On Fri, 4 Jul 2025 13:05:01 -0700
Guy Harris wrote:
> On Jul 4, 2025, at 8:55 AM, Bill Fenner wrote:
>
> > We may know that we will be using this code on a kernel that
> > requires BPF_SPECIAL_VLAN_HANDLING, and so I'd like to be able to set that
> > flag on a "dead" handl
to have a proper version tag ?
Agreed, seems like a simple fix. Better now than later?
Stephen
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Hi,
I see 1.9.0 is up to rc2 as of 25th June, how is it going? Is there anything we
can do to assist?
This fixes a serious bug in 1.8.1 for us, so keen to see a new release!
Regards,
Stephen
rebase and separate the items? Has development moved to a
different tree somewhere?
I notice there are quite a few open pull requests in general, are there blocking
issues with these, or insufficient resources to merge them?
Regards,
Stephen
or dagN:M where N is the
device number and M is the stream number. The former implies stream 0.
Thanks to joseph.cicc...@emulex.com
for his initial patch.
I have created a pull request at github:
https://github.com/the-tcpdump-group/libpcap/pull
, it might be more widely implemented. It seems
to solve a genuine problem, and avoids the proliferation of DLTs for WITH and
WITHOUT FCS.
Regards,
Stephen.
On Tue, 11 Dec 2012 14:36:33 -0800 (PST)
Ani Sinha wrote:
> >
> > It is possible to test for the presence of support of the new vlan bpf
> > extensions by attempting to load a filter that uses them. As only valid
> > filters can be loaded, old kernels that do not support filtering of vlan
> > ta
On 06/06/12 22:03, Guy Harris wrote:
On Jun 5, 2012, at 8:04 PM, Stephen Donnelly wrote:
I've posted an 'experimental' patch/hack to dumpcap in Bug #7300.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7300
The dumpcap implementation assumes that there is a one-to-one
On Thu, 15 Dec 2011 10:32:56 -0800
Rick Jones wrote:
>
> > More exactly, we call dev_queue_xmit_nit() from dev_hard_start_xmit()
> > _before_ giving skb to device driver.
> >
> > If device driver returns NETDEV_TX_BUSY, and a qdisc was setup on the
> > device, packet is requeued.
> >
> > Later,
xonomy.xml
Stephen
--
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
well if needed.
Regards,
Stephen.
ailable on the platform at run time.
Regards,
Stephen
--
-------
Stephen Donnelly BCMS PhD email: s...@endace.com
Endace Technology Ltd phone: +64 7 839 0540
Hamilton, New Zealand
_attach_stream() and dag_detach_stream() to handle
mapping/unmapping.
Stephen.
he HCS. In some cases we have a
'Physical Port ID' which would be useful.
Stephen.
git://github.com/sfd/libpcap.git
Updating Endace DAG ERF support.
ll use the
ERF record information inside in preference to the pcap packet header
information.
Some DAG cards can also transmit packets at specific times. They use the
time stamp from the ERF record to determine when to transmit the packet
The default install path is probably /usr/local, have you checked
if /usr/local/lib is in your library path?
See /etc/ld.so.conf.d/*.conf
Stephen.
On Sun, 2008-12-21 at 01:25 -0800, Gianluca Varenni wrote:
> I have some problems using the shared version of libpcap.
>
> Environme
those source and destination
IP addresses are stored in a variable somewhere and if not, how can I access
them.
Any help or direction is greatly appreciated.
Thanks,
Stephen
I'm working with some C code using pcap.h and I have an infinite loop running
pcap_dispatch. The packet handler function then takes the packet header it
received from pcap_dispatch and sends a message to a synthesizer currently
based on the packet length which is stored in the packet header it
ssions and 'does the right thing' in order to
extract the original binary data. Putting the same functionality into
tcpdump would be duplication, and this is already handled by Wireshark
in any case.
Stephen.
> Dmitry
>
>
> On Mon, Sep 22, 2008 at 2:12 PM, <[EMAIL PROT
s.
Perhaps you should try Wireshark, you may find its 'display filters'
more user friendly.
http://www.wireshark.org
Stephen.
ersion:
pppoes True if the packet is a PPP-over-Ethernet Session packet
(Ethernet type 0x8864). Note that the first pppoes keyword
encountered in expression changes the decoding offsets for the
remainder of expression on the assumption that the packet is a PPPoE
session packet.
# tcpdump --vers
On Wed, 2008-07-30 at 20:07 -0700, Guy Harris wrote:
> On Jul 30, 2008, at 2:12 PM, Stephen Donnelly wrote:
>
> > I recently came across some packets which tcpdump appears to display
> > incorrectly.
> >
> > Is tcpdump incorrectly invoking some heuristic dissector,
with
POSIX capabilities (Linux), with libpcre 7.4, without SMI, with ADNS,
without
Lua, with GnuTLS 2.0.4, with Gcrypt 1.2.4, with MIT Kerberos.
Running on Linux 2.6.24-12-generic, with libpcap version 0.9-PRE-CVS.
Built using gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7).
Any assistan
I tried piping to the SuperCollider program, but I'm guessing I would have to
edit the SuperCollider code then so that I can tell it what to do with the
Piped data?
Thanks,
Stephen
-Original Message-
From: Guy Harris <[EMAIL PROTECTED]>
Sent: Saturday, June 7, 2008 3:29am
tly appreciated. The purpose of
this is so that I can create sound based on like tcp network traffic.
Thanks,
Stephen
pcap-dag.c 1.37 doesn't compile after changes to support the new
'activate' model.
Small patch which should address the issues.
Stephen.
If the user's purpose in saving to libpcap format is to use the file
with another program then saving to DLT_ERF may not be useful.
When you save a capture in libpcap format Wireshark doesn't prompt you
for which DLT to use? How does it decide which DLT is appropriate?
Stephen
On Thu, 2008-01-10 at 14:53 +1300, Stephen Donnelly wrote:
> On Wed, 2008-01-09 at 17:25 -0800, Guy Harris wrote:
> > On Jan 9, 2008, at 3:37 PM, lei wei wrote:
> >
> > > I'm actually trying to get Argus working with DAG but argus still
> > > can't re
around
any non-selectable descriptors it is not possible to use Argus with DAG
cards without further modification.
Curiously under CYGWIN it does not assume selectable descriptors, but
apparently works with only one interface in this case. It may be
possible t
rcial slant, you may be interested in my
whitepaper. Disclaimer: I work for Endace, a company that makes hardware
specialised for network packet capture.
http://www.endace.com/assets/docs/accelerated/DAGPacketCapturePerformance.pdf
Regards,
Stephen.
(and it avoids
> 4.0.1. and 1.0.1 48hours after release!)
A release candidate sounds like a good idea. Could easily give it a week
or two to settle before finalising it.
Stephen
also need to be
regenerated using the preferred autoconf version.
Stephen.
& 0xF) << 28) |
0x0400)
typedef enum {
PCAP_D_INOUT = 0,
dagfour
or dagconfig can be used, or you can access the statistics via the DAG
configuration and status API from your own software.
Regards,
Stephen.
On Tue, 2007-08-07 at 16:55 -0700, Guy Harris wrote:
> On Jul 25, 2007, at 1:57 PM, Stephen Donnelly wrote:
>
> > Florent Drouin from Alcatel-Lucent has been working on improving the
> > ERF
> > support in Wireshark. As part of this work we would like to request a
>
ever there are already 19 ERF types defined and
I feel this would unnecessarily consume/pollute the libpcap DLT
namespace.
Comments, questions, objections welcome.
Regards,
Stephen.
g
directly from ERF format files.
The only alternative I can see would be assigning new DLTs on a 1:1
basis with ERF types, however there are already 19 ERF types defined and
I feel this would unnecessarily consume/pollute the DLT namespace.
Comments, questions, objections welcome.
Regard
On Thu, 2007-06-28 at 03:09 +, Jefferson Ogata wrote:
> Stephen Donnelly wrote:
> > On Wed, 2007-06-27 at 22:00 +, Jefferson Ogata wrote:
> >> some packets to disk. Has anyone out there put together such a box and
> >> come up with some performance statistic
sk.
Endace also offers disk capture appliances which provide this level of
performance.
Unfortunately I'm not aware of any recent independent test publications.
Regards,
Stephen.
from Florent Drouin.
Regards,
Stephen.
It seems that if it is worth making the change, it is also worth using a
couple of bits to indicate whether a 16 or 32-bit CRC/FCS is present as
Guy suggested. This could then be used on linktypes such as PPP_SERIAL
which can have either length.
Stephen.
On Mon, 2007-02-19 at 19:59 +0100, [EMAIL
be necessary to add *_FCS DLTs where people specifically
request the ability to capture the checksum. This would keep the number
of new DLTs required to the minimum.
Regards,
Stephen
On Thu, 2007-02-08 at 19:44 +0100, [EMAIL PROTECTED]
wrote:
> I agree with you, the problem I am speaking ab
rally happy with adding LINKTYPE_MTP2_FCS as a special
case I have no problem, and Endace can support both linktypes.
Stephen.
.
You may have to get hold of low level Ethernet test equipment in order
to determine exactly what is there.
Stephen.
On Tue, 2007-01-23 at 12:11 -0600, Paul Armor wrote:
> Hi,
> after Guy's last email where he states:
> "Tcpdump supports capturing *all* network traffic;"
>
dissect packets directly with a protocol analyser class
etc.
Stephen.
d into libpcap there would need to be a way to
'reject' the option, perhaps via a specific function call like
pcap_setnonblock()?
Stephen.
On Wed, 2006-10-04 at 16:53 -0400, Michael Richardson wrote:
> >>>>> "Stephen" == Stephen Donnelly <[EMAIL PROTECTED]> writes:
> Stephen> (/tcpdump/master/libpcap/pcap/#cvs.lock): Permission denied
>
> Apologies. the lockdir stuff got los
ir lock in repository
`/tcpdump/master/libpcap/pcap'
cvs [update aborted]: read lock failed - giving up
Regards,
Stephen.
On Wed, 2006-10-04 at 17:51 +0200, Hannes Gredler wrote:
> paolo,
>
> checked in.
> can you make a fresh checkout and verify if everything is worki
Hi Don,
That sounds quite likely. This may well be a case where you need to edit
the file directly, and it seems unlikely that the compatibility issues I
mentioned would be a problem.
Alternatively have you looked to see if NetDude will do what you want?
Stephen.
On Sun, 2006-03-19 at 20:43
own code to read/write the current libpcap file format
it may not deal with older files or with potential new changes (aka
pcap-ng, pcap 1.0, NTAR etc)
Stephen.
On Sun, 2006-03-19 at 17:59 -0800, Don Morrison wrote:
> Hello,
>
> Is there documentation describing the pcap file formats (o
r the appended
records would have to be the same as for the original file.
I'm not sure how you could check for or enforce this?
The 'NTAR' file format intended for pcap-ng supports directly appending
capture files together, allowing new header blocks to redescribe the
interfaces and
other words, it is safe to add 4 bytes to the sizes of *all* captured
> packets to get the sizes on wire?
You can also add an unknown number of bytes of preamble (typ. 8), and 12
bytes of Inter-frame Gap if you like. Depends what you mean by 'On the
wire'.
Stephen.
tions that also use
memory mapping and would have similar problems.
Why is it that you want packets in user allocated buffers? It seems to
me that requiring the user to do their own explicit copies when required
is not unreasonable.
Regards,
Stephen.
the feedback address on
the webpage you mentioned and ask them about how to process the trace.
Regards,
Stephen.
Zhen Wu wrote:
Yes. I tried different flags. Here is what I got by trying "dagbpf -p".
-
$ zcat 20021125-14-0.gz | /usr/local/dagtools-0.8.1/p
From the web pages you mentioned, the Leipzig-I trace page says that it
was taken from a Packet over SONET link. Did you try the "dagbpf -p" flag
for PoS?
Regards,
Stephen.
Zhen Wu wrote:
Hello, everyone:
I am using dagtools and tcpdump to parse the Leipzig-I trace. The output
i
de works pretty well,
it's not much slower than the native interface. There are however some
changes I'm planning that will improve things a bit more. So far my
proposed changes affect only the library internals, they do not require
changes to the l
velopment, is there the intent for a new version
of libpcap to also process the new format? Independently of NTAR? With or
without backwards compatibility at the file reading or API levels?
Thanks,
Stephen.
Gianluca Varenni wrote:
Hi all.
This mail is to announce the birth of the NTAR project.
tions snipped-
DAG cards capture their timestamps at the beginning of the packet. For
Ethernet this is generally the SFD byte. I'm happy to discuss specifics
off-list if people are interested.
Stephen.
/tools/measurement/coralreef/
http://fprobe.sourceforge.net/
http://www.ntop.org/
Regards,
Stephen.
César Cárdenas wrote:
Many Thanks Kiss, Dear all:
I am using windump (windows 2000)...
I would really appreciate it if you could tell me how I can determine the number of
concurrent TCP connections?
César
cussion forum for this draft? I see a reference
to 'Network Working Group', is this an IETF body?
Regards,
Stephen.
should be off by default and selectable as an option
perhaps, if necessary?
Stephen.
Hannes Gredler wrote:
On Thu, Jul 01, 2004 at 09:32:26PM +1000, Darren Reed wrote:
| I've been using this patch to print IP packets inside PPP HDLC
| frames found in raw 1xRTT traffic. I've been able t
sion 2.4
(Ethernet, capture length 68)
DAG cards have their own native format as well, but the research group may
have converted the traces to libpcap format for public convenience.
Perhaps they did this using CoralReef.
How are you attempting to parse it if you are having
or results, but libpcap is primarily about packet capture.
Stephen.
be determined by the rate, multiplied by the capture time. E.g. 250MB/s *
24 hours.
Stephen.
be as space efficient per record as possible. Extra
information can still be carried in 'file headers', 'metadata packets', or
attached to each packet record in *optional* metadata fields that can be omitted
66 matches