Re: [tcpdump-workers] TPACKET_V3 support added big packet delivery delay and/or affected timestamps

On Dec 4, 2014, at 10:13 AM, Thomas Habets wrote: > Actual behaviour: > $ sudo sh -c "LD_PRELOAD=$HOME/opt/buggypcap/lib/libpcap.so ./arping 10.0.0.1" > ARPING 10.0.0.1 > 60 bytes from 00:xx:xx:xx:xx:xx (10.0.0.1): index=0 time=52.633 msec > 60 bytes from 00:xx:xx:xx:xx:xx (10.0.0.1): index=1 ti

Re: [tcpdump-workers] TPACKET_V3 support added big packet delivery delay and/or affected timestamps

On Dec 5, 2014, at 3:15 AM, Thomas Habets wrote: > On 4 December 2014 at 20:01, Guy Harris wrote: >> If your program needs to have packets delivered as soon as they arrive, it >> should, if the version of libpcap with which it's being built has the >> pca

Re: [tcpdump-workers] Fix FreeBSD capsicum build on FreeBSD 10.1

On Dec 6, 2014, at 6:51 AM, Loganaden Velvindron wrote: > Support for FreeBSD capsicum doesn't work on FreeBSD 10.1, due to > cap_rights_init which returns a struct, instead of an int. Did its return value change in FreeBSD 10? (Presumably it didn't change between 10 and 10.1.) > I think th

Re: [tcpdump-workers] Fix FreeBSD capsicum build on FreeBSD 10.1

On Dec 6, 2014, at 9:19 PM, Loganaden Velvindron wrote: > Here's the config.log output: > > configure:4540: checking for cap_rights_init > configure:4540: cc -o conftest -g -O2 conftest.c >&5 > /tmp/conftest-942ee0.o: In function `main': > /root/tcpdump/tcpdump-4.6.2/conftest.c:66: undefined

Re: [tcpdump-workers] Fix FreeBSD capsicum build on FreeBSD 10.1

On Dec 6, 2014, at 11:44 PM, Loganaden Velvindron wrote: > On Sat, Dec 06, 2014 at 11:41:51PM -0800, Guy Harris wrote: >> >> On Dec 6, 2014, at 9:19 PM, Loganaden Velvindron wrote: >> >>> Here's the config.log output: >>> >>> configure:

Re: [tcpdump-workers] [libpcap] New DLT value Request - Wattstopper DLM (#401)

On Dec 17, 2014, at 12:04 PM, Steve Karg wrote: > For a few years I have been using DLT_USER0 147 (user defined) for capturing > and saving a serial protocol used by Wattstopper Digital Lighting Management > products (see website) and dissecting via Wireshark and Lua. I'm planning on > adding

Re: [tcpdump-workers] Cross-compiling tcpdump with ipv6 enabled

On Dec 17, 2014, at 2:11 PM, Xiufeng Xie wrote: > Currently I need to capture ipv6 packets on Android phone. On my PC, > tcpdump works well with ipv6 traffic, so I also want to try it on the > phone. > > However, when I cross-compile tcpdump for ARM platform with ipv6 enabled, > it is forced

Re: [tcpdump-workers] Fix FreeBSD capsicum build on FreeBSD 10.1

On Dec 7, 2014, at 12:17 AM, Loganaden Velvindron wrote: > Here's the diff: > > index d0e90dd..1620bbb 100644 > --- a/configure.in > +++ b/configure.in > @@ -207,8 +207,10 @@ AC_ARG_WITH(sandbox-capsicum, > # > # All of them must be available in order to enable capsicum sandboxing. > # > +# NOT

Re: [tcpdump-workers] Cross-compiling tcpdump with ipv6 enabled

On Dec 18, 2014, at 1:42 PM, Michael Richardson wrote: > Guy Harris wrote: >> I would vote for assuming that there aren't many buggy implementations >> these days, especially when cross-compiling (which would probably be >> for a Linux or *BSD target, current versi

Re: [tcpdump-workers] Fix FreeBSD capsicum build on FreeBSD 10.1

On Dec 19, 2014, at 8:36 PM, Loganaden Velvindron wrote: > I was looking into the github repo, but couldn't find the change. I didn't check it into the github repo, I checked it into the bpf.tcpdump.org repo. It should eventually get propagated to the github repo. > Do you have the git commi

Re: [tcpdump-workers] [libpcap] New DLT value Request - Wattstopper DLM (#401)

On Jan 8, 2015, at 2:21 PM, Denis Ovsienko wrote: > This is intended not to make things difficult for innovation, but to assist > the people from future who might be trying to debug relevant code much later. ...and to make it easier to implement dissection for the protocols (i.e., you can rea

Re: [tcpdump-workers] [libpcap] New DLT value Request - Wattstopper DLM (#401)

On Jan 8, 2015, at 3:35 PM, Steve Karg wrote: > The Packet Delay field contains an integer value that is the > number of milliseconds since the previous packet. Presumably, in pcap or pcap-ng files with valid packet time stamps, this is redundant. > The Preamble 1 and Preamble 2 fields should

[tcpdump-workers] Libpcap timeout settings in tcpdump - too long when printing to a terminal?

With TPACKET_V3 support, Linux users are discovering what those of us using BSD-flavored OSes have known for quite a while: http://askubuntu.com/questions/570885/can-tcpdump-on-ubuntu-14-04-show-packets-in-real-time Tcpdump uses a timeout of 1 second when opening a capture device; this

Re: [tcpdump-workers] Libpcap timeout settings in tcpdump - too long when printing to a terminal?

On Jan 9, 2015, at 2:09 AM, Michal Sekletar wrote: > Can't we use new default timeout value (lower) if we detect TPACKET_V3, The first sentence of my original mail was "With TPACKET_V3 support, Linux users are discovering what those of us using BSD-flavored OSes have known for quite a while:"

Re: [tcpdump-workers] [libpcap] New DLT value Request - Wattstopper DLM (#401)

On Jan 9, 2015, at 8:08 AM, Steve Karg wrote: > Hello Guy, > >>> The Family/Address/IR field contains 3-bits of family code, 2-bits of >>> address mode, 2-bits of IR (infrared) routing, and 1-bit unused. >>> The 8 Legrand NITOO families are 000=CAD Filaire, 001=TopDog, 010=CAD RF, >>> 011=CAD P

Re: [tcpdump-workers] [libpcap] New DLT value Request - Wattstopper DLM (#401)

On Jan 9, 2015, at 4:11 PM, Steve Karg wrote: >> I.e., following the Family/Address/IR field, other families might not have >> the Sequence ID, Source and Destination MAC addresses, Opcode, and Payload >> Length followed by Payload? > > Yes, that is correct. OK, so we should, for now, indica

Re: [tcpdump-workers] RFC: DLT for "application TCP stream capture"

On Jan 13, 2015, at 6:05 PM, "Paul \"LeoNerd\" Evans" wrote: > I want an HTTP(S) client to write a dump file of the cleartext it is > sending/receiving, so I can analyse it later. I'm feeling like maybe a > pcap or pcapng file is good for that, so wireshark et.al. can be > applied. Ideally it w

Re: [tcpdump-workers] RFC: DLT for "application TCP stream capture"

On Jan 14, 2015, at 12:10 PM, Michael Tuexen wrote: >> On 14 Jan 2015, at 18:19, Denis Ovsienko wrote: >> >>> Eventually, we'll be using this format to debug multi-path TCP, in which >>> case >>> the IP addresses (and maybe even the IP4/IP6-ness of it) might change. >> >> Also there exist

Re: [tcpdump-workers] [libpcap] New DLT value Request - Wattstopper DLM (#401)

On Jan 9, 2015, at 8:08 AM, Steve Karg wrote: > Yes, the Family codes are dependent on the hardware. The WattStopper > DLM hardware uses a USB interface: > http://www.wattstopper.com/products/digital-lighting-management/configuration-tools/dlm-computer-interface-tools-and-software.aspx > and al

Re: [tcpdump-workers] ntopng & packet filter of libpcap

On Jan 23, 2015, at 12:25 PM, Gerhard Mourani wrote: > I’m using ntopng which rely on libpcap for the filtering expression. Below is > what I think to be valide to use into my ntopng configuration file but seem > to not working at all. > > --packet-filter "ip and not proto ipv6 and not ether

Re: [tcpdump-workers] ntopng & packet filter of libpcap

On Jan 23, 2015, at 1:23 PM, Gerhard Mourani wrote: > Yes, it is what I want but seem that ntopng doesn’t take it in consideration > because I can still view packet sent to or from 192.168.2.10! > Therfore, I’m presuming that maybe some () or other characters are missing in > my filtering. No

Re: [tcpdump-workers] ntopng & packet filter of libpcap

On Jan 23, 2015, at 5:44 PM, Gerhard Mourani wrote: > On mine I get: The same code. If you're seeing packets to or from 192.168.2.10, is there some form of tunneling involved, so that the outermost IP addresses, which the filter checks, aren't 192.168.2.10, but some innermore IP addresses ar

Re: [tcpdump-workers] ntopng & packet filter of libpcap

On Jan 23, 2015, at 6:19 PM, Gerhard Mourani wrote: > All packets received come from sFlow protocol activated on remote switches (3 > switches on the LAN). Even if I change IP 192.168.2.10 for 192.168.2.209 > which is the one used by the machine where the program run in other to > exclude sta

Re: [tcpdump-workers] [libpcap] Uninitialized scalar variable

On Jan 27, 2015, at 1:58 AM, PEUGNEZ Baptiste wrote: > I do computer security studies and I wanted to test Coverity, a source code > analysis tool. If you're interested, I corrected a problem in /pcap-linux.c/ > file: uninitialized variable (/req.tp_frame_size/). > > You will find above the G

Re: [tcpdump-workers] odd issue with Linux VLAN interface

On Jan 27, 2015, at 4:09 PM, Denis Ovsienko wrote: > some time ago I did troubleshooting on a Linux PC and that involved running > tcpdump with the "not tcp" filter on a few network interfaces to put a number > of background TCP connections out of scope (I was interested how other > protocols

Re: [tcpdump-workers] odd issue with Linux VLAN interface

On Jan 27, 2015, at 4:28 PM, Denis Ovsienko wrote: > >> I.e., "tcpdump -i eth0 not tcp" prints *only* TCP packets? > > Yes, exactly. Just checked once again. > >> Just out of curiosity, what does "tcpdump -i eth0 -d not tcp" print? > > root@homepc:~# tcpdump -pni eth0 -d not tcp > (000) ldh

Re: [tcpdump-workers] Request for Geneve DLT type

On Jan 27, 2015, at 4:46 PM, Jesse Gross wrote: > I'm working on implementing support for Geneve in libpcap, which is > documented here: > http://tools.ietf.org/html/draft-gross-geneve-02 > > Geneve is a tunneling protocol than can encapsulate many different > things - normally this would be Et

Re: [tcpdump-workers] Libpcap timeout settings in tcpdump - too long when printing to a terminal?

On Jan 9, 2015, at 8:30 AM, Michael Richardson wrote: > Guy Harris wrote: >> The longer timeout can reduce capturing overhead, and if you're >> capturing a high volume of traffic to a file, it's probably the right >> timeout to have. If, however, you

Re: [tcpdump-workers] -C option not working? FreeBSD 10.1

On Feb 18, 2015, at 10:18 AM, Wesley Shields wrote: > I've got a patch for this at > https://github.com/wxsBSD/tcpdump/commit/84998745a29a0ffb3a680c29692c15426a1ce960. I've checked into the trunk a change to check for pcap_dump_ftell() failing (which it should *always* have done; had it done

Re: [tcpdump-workers] Requesting for information related to libpcap library

On Mar 22, 2015, at 11:45 PM, "H R, Shashikumar" wrote: > I am Shashikumar H R currently pursuing M.Tech in Siddaganga Institute of > technology, Tumkur. > Currently I' m doing a project in which the packets are captured in pcap-ng > format. I am using libpcap library(version-1.6.2) to captur

Re: [tcpdump-workers] Format of libpcap packet

On Mar 28, 2015, at 5:46 PM, Jesse Johnson wrote: > I am dissecting pcap packets generated by airodump-ng using libpcap and I > seem to be offset on the access of the Ethernet fram. You're assuming here that you *have* Ethernet frames. "airo" refers to "the air", as in "over the air", as in

Re: [tcpdump-workers] Format of libpcap packet

On Mar 28, 2015, at 9:16 PM, Jesse Johnson wrote: > Can you recommend a text that explains layer 2 networking a little more > succinct than the IEEE standards? Unfortunately, no; I've always used the standard when working on code to dissect 802.11 frames. _

[tcpdump-workers] Handling "-x" and "-xx" if the "link-layer header type" includes metadata

Somebody got confused by tcpdump on OS X Yosemite defaulting to capturing on all devices simultaneously, meaning that it got PKTAP metadata headers: http://www.tcpdump.org/linktypes/LINKTYPE_PKTAP.html and asked about this on SuperUser because the "tcpdump -x" and "tcpdump -xx" output w

Re: [tcpdump-workers] Security vulnerability

On Apr 7, 2015, at 5:28 AM, "H R, Shashikumar" wrote: > While through list vulnerability , It is mentioned that libpcap suffers the > from attack mentioned in below link . > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4174 No, it is not mentioned there. What that link says

Re: [tcpdump-workers] how many stable branches to have

On May 21, 2015, at 11:16 AM, Michael Richardson wrote: > I have no problem with having lts- branches created for distros, and I'd > rather do that than have "old stable". I'd rather call them something like: > wheezy-4.7 > or centos7-4.7 So, if both Chocolate Coated Spinach Linux "O

Re: [tcpdump-workers] some questions regarding pcap_sendpacket()

On Jun 3, 2015, at 6:16 AM, Kiran Mathews wrote: > I am sending this mail to ask some questions regarding pcap.Im doing some > research on synchronisation in wifi. I am trying to synchronise of two > devices by communicating through wifi. > So for this, i use pcap lib for sending and receving th

Re: [tcpdump-workers] Multiple interface listening modification

On Jun 4, 2015, at 12:37 AM, Michal Sekletar wrote: > Can't you just pcap_open more interfaces and for each pcap_t* you get call > pcap_fileno which will return back file descriptor for that capture. Then you > can use select/epoll to multiplex on those descriptors. Or, in newer versions of l

Re: [tcpdump-workers] BPF Extended: addressing BPF's shortcomings

On Jun 10, 2015, at 4:31 PM, Mindaugas Rasiukevicius wrote: > Darren Reed wrote: >> Extending BPF >> = >> >> Introduction >> >> BPF was originally designed to provide very fast packet matching >> capabilities for IPv4 but as a result of its generic nature, is >> capabl

Re: [tcpdump-workers] [tcpdump] New feature to limit capture file size (#464)

On Jun 10, 2015, at 4:35 AM, Darren Reed wrote: > On 10/06/2015 5:42 AM, Michael Richardson wrote: >> re: https://github.com/the-tcpdump-group/tcpdump/pull/464 Guy writes: >>> We have the -C option, giving a file size in megabytes (real megabytes, >>> i.e. 1,000,000 bytes, not 1,048,576 bytes);

Re: [tcpdump-workers] Coredump Without Much Info?

On Jul 10, 2015, at 7:53 AM, Hei Chan wrote: > I am using libpcap 1.4.0 to read in pcap. > And my application crashed at pcap_next() when it read the first packet from > my pcap file:(gdb) bt#0 0x7715a044 in pcap_next () from > /usr/lib64/libpcap.so.1 > > I used wireshark to open the

Re: [tcpdump-workers] Coredump Without Much Info?

On Jul 10, 2015, at 7:53 AM, Hei Chan wrote: > I am using libpcap 1.4.0 to read in pcap. > And my application crashed at pcap_next() when it read the first packet from > my pcap file:(gdb) bt#0 0x7715a044 in pcap_next () from > /usr/lib64/libpcap.so.1 What does "disassemble pcap_next

Re: [tcpdump-workers] Coredump Without Much Info?

On Jul 10, 2015, at 10:41 AM, Hei Chan wrote: > Thanks for your quick reply. > > Here is my code: > pcap_t* m_pPcap; > char *packet; > struct pcap_pkthdr header; > > m_pPcap = pcap_open_offline(pcapFile, errbuf); > if (pcapF

Re: [tcpdump-workers] pcap_next_ex() and pcap_dump() performance decreases over time...

On Aug 22, 2015, at 12:48 PM, barcaroller wrote: > I've been running performance tests against pcap_next_ex() and pcap_dump(). > I've placed micro-second timers around both functions So those are presumably real-time timers rather than CPU timers. > and sent millions of packets to my test pr

Re: [tcpdump-workers] pcap_next_ex() and pcap_dump() performance decreases over time...

On Aug 22, 2015, at 6:03 PM, barcaroller wrote: > Using the Boost timer functions. I could be wrong but I think they are based > on gettimeofday(). So probably real-time. That means that, *if* there are other processes on the machine, some of the time *could* be due to other processes havin

Re: [tcpdump-workers] pcap_next_ex() and pcap_dump() performance decreases over time...

On Aug 22, 2015, at 8:06 PM, barcaroller wrote: > It has puzzled me too. Keep in mind that I am making millions of these pcap > calls; only one of them could be taking 2 seconds. Then the average might be more interesting than the maximum. > I actually read the packets from a pcap file (not

[tcpdump-workers] Should we require Flex to build libpcap?

Currently, we don't use any Flexisms in scanner.l, we *do* use %a 18400 %o 21500 %e 7600 %k 4550 %p 27600 %n 2000 to try to boost some of lex's table sizes to handle it, and we make an effort in the configure file to find regular lex and see if it'

Re: [tcpdump-workers] [tcpdump] Sanity check on major/minor libpcap version

On Oct 8, 2015, at 11:33 AM, Michael Richardson wrote: > wrote: >> Using pcap_major_version() and pcap_minor_version()) in tcpdump when >> reading a file, I found: > >> Most pcap file have major.minor: 2.4 (current PCAP_VERSION_MAJOR and >> PCAP_VERSION_MINOR), > >> a few have: 1.0 (ahcp.pcap

Re: [tcpdump-workers] why does pcap_dispatch return 0?

On Oct 11, 2015, at 5:00 PM, liu wen wrote: > int pcapfd; > pcap_t *pcap_handle; > struct event pcap_ev; > > pcap_handle = create_pcap("eth0", NONBLOCKING); > pcapfd = pcap_get_selectable_fd(pcap_handle); > if(pcapfd<0){ > perror("pcap_get_selectable_fd() failed!\n"); > exit(1); > } > > if (s

Re: [tcpdump-workers] why does pcap_dispatch return 0?

On Oct 11, 2015, at 5:00 PM, liu wen wrote: > then I run the program on host A and send packets from host B, meanwhile I > use a tcpdump to capture packets on A (tcpdump -i eth0 port 8000 ) > the tcpdump can capture the packet, but in the program, pcap_dispatch() > returns 0 when it is called

Re: [tcpdump-workers] pcap_next_ex receive isse

On Oct 23, 2015, at 7:04 AM, Christian Gieseler wrote: > I have a receive thread in my program which shall capture frames according > to a filter. The Host is sending frames with the same multicast destination > mac as I want to receive them with the filter. > Filtering in general works fine. I

Re: [tcpdump-workers] buildbot success in OpenCSW Buildbot on tcpdump-solaris10-i386

On Nov 1, 2015, at 7:18 AM, Denis Ovsienko wrote: > Thank you for fixing this, my Internet link went down shortly after I started > to look into the failure report. Annoyingly, Xcode 7.1's clang didn't catch the format string/argument mismatch on my machine; apparently, if you have a function

Re: [tcpdump-workers] [pcap-ng-format] comments/edits on pcapng

On Nov 10, 2015, at 5:05 PM, Michael Richardson wrote: > I reviewed draft-tuexen-opsawg-pcapng, while it hasn't had an -01, some work > has been occuring in the github copy, and so the effort isn't dead, just not > as visible. The official version of the spec is, indeed draft-tuexen-opsawg-pcap

Re: [tcpdump-workers] [pcap-ng-format] comments/edits on pcapng

On Nov 12, 2015, at 8:26 AM, Michael Richardson wrote: > Guy Harris wrote: > >> I don't see what the problem is with different block types having >> different option name spaces. Common code to handle options in all >> block types wouldn't be that useful

Re: [tcpdump-workers] request for a DLT for ISO14443

On Nov 9, 2015, at 12:29 PM, Martin Kaiser wrote: > I would like to request a DLT for ISO14443. > > ISO14443 is a set of standards defining the communication protocols > between a contactless smartcard and a card reader. There are some > commercially available log tools for capturing such traff

Re: [tcpdump-workers] Cannot find -lpcap when statically compiling a C project

On Nov 19, 2015, at 3:29 PM, liu wen wrote: > I want to statically compile a C project in a laptop(fedora), using command > line like: > > gcc -o myprogram -static main.c ... -levent -lpcap > > but I get error: > > /usr/bin/ld: cannot find -lpcap > /usr/bin/ld: cannot find -lc > > I tried to

Re: [tcpdump-workers] Cannot find -lpcap when statically compiling a C project

On Nov 19, 2015, at 4:35 PM, liu wen wrote: > On Fri, Nov 20, 2015 at 12:52 AM, Guy Harris wrote: > >> On Nov 19, 2015, at 3:29 PM, liu wen wrote: >> >>> I want to statically compile a C project in a laptop(fedora), using command >>> line like: >

Re: [tcpdump-workers] Cannot find -lpcap when statically compiling a C project

On Nov 20, 2015, at 12:32 AM, Jamie Bainbridge wrote: > Fedora has glibc-static, but no libpcap-static. Then he'll have to build libpcap from source. I would suggest building with the *latest* version of libpcap from tcpdump.org, currently 1.7.4: http://www.tcpdump.org/#latest-relea

Re: [tcpdump-workers] Link type FlexRay

On Jan 15, 2016, at 10:44 AM, Guenter Ebermann wrote: > For which type of frame was the LINKTYPE_FLEXRAY 210 allocated? > > The file > https://github.com/the-tcpdump-group/libpcap/blob/master/pcap-common.c > simply state that: > /* > * FlexRay automotive bus - http://www.flexray.com/ - as req

Re: [tcpdump-workers] Link type FlexRay

On Jan 19, 2016, at 9:35 AM, Guenter Ebermann wrote: > I asked Hannes about DLT_FLEXRAY. > He told me that they currently dont use pcap for FlexRay and have only > used it in a limited scenario and that we are free to change the > layout. > The format represented the bitsream from the bus 1:1 wi

Re: [tcpdump-workers] Link type FlexRay

On Jan 19, 2016, at 5:50 PM, Guy Harris wrote: > OK, so the new format is that the frame begins with a measurement header, > which is followed by the bitstream from the bus? > > Is the bitstream from the bus padded in that fashion? > > From the Wikipedia article on FlexRay

Re: [tcpdump-workers] Link type FlexRay

On Jan 20, 2016, at 7:38 AM, Guenter Ebermann wrote: > I have a first draft of the packet-specification available: > https://bugs.wireshark.org/bugzilla/attachment.cgi?id=14264 So it looks as if the extra low-level framing bits aren't included; is that correct? The Frame Header is 16 bits; do

Re: [tcpdump-workers] Adding loopback adapter detection for Windows

On Jan 24, 2016, at 6:46 AM, Yang Luo wrote: > I have implemented a loopback adapter called "Npcap Loopback Adapter" on > Windows. It's like lo in linux. I know that libpcap recognizes "lo" by just > matching the adapter name with "lo". ...*if* the OS doesn't helpfully provide, as one of the int

Re: [tcpdump-workers] Adding loopback adapter detection for Windows

On Jan 24, 2016, at 8:30 AM, Yang Luo wrote: > I forgot about one most important thing that libpcap seemingly doesn't > compile under Windows, even if there's a Win32\Prj in it. Actually I got > many errors when I build libpcap under VS2005. > > I am quite confused with some lines like this in p

Re: [tcpdump-workers] Adding loopback adapter detection for Windows

On Jan 24, 2016, at 7:47 PM, Yang Luo wrote: > My ubuntu 14.04 shows the lines below, so I think it doesn't support > IFF_LOOPBACK. > root@ly-controller:~# ifconfig lo > loLink encap:Local Loopback > > inet addr:127.0.0.1 Mask:255.0.0.0 > inet6 addr: ::1/128 Scope

Re: [tcpdump-workers] Need to drop packets using tcpdump

On Feb 4, 2016, at 5:48 PM, Rahmadi Trimananda wrote: > I am a beginner user of tcpdump. What I want to do is to write my own > version of tcpdump (or just extend it) to drop/reject network packets. > AFAIK, tcpdump and libpcap can only sniff packets. You are correct. The operating system mecha

Re: [tcpdump-workers] tcpdump -y

On Mar 3, 2016, at 2:17 PM, jing dai wrote: > I'm using tcpdump over a data link type. > > tcpdump -y PPP -c 1 No, what you're doing is using tcpdump on a *network interface*, and *trying* to use a particular data link type on that interface. > Here's prompt message, PPP is not

Re: [tcpdump-workers] What's the difference between NdisMediumBare80211 (DLT_IEEE802_11) and NdisMediumRadio80211 (DLT_IEEE802_11_RADIO)

On Apr 3, 2016, at 11:47 PM, Yang Luo wrote: > I'm adding Native 802.11 capture support to Npcap and demonstrate it on > Wireshark. (See: > https://github.com/nmap/npcap/releases/download/v0.06-r13/npcap-nmap-0.06-r13-wifi.exe). > I found that the there are two 802.11 related values to show the a

Re: [tcpdump-workers] What's the difference between NdisMediumBare80211 (DLT_IEEE802_11) and NdisMediumRadio80211 (DLT_IEEE802_11_RADIO)

On Apr 6, 2016, at 5:41 PM, Yang Luo wrote: > I wonder why this mail went to my spam.. I don't know anything about radiotap > header so I'm afraid i'm not supplying it. It's a way to provide "radio metadata" for packets; see http://www.radiotap.org for a description of it. If you wer

Re: [tcpdump-workers] Disable address/name resolution in libpcap

On Apr 13, 2016, at 8:44 AM, Ed Sealing wrote: > Is there a way to programatically disable name resolution in libpcap No. > (similar to tcpdump "-n" argument)? I haven't been able to find a variable > to pass in that would accomplish this directly in the library. I'm sure it > exists, but can't

Re: [tcpdump-workers] Disable address/name resolution in libpcap

On Apr 14, 2016, at 12:05 AM, Denis Ovsienko wrote: > On Wed, 13 Apr 2016 16:44:24 +0100 Ed Sealing wrote >> We're writing an application around libpcap. The app may or may not have >> DNS resolution available. We've noticed that when DNS resolution is not >> available, we experienc

Re: [tcpdump-workers] posix_fadvise()

On Apr 19, 2016, at 10:02 AM, Denis Ovsienko wrote: > As far as documentation goes, some sense may be presumed in libpcap calling > posix_fadvise() with POSIX_FADV_SEQUENTIAL. This way the OS would be able to > adjust the buffers better to read the .pcap file. Does anybody have any > practical

[tcpdump-workers] Recommendations for a USB Wi-Fi adapter for testing monitor-mode support in libpcap/WinPcap

I have a collection of VMware Fusion virtual machines that I use for libpcap/WinPcap development. Until recently, I was able to test monitor-mode support by plugging in a Belkin Wireless G adapter (with a Zydas chip) into my Mac and telling Fusion to connect it to the virtual machine. That no

Re: [tcpdump-workers] libpcap: fatal flex scanner internal error--end of buffer missed

On Jun 7, 2016, at 6:02 AM, ikuzar RABE wrote: > I catched the segfault with gdb. This time I put tcp as filter: > >Program received signal SIGSEGV, Segmentation fault. > [Switching to Thread 0x76125700 (LWP 5304)] > 0x7772ddcb in pcap_lex () at scanner.c:3860 > 3860scanner.c

Re: [tcpdump-workers] Hardware Timestamping Problem

On Jun 8, 2016, at 5:53 AM, Christian wrote: > Now, my results in itself make sense and would give me the desired results, > but they have a big offset to them. 36 seconds to be exact. So you're saying there's a 36-second offset between which two times?

Re: [tcpdump-workers] Hardware Timestamping Problem

On Jun 8, 2016, at 1:29 PM, Christian Rupp wrote: > The Timestamp when tcpdump grabs the package off of the receiver is 36 > seconds( +/- innaccuracy, here roughly +/- 5-10 µs) after the timestamp when > tcpdump grabs the package of the sender. "The" packet in the sense that you have two tcp

Re: [tcpdump-workers] Hardware Timestamping Problem

On Jun 9, 2016, at 1:19 PM, Guenter Ebermann wrote: >> Am 09.06.2016 um 15:47 schrieb Michael Richardson : >> >> Guenter Ebermann wrote: >>> Hardware timestamping of sending/receiving buffer descriptors is done >>> by NIC. >> >> Receiving I understand. >> >> Are you sure that the hardware is

Re: [tcpdump-workers] Hardware Timestamping Problem

On Jun 9, 2016, at 4:09 PM, Guenter Ebermann wrote: > >> Am 10.06.2016 um 00:13 schrieb Guy Harris : >> >> But that doesn't mean that the packets time stamped by the hardware when >> transmitted will be delivered to the PF_PACKET sockets used by libpcap *wit

Re: [tcpdump-workers] Hardware Timestamping Problem

On Jun 9, 2016, at 4:47 PM, Guenter Ebermann wrote: > They are only delivered to the socket on which the packet was sent, not to > all PF_PACKET sockets. Then Christian can't get what I think he wants with libpcap - or anything else doing PF_PACKET socket capturing on Linux - without doing so

Re: [tcpdump-workers] openssl 1.1 changes required for tcpdump: what minimum openssl?

On Jun 22, 2016, at 3:24 PM, Michael Richardson wrote: > It looks like openssl has obsoleted the EVP_CIPHER_CTX type in 1.1.x. > While 1.1 isn't shipping widely yet, I'd rather be ready. > I have looked through openssl to see if we can replace it easily, > and if the replacement will work in 1.0.

Re: [tcpdump-workers] Need precompiled source files in libpcap

On Jun 24, 2016, at 8:58 PM, Yang Luo wrote: > I found that there are a lot of “precompiled source code files" like > grammar.c, scanner.c, grammar.h, ,scanner.h, etc. (which are also listed in > .gitignore). They are NOT contained in the libpcap repo. > > I personally want to ship them in the

Re: [tcpdump-workers] Need precompiled source files in libpcap

On Jun 25, 2016, at 7:25 AM, Yang Luo wrote: > On Sat, Jun 25, 2016 at 3:09 PM, Guy Harris wrote: > >> On Jun 24, 2016, at 8:58 PM, Yang Luo wrote: >> >>> I found that there are a lot of “precompiled source code files" like >>> grammar.c, scanner.

Re: [tcpdump-workers] Is it OK to rename the MSVC project name from "libpcap" to "wpcap"?

On Jun 25, 2016, at 8:01 AM, Yang Luo wrote: > We know that the libpcap Windows version is called "wpcap", including the > project files names (wpcap.sln, wpcap.vcxproj) and the library name > (wpcap.dll). But the current libpcap trunk project is called "libpcap.sln", > and the built executabl

Re: [tcpdump-workers] Is it OK to rename the MSVC project name from "libpcap" to "wpcap"?

On Jun 25, 2016, at 5:56 PM, Yang Luo wrote: > Thanks! Then I will rename the MSVC project files later if you didn't do that. I haven't renamed them. ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/

Re: [tcpdump-workers] Add WinPcap specific functions like pcap_open() to libpcap on Windows for binary compatibility

On Jun 27, 2016, at 11:22 PM, Yang Luo wrote: > So my thought is we need to add back those functions to libpcap on Windows, > the related source code files are remote-ext.h, pcap-new.c, etc, which don't > exist in libpcap. So are we OK with this? I am not OK with any solution that reintroduces

Re: [tcpdump-workers] Remove the eproto_db symbol exporting to keep the DLL delay-load feature on Windows

On Jun 27, 2016, at 10:56 PM, Yang Luo wrote: > Because of libpcap has exported the a data structure called eproto_db > (https://github.com/the-tcpdump-group/libpcap/blob/master/nametoaddr.c#L320), > when I compiled WinDump in MSVC specifying "wpcap.dll" as a delay loaded DLL, > I encountered

Re: [tcpdump-workers] Need precompiled source files in libpcap

On Jun 30, 2016, at 12:59 PM, Yang Luo wrote: > But I encountered an issue here, the built out scanner.h and scanner.c will > report these errors: > > 1> gencode.c > 1>..\scanner.h(239): fatal error C1083: Cannot open include file: 'unistd.h': > No such file or directory > 1> grammar.c > 1>.

Re: [tcpdump-workers] Where to put the TcApi.h?

On Jun 30, 2016, at 3:14 PM, Yang Luo wrote: > TcApi.h is contained in WinPcap but not in libpcap. Where to put it? Put it in the devpack/include directory underneath the directory in which the TurboCap API: https://support.riverbed.com/content/support/software/steelcentral-npm/turboc

Re: [tcpdump-workers] try to make tcpdump, but failed

On Jun 24, 2016, at 9:16 PM, 冲民过人 wrote: > I am try to make the tcpdump source code. first i run configure, and meet > some errors in the following. i already got the libpcap,but still get some > error. The attachment files are the config.log of tcpdump and libpcap. Unfortunately, the atta

Re: [tcpdump-workers] Pcap link type of InfiniBand

On Jun 25, 2016, at 11:20 PM, Tal Attaly wrote: > I would be happy if someone could help - Pcap link type of InfiniBand > http://stackoverflow.com/questions/37936754/pcap-link-type-of-infiniband The help that would be needed here would be code for Wireshark to interpret LINKTYPE_INFINIBAND, whi

Re: [tcpdump-workers] Pcap link type of InfiniBand

On Jul 6, 2016, at 12:50 PM, Guy Harris wrote: > Currently, Wireshark includes no code to process those frames, so it cannot > handle LINKTYPE_INFINIBAND pcap files or packets for LINKTYPE_INFINIBAND > interfaces in pcapng files. BTW, LINKTYPE_INFINIBAND was, according to p

Re: [tcpdump-workers] Pcap link type of InfiniBand

On Jul 6, 2016, at 12:50 PM, Guy Harris wrote: > Currently, Wireshark includes no code to process those frames, so it cannot > handle LINKTYPE_INFINIBAND pcap files or packets for LINKTYPE_INFINIBAND > interfaces in pcapng files. tcpdump doesn't have any code to process them

Re: [tcpdump-workers] Pcap link type of InfiniBand

On Jul 6, 2016, at 11:42 PM, Tal Attaly wrote: > I understand that LINKTYPE_ value just saves an id for the link type, but > parsing code for InfiniBand is exist in wireshark - under ERF link type > (Extensible Record File), so I wonder why not using the actual link type of > InfiniBand. LINK

Re: [tcpdump-workers] Pcap link type of InfiniBand

On Jul 6, 2016, at 11:58 PM, Tal Attaly wrote: > Buy the way, for the user it looks like wireshark does support InfiniBand There's "supports InfiniBand" and there's "supports LINKTYPE_INFINIBAND". If there were, for example, an "InfiniBand over Ethernet" or "InfiniBand over UDP" protocol, tra

Re: [tcpdump-workers] Request DLT_/LINKTYPE_ value for vSockets

On Jul 15, 2016, at 7:32 AM, Gerard Garcia wrote: > vSockets are used for host<>guest communication using the standard socket > API. They already supported in the mainline Linux kernel and can be used in > VMware VMs. > > There is an ongoing work to implement a virtio transport which will add

Re: [tcpdump-workers] Request DLT_/LINKTYPE_ value for vSockets

On Jul 15, 2016, at 12:18 PM, Gerard wrote: > There are control packets which don't have payload, So presumably AF_VSOCK_OP_CONTROL packets are control packets that have no payload; are AF_VSOCK_OP_CONNECT and AF_VSOCK_OP_DISCONNECT also packets with no payload? (Presumably no packets should

Re: [tcpdump-workers] Request DLT_/LINKTYPE_ value for vSockets

OK, so here's a description of the header, in the style of other pages linked to by the "Link-layer header types" page: Packet structure +---+ | Source CID| | (8 Octets)| +---+ | Destination CID | |

Re: [tcpdump-workers] Request DLT_/LINKTYPE_ value for vSockets

On Jul 19, 2016, at 7:12 AM, Gerard Garcia wrote: >> 2) What is the format of the transport header? > > It is well described in the virtio vsock specification: > https://stefanha.github.io/virtio/#x1-287 May we just link there? If that's struct virtio_vsock_hdr { le64 src_cid;

Re: [tcpdump-workers] Problems with ns Timestamps

On Jul 28, 2016, at 7:12 AM, Christian wrote: > I have encountered a problem. > > I am capturing Packages with hardware timestamps and nanosecond > precision...but the timestamps are bugged. > > sadly I'm not at the place where I captured the data, so the used used > command might be slightl

Re: [tcpdump-workers] Problems with ns Timestamps

On Jul 28, 2016, at 11:59 AM, Christian Rupp wrote: > Tcpdump is printing a good timestamp wrong, as far as i can tell. So did you build tcpdump from source, or is this a binary version from your Linux distribution? Which version of tcpdump is this? ___

Re: [tcpdump-workers] Request for new DLT for RFTAP

On Aug 31, 2016, at 9:18 AM, Jonathan Brucker wrote: > I am posting to request a value for DLT_RFTAP and LINKTYPE_RFTAP. > > RFtap is a simple protocol designed to provide Radio Frequency (RF) > metadata about packets, What types of packets? 802.11 packets? If so, this is probably better done

<    16   17   18   19   20   21   22   23   24   25   >