> On Jun 10, 2015, at 7:35 AM, Darren Reed wrote:
>
> On 10/06/2015 5:42 AM, Michael Richardson wrote:
>> re: https://github.com/the-tcpdump-group/tcpdump/pull/464 Guy writes:
>>> We have the -C option, giving a file size in megabytes (real megabytes,
>>> i.e. 1,000,000 bytes, not 1,048,576 byt
ers on how it is supposed to work so I
can try and make sure that is true would be appreciated.
-- WXS
> On Feb 18, 2015, at 4:23 PM, Guy Harris wrote:
>
>
> On Feb 18, 2015, at 10:18 AM, Wesley Shields wrote:
>
>> I've got a patch for this at
>>
I've got a patch for this at
https://github.com/wxsBSD/tcpdump/commit/84998745a29a0ffb3a680c29692c15426a1ce960.
Seems to work well but I would appreciate any testing anyone can do. I'm also
going to make sure this is right from the capsicum perspective as I have no
experience with that. Once I
Looks like the call to pcap_dump_ftell() is always returning -1 and setting
errno to 93 (ENOTCAPABLE). This makes sense since I can only trigger it on
FreeBSD, and if I disable capsicum support in config.h and rebuild then -C
works as expected.
I'll take a look at this and send a PR, but you ma
I don't have an answer to your original question other than to say I just
duplicated it on a FreeBSD host but not on OS X. Smells like a bug to me.
I've done something similar in the past using -G and writing to something like
/packets/%Y/%m/%d/%H%M%S.pcap (assuming those directories exist). Thi
I believe daemonlogger can do this. It's been a while since I looked at
it but I believe that is what I added support for years ago.
http://sourceforge.net/projects/daemonlogger/
-- WXS
On Thu, Oct 16, 2014 at 01:21:57AM -0700, Cosmin T wrote:
> Hello,
>
> I wanted to create a pcap "buffer" of
I've been trying to come up with a good way to finish the work done in
this pull request:
https://github.com/the-tcpdump-group/libpcap/pull/300
I've been having a hard time coming up with a way that works, and I'm
curious if anyone else has suggestions.
We can always commit the definitions for t
If tcpdump 4.4.0 and libpcap 1.4.0 are done should the webpage be
updated or are they in some kind of beta form? I'll happily fix it on
github if that's the right place to do it.
-- WXS
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
h
On Mon, Mar 25, 2013 at 02:42:07PM -0400, Wesley Shields wrote:
> On Sun, Mar 24, 2013 at 05:52:51PM -0400, Michael Richardson wrote:
> >
> > >>>>> "Romain" == Romain Francoise writes:
> > >> please expect a new release candidate on 2013-
On Sun, Mar 24, 2013 at 05:52:51PM -0400, Michael Richardson wrote:
>
> > "Romain" == Romain Francoise writes:
> >> please expect a new release candidate on 2013-03-09, assuming I
> >> can get enough Internet in St.Johns.
>
> Romain> Not sure if this was St John's in Antigua or S
On Thu, Mar 21, 2013 at 01:03:56PM -0400, Bill Fenner wrote:
> On Mon, Mar 18, 2013 at 11:08 PM, Wesley Shields wrote:
> > On Fri, Mar 15, 2013 at 06:37:25PM -0700, Guy Harris wrote:
> >>
> >> On Mar 15, 2013, at 2:45 PM, Michael Richardson wrote:
> >>
> >
On Fri, Mar 15, 2013 at 06:37:25PM -0700, Guy Harris wrote:
>
> On Mar 15, 2013, at 2:45 PM, Michael Richardson wrote:
>
> >
> >> "wen" == wen lui writes:
> >wen> I used libpcap function pcap_next() to capture some tcp packets
> >wen> I checked the bytes of the captured packets and
On Mon, Dec 10, 2012 at 11:38:29PM -0500, Michael Richardson wrote:
>
> > "Rick" == Rick Jones writes:
> Rick> Is there a version of tcpdump in the works which will decode
> Rick> the unencrypted
> Rick> portions of an SSL/TLS session? Or do I need to look
> Rick> elsewhere?
On Thu, Sep 06, 2012 at 02:46:30PM -0400, Wesley Shields wrote:
> On Mon, Sep 03, 2012 at 10:13:57PM -0400, Michael Richardson wrote:
> >
> > Wesley, is fopen("/dev/stdin") really the most portable way to
> > get a reference to stdin? I'd have thought that doin
On Mon, Sep 03, 2012 at 10:13:57PM -0400, Michael Richardson wrote:
>
> Wesley, is fopen("/dev/stdin") really the most portable way to
> get a reference to stdin? I'd have thought that doing:
> VFile=stdin;
>
> was the best way?
I fixed this and your other comment about refactoring reading fr
On Thu, Aug 23, 2012 at 01:27:33PM -0400, Michael Richardson wrote:
>
> >>>>> "Wesley" == Wesley Shields writes:
> >> Since pcap files have no end of file marker, and each file
> >> has a header on it, do you look at the beginning of ea
On Tue, Aug 21, 2012 at 08:36:12PM -0400, Michael Richardson wrote:
>
> Wesley, it seems like a good idea.
> I can't look at your patch from the cottage, since I squirt out bits
> only once a day by walking down the road to where there is some wifi.
No worries, I'm in no rush on this. Enjoy your
I've added support to tcpdump that lets you do things like:
find /pcaps -type f | tcpdump -V - -w out.pcap
or:
find /pcaps -type f > ~/pcaps; tcpdump -V ~/pcaps -w out.pcap
When writing out to a file it makes sure the DLT of every subsequent
file matches the DLT of the first file.
It's in a fo
On Tue, Sep 13, 2011 at 01:36:00PM -0400, Michael Richardson wrote:
>
> > "Rick" == Rick Jones writes:
> >> I think that this is a bit low, so double it.
> >>
>
> Rick> While that would be considerably higher than the current
> Rick> tcpdump-workers email rate (as I perceive
On Wed, May 04, 2011 at 09:44:55AM -0400, Michael Richardson wrote:
>
> > "Aaron" == Aaron Turner writes:
> Aaron> On Fri, Apr 29, 2011 at 12:20 AM, Andrej van der Zee
> Aaron> wrote:
> >> With tcprewrite you can change ips too. Not sure if it updates
> >> checksums though...
On Wed, Mar 31, 2010 at 11:00:25AM -0700, Guy Harris wrote:
>
> On Mar 31, 2010, at 9:15 AM, Michael Richardson wrote:
>
> > Two questions:
> > 1) is there anything preventing us from processing pflog
> > format pcap files on any system (i.e. a header I'm missing
> > on non-BSD system
Looks like commit e8b523758959c1854689d71c7a4686c631e5501c broke
tcpdump on FreeBSD (and probably any other system with PF). The attached
patch fixes the build.
-- WXS
--- ./print-pflog.c.orig 2010-03-31 00:12:46.197152894 -0400
+++ ./print-pflog.c 2010-03-31 00:13:00.429070083 -0400
@@ -42,6 +42,
On Tue, Mar 30, 2010 at 03:21:50PM -0400, Michael Richardson wrote:
>
> > "Gianluca" == Gianluca Varenni writes:
> Gianluca> What happened to the release?
>
> Oh, oops, I didn't move the release from the /beta to the release dir.
>
> my bad.
The links on http://www.tcpdump.org are brok
Recent changes to FreeBSD broke libpcap building[1]. I've got a patch
which fixes the build[2]. Is there any chance this can be committed?
Technically speaking the patch is already contained in [1] but I broke it
out to a separate piece to make things easier.
[1]: http://svn.freebsd.org/viewvc/ba
On Wed, Oct 28, 2009 at 10:57:33AM -0400, Wesley Shields wrote:
> On Tue, Oct 27, 2009 at 12:00:04PM -0700, Aaron Turner wrote:
> > On Tue, Oct 27, 2009 at 11:55 AM, Jung-uk Kim wrote:
> > > On Friday 25 September 2009 01:18 am, Aaron Turner wrote:
> > >> I
On Tue, Oct 27, 2009 at 12:00:04PM -0700, Aaron Turner wrote:
> On Tue, Oct 27, 2009 at 11:55 AM, Jung-uk Kim wrote:
> > On Friday 25 September 2009 01:18 am, Aaron Turner wrote:
> >> I've got a user of tcpreplay having issues where his interfaces are
> >> not being returned via pcap_findalldevs()
26 matches