On 03/03/2011 03:52 PM, Jeff Sadowski wrote:
On Thu, Mar 3, 2011 at 1:31 PM, Eloy Paris wrote:
On 03/03/2011 02:48 PM, Jeff Sadowski wrote:
[...]
I tried "tcpdump ip6 and icmp" but it says I'm blocking all. How would
I do what I am trying to do?
I can't quite figure out tcpdump syntax.
"tcpdump icmp6", per pcap-filter(7), does not do what you need?
Cheers,
E
the firewalling
facility.
Hope this helps.
Cheers,
Eloy Paris.-
netexpect.org
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
file (PCAP)
file, and then run the PCAP file through but tcpdump with -S and your
own application.
Cheers,
Eloy Paris.-
netexpect.org
17:53:35.347343 seq 113135041 ack 580300371 len 92
17:53:35.347348 seq 113118401 ack 580300371 len 156
17:53:35.367017 seq 100802387 ack 4147158977 len 40
17:53
large
sequence numbers as well, just as your application does.
Cheers,
Eloy Paris.-
netexpect.org
On 08/19/2010 06:23 PM, Andrej van der Zee wrote:
Hi,
Source port and dest number seem to be ok, so I guess this is not the
problem. Nevertheless, I tried the code below but it does not m
examples of those "weird seq and ack numbers"?
Eloy Paris.-
netexpect.org
h
basically returns ENOSYS for all API functions :-(
I don't think it would be hard to add support for iptables, but I
haven't had a strong-enough need to want to tackle that myself.
Cheers,
Eloy Paris.-
netexpect.org
t file. */
pdumper = pcap_dump_open(pd, "/tmp/capture.pcap");
while (1) {
	/*
	 * Create fake IP header and put UDP header
	 * and payload in place
	 */
	...
	/* write packet to savefile; hdr and pkt are the pcap_pkthdr and
	 * packet buffer built in the step above (names assumed here) */
	pcap_dump((u_char *) pdumper, &hdr, pkt);
pect uses libpcap for packet
capture and libwireshark (from the Wireshark project) for packet
dissection tasks. (GPL, BSD/Linux/OSX)"
Thanks in advance!
Cheers,
Eloy Paris.-
netexpect.org
_activate(), use an autoconf(1) script or some other configuration
script to check whether the libpcap 1.0 APIs are available and use them
only if they are."
Guess that's what happens when you read the documentation once and never
go back to it after new library versions are release
ibpcap services have always been required to call
pcap_activate() then I'd be curious to know why things have worked
without doing so (at least for me). To be honest, the first time I heard
about pcap_activate() was when Jim and Guy brought it up in this discussion.
Cheers,
Eloy Paris.-
net
Hi Guy,
On 09/26/2009 09:31 PM, Guy Harris wrote:
On Sep 26, 2009, at 5:55 PM, Guy Harris wrote:
On Sep 26, 2009, at 3:09 PM, Eloy Paris wrote:
So it seems like the only option I have to fix the regression is to
convert the pcap_next() call to pcap_dispatch()/pcap_loop()
semantics. I don
ay to disable libpcap's use of mmap()
at run-time even if it's available? That would be a better workaround
than to re-write my application...
Cheers,
Eloy Paris.-
netexpect.org
tml_node/Pure-Decl.html#Pure-Decl
Do we use Flex and Bison on all supported platforms, or do we have things
set up so we use the original Lex and Yacc on some platforms to keep
backward source code compatibility?
Cheers,
Eloy Paris.-
> - Original Message - From: "Behdad Forghani"
ay, an up-to-date Linux distribution like my Fedora 10?
I believe Flex has been able to generate re-entrant code for a while now.
Fedora 10 shipped Flex 2.5.35, which is definitely able to generate
re-entrant code.
Even Fedora 7 has a Flex (2.5.33) capable of generating re-entrant code.
Cheers,
Eloy Paris.-
e went down this
path, I don't think that recompiling with the option to revert to
the shorter snapshot length by default will be that much easier for
administrators than editing legacy scripts to add "-s 68" to tcpdump
invocations.
Cheers,
Eloy Paris.-
> The default should b
Pv6
> > support)?
>
> Yes. People don't read man pages/documentation. IMHO, dropped packets
> is less of a problem than missing packet data in most real world
> situations.
I'm very used to running tcpdump with "-s 0" to get the maximum snapshot
length, but it
> I had a look at
> http://penumbra.warmcat.com/_twk/tiki-index.php?page=packetspammer this code
> but in this the whole packet is generated in code.
>
> if there is any tool already do this job please give me the link.
Have you looked at tcpreplay? Maybe it already does what
t. In particular you
> can wait on multiple pcap_t handles by getting a waitable handle on
> each of them and then calling "WaitForMultipleObjects" on them.
>
> Hope it helps
This is very helpful; thanks for the info! It seems like there is hope
for a Windows port of my appl
t capture descriptors
on Linux...
> On Linux, I just use raw sockets, which are faster and easier to deal
> with than pcap..but my app is probably different in nature from yours.
If portability is not needed raw sockets are nice. The nice thing about
PCAP is that it's portable.
Che
there's lots of data to be read from
the packet capture descriptors then high CPU is obviously expected. Has
the user indicated how busy the network is?
Cheers,
Eloy Paris.-
netexpect.org
ping
> constantly even when idle.
Your assumption is correct. I think you're on the right path with poll();
just do some troubleshooting to see what's causing the high CPU.
Cheers,
Eloy Paris.-
netexpect.org
e in Wireshark:
wireshark xx
Cheers,
Eloy Paris.-
supported platforms, with no change.
The bottom line is that the impact and benefits of libpcap are huge.
We're fortunate to have such a wonderful piece of software, especially
with that price tag.
Cheers,
Eloy Paris-
> --- On Wed, 6/11/08, Guy Harris <[EMAIL PROTECTED]> wrote:
ng data to callback
functions.
Here's another example:
#include <stdio.h>
#include <pcap.h>

void
mycallback(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes)
{
	int *counter = (int *) user;	/* "user" points at the caller's int */

	/* (*counter)++ bumps the count; a bare *counter++ would advance the pointer */
	printf("Packet #%d: %u bytes.\n", (*counter)++, h->caplen);
}

void
f(void)
{
	int pktcounter = 0;
he real solution would be to move to
libtool, as Guy says) and no promises that it'll work but should give
you a starting point to play with.
Cheers,
Eloy Paris.-
filter expression,
> which is what libpcap++ does internally. This is done without accessing any
> field of the pcap_t structure. More examples of this are get_promiscuous()
> and get_timeout() member functions of class PcapLive.
Seems to me like this is a useful wrapper; thanks for p
I've found the following page very useful for configuring monitor mode
on wireless NICs on different operating systems:
http://wiki.wireshark.org/CaptureSetup/WLAN
Lots of good information there.
Cheers,
Eloy Paris.-
On Tue, May 29, 2007 at 07:53:20PM -0600, David Vos wrote:
> I am using libpcap-0.9.5 on Mac OS 10.4.9.
>
> I have a pcap_loop() handler which displays the packets I receive.
>
> If I call pcap_inject(), then shortly after call pcap_loop(), the
> injected packet is displayed by pcap_loop.
>
> I
On Tue, Apr 03, 2007 at 04:57:27PM +0100, roy hills wrote:
[...]
> What I find is that select() returns when there is any data received
> on the network interface; not just data that will match the pcap
> filter. In other words, just because select() returned indicating that
> the pcap file descr
e Solaris/DLPI equivalent to the
> > BSD/BPF BIOCIMMEDIATE ioctl.
>
> Do you happen to know what is the Solaris/DLPI equivalent to the
> BSD/BPF BIOCIMMEDIATE ioctl ?
http://www.mail-archive.com/tcpdump-workers@lists.tcpdump.org/msg02901.html
The code in that example did the trick for
Hello,
On Tue, Apr 03, 2007 at 02:49:14PM +0100, roy hills wrote:
> >I've also had problems with Solaris. In my opinion it's not the
> >best platform for capturing packets in real-time. In Network Expect
> >(http://www.netexpect.org) I am currently using the following code,
> >which I borrowed fr
for select()'s return value
and read data if there's something to read or go back to select() if
there's nothing.
As I said, Solaris behaves really weird when using select() on a libpcap
packet capture descriptor. I can't explain it.
Cheers,
Eloy Paris.-
Hi Guy,
On Thu, Oct 26, 2006 at 03:20:35AM -0700, Guy Harris wrote:
> >How would one notice that select() is not working correctly on a BPF
> >device on some of the BSDs?
>
> By compiling and running the attached program (compile with -lpcap)
> in one window, with "-i" used to select an interface
Guy,
On Wed, Oct 18, 2006 at 04:12:04PM -0700, Guy Harris wrote:
[...]
> Note that in some systems with BPF (older versions of
> {Free,Net,Open,Dragonfly}BSD, current versions of Mac OS X), select()
> (and poll()) don't work correctly on BPF devices, and so you have to
> work around that.
that there's
> data ready, which would support the buffering theory that I mentioned
> above.
>
> Any insight into what could be happening here, and any possible
> workarounds/solutions, will be very welcome. Thanks in advance.
>
> Cheers,
>
> Eloy Pari