Re: [tcpdump-workers] question on DLT_ types

On Thu, Mar 25, 2004 at 02:00:44PM -0600, alex medvedev wrote: | hi, | | how do the DLT_ types get assigned? post your request to the list ... first come first serve once its in the code it is assigned | is there some "central authority" that does it? no | or are they arbitrarily assigned

Re: [tcpdump-workers] Patch for libpcap pcap_stats_linux

On Wed, Mar 31, 2004 at 10:16:55AM +0200, Alberto Ornaghi wrote: | Hannes Gredler wrote: | >On Fri, Jan 02, 2004 at 09:33:31AM +1100, Erik de Castro Lopo wrote: | > | >| The patch below, adds a static variable to pcap_stats_linux() which | >| holds a running total of the packet statis

Re: [tcpdump-workers] proposed new pcap format

On Thu, Mar 25, 2004 at 09:25:43AM -0800, Richard Sharpe wrote: | On Fri, 26 Mar 2004, Darren Reed wrote: | | > > okay, divide the 32-bit space into two 16-bit spaces. | > > vendor 0 will be reserved. | > > tcpdump.org will be vendor 1. | > > | > > vendor 0x will be reserved (for the

Re: [tcpdump-workers] Proposed new pcap format

On Wed, Apr 14, 2004 at 03:06:09AM -0400, Jefferson Ogata wrote: [ ... ] | I think we should take a hard look at | whether it's really appropriate to define yet another hard binary file | format when XML can provide the same

Re: [tcpdump-workers] Proposed new pcap format

On Wed, Apr 14, 2004 at 08:25:25AM +0200, Fulvio Risso wrote: | I agree with Loris. | I know that this flag would be extremely useful, but there are no guarantees | that you're able to get this info from the NIC / NIC driver. | Perhaps, what we should to is to use 2 bits for each flag, where the f

Re: [tcpdump-workers] IGRP

On Wed, Apr 28, 2004 at 10:03:56PM -0400, Michael Richardson wrote: | -BEGIN PGP SIGNED MESSAGE- | | | Hannes, | ipproto.c has IPPROTO_IGRP, but ipproto.h doens't define it. | | Is this supposed to be protocol=9 ("IGP"), which you have as | IPPROTO_PIGP, or??? yes, cisco is using prot

Re: [tcpdump-workers] IGRP

On Wed, Apr 28, 2004 at 07:23:31PM -0700, Guy Harris wrote: [ .. ] | The "temporary patch" Michael checked in is, in fact, the correct fix. | | That raises another question, though - "print-ip.c" now treats both | protocol 9 and protocol 88 as IGRP, but the packet formats are, I | think, differe

Re: [tcpdump-workers] text format stability

eddie, i did most of the vflag changes in the last 18 months along with my work on the rsvp,bgp,isis,ospf,lmp,rip,pim,eigrp dissectors; the rationale behind this is that you get brief one-line information that is good enough for troubleshooting and for a detailed information (vv) we switch to mul

Re: [tcpdump-workers] text format stability

On Thu, Jun 24, 2004 at 10:56:09AM -0700, Eddie Kohler wrote: eddie, [ ... ] | Similarly, it seems a mistake to put IP header information (tos, ttl, id, | offset, flags, proto, length) before the addresses. This changes | longstanding tcpdump practice and makes the output *less* readable, sin

Re: [tcpdump-workers] text format stability

eddie, On Fri, Jun 25, 2004 at 09:34:47AM -0700, Eddie Kohler wrote: | These changes should not have been implemented globally, without some flag | or option to preserve the old behavior. Such a flag should be added. i had to make a call between polluting the code base further with new flags

Re: [tcpdump-workers] text format stability

On Fri, Jun 25, 2004 at 02:21:24PM -0700, Christian Kreibich wrote: | Hi, | | On Fri, 2004-06-25 at 02:04, Hannes Gredler wrote: | > | > i am a believer that networking dissectors should print data in the order | > they arrive ... header information comes before ip adresses, right ? | &

Re: [tcpdump-workers] Patch to print out IP data in PPP HDLC packets

darren, can we have a .pcap sample showing such a frame for the /tests directory ? /hannes On Thu, Jul 01, 2004 at 09:32:26PM +1000, Darren Reed wrote: | I've been using this patch to print IP packets inside PPP HDLC | frames found in raw 1xRTT traffic. I've been able to find few | details on t

Re: [tcpdump-workers] Patch to print out IP data in PPP HDLC packets

darren, see questions/responses inline; On Fri, Jul 02, 2004 at 01:28:20AM +1000, Darren Reed wrote: | In some email I received from Hannes Gredler, sie wrote: | > darren, | > | > can we have a .pcap sample showing such a frame for | > the /tests directory ? | | I've semi-hand

Re: [tcpdump-workers] Patch to print out IP data in PPP HDLC packets

On Thu, Jul 01, 2004 at 09:32:26PM +1000, Darren Reed wrote: | I've been using this patch to print IP packets inside PPP HDLC | frames found in raw 1xRTT traffic. I've been able to find few | details on the actual PPP header format apart from what "0x7eff" | means and observing traffic for 0x7e21.

Re: [tcpdump-workers] Bug in print-ppp.c

thanks for your submission - checked in; - /hannes On Tue, Jul 13, 2004 at 03:04:43PM +1000, Darren Reed wrote: | I've come across a packet that causes me to get a stack trace something | like this: | #0 0x in ?? () | #1 0x0807a0bd in handle_ctrl_proto (proto=32855, pptr=0x8195c82 "\001"

Re: [tcpdump-workers] How tcpdump works?

On Thu, Jul 22, 2004 at 01:03:49PM +0200, C?sar C?rdenas wrote: | Hi: | | In reviewing a file captured from a server I found my IP adress as a source | or as a destination, but there is not combination without my IP adress. | most likely you have a LAN-switch in your network, which means that yo

Re: [tcpdump-workers] New DLT needed for PPP active/passiv filtering

karsten, could you elaborate a bit more on "it creates binary incompatible filters"; in my testbed the linux machine creates 100% correct BPF filters; e.g. --->encaps is LINUX_SLL # tcpdump -i ppp0 icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on p

Re: [tcpdump-workers] modifying source code

On Tue, Aug 17, 2004 at 03:16:27AM +0100, neha agrawal wrote: | hello! | i am capturing packets using tcpdump. i want | to read the packet header and all.. as tcpdump reads | and put the information in data base.i dont want to | read from output generated by tcpdump.. but read | informatio

Re: [tcpdump-workers] New DLT needed for PPP active/passiv filtering

karsten, i have checked in support for the new DLT_PPP_WITH_DIRECTION (166) and LINKTYPE_PPP_WITH_DIRECTION (166) also i tweaked libpcap to treat it like PPP plus support of the inbound/outbound tokens; see below testresults ... # ./tcpdump -dr ppp-dlt166.p

Re: [tcpdump-workers] New DLT needed for PPP active/passiv filtering

karsten, i have checked in support for DLT_PPP_WITH_DIRECTION in tcpdump and the PPP printer - the PPP printer shows now the direction (hidden under the -e flag) /hannes --- karsten, i have checked in support for the new DLT_PPP_WITH_DIRECTION (166) and L

Re: [tcpdump-workers] New DLT needed for PPP active/passiv filtering

karsten, could not reprodoce -> anoncvs is working for me; can you try again, pls ? /hannes On Thu, Aug 19, 2004 at 02:56:47AM +0200, Karsten Keil wrote: | On Wed, Aug 18, 2004 at 06:36:22PM +0200, Karsten Keil wrote: | > Hi Hannes, | > | > On Wed, Aug 18, 2004 at 05:27:41PM +

Re: [tcpdump-workers] New DLT needed for PPP active/passiv filtering

On Thu, Aug 19, 2004 at 02:52:38PM +0200, Karsten Keil wrote: | On Thu, Aug 19, 2004 at 01:27:45PM +0200, Hannes Gredler wrote: | > karsten, | > | > could not reproduce -> anoncvs is working for me; | > can you try again, pls ? | > | | I think because your IP was registered

Re: [tcpdump-workers] x.9 branch

On Thu, Sep 23, 2004 at 12:23:55PM -0700, Guy Harris wrote: | (blah blah blah the other brain fart was sending it from sonic.net again | blah blah blah duplicate message dissector blah blah blah) | | Michael Richardson wrote: | | > You tell me. | > We didn't do a 0.8.4 yet, but this sounds lik

Re: [tcpdump-workers] Buffer size question

shouldn't we have upper/lower boundary checks for such a buffer ? i.e. minbuffer 1.5K maxbuffer 128K /hannes On Thu, Oct 14, 2004 at 02:29:14PM -0400, Ed Maste wrote: | > I'll download one of the nightly tars and try out the | > environment variable idea. | | Here's my simple patch to all

Re: [tcpdump-workers] packet dumping

hi, i am not 100% sure if i do understand your question; if its regarding printing a hexdump of an arbitrary (including ICMP) then you may want to try tcpdump with the -X flag; see the tcpdump man page for details; /hannes On Sat, Jan 01, 2005 at 05:30:03AM -0800, linux lover wrote: | Hi all,

Re: [tcpdump-workers] Problem in print-egp.c

checked in 3_8 and HEAD branch - tx, /hannes On Fri, Jan 07, 2005 at 07:45:32PM +0100, [EMAIL PROTECTED] wrote: | | Hi, | There is a bug in egp_print fonction from print-egp.c | tcpdump don't print correct egp packet smaller than 32bytes, because their | size was inferior to egp struct size. | He

Re: [tcpdump-workers] More information about print_egp problem

On Tue, Jan 11, 2005 at 02:53:29AM +0100, [EMAIL PROTECTED] wrote: | Hi, | There is an error in the last message tcpdump print correctly egp paquet | in ascii and hexadecimal, but for egp paquet neighbor reachabily messages | the autonomous system num and the sequence num are not printed. I can see

Re: [tcpdump-workers] guessing when TSO is present

checked in - thanks for the submission - /hannes On Wed, Jan 19, 2005 at 05:35:13PM -0800, Rick Jones wrote: | A while back I think I posted something asking about what to do about TSO | (large send) and how it generated "IP bad-len 0" output when tracing on a | TSO-enabled sender. | | I had a

Re: [tcpdump-workers] DLT_PRISM_HEADER etc. and bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel")

On Wed, Jan 26, 2005 at 01:44:28PM +0100, Karl Gaissmaier wrote: | Hello, | | the following bpf filters with ethernet addresses like | 'ether host ' or synonym: 'wlan host ' | and others with mac address checks like gateway, multicast, ... | are not handled within gencode.c if you monitor a WLAN d

Re: [tcpdump-workers] can't do CVS checkouts/updates anymore

't do CVS pserver operations anymore (at | least half a year, but since I had no need to actually do anything | to the sources, I never bothered enough to send mail). | | I asked Hannes Gredler privately, he says "works for me", but it | doesn't work for me. I tried 4 differen

Re: [tcpdump-workers] Welcome to the tcpdump-workers list!

On Fri, Feb 18, 2005 at 03:28:50PM +0400, Ramsurrun Visham wrote: | Hi, | | 1) wanted to ask how to make tcpdump show mac addresses? use the e flag [tcpdump -e ] for displaying link-layer information; | 2) how can I pass the packet that has been captured by tcpdump to iptables? | not sure i

Re: [tcpdump-workers] ICMP header

On Sun, Feb 27, 2005 at 10:37:34PM +0400, Ramsurrun Visham wrote: | Hi to all, | | I would like to know how do we grab the icmp header from an ethernet frame. I believe we have to jump pass the ethernet and IP headers.. no - we actually need to parse through the IP header to find out if the head

Re: [tcpdump-workers] Problem with packet on ATM

On Tue, Mar 01, 2005 at 10:19:25AM +0100, Eric Leblond wrote: | Hi, | | I had to dump some RFC2684 atm bridge interfaces for a customer. We | often have some strange messages : | 09:09:43.262575 77:9c:7d:60:8:0 c:3f:b4:8:0:0 4500 401: | 0183 df1d 7111 96fb 527f 2537 d

Re: [tcpdump-workers] Customization of tcpdump for some specific requirements...

On Tue, Apr 05, 2005 at 10:36:59AM -0700, Shyam Kumar wrote: | | [1] Data Representation is handled by tcpdump code only or both by | tcpdump code & libpcap code?? if by data-representation you mean dissecting protocols then this is done by tcpdump; | [2] which *.c & *.h files deals with data r

Re: [tcpdump-workers] Automatic report from sources (tcpdump libpcap

ack, will do ... - /hannes On Sat, Apr 09, 2005 at 03:18:28AM -0700, Guy Harris wrote: | Automatic cvs log generator /tcpdump/bin/makelog wrote: | | >Description: | >-add support for llc based protocols (iso, etc..) for ethernet | > by checking the proto against the ethermtu and bumping | > the l

Re: [tcpdump-workers] pcap next gerneration / adding communication

On Fri, Apr 08, 2005 at 05:15:15AM -0700, Bruce M Simpson wrote: | On Fri, Apr 08, 2005 at 11:57:33AM +0200, Pilz Rene wrote: | > I want to add a feature where someone can connect and use a | > network-interface of a remote computer to capture data. As ronnie | > sahlberg has already pointed out

Re: [tcpdump-workers] pcap next gerneration / adding communication

way. | | /rene | | Hannes Gredler wrote: | | >On Fri, Apr 08, 2005 at 05:15:15AM -0700, Bruce M Simpson wrote: | >| On Fri, Apr 08, 2005 at 11:57:33AM +0200, Pilz Rene wrote: | >| > I want to add a feature where someone can connect and use a | >| > network-interface of a remote co

Re: [tcpdump-workers] compile failed on NetBSD-1.6.2

checked in; - /hannes On Tue, Apr 12, 2005 at 06:38:18AM +0900, TANAKA Shin-ya wrote: | Hi, | while trying to compile libpcap-2005.04.11 on NetBSD-1.6.2, I got this error: | | $ make | gcc -O2 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./pcap-bpf.c | ./pcap-bp

Re: [tcpdump-workers] (3) tcpdump infinite loop bugs... (2 fixed in cvs it seems, 1 not)

On Sun, Apr 24, 2005 at 04:02:56PM -0400, v9 wrote: | | i'm not totally sure this is the right place to send this, but i hope | so. it is the right place ... | | 3 infinite loop dos bugs... the bgp and ldp one SEEM to be fixed in the | cvs versions...the isis one isn't. have checked in f

Re: [tcpdump-workers] another infinite loop in tcpdump, RSVP this time (ethereal too)

On Sun, Apr 24, 2005 at 10:11:53PM -0400, v9 wrote: | | sorry i didn't include this one in the original message...noticed it fixed in tcpdump cvs and 3.9 - tx, /hannes - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] (3) tcpdump infinite loop bugs... (2 fixed

for software [3.9,cvs] that has not even been released yet ? - /hannes On Mon, Apr 25, 2005 at 05:28:51PM +0200, Romain Francoise wrote: | Can someone request CAN numbers for these? Michael? | | -- | ,''`. | : :' :Romain Francoise <[EMAIL PROTECTED]> | `. `' http://people.de

Re: [tcpdump-workers] tcpdump - fragmented?

i am not sure if i understand your question: if your question is "does tcpdump indicate if an IPv4 packet is fragmented ?" then the answer is yes, we do display the offset and more-fragment header flags in verbose (-v) mode; /hannes On Tue, Apr 26, 2005 at 11:01:09AM -, soumya r wrote: | Hell

Re: [tcpdump-workers] (3) tcpdump infinite loop bugs... (2 fixed

On Mon, Apr 25, 2005 at 07:16:39PM +0200, Romain Francoise wrote: | Hannes Gredler <[EMAIL PROTECTED]> writes: | | > for software [3.9,cvs] that has not even been released yet ? | | All the exploits mention tcpdump 3.8.x as being affected. I didn't run | them to check that it

Re: [tcpdump-workers] (3) tcpdump infinite loop bugs... (2 fixed

On Tue, Apr 26, 2005 at 07:40:42PM +0200, Romain Francoise wrote: | Hannes Gredler <[EMAIL PROTECTED]> writes: | | > you're right for 3.8 it makes sense ... i did check meanwhile and both | > isis and rsvp are affected [just committed the outstanding 3.8 fix for | > rsvp] |

Re: [tcpdump-workers] 802.1Q VLAN packets

On Tue, May 10, 2005 at 04:09:36PM +, David Moron wrote: | Hi, | | Where can I find the files related to the VLAN packets. I'm trying to | write a simple program to extract IP packets inside VLAN packets using pcap. for the BPF code generator look into gencode.c / libpcap for the vlan printe

Re: [tcpdump-workers] preperation for 3.9 branch

On Mon, May 16, 2005 at 11:20:20AM -0700, Guy Harris wrote: | Gianluca Varenni wrote: | | >Is there any new plan for the release of libpcap 0.9? | | At this point, I don't have anything additional planned for tcpdump | (other than perhaps grabbing some more capture files from the Ethereal | Web

Re: [tcpdump-workers] 3.9 release

go ahead .. i have committed my stuff - /hannes On Wed, May 25, 2005 at 01:19:02PM -0400, mcr wrote: | -BEGIN PGP SIGNED MESSAGE- | | | Hi, I haven't cut the branch yet. Tonight, I think. | | I have a good excuse --- a child process was spawned, and it doesn't | take well to resour

Re: [tcpdump-workers] MPLS

On Fri, Jun 10, 2005 at 12:07:44PM +0200, Paolo Lucente wrote: | Hello, | i wish to share (hoping it might be found of interest) a patch i've | written for personal use; it merges fine against the daily tarball of | 09-06-2005 (yesterday). It aims to enhance the actual support for MPLS | label hier

Re: [tcpdump-workers] septel support on libpcap

On Thu, Jun 23, 2005 at 10:39:59PM +0300, gilbert HOYEK wrote: [ ... ] | Note: dissectors for ss7 protocols do not exist in tcpdump , so anyone who | would use it with tcpdump must add these dissectors.Instead they do exsit | in Ethereal. gilbert, call for you to write one ;-) - let me know if y

Re: [tcpdump-workers] print GRE over IPv6 packets

On Sat, Jul 02, 2005 at 11:45:56AM +0200, Gert Doering wrote: | Hi, | | I'm working on adding Cisco-compatible GRE over IPv6 tunneling, and | the following patch to tcpdump makes tcpdump dissect Cisco-encapsulated | GRE-over-IPv6 packets. | | The current GRE RFC (rfc2784) neither documents IPv6-o

Re: [tcpdump-workers] IP header filtering of MPLS packets

sven, you need to specify the keyword "mpls" in order to shift the offsets to match IP addresses; i.e. tcpdump -n -i eth1 -O -vv "mpls && src net 195.113.0.0/16" pls turn off the optimizer [-O flag] as without tcpdump returns the error "tcpdump: expression rejects all packets"; guy, do you h

Re: [tcpdump-workers] IP header filtering of MPLS packets

seven, sorry brain-fart; the optimizer does the right thing; the problem is that the bpf_code generation in conjunction with the keyword "mpls" is broken; i'll have a a look at that; /hannes -- sven, you need to specify the keyword "mpls" in order to shift the offsets to match IP addresses;

Re: [tcpdump-workers] IP header filtering of MPLS packets

sven, i have just checked in a fix for MPLS code generation into libpcap HEAD and 0_9: --- if we have a MPLS label stack deeper > 1 then generate a match for a cleared bottom-of-stack-bit of the previous MPLS shim header rather than just incrementing the offset; if there is a compined ex

Re: [tcpdump-workers] print-slow.c

On Tue, Jul 12, 2005 at 11:10:38PM -0700, Loris Degioanni wrote: | Some genius had the idea of adding a new file (print-slow.c) to the | repository few hours before the x.9.2 release, without at least trying | to recompile on all the platforms. Result: tcpdump 3.9.2 doesn't compile | under Windo

Re: [tcpdump-workers] [PATCH] Updated time-based dumpfile rotation (against 3.9.1)

will, pls could you re-submit your patch as a unified diff against CVS head; /hannes On Tue, Jul 19, 2005 at 10:29:04PM -0700, Will Drewry wrote: | Hi All - | | I've recently rewritten the patch I submitted last November which | allows tcpdump to automagically rotate dump files based on some ti

Re: [tcpdump-workers] misprinting of GRE tunneled packets on NetBSD Sparc64

On Tue, Jul 26, 2005 at 04:34:16PM +0200, Gert Doering wrote: | Hi, | | I'm sure this is going to be difficult to diagnose - so I need some | help to figure out where to start. | | Setup: | NetBSD -current (3.99.7) on Sparc64. | IPv6-over-GRE-over-IPv4 tunneling | tcpdump HEAD from CVS |

Re: [tcpdump-workers] 0.9.4/3.9.4 release?

Michael Richardson wrote: -BEGIN PGP SIGNED MESSAGE- "Guy" == Guy Harris <[EMAIL PROTECTED]> writes: Guy> I've checked in some libpcap fixes for HP-UX and Mike Kershaw's Guy> support for radiotap in Linux, and Hannes has checked in some Guy> changes in both l

Re: [tcpdump-workers] [PATCH] DCCP - print all ACKs

checked into HEAD; who is going to receive credit/blame for this patch ? andrea, ian or both ? tx, /hannes Ian McDonald wrote: Hi there folks, Andrea Bittau picked up we weren't displaying ACKs for close packets and provided a preliminary patch. I've gone through the spec and reworked the p

Re: [tcpdump-workers] [PATCH] DCCP - print all ACKs

Ian is already on the blamelist (aka CREDITS) - so i just have added Andrea; tx again for your submission; /hannes Ian McDonald wrote: On 04/11/05, Hannes Gredler <[EMAIL PROTECTED]> wrote: checked into HEAD; who is going to receive credit/blame for this patch ? andrea, ian o

Re: [tcpdump-workers] Paquets smaller than 64 bytes

David Rosal wrote: [ ... ] But what's is very strange is that everytime I make a capture session with tcpdump I get *many* packets of 60 bytes that are not originated in my own machine nor are them sent to it. Here's an example of the output of tcpdump: $ tcpdump -c5 '(host not 193.145.45.23

Re: [tcpdump-workers] libpcap for PPP raw data problem

libpcap does not do what you want it to do ... however you may want to look at the text2pcap utility that is bundled with ethereal. /hannes BinaryChen(TP/SH) wrote: Hi, I have captured some raw PPP data from serial driver, and I want use libpcap to convert to pcap file format so the ethereal

Re: [tcpdump-workers] gettimeofday() on Win32

would'nt it make sense to guard your private gettimeofday() function with #if defined(_MSC_VER) || defined(_MSC_EXTENSIONS) || defined(__WATCOMC__) /hannes Gisle Vanem wrote: The recent (?) -G option requires gettimeofday() which isn't available on Win32. Attached is a patch to util.c which add

Re: [tcpdump-workers] gettimeofday() on Win32

pls ignore prev. comment -> brain fart - checked in your patch - /hannes Gisle Vanem wrote: The recent (?) -G option requires gettimeofday() which isn't available on Win32. Attached is a patch to util.c which adds this function. --gv --- tcpdump-2005.12.03/util.cThu Jun 16 00:19:38 2005 ++

:Re: [tcpdump-workers] libpcap for PPP raw data problem

Chen *From:* [EMAIL PROTECTED] ´ú±í Hannes Gredler *Sent:* 2005-12-5 (ÐÇÆÚÒ») 16:07 *To:* tcpdump-workers@lists.tcpdump.org *Subject:* Spam:Re: [tcpdump-workers] libpcap for PPP raw data problem libpcap does not do what you want it to do ... however you may want to look at the text2pcap utility

Re: [tcpdump-workers] timestamp difference since first packet under

could you provide me a pointer to the openBSD source tree containing the -t modification then i can see if we can check this in; /hannes nero one wrote: Hello. OpenBSD added the -t option which, from what I understand, a very similar output to tethereal's default timestamp "Add -t

Re: [tcpdump-workers] timestamp difference since first packet under

found the openBSD tcpdump tree meanwhile ... have added the desired functionality to HEAD. would you mind checking out if it fits your needs ? /hannes nero one wrote: Hello. OpenBSD added the -t option which, from what I understand, a very similar output to tethereal's default timestamp

Re: [tcpdump-workers] timestamp difference since first packet under

Guy Harris wrote: Hannes Gredler wrote: found the openBSD tcpdump tree meanwhile ... have added the desired functionality to HEAD. Do we want relative time stamps (-ttt, for secs/usecs since previous packet, and -t, for secs/usecs since first packet) to be printed as

Re: [tcpdump-workers] timestamp difference since first packet under

? :) Is HEAD a directory somewhere in the CVS system, or ? HEAD is the head of the CVS tree where we do check in all the fancy and new stuff ;-) if you do an anonmymous CVS checkout and don't specify a branch e.g. tcpdump_3_9 then you'll get the HEAD of the tree ... /hannes Hannes

Re: [tcpdump-workers] timestamp difference since first packet under

I suppose we could get really ambitious and support strftime()-like formats ("strftime()-like" because, for relative times, you don't have any date fields, just time fields). that would be a really nice idea - so we'd have essentially three distinct -t behaviours 1. print absolute timestamp

Re: [tcpdump-workers] testing the list

works fine ... - /hannes Michael Richardson wrote: This is another test of the mailing list. - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] error when installling in freeBSD

pls try a "make clean;make" - /hannes PRITHU wrote: Dear all, I was trying to install tcpdump 3.8.3 in freeBSD 5.4, I get the following error - tcpdump.o(.text+0x8f6): In function `main': : undefined reference to `pcap_debug' I have also passsed --enable-yydebug to libpcap's configure sc

Re: [tcpdump-workers] error when installling in freeBSD

also .. do you have libpcap installed ? --- pls try a "make clean;make" - /hannes PRITHU wrote: Dear all, I was trying to install tcpdump 3.8.3 in freeBSD 5.4, I get the following error - tcpdump.o(.text+0x8f6): In function `main': : undefined reference to `pcap_debug' I have also pass

Re: [tcpdump-workers] tcpdump -r option

Latha G wrote: Hi all, Thanks for your support till now. I want to clarify few things about the tcpdump -r option I just used tcpdump -w dump.pcap The -r option is used just to read back what we stored using -w option or can we use the dump.pcap file as network and we can apply all options & f

Re: [tcpdump-workers] "truncated arp " message while using -s option

Guy Harris wrote: The most recent update to the ARP printing code (which isn't yet in a release) prints "[|ARP]" for all the truncation cases. i took the courtesy of cleaning up the printer recently ... hope i did not break too much ;-) /hannes - This is the tcpdump-workers list. Visit https

Re: [tcpdump-workers] fragmented packets

Luis Del Pino wrote: Hello, i have a question. I am filtering UDP segments by port. In fragmented packets, i only capture the UDP segment and i can't capture the other fragments. My questions are: could the fragments loss? or if a fragment is lost in the network, the UDP segment entirely is it lo

Re: [tcpdump-workers] Missing af.h

af.{c,h} are new files used for AF printing/resolution; if they would have been committed (blush) they would have been there ... guy fixed that already ... /hannes Gisle Vanem wrote: This file is needed by print-bgp.c, print-ldp.c and print-rip.c, but missing from the tar-ball. Should it be ge

Re: [tcpdump-workers] Missing af.h

BTW. addrtoname.c on Win32 is missing ETHER_ADDR_LEN. A fix: --- tcpdump-2006.02.25\addrtoname.c Sat Feb 11 21:11:40 2006 +++ addrtoname.cSat Feb 25 17:26:17 2006 @@ -68,6 +68,10 @@ #include "extract.h" #include "oui.h" +#ifndef ETHER_ADDR_LEN +#include "ether.h" +#endif + tx, comm

Re: [tcpdump-workers] Missing af.h

that was contained in my original file -> fixed; - /hannes Gisle Vanem wrote: "Guy Harris" <[EMAIL PROTECTED]> wrote: No - it, and af.c, should probably be generated from the stuff removed from print-bgp.c. I've checked in versions of af.c and af.h generated that way. netdissect.h isn't a

Re: [tcpdump-workers] tcpdump output format

Latha G wrote: Hi all, I have one question about the output format of tcpdump. How can we know whether the output from the tcpdump is in the correct format? Any file is there to know about the format of the output? there is no central file - very printer controls its own output formay The

Re: [tcpdump-workers] tcpdump output format

.. My tcpdump version: 3.9.4 On 3/6/06, Hannes Gredler <[EMAIL PROTECTED]> wrote: Latha G wrote: Hi all, I have one question about the output format of tcpdump. How can we know whether the output from the tcpdump is in the correct format? Any file is there to know about the format

Re: [tcpdump-workers] UDP Fragments

luis, see the answer to the same questions answered a few weeks before. bottomline is: tcpdump does not perform fragment reassembly and there is no way to catch the fragments bases on port numbers. /hannes Luis Del Pino wrote: Hi, I'm Luis del Pino, What filter could I use to capture UDP data

Re: [tcpdump-workers] Checksum

sure - it could be that the data got corrupted by transit nodes; Luis Del Pino wrote: When I capture an UDP datagram from a well-known source, Could the checksum be incorrect? do I have to calculate it? or How Could I ask other entity about it? Thanks - This is the tcpdump-workers list. Visit

Re: [tcpdump-workers] How to set snaplen for tcpdump

a quick look into the man pages usually helps a lot ;-) --- NAME tcpdump - dump traffic on a network SYNOPSIS tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ] [ -C file_size ] [ -F file ] [ -i interface ] [ -m module ] [ -M secret ] [ -r

Re: [tcpdump-workers] [PATCH] compress savefiles after each rotation

checked in - tx for your submission; - /hannes Sebastien Raveau wrote: Hello everybody, I am submitting this patch for tcpdump that adds the -z flag (to be used in conjunction with -C or -G) which can be used to specify a command tcpdump should execute on each savefile after it's been rotate

Re: [tcpdump-workers] A broken filter...

Dan Joumaa wrote: Hello, I am trying to capture all ethernet packets with the source host's first 3 octets being 00, 09, and bf. It was suggested that I used this filter: "ether[0] == 0x00 && ether[1] == 0x09 && ether[2] == 0xbf." When packets are sent that should match, nothing comes thro

Re: [tcpdump-workers] how to construct tcpdump readable packets

latha, you may want to check the text2pcap utility that comes along with ethereal for learning about conversion to a libpcap readable format. /hannes Latha G wrote: Hi all, Is there any way to construct manually a tcpdump readable packet? As we know the header structres, we can fill those hea

Re: [tcpdump-workers] Assumptions needed to get the same tcpdump

if your DNS is configured correct on both systems and you don't do any site local private adressing then you should get the identical output on both systems - if you specifiy the -n flag then tcpdump does not attempt to resolve names, you should be fine i.e. identical output irrespective how broke

Re: [tcpdump-workers] what is the flag -c mean

the -c flag (c = count) means that capturing is stopped after packets ... /hannes Lan Qing wrote: hello, I'm of tcpdump,and i got the fllowing words while i'm reading the tcpdump man page " Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a

Re: [tcpdump-workers] about struct in_addr

what is the point ? - the storage space is the same ... Lan Qing wrote: hello, I read the fllowing words in the c header file " /* Internet address. */ typedef uint32_t in_addr_t; struct in_addr { in_addr_t s_addr; };" the struct in_addr have only one variable in it, is there any necessar

Re: [tcpdump-workers] Filtering based on multiple IP address.

1. Is there is a limit in the length of filter string afaik 256 BPF instructions 2. What will be the performance impact because of having a huge filter string. linear performance impact 3. Will PCAP automatically reduce the the filter string for performance. not for a chain of explicit h

Re: [tcpdump-workers] compiling problem

zubin, unless you post qualified information - for example the config.log file i fear nobody's crystal ball on the list is clear enough to provide an answer your question. /hannes [EMAIL PROTECTED] wrote: Hi guys, I havent heard from anyone and I really need solution to this problem. I was

Re: [tcpdump-workers] Verbose output of tcpdump on protocols of different

mikhail, what you are suggesting makes sense and you are welcome to submit a patch ;-) /hannes Mikhail Manuylov wrote: Hello, I need to parse output of tcpdump printing contents of snmp packets and insert to database. First time I thought that output can be explained with some regexps, but w

Re: [tcpdump-workers] [RESEND][PATCH] enable sniff on USB ports onlinux

paolo, checked in. can you make a fresh checkout and verify if everything is working as expected ? tx, /hannes Paolo Abeni wrote: > Hello, > > On Mon, 2006-10-02 at 17:15 -0700, Guy Harris wrote: >> I've added DLT_USB, with a value of 186. > > Must I resent the whole patch with the new DLT,

Re: [tcpdump-workers] Sniffing inbound ethernet frames only

[EMAIL PROTECTED] wrote: > Dear tcpdump experts, > > I have a Linux box with two Fast Ethernet interfaces. > In two separate windows on the desktop I want to see > all inbound ethernet frames (from the wire), but not > the ethernet frames coming down the local network stack. > In the left window

Re: [tcpdump-workers] Sniffing inbound ethernet frames only

> Hello Hannes, > > on SuSE 10.1 (Kernel 2.6.16.13-4) I get the > following message: > > # tcpdump -i eth1 inbound ether > tcpdump: inbound/outbound not supported on linktype 1 > # tcpdump --version > tcpdump version 3.9.4 > libpcap version 0.9.4 > > Best regards > jojo ok makese sense now - so

Re: [tcpdump-workers] [PATCH] tcpv6: removal of duplicate code

checked in and added you to the hall of shame (aka CREDITS file). tx for your submission, /hannes Gerrit Renker wrote: > This is an optional patch which removes duplicated code > from tcp6_cksum: comparison shows that the code of in_cksum > re-appears in that function. > > In addition, it fixe

Re: [tcpdump-workers] [PATCH]: [DCCP]: support for variable-length

checked in. tx for your submission. /hannes Gerrit Renker wrote: > This introduces support for variable-length checksum in > DCCP, as it is specified in section 9 of RFC 4340. > > Previously tcpdump was only able to validate full-coverage > checksums, this patch verifies checksums in accordan

Re: [tcpdump-workers] about tcpdump trace file!

> Hi, everybody > > > >I am a new comer! Nowadays, I want to analyze the tcpdump ¨Cw file. Does > anyone know some tool or method to do this? > you may want to check libpcap/savefile.c [http://cvs.tcpdump.org/cgi-bin/cvsweb/libpcap/savefile.c?rev=1.147] to get a better understanding ab

Re: [tcpdump-workers] Outgoing packets capturing problem

what DLT type and what filter expression are you using ? Nickolay wrote: > Hello. > > I have a problem with outgoing packets capturing. I see only incoming > packets. > Any idea? > > Platform: ARM > kernel: 2.6.16.20. > libpcap: 0.9.5(--with-pcap=linux) > tcpdump: 3.9.5. > > Thanks. > - This i

Re: [tcpdump-workers] to recognize incoming and outgoing packets

Juan Pedro Muñoz Gea wrote: > Hi all, > > I'm using pcap library to capture live packets. > I want to distinguish incoming and outgoing captured packets > in an interface in promiscuous mode, without examining the payload, but I > don't know the way to do it. > > Using the PF_PACKET sockets fam

  1   2   >