (using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified FAIL)
        for <[EMAIL PROTECTED]>; Tue, 21 Sep 2004 04:28:39 -0400 (EDT)
Received: from kts-ibu7guc4j4q (ts2-a165.Angarsk.dial.rol.ru [195.239.203.165])
        by lox.sandelman.ottawa.on.ca (8.11.6p3/8.11.6) with SMTP id i8L8YYp12405
        for <[EMAIL PROTECTED]>; Tue, 21 Sep 2004 04:34:35 -0400 (EDT)
Date: Tue, 21 Sep 2004 17:27:03 +0800
To: [EMAIL PROTECTED]
Subject: [tcpdump-workers] ello! =))
From: [EMAIL PROTECTED]

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] "final" radiotap patch for tcpdump
>>>>> "Bruce" == Bruce M Simpson <[EMAIL PROTECTED]> writes:

>> >Looks good to me, at least for the top-of-tree (where we require
>> >that the platform support 64-bit integers, and where we define
>> >u_int64_t to be an unsigned 64-bit integer type).

Bruce> It would be nice if we could get this committed and rolled
Bruce> into the next tcpdump point release. Currently I'm carrying
Bruce> around a diff in the FreeBSD ports repo for radiotap support
Bruce> and it would be good to be back in line with mainline
Bruce> tcpdump/libpcap again.

Okay, so can it get integrated into CVS HEAD, and I will arrange to do a 3.9, 0.9.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] importing libpcap 0.8.3, UPDATE
>>>>> "David" == David Young <[EMAIL PROTECTED]> writes:

David> I have resolved all conflicts on libpcap-0.8.3. This was
David> easy except for lib/libpcap/gencode.c, which contained a lot
David> of NetBSD-private patches from thorpej, itojun, and others.

itojun at least, is on this list. Can we get all of these things into HEAD, if they aren't there already?

David, you have the power.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] "final" radiotap patch for tcpdump
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

Guy> Michael Richardson wrote:
>> Okay, so can it get integrated into CVS HEAD, and I will arrange
>> to do a 3.9, 0.9.

Guy> HEAD, or HEAD and x.8 branch?

You tell me. We didn't do a 0.8.4 yet, but this sounds significant enough to warrant 0.9, but maybe I'm wrong.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] x.9 branch
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

>> any suggestion for a x.9 branch date ? what about 31-oct-04 ?

Guy> Speaking of "x.9 branch", should the VERSION files in libpcap
Guy> and tcpdump change to "0.9-PRE-CVS" and "3.9-PRE-CVS",
Guy> respectively?

okay.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] Dropping Packets
>>>>> "Jonathan" == Jonathan Smith <[EMAIL PROTECTED]> writes:

Jonathan> Hello, Does anybody know if the pcap library supports
Jonathan> dropping packets? (As in, blocking them, like a firewall)
Jonathan> Also, if not, what other libraries can I use? (And how
Jonathan> :D)

It does not.

pcap can use kernel or userland filters to limit which packets are passed up, but it does not affect what packets the kernel receives.

Use a firewall system appropriate to your OS.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] tcpdump with Linux 2.6 and ipsec/ESP
>>>>> "Michael" == Michael Mueller <[EMAIL PROTECTED]> writes:

Michael> Is this a Linux or tcpdump / libpcap problem? Does anybody
Michael> have some further details about it? Is there a more
Michael> appropriate Linux list to send this question to?

On Linux 26sec code, there is no interface equivalent to "ipsec0" on which you can see packets.

The -E option really doesn't help much in real use, because the keys are not easily divulged.

BSDs running KAME stacks have had the same problem; some of the BSDs have created a special tap point which tcpdump can attach to which is prior to encryption, and after decryption.

You will discover that there are other issues with 26sec -- you have now effectively 3 firewalls (iptables, advanced routing/QoS, and SPD), and the SPD one is unaware of the other two.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] tcpdump -E doesn't work for 3des-cbc/hmac-md5
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

>> Are there any positive or negative reactions to this? Will
>> somebody fix it?

Guy> I'd check in the patch if somebody resolved the issue
Guy> either by saying that 12 is the right authlen for all
Guy> encryption algorithms, saying it's not and supplying a way
Guy> (including a patch) to figure out what the right authlen is, or
Guy> saying it's not, saying you can't determine it from the packet
Guy> contents, and supplying a patch to add the authentication

I was puzzled by the report, since I wrote the code and use the code in a zillion test cases, but I am willing to accept that maybe I never cared if the end of the packet was correctly determined.

Well, actually, you can't find the next-header value if you don't remove the authentication data.

The test case tests/esp1.sh does:

    tcpdump -t -n -E "[EMAIL PROTECTED] 3des-cbc-hmac96:0x4043434545464649494a4a4c4c4f4f515152525454575758" -r 02-sunrise-sunset-esp.pcap

I'm confused about the statement that the authlen isn't set. Perhaps it is really that the algorithm has not been set correctly by the reporters.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] tcpdump -E doesn't work for 3des-cbc/hmac-md5
>>>>> "Michael" == Michael Mueller <[EMAIL PROTECTED]> writes:

Michael> Are you sure you tested 3des-cbc with hmac-md5 or with some
Michael> other authentication algorithm? I don't doubt that for some
Michael> other authentication algorithms where authlen is set
Michael> correctly your code works fine.

Every night, 170 different test cases for Openswan.

Please:

    marajade-[~/src/tcpdump/tcpdump] mcr 1003 %cd tests
    marajade-[src/tcpdump/tcpdump/tests] mcr 1005 %sh esp2.sh
    test esp2...reading from file 08-sunrise-sunset-esp2.pcap, link-type EN10MB (Ethernet)
    passed.

If this doesn't match what you are trying to do, then please provide a new pcap file that does.

I think you just missed the "96" at the end of the algorithm name. That may be a bug that we go ahead without it. (96 bits = 12 bytes)

Michael> For *-cbc algorithms the problem seems to be that
Michael> decryption starts at the end of the encrypted area and
Michael> works its way backwards to the start. If authlen is wrong
Michael> everything is decrypted into garbage. This is because the
Michael> encrypted blocks are chained and a block can only be
Michael> decrypted if the previous block (the one behind) was
Michael> decrypted successfully.

No, that's not correct at all. Encryption and decryption proceed in the same direction.

The problem is that the last two bytes of the plaintext are special in ESP. The last byte is the next-protocol (usually 4), and the next to last is the number of pad bytes.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
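The two replies above turn on one detail: the ESP trailer is read from the end of the decrypted data, so the reader must first know how many ICV bytes sit behind it ("hmac96" means a 96-bit, 12-byte ICV), and with the wrong authlen the pad-length and next-header bytes are read out of the ICV instead. The following added example, written for this page and not taken from tcpdump's ESP code, builds an ESP body with the standard 1,2,3,... padding, computes an HMAC-MD5-96 ICV over it, and shows the trailer parse succeeding with authlen 12 and going wrong with any other value. It carries no cipher, so the ICV here is computed over the plaintext body; in real ESP the ICV covers the ESP header plus the ciphertext, which is why the SPI and sequence number are included. The key, SPI, sequence number and sample payload are constructed for the example.

```python
import hashlib
import hmac
import struct

ICV_LEN_HMAC96 = 12          # "hmac96": the MAC is truncated to 96 bits = 12 bytes
IPPROTO_TCP = 6


def pad_esp_payload(payload, next_header, block_size=8):
    """Append the ESP trailer: self-describing padding (1, 2, 3, ...), the
    pad-length byte and the next-header byte, so that the result is a multiple
    of the cipher block size (8 for 3DES-CBC)."""
    padlen = (-(len(payload) + 2)) % block_size
    padding = bytes(range(1, padlen + 1))
    return payload + padding + bytes([padlen, next_header])


def hmac96(key, spi, seq, body, digest=hashlib.md5):
    """ESP ICV: HMAC over SPI || sequence number || body, truncated to 12 bytes."""
    mac = hmac.new(key, struct.pack("!II", spi, seq) + body, digest).digest()
    return mac[:ICV_LEN_HMAC96]


def check_icv(key, spi, seq, body, icv, digest=hashlib.md5):
    return hmac.compare_digest(hmac96(key, spi, seq, body, digest), icv)


def strip_esp_trailer(decrypted, authlen):
    """Given the decrypted ESP body followed by authlen bytes of ICV, drop the
    ICV and read the trailer from the end: the last byte is the next-header
    value, the one before it the pad length.  Returns (next_header, payload).

    With the wrong authlen the trailer is read out of the ICV (or out of the
    last cipher block) and the result is garbage; the padding check usually,
    but not always, catches that."""
    if authlen < 0 or len(decrypted) < authlen + 2:
        raise ValueError("body too short for trailer and ICV")
    body = decrypted[:len(decrypted) - authlen]
    padlen, next_header = body[-2], body[-1]
    if padlen + 2 > len(body):
        raise ValueError("pad length %d exceeds body" % padlen)
    padding = body[len(body) - 2 - padlen:len(body) - 2]
    if padding != bytes(range(1, padlen + 1)):
        raise ValueError("ESP padding is not the 1,2,3,... pattern")
    return next_header, body[:len(body) - 2 - padlen]


# Constructed inputs: 20 bytes standing in for a TCP header, a 16-byte key, an SPI.
SAMPLE_TCP = bytes.fromhex("0050 1f90 00000001 00000000 5002 ffff 0000 0000")
SAMPLE_KEY = bytes(range(16))
SPI, SEQ = 0x12345678, 1


def sample_esp_body():
    """What -E sees after decryption: trailer-padded payload followed by the ICV."""
    body = pad_esp_payload(SAMPLE_TCP, IPPROTO_TCP)
    return body + hmac96(SAMPLE_KEY, SPI, SEQ, body)


if __name__ == "__main__":
    data = sample_esp_body()
    for authlen in (ICV_LEN_HMAC96, 0, 16):
        try:
            nh, payload = strip_esp_trailer(data, authlen)
            print("authlen %2d: next header %d, %d payload bytes" % (authlen, nh, len(payload)))
        except ValueError as err:
            print("authlen %2d: rejected (%s)" % (authlen, err))
```

The padding check is stricter than RFC 2406 requires (receivers only MAY inspect the pad bytes), so drop it if you need to read captures from a stack that pads differently; keep the ICV check, since a trailer parsed from unauthenticated bytes is exactly the kind of input that makes a dissector misbehave.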
Re: [tcpdump-workers] Bad PGP signatures
I think you got a bad download. The originals are fine.

    lox-[/tcpdump/htdocs/release] mcr 1066 %gpg tcpdump-3.8.3.tar.gz.asc
    gpg: Signature made Tue Mar 30 09:33:50 2004 EST using DSA key ID 89E917F3
    gpg: Good signature from "tcpdump.org (SIGNING KEY) <[EMAIL PROTECTED]>"
    gpg: checking the trustdb
    gpg: no ultimately trusted keys found
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 0227 54EB 4C30 9185 FD31  33A3 464D 3CEB 89E9 17F3

    lox-[/tcpdump/htdocs/release] mcr 1067 %gpg libpcap-0.8.3.tar.gz.sig
    gpg: Signature made Tue Mar 30 09:33:48 2004 EST using DSA key ID 89E917F3
    gpg: Good signature from "tcpdump.org (SIGNING KEY) <[EMAIL PROTECTED]>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 0227 54EB 4C30 9185 FD31  33A3 464D 3CEB 89E9 17F3

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] IPSEC question
>>>>> "Narayanan" == Narayanan S RAMABHADRAN <[EMAIL PROTECTED]> writes:

Narayanan> Is there an option to tcpdump or windump to handle the IPSEC
Narayanan> authentication header (AH) appropriately? There is no
Narayanan> encryption, so the issue is simply whether there is an
Narayanan> option to skip the AH header and parse the higher layer
Narayanan> headers (e.g., TCP) as usual.

Narayanan> Any help is appreciated.

There is no option, it should just happen. Did you try it?

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] dealing with collisions, dropped packets
>>>>> "Matt" == Matt Van Mater <[EMAIL PROTECTED]> writes:

Matt> Recently I've been investigating why tcpdump on my IDS shows
Matt> quite a few packets as being dropped. I think this is because
Matt> my traffic to the IDS is fed through a hub where I know there
Matt> are many collisions (there may be too many packets per second
Matt> for the little soho 10/100 hub to handle). I'm not sure how
Matt> tcpdump handles collisions, and so I don't know if this is
Matt> even a problem or not.

Neither tcpdump nor your NIC card even sees the collision. AFAIK, only transmitters see them, and it causes them to back off and retransmit.

Matt> Is there a way to get more fine grained statistics on why
Matt> packets are dropped, and would collisions coming in off a hub
Matt> be shown as dropped? I'm seeing a traffic feed of roughly

Well, you need to ask your operating system about that. tcpdump runs on about a dozen different systems.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] dealing with collisions, dropped packets
>>>>> "Aaron" == Aaron Turner <[EMAIL PROTECTED]> writes:

Aaron> 2) You can check the number of collisions on most Unix/Linux
Aaron> boxes using ifconfig. You'll see a collisions counter which
Aaron> will increment over time. Other errors and statistics are
Aaron> also available.

Those are transmit side collisions.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
http://www.sandelman.ottawa.on.ca/mcr/
Re: [tcpdump-workers] Adding my own IP layer protocol interface to
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

Guy> linux lover wrote:
>> Actually i am in implementation of new protocol like IPSEC
>> protocol which adds NEW IP header in front of AH Header
>> i.e. consider packet structure of ipsec TCP+IP1+AH+IP2+ETHERNET

Guy> Right-to-left is a bit odd there - do you mean that the packet
Guy> begins with an Ethernet (or PPP or 802.11 or...) header,
Guy> followed by an IP header, followed by an AH header, followed by
Guy> your added IP header, followed by the payload of that IP
Guy> header?

Based upon what he wrote above, it is just AH in tunnel mode.

Guy> You'd have to modify the IPv4 and IPv6 dissectors to recognize
Guy> that case and call the IP dissector.

Guy> What indicates that there's an IP header after the AH header?
Guy> A special value in the "next header" field of the AH header?

- maybe he has to edit print-ah.c.

--
Michael Richardson, Xelerance Corporation, Ottawa, ON
mcr @ xelerance.com   Now doing IPsec training, see www.xelerance.com/training/
http://www.sandelman.ca/mcr/
Re: [tcpdump-workers] can't do CVS checkouts/updates anymore
Gert,

the problem with the anoncvs was that it got into situations where there
was a cvs --pserver running (often four or five) with no network socket
attached (I guess it closed down), consuming 100% of the CPU on the box.

I have a new box waiting to take over CVS duties, but I have been too
busy to get it going. So, I restricted the cvs pserver in hosts.allow,
since I suspected that it might have been people abusing the service.

If you (or anyone else) wants to send their IP address, I can insert it
into hosts.allow. I'll even take /24s if you don't have a static.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] displaying package content only
>>>>> "sascha" == sascha pohflepp <[EMAIL PROTECTED]> writes:

sascha> human-readable way possible. i.e. stripping away all the
sascha> technical overhead like IPs and timestamps and the
sascha> like. preferably it should just display the HTML-content of
sascha> a website for example.

sascha> can anyone help me in tweaking?

Use snort or dsniff.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] TCPDUMP version 3.8.3
>>>>> "Manoj" == Manoj Kumar <[EMAIL PROTECTED]> writes:

Manoj> libpcap does not have "exit()" and libc "exit()" cannot
Manoj> release the memory allocated in heap. Only "free()" can
Manoj> release memory from heap. Memory allocated via "malloc" is
Manoj> accounted in heap section of process memory, and
Manoj> "pcap_compile()" does "malloc". Thus with "malloc", "free"
Manoj> is necessary.

On a Unix (POSIX?) system, when the process exits, then the operating
system reclaims all resources. If you aren't running on such a system,
then yes, you probably have a problem.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
[tcpdump-workers] FYI: I'm lame
Just to let everyone know that I haven't died. I still care about
tcpdump, but I've just been way overworked, and over-spammed. I've
started to sort my mail in different ways, eliminating most lists, and
alas, this means that tcpdump mail is not in my face anymore, so I may
not read it in a timely way.

I'm not reading tcpdump-workers via gmane.org. I try to catch up once a
week, so if it is critical, please email me. Please try to PGP sign, as
that gets my highest attention.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] HTTP Auth filter
>>>>> "Julio" == Julio Cesar Ody <[EMAIL PROTECTED]> writes:

Julio> I'm trying to build a filter for intercepting the HTTP
Julio> Authentication (basic) bit of the POST payload using tcpdump,
Julio> but so far I have no clue on where to start.

google "dsniff"

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
[tcpdump-workers] preparation for 3.9 branch
I would like to plan a 3.9 branch and release for April. I would propose
branching on April 10, with the release around April 25. How does that
sound?

TASKS:
  a) make sure CREDITS are up to date
  b) make sure ChangeLog is up to date
  c) verify builds on various platforms
  d) gather any updates from distro maintainers
  e) update freshmeat.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
[tcpdump-workers] fddipad on NetBSD
-BEGIN PGP SIGNED MESSAGE- I'd like to make sure that libpcap 0.9.1-096 compiles on NetBSD 1.6. It appears that the test for fddipad says defined(__NetBSD__), but that member must have been introduced in a post-1.6 version of NetBSD. Can we fix this to depend upon a NetBSD version macro? If so, how new does it have to be? This worked, but may not be correct: istari-[~/src/tcpdump/libpcap] mcr 1061 %cvs diff pcap-int.h Index: pcap-int.h === RCS file: /tcpdump/master/libpcap/pcap-int.h,v retrieving revision 1.68 diff -r1.68 pcap-int.h 246c246 < #if defined(ultrix) || defined(__osf__) || defined(__NetBSD__) - --- > #if defined(ultrix) || defined(__osf__) || (defined(__NetBSD__) && > __NetBSD_Version__ > 10600) I'll pull this up into the next beta, unless someone has a better idea. - -- ] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [ ] mcr @ xelerance.com Now doing IPsec training, see |net architect[ ] http://www.sandelman.ca/mcr/www.xelerance.com/training/ |device driver[ ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [ -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Finger me for keys iQCVAwUBQlSJVoqHRg3pndX9AQGm7QQA2nOwtFjxi4xxqkqXx6N/2cxtUb3/Uxu6 cr+1mUFPjXRv7XCBffDk1s4r5JB0ycIzgmQpURuMcIj/eUuA9CnEcBz0wqFPR0os xp+mDrrnfYv8H1EFMbnJGV0se7nrnhNg55U8i0OF5vKI+lgMvC23zV4N6lSlcLHg Lx1Y5tdotU4= =eRzV -END PGP SIGNATURE- - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
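Review bot: the replacement condition compares `__NetBSD_Version__` against the bare number 10600, and the message itself says the change "may not be correct". Two things to check before pulling it up: `__NetBSD_Version__` is only defined once `<sys/param.h>` has been included, and in an `#if` an undefined identifier silently evaluates to 0, so if pcap-int.h does not include that header the fddipad member is dropped on every NetBSD release rather than only on 1.6 and older; and the macro's encoding is documented in the comment above its definition in `<sys/param.h>`, so take the threshold from there instead of assuming 10600 denotes 1.6. A version gate also hard-codes the assumption that every later release pads FDDI frames; if the padding is a property of the BPF implementation, it is better tied to a feature macro or a runtime check than to a release number.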
Re: [tcpdump-workers] libpcap Patches and Release Cycle?
>>>>> "GSE" == GSE GCSM writes:

GSE> I'm finalizing a small patch to pcap-dlpi.c for HP-UX systems
GSE> and I have two questions:

GSE> 1) What is the preferred format for patches?

unidiff.

GSE> 2) The main website says 0.9.0 went alpha today (the link to
GSE> the source is broken btw). What is the normal delay before
GSE> formal release?

I said we'd branch on April 10, release around the 30th. The branch is
early, for self-interested reasons :-)

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] fddipad on NetBSD
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

>> I'd like to make sure that libpcap 0.9.1-096 compiles on NetBSD
>> 1.6. It appears that the test for fddipad says
>> defined(__NetBSD__), but that member must have been introduced in
>> a post-1.6 version of NetBSD.

Guy> Actually, the problem appears to be that PCAP_FDDIPAD is
Guy> defined in pcap-int.h *after* it's used, so that the fddipad
Guy> member isn't #defined into the pcap structure even if

Hmm. okay... maybe. I didn't look as closely as that, which is why I asked.

Guy> If all versions of NetBSD put those 3 bytes of padding into
Guy> FDDI packets supplied to BPF, then the definition of
Guy> PCAP_FDDIPAD shouldn't be based on the NetBSD version - and if
Guy> not all of them do, a run-time test using the result of
Guy> "uname()" should be done.

I can't find FDDIPAD in anything under /usr/include on my system.

Guy> elsewhere (or perhaps the code didn't even compile on those
Guy> versions - did you try it on 2.0, for example?).

I have yet to upgrade anything to 2.0, which is on my todo list.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] preparation for 3.9 branch
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

Guy> Michael Richardson wrote:
>> I would like to plan a 3.9 branch and release for April. I would
>> propose branching on April 10, with the release around April 25.
>> How does that sound?

Guy> It sounds reasonable.

Guy> (It turns out I might be able to get gencode.c to handle
Guy> radiotap - *all* filter expressions other than the link[M:N]

I leave you to advise what and if code should be pulled up.

>> is up to date c) verify builds on various platforms

Guy> I'll ask Albert Chin of The Written Word to try that on the
Guy> platforms they use (they don't offer libpcap or tcpdump as
Guy> packages, but they do offer Ethereal, which depends on
Guy> libpcap).

Perfect, since libpcap is really the part that is most OS-dependent.

>> d) gather any updates from distro maintainers

Guy> "Distro" presumably including the various BSDs as well

Yes.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] pcap next generation / adding communication
>>>>> "Hannes" == Hannes Gredler <[EMAIL PROTECTED]> writes:

Hannes> i typically use the following command for remote capturing:

Hannes> ssh [EMAIL PROTECTED] "sudo tcpdump -ni eth0 -s 0 -w -" > capture-file.pcap

Yeah, this is probably the best thing. Use the tools to build a good
system. The sudo can be made passwordless for certain groups, and can
force the command, or in the case of systems with BPF devices, the
device can be chgrp'ed.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
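A worked example of the least-privilege setup the reply sketches, added here and not part of the thread or of tcpdump: a sudoers drop-in that lets one group run exactly the capture command used in the ssh pipeline above, without a password and with the arguments fixed, so sudo cannot be used to start tcpdump on another interface or to write a file of the caller's choosing as root. The group name `pcap`, the interface `eth0`, the path `/usr/sbin/tcpdump` and the drop-in location are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate and install a sudoers drop-in
# that permits one fixed capture command without a password.
# Assumptions: group "pcap", interface eth0, tcpdump at /usr/sbin/tcpdump,
# drop-in installed under /etc/sudoers.d/.

# The drop-in text. sudo matches the command line literally, so this exact
# argument string is the only one members of "pcap" may run as root: the
# interface is fixed and "-w -" sends the capture to stdout (the ssh pipe),
# never to a file name supplied by the caller.
sudoers_fragment() {
  cat <<'EOF'
Cmnd_Alias CAPTURE = /usr/sbin/tcpdump -ni eth0 -s 0 -w -
%pcap ALL = (root) NOPASSWD: CAPTURE
EOF
}

# The client side: the command string for the ssh pipeline, kept
# byte-identical to the sudoers rule (an extra space or a reordered flag
# would make sudo refuse it).
capture_command() {
  printf '%s' 'sudo /usr/sbin/tcpdump -ni eth0 -s 0 -w -'
}

# Write the fragment to a temp file, syntax-check it with visudo when we are
# root and visudo exists, then move it into place with the mode sudo expects.
install_fragment() {
  target="${1:-/etc/sudoers.d/tcpdump-capture}"
  tmp=$(mktemp) || return 1
  sudoers_fragment > "$tmp"
  chmod 0440 "$tmp"
  if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
    if ! visudo -cf "$tmp" >/dev/null; then
      rm -f "$tmp"
      return 1
    fi
  fi
  mv "$tmp" "$target"
}

# Usage from the capturing host, once the fragment is installed on "host":
#   ssh user@host "$(capture_command)" > capture-file.pcap
```

The rule fixes every argument on purpose: a NOPASSWD entry for `tcpdump` with free arguments would let the group write any file as root via `-w`, which is a far larger grant than "start a capture on this interface".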
Re: [tcpdump-workers] Welcome to the tcpdump-workers list!
>>>>> "Dug" == Dug Song <[EMAIL PROTECTED]> writes:

Dug> incidentally, libdnet also supports sending on a few more
Dug> platforms than libpcap, i can try to provide diffs at some
Dug> point.

Since libpcap doesn't have sending packets as a goal, I'd say that
libdnet supports sending on infinitely more platforms than libpcap.

Use the right tool for the job.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
[tcpdump-workers] spam on tcpdump-workers list
>>>>> "spammer" == torsten <[EMAIL PROTECTED]> writes:

spammer> See the attached file for details.

Well, the good news is that the list software removed the attachment.
The bad news is that spammers have a legit From: with a legit list To:,
so the messages go through. I hope it isn't a trend.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] Mailing List Info/Procedural Questions
>>>>> "Jeff" == Jeff Terrell <[EMAIL PROTECTED]> writes:

Jeff> Are there archives for 2005 of this mailing list? I couldn't
Jeff> find any at the archive page:
Jeff> http://www.tcpdump.org/lists/workers/ I'd like to avoid
Jeff> repeating questions that you all might have just answered last
Jeff> month.

Hmm. Looks like something broke. Visit lists.ox.org, and select
lists.tcpdump.org, login with your list password, and you can see the
archives there. I'll have to fix that.

Also, gmane.org has everything.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] preparation for 3.9 branch
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

Guy> When were you planning on doing the 0.9/3.9 release?

I had planned to issue another beta today or Tuesday, and if there were
no issues, do the release on Saturday (May 1).

I am behind on email, but I gather that there is some new vulnerability
that needs to be addressed.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] (3) tcpdump infinite loop bugs... (2 fixed
>>>>> "Romain" == Romain Francoise <[EMAIL PROTECTED]> writes:

>> for software [3.9,cvs] that has not even been released yet ?

Romain> All the exploits mention tcpdump 3.8.x as being affected. I
Romain> didn't run them to check that it's really the case,
Romain> though... did you?

btw, do we have exploit packets in CVS yet? (under tests/)
I'd like to see them as regression test cases...

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
[tcpdump-workers] hold up on 3.9
The only thing left to do for 3.9 is the Changes file. At:

  http://www.tcpdump.org/changes/2005-05-27.18:25:04.html

is the summary of all commits since 3.8. If someone wanted to go through
that and condense it down to 10-30 lines...

I have these wet diapers to change...

-- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |   firewalls  [
] mcr @ xelerance.com         Now doing IPsec training, see     |net architect[
] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
] I'm a dad: http://www.sandelman.ca/lrmr/                                    [
[tcpdump-workers] any objection to -P flag -- exit after packet limit
-BEGIN PGP SIGNED MESSAGE- I added the -P flag, which takes a positive number, and has tcpdump exit after capturing that many packets. It can be combined with the -C flag, but it doesn't cause it to cycle after that many packets, rather the two work independantly. I found I wanted this to help me with some automated tests. Index: netdissect.h === RCS file: /tcpdump/master/tcpdump/netdissect.h,v retrieving revision 1.16 diff -u -r1.16 netdissect.h - --- netdissect.h 7 Apr 2005 00:28:17 - 1.16 +++ netdissect.h4 Jun 2005 16:52:01 - @@ -106,6 +106,7 @@ int ndo_Cflag;/* rotate dump files after this many bytes */ int ndo_Cflag_count; /* Keep track of which file number we're writing */ + unsigned int ndo_Pflag; /* exit after capturing this many packets */ int ndo_Wflag; /* recycle output files after this number of files */ int ndo_WflagChars; const char *ndo_dltname; Index: tcpdump.1 === RCS file: /tcpdump/master/tcpdump/tcpdump.1,v retrieving revision 1.167 diff -u -r1.167 tcpdump.1 - --- tcpdump.1 28 Dec 2004 22:31:25 - 1.167 +++ tcpdump.1 4 Jun 2005 16:52:01 - @@ -40,6 +40,9 @@ .B \-C .I file_size ] [ +.B \-P +.I packet_limit +] [ .B \-F .I file ] @@ -256,6 +259,10 @@ currently larger than \fIfile_size\fP and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the +.TP +.B \-P +exit tcpdump after \fIpacket_limit\fP packets have been captured. +.TP .B \-w flag, with a number after it, starting at 1 and continuing upward. The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes, 
@@ -416,6 +423,9 @@ mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'. .TP +.B \-P +exit tcpdump after \fIpacket_limit\fP packets have been captured. +.TP .B \-q Quick (quiet?) output. Print less protocol information so output Index: tcpdump.c === RCS file: /tcpdump/master/tcpdump/tcpdump.c,v retrieving revision 1.253 diff -u -r1.253 tcpdump.c - --- tcpdump.c 27 Jan 2005 18:30:36 - 1.253 +++ tcpdump.c 4 Jun 2005 16:52:01 - @@ -496,6 +496,16 @@ error("invalid file size %s", optarg); break; + case 'P': + { + int packet_limit = atoi(optarg); + if(packet_limit <= 0) + error("invalid packet count %s", optarg); + + gndo->ndo_Pflag = packet_limit; + break; + } + case 'd': ++dflag; break; @@ -1041,8 +1051,12 @@ */ info(1); } + if (status == -2 && gndo->ndo_Pflag>0) { + (void)fprintf(stderr, "%s: terminated with fewer than %d packets: %s\n", + program_name, gndo->ndo_Pflag, pcap_geterr(pd)); + } pcap_close(pd); - - exit(status == -1 ? 1 : 0); + exit(status < 0 ? 1 : 0); } /* make a clean exit on interrupts */ @@ -1162,11 +1176,18 @@ --infodelay; if (infoprint) info(0); + + if(gndo->ndo_Pflag > 0 && packets_captured > gndo->ndo_Pflag) { + pcap_breakloop(dump_info->pd); + } } static void dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) { + struct dump_info *dump_info; + dump_info = (struct dump_info *)user; + ++packets_captured; ++infodelay; 
@@ -1180,6 +1201,10 @@ --infodelay; if (infoprint) info(0); + + if(gndo->ndo_Pflag > 0 && packets_captured > gndo->ndo_Pflag) { + pcap_breakloop(dump_info->pd); + } } static void -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Finger me for keys iQCVAwUBQqHZ/YqHRg3pndX9AQEIyAQArNajMP2mMiytc45I4g3Do3D5qtd3kHuB al97Hng4+uifV7GLnfwJqfDdKvU1GdhHaMFUFFtu+xCAFjKOMx2cVJp0CEC78pm9 SjFosP1N69NPbWkDUPjmb2cnf/K2DbeeFNSfNBis0b++LnJwetCPxDijgsM2g+r6 tct/5xH2eTc= =mAQZ -END PGP SIGNATURE- - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
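Review bot: the first tcpdump.1 hunk (@@ -256,6 +259,10 @@) inserts the `.TP .B \-P` entry between "Savefiles after the first savefile will have the name specified with the" and ".B \-w flag, with a number after it", i.e. in the middle of a sentence of the -C description, so the rendered -C text is cut in two with the -P entry sitting inside it. The second tcpdump.1 hunk (@@ -416,6 +423,9 @@) already adds the same entry at its alphabetical place before `.B \-q`; keep that one and drop the first, leaving only the synopsis addition in the @@ -40 hunk.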
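Review bot: in the option-parsing hunk (@@ -496,6 +496,16 @@) `int packet_limit = atoi(optarg)` accepts trailing garbage ("10abc" is taken as 10) and cannot tell "0" from a non-numeric string, and the signed result is then stored in the `unsigned int ndo_Pflag` added in netdissect.h. Parse with `strtol` and an end pointer, reject anything that is not a fully consumed positive number, and give `ndo_Pflag` and `packets_captured` the same signedness so the `>` comparisons in the callback hunks are not mixed-sign.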
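Review bot: in the exit hunk (@@ -1041,8 +1051,12 @@) status -2 is exactly what pcap_loop returns after pcap_breakloop(), and pcap_breakloop() is how the new callback code stops the capture once the limit is reached, so the normal -P completion path prints "terminated with fewer than %d packets" and then exits 1 through `exit(status < 0 ? 1 : 0)`; pcap_geterr(pd) also carries no message for a breakloop return, so the trailing "%s" will be empty or stale. Record why the loop was broken (a flag set beside the pcap_breakloop() call, or a comparison of packets_captured against ndo_Pflag here) and use that to choose both the message and the exit status, so only an interrupt before the limit counts as a failure.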
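Review bot: the stop condition `packets_captured > gndo->ndo_Pflag` in both callback hunks (@@ -1162,11 +1176,18 @@ and @@ -1180,6 +1201,10 @@) only becomes true on the packet after the limit, so with -P 10 the eleventh packet is written before pcap_breakloop() runs; `>=` gives the documented "exit after packet_limit packets". Both hunks reference `dump_info->pd`, which only exists in the dump (-w) callbacks, and no hunk touches the callback that prints to stdout, so check that -P without -w also terminates; if it does not, the same check belongs there, with the pcap handle reachable from that callback's `user` argument.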
Re: [tcpdump-workers] Any news/updates for the release libpcap 0.9?
>>>>> "Gianluca" == Gianluca Varenni <[EMAIL PROTECTED]> writes:

Gianluca> We (WinPcap team) are ready to release WinPcap 3.1, so we
Gianluca> are interested in knowing the schedule for libpcap 0.9. If
Gianluca> it's a matter of a couple of weeks, we can wait for your
Gianluca> release. Otherwise, we will use either a snapshot of
Gianluca> libpcap, or libpcap 0.9 alpha (dated April 6, 2005).

We just need a volunteer to collate the CHANGES file from libpcap and
tcpdump. If one of you could do that, it would permit the release to go
out. It is about 2-3 hours of work.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
[tcpdump-workers] 3.9.1
Thanks to Ken Bantoft, who summarized the Changes between 3.8 and 3.9,
we now have a release. It is signed, etc.

Whoever it was that has the freshmeat login, please update stuff.

$Header: /tcpdump/master/htdocs/tcpdump-changes.txt,v 1.8 2005/07/05 21:23:44 mcr Exp $
Tue. July 5, 2005. [EMAIL PROTECTED]

Summary for 3.9.x tcpdump
  Option to chroot() when dropping privs
  Fixes for compiling on nearly every platform, including improved 64bit support
  Many new testcases
  Support for sending packets
  Many compilation fixes on most platforms
  Fixes for recent version of GCC to eliminate warnings
  Improved Unicode support

Decoders & DLT Changes, Updates and New:
  AES ESP support
  Juniper ATM, FRF.15, FRF.16, PPPoE, ML-FR, ML-PIC, ML-PPP, PL-PPP, LS-PIC GGSN, ES, MONITOR, SERVICES
  L2VPN
  Axent Raptor/Symantec Firewall
  TCP-MD5 (RFC 2385)
  ESP-in-UDP (RFC 3948)
  ATM OAM
  LMP, LMP Service Discovery
  IP over FC
  IP over IEEE 1394
  BACnet MS/TP
  SS7
  LDP over TCP
  PGM (RFC 3208)
  LSP-PING
  G.7041/Y.1303 Generic Framing Procedure
  EIGRP-IP, EIGRP-IPX
  ICMP6
  Radio - via radiotap
  DHCPv6
  HDLC over PPP

@(#) $Header: /tcpdump/master/htdocs/libpcap-changes.txt,v 1.8 2005/07/05 21:23:44 mcr Exp $ (LBL)
Tue. July 5, 2005. [EMAIL PROTECTED]

Summary for 3.9.x tcpdump
  Fixes for compiling on nearly every platform, including improved 64bit support
  MSDOS Support
  Add support for sending packets
  OpenBSD pf format support
  IrDA capture (Linux only)

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] 3.9.1 -A flag broken
>>>>> "dean" == dean gaudet <[EMAIL PROTECTED]> writes:

dean> the -A flag prints hex rather than ascii-only... i think the
dean> following patch is necessary.

dean> case 'A': - ++xflag; ++Xflag; ++Aflag; break; -

Guy added that line 19-Dec-2002. Guy, can you defend this change?

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
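Review bot: the quoted hunk removes `++xflag;` from `case 'A':` in the option parser, but nothing in it shows that xflag is what makes -A emit hex; whether -A prints hex or ASCII is decided where the packet printer tests the x/X/A flags, so confirm the behaviour there before applying a parser-only change, and pair the fix with a regression test that runs one capture under -x, -X and -A and compares the output, so it is verified on what is printed rather than on which counters the option sets.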
Re: [tcpdump-workers] 3.9.1 -A flag broken
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

>> >>>>> "dean" == dean gaudet <[EMAIL PROTECTED]> writes:
>> dean> the -A flag prints hex rather than ascii-only... i think the
>> dean> following patch is necessary.
>> dean> case 'A': - ++xflag; ++Xflag; ++Aflag; break; -
>> Guy added that line 19-Dec-2002.

Guy> The "++xflag;" line?

Yeah, I didn't look too closely, just did a cvs annotate... Looks like
the problem is elsewhere, in the printer.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] 3.9.1 -A flag broken
dean> the -A flag prints hex rather than ascii-only... i think the
dean> following patch is necessary.

>> dean> case 'A': - ++xflag; ++Xflag; ++Aflag; break; -

oh, a regression test would have shown this.

Can you submit a patch done with 3.8.x that shows what you want, and put
it in the tests subdir? I.e. same input, each possible -x,-X,-A
combination, and your expected output.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
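The kind of test the reply asks for, written out as an added example that is not from the thread and not tcpdump's own tests/ harness: one saved capture is run through every non-empty combination of -x, -X and -A, and each output is compared with a stored expected-output file recorded from a build known to print correctly. The file names (tests/print-flags.pcap, tests/print-flags-*.out) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not tcpdump's own tests/ harness:
# check the hex/ASCII print options against stored expected output.
# Assumptions: capture at tests/print-flags.pcap, references named
# tests/print-flags-<flags>.out, a "tcpdump" binary on PATH.

# One flag combination per line, in a fixed order so the expected-output
# file names are stable across runs.
flag_combos() {
  printf '%s\n' '-x' '-X' '-A' '-x -X' '-x -A' '-X -A' '-x -X -A'
}

# "-x -X -A" -> "xXA": the suffix of the expected-output file for a combination.
combo_name() {
  printf '%s' "$1" | tr -d ' -'
}

# Record the reference outputs once, from a tcpdump known to be correct (the
# reply suggests 3.8.x), so later builds can be checked against them.
record_expected() {
  pcap="${1:-tests/print-flags.pcap}"; outdir="${2:-tests}"
  flag_combos | while read -r flags; do
    # shellcheck disable=SC2086  # $flags must be word-split into options
    tcpdump -n -r "$pcap" $flags > "$outdir/print-flags-$(combo_name "$flags").out" 2>&1
  done
}

# Compare the current binary's output with the references. Returns the
# number of failing combinations, so 0 means every combination matched.
run_print_flag_tests() {
  pcap="${1:-tests/print-flags.pcap}"; outdir="${2:-tests}"
  failed=0
  old_ifs=$IFS; IFS='
'
  for flags in $(flag_combos); do
    IFS=$old_ifs
    expected="$outdir/print-flags-$(combo_name "$flags").out"
    # -n keeps addresses numeric so the output does not depend on DNS.
    # shellcheck disable=SC2086
    if tcpdump -n -r "$pcap" $flags 2>&1 | diff -u "$expected" - >/dev/null; then
      echo "ok:   tcpdump $flags"
    else
      echo "FAIL: tcpdump $flags (differs from $expected)" >&2
      failed=$((failed + 1))
    fi
  done
  IFS=$old_ifs
  return "$failed"
}

# Usage: record_expected with the known-good binary, then run
# run_print_flag_tests after each build; a non-zero return is a regression.
```

Comparing whole outputs rather than grepping for a hex column is deliberate: it catches the case in this thread (hex printed where ASCII was expected) and any later change to the dump layout with the same files.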
Re: [tcpdump-workers] 3.9.1
>>>>> "Romain" == Romain Francoise <[EMAIL PROTECTED]> writes:

Romain> The CHANGES file in libpcap-0.9.1.tar.gz is... strange:
Romain> Looks like the entry got mangled.

Yeah, I merged my start of the file with Ken's work. Oops. Fixed in CVS.

-- Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] 3.9.1 -A flag broken
>>>>> "dean" == dean gaudet <[EMAIL PROTECTED]> writes:

dean> heheh cool, you seem to have come to the same conclusions as
dean> me... and i've got a regression test at
dean> http://arctic.org/~dean/patches/tcpdump-3.9.1-test-print-flags.patch

  I committed those files to HEAD.
  Now, we need to commit the fix :-)
Re: [tcpdump-workers] 3.9.1 -A flag broken
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:

Guy> I guess that explains why *neither* of my messages had the
Guy> patch.
Guy> OK, it's at
Guy> http://www.sonic.net/~gharris/patch

  The list filters out non-text/plain mime types.
Re: [tcpdump-workers] detecting libpcap 0.9
>>>>> "Romain" == Romain Francoise <[EMAIL PROTECTED]> writes:

>> Unfortunately, that happened after the 0.9/3.9 release, so, for
>> better or worse, we're stuck with the old names; I've backed out
>> the aforementioned change.

Romain> It's not too late to release 0.9.2 with these API changes
Romain> and encourage people not to use 0.9.1...

  If it happens this week, I'm fine with that.
Re: [tcpdump-workers] tcpdump 3.9.1 under Windows
>>>>> "Loris" == Loris Degioanni <[EMAIL PROTECTED]> writes:

Loris> There is an issue compiling 3.9.1 in Windows. The problem is
Loris> that my last patch to win32\prj\windump.dsp (2005/6/4) was
Loris> not propagated to the tcpdump_3_9 branch, and therefore the
Loris> CVS snapshot compiles, but 3.9.1 fails in print-dhcp6.c.
Loris> If you're planning to do a subrelease to fix the -A flag
Loris> problem, we can fix this too. Otherwise, I'll have to release
Loris> a version of WinDump with a small patch in the dsp.

  I expect a 3.9.2/0.9.2 to go out on Sunday, if we can do that.
  Please pull up what you need to the branch.
[tcpdump-workers] 0.9.2/3.9.2
  Any objection to 0.9.2 going out in the next 20 hours?
Re: [tcpdump-workers] 0.9.2/3.9.2
>>>>> "Loris" == Loris Degioanni <[EMAIL PROTECTED]> writes:

Loris> No objection. Gianluca and I still checked in a couple of
Loris> fixes in the Win32 code, and from that point of view we
Loris> should be ready.

  So you are happy with what is on the branch?
[tcpdump-workers] release 0.9.2/3.9.2
  libpcap/tcpdump are tagged and are tar.gz. I will sign them when I
get home, and update the web site. In the meantime:

  http://www.tcpdump.org/release/tcpdump-3.9.2.tar.gz
  http://www.tcpdump.org/release/libpcap-0.9.2.tar.gz

marajade-[/mara7/tcpdump/3.9] mcr 1044 %md5sum *.tar.gz
36d310c1266e6e6a34295c2e0afd3e10  libpcap-0.9.2.tar.gz
65dcb4d5eff136f66a221416cb1c2054  tcpdump-3.9.2.tar.gz