[tcpdump-workers] -G and -C options
Hi,

with -C option, the manpage says "Note that when used with -Z option
(enabled by default), privileges are dropped before opening first
savefile." So when I run tcpdump as root like this:

# tcpdump -n -i eth0 -s 0 -C 3 -w /opt/tcpdump%F--%T.pcap

I immediately get 'Permission' denied error - as expected.

Now with -G, I think that the behavior should be similar but tcpdump
drops root privileges after creating the first file:

# tcpdump -n -i eth0 -s 0 -G 3 -w /opt/tcpdump%F--%T.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
tcpdump: /opt/tcpdump2019-09-16--07:03:32.pcap: Permission denied

# ls /opt
tcpdump2019-09-16--07:03:29.pcap

So with -G I get just the first file created. -C and -G have a very
similar rotation logic so perhaps the behavior should be similar as
well? Or at least this could be mentioned in the manpage under -G - the
fact that at least one file will be created.

Thanks for any comments about this.

Michal Ruprich
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

[tcpdump-workers] --immediate-mode in combination with -U
Hi,

would you consider adding a mention of the --immediate-mode to the -U
option in the manpage? For someone who is not familiar with how the
packets are buffered before they are passed to tcpdump, it might not be
obvious to use --immediate-mode together with -U to get the same
behavior when writing to a file as when writing to stdout.

Thanks and regards,

Michal Ruprich

Re: [tcpdump-workers] -G and -C options
On 9/16/19 4:21 PM, Michael Richardson wrote:
> Michal Ruprich wrote:
> > with -C option, the manpage says "Note that when used with -Z option
> > (enabled by default), privileges are dropped before opening first
> > savefile." So when I run tcpdump as root like this:
> >
> > # tcpdump -n -i eth0 -s 0 -C 3 -w /opt/tcpdump%F--%T.pcap
> >
> > I immediately get 'Permission' denied error - as expected.
>
> assuming that your username has no permissions on /opt

Actually no, the privileges are dropped every time - even when I run
tcpdump as root, the privileges are dropped before the file is created
and user tcpdump is used. But this is not the point. This behavior is
expected, my concern was about the manpage, that's all.

> > Now with -G, I think that the behavior should be similar but tcpdump
> > drops root privileges after creating the first file:
> >
> > # tcpdump -n -i eth0 -s 0 -G 3 -w /opt/tcpdump%F--%T.pcap
>
> That might be a reasonable behaviour, but it's not.
> You'd generally want to switch to a username that has write permission.
>
> > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> > 262144 bytes
> > tcpdump: /opt/tcpdump2019-09-16--07:03:32.pcap: Permission denied
> >
> > # ls /opt
> >
> > tcpdump2019-09-16--07:03:29.pcap
> >
> > So with -G I get just the first file created. -C and -G have a very
> > similar rotation logic so perhaps the behavior should be similar as
> > well? Or at least this could be mentioned in the manpage under -G - the
> > fact that at least one file will be created.
>
> There are a lot of considerations around this.
> If you want to rotate files, then you need to keep permissions to write.
> I'll try to review the man page, but any updates to document what *is* would
> be welcome, even if what *is* makes little sense.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | IoT architect   [
> ]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

Re: [tcpdump-workers] --immediate-mode in combination with -U
Any thoughts on this?

On 9/16/19 2:33 PM, Michal Ruprich wrote:
> Hi,
>
> would you consider adding a mention of the --immediate-mode to the -U
> option in the manpage? For someone who is not familiar with how the
> packets are buffered before they are passed to tcpdump, it might not be
> obvious to use --immediate-mode together with -U to get the same
> behavior when writing to a file as when writing to stdout.
>
> Thanks and regards,
>
> Michal Ruprich

[tcpdump-workers] Question about an uninitialized array in bpf_filter
Hi,

I was wondering whether the mem[BPF_MEMWORDS] array in function
pcapint_filter_with_aux_data in bpf_filter.c should be initialized? If
the switch hits cases BPF_LD|BPF_MEM or BPF_LDX|BPF_MEM, the variables A
or X are filled with random uninitialized data from the array. Is it the
case that this never happens before mem is filled with relevant data? In
all cases, setting it to mem[BPF_MEMWORDS] = {0}; could not hurt
probably?

Thanks and regards,

Michal Ruprich
___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org
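
An added example, not part of the message above and not libpcap code: a static check that walks a classic BPF program and reports the first BPF_LD|BPF_MEM or BPF_LDX|BPF_MEM that some path reaches before the scratch slot was stored. The names first_uninit_mem_load, struct insn, MAX_INSNS and both sample filters are assumptions made for this example.

```c
#include <stdint.h>

/* Classic BPF encodings (same values as pcap/bpf.h), repeated so this builds alone. */
#define BPF_MEMWORDS 16
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03,
       BPF_JMP = 0x05, BPF_RET = 0x06, BPF_MEM = 0x60, BPF_JA = 0x00 };
#define MAX_INSNS 64                      /* hypothetical limit for the example */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Returns -1 if no path loads M[k] before storing it, the index of the first
 * offending load otherwise, or -2 for a program this checker cannot follow. */
int first_uninit_mem_load(const struct insn *p, unsigned len)
{
    uint16_t in[MAX_INSNS];               /* in[i]: slots written on every path to i */
    if (len == 0 || len > MAX_INSNS) return -2;
    for (unsigned i = 0; i < len; i++) in[i] = 0xffff;   /* not reached yet */
    in[0] = 0;                            /* nothing has been written at entry */
    for (unsigned i = 0; i < len; i++) {  /* jumps only go forward: one pass */
        unsigned cls = BPF_CLASS(p[i].code);
        uint16_t s = in[i];
        uint64_t t[2] = { (uint64_t)i + 1, (uint64_t)i + 1 };
        if ((cls == BPF_LD || cls == BPF_LDX) && BPF_MODE(p[i].code) == BPF_MEM) {
            if (p[i].k >= BPF_MEMWORDS) return -2;
            if (!(s & (1u << p[i].k))) return (int)i;
        } else if (cls == BPF_ST || cls == BPF_STX) {
            if (p[i].k >= BPF_MEMWORDS) return -2;
            s |= (uint16_t)(1u << p[i].k);
        } else if (cls == BPF_RET) {
            continue;                     /* no successor */
        } else if (cls == BPF_JMP && BPF_OP(p[i].code) == BPF_JA) {
            t[0] = t[1] = (uint64_t)i + 1 + p[i].k;
        } else if (cls == BPF_JMP) {
            t[0] += p[i].jt; t[1] += p[i].jf;
        }
        for (int j = 0; j < 2; j++) {     /* meet = intersection at join points */
            if (t[j] >= len) return -2;   /* would run off the end */
            in[t[j]] &= s;
        }
    }
    return -1;
}

/* Constructed sample filters (not from the thread). */
const struct insn store_then_load[] = {      /* ld #5; st M[2]; ld M[2]; ret a */
    {0x00,0,0,5}, {0x02,0,0,2}, {0x60,0,0,2}, {0x16,0,0,0} };
const struct insn branch_skips_store[] = {   /* the jf branch jumps over st M[0] */
    {0x28,0,0,12}, {0x15,0,1,0x800}, {0x02,0,0,0}, {0x61,0,0,0}, {0x06,0,0,0} };
```

A filter that passes this check never reads a scratch slot the interpreter has not written, whether or not mem is zero-initialized.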