Re: [tcpdump-workers] Proposed new pcap format

for space/speed. Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Zealand cell: +64 21 1104378 --- - Th

Re: [tcpdump-workers] Proposed new pcap format

be determined by the rate, multiplied by the capture time. E.g. 250MB/s * 24 hours. Stephen. -- --- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540

Re: [tcpdump-workers] Proposed new pcap format

or results, but libpcap is primarily about packet capture. Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Zealand

Re: [tcpdump-workers] Are all traces captured by dag card in "tcpdump"

trouble? Note you shouldn't assume it uses DLT_EN10MB. Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7

Re: [tcpdump-workers] Patch to print out IP data in PPP HDLC packets

nt length) { +if ((proto & 0xff00) == 0x7e00) {/* is this an escape code ? */ +ppp_hdlc(p-1, length); +return; +} + switch (proto) { case PPP_LCP: case PPP_IPCP: -- ------- Stephen Donne

Re: [tcpdump-workers] New magic number

cussion forum for this draft? I see a reference to 'Network Working Group', is this an IETF body? Regards, Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd

Re: [tcpdump-workers] number of concurrent TCP sessions

ch easyer if you do a wc -l /proc/net/tcp This will give you the number of connections pretty accurately. But be careful with using ip_conntrack because it makes your box vulnerable to SYN flood attacks. Regards Karoly Kiss - -- --- Step

Re: [tcpdump-workers] PCAP Timestamp - HWClock or SWClock?

tions snipped- DAG cards capture their timestamps at the beginning of the packet. For Ethernet this is generally the SFD byte. I'm happy to discuss specifics off-list if people are interested. Stephen. -- ---

Re: [tcpdump-workers] [ANNOUNCE] NTAR - PCAP next generation dump

in it, the mailman web interface to subscribe is available at https://www.winpcap.org/mailman/listinfo/ntar-workers Have a nice day Gianluca Varenni -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace

Re: [ntar-workers] Re: [tcpdump-workers] [ANNOUNCE] NTAR - PCAP next

ibpcap API. Regards, Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Zealand

Re: [tcpdump-workers] problem with parsing Leipzig-I trace

version 0.7 - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540

Re: [tcpdump-workers] problem with parsing Leipzig-I trace

ol (0x0021) There must be a way to read/parse the Leipzig-I trace. I just couldn't figure it out. I would appreciate any suggestion. Thanks! Zhen On Jul 10, 2005, at 2:19 PM, Stephen Donnelly wrote: From the web pages you mentioned, the Leipzig-I trace page says that it was taken from a Pa

Re: [tcpdump-workers] user provided packet buffer

tions that also use memory mapping and would have similar problems. Why is it that you want packets in user allocated buffers? It seems to me that requiring the user to do their own explicit copies when required is not unreasonable. Regards, Stephen. --

Re: [tcpdump-workers] Paquets smaller than 64 bytes

other words, it is safe to add 4 bytes to the sizes of *all* captured > packets to get the sizes on wire? You can also add an unknown number of bytes of preamble (typ. 8), and 12 bytes of Inter-frame Gap if you like. Depends what you mean by 'On the wire'. Stephen. -- ----

Re: [tcpdump-workers] What is the main reason in absent append

capture parameters. Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Zealand

Re: [tcpdump-workers] pcap file format documentation

ther than > the libpcap source)? > > Thanks, > Don > - > This is the tcpdump-workers list. > Visit https://lists.sandelman.ca/ to unsubscribe. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTEC

Re: [tcpdump-workers] pcap file format documentation

7;s API will not allow me to deal with this since programs that > are dependent on it (tcpdump, ethereal) hang when attempting to open > any such file. Is this assumption incorrect? > > Thanks, > Don > > On 3/19/06, Stephen Donnelly <[EMAIL PROTECTED]> wrote: > > I

Re: [tcpdump-workers] [RESEND][PATCH] enable sniff on USB ports

ng as expected > ? > > tx, > > /hannes -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Z

Re: [tcpdump-workers] [RESEND][PATCH] enable sniff on USB ports

On Wed, 2006-10-04 at 16:53 -0400, Michael Richardson wrote: > >>>>> "Stephen" == Stephen Donnelly <[EMAIL PROTECTED]> writes: > Stephen> (/tcpdump/master/libpcap/pcap/#cvs.lock): Permission denied > > Appologies. the lockdir stuff got los

Re: [tcpdump-workers] Headroom

d into libpcap there would need to be a way to 'reject' the option, perhaps via a specific function call like pcap_setnonblock()? Stephen. -- --- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Tech

Re: [tcpdump-workers] print-tcp.c: remove commas from output, to

dissect packets directly with a protocol analyser class etc. Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540

Re: [tcpdump-workers] Failing to capture packets....

overflow on a big Force 10 switch, > > which > > causes other machines to "drop off the network" (as ARP fails, etc). > > > > I suspect a problem with BIOS on motherboard or firmware on embedded > > ethernet > > controller (Broadcom

Re: [tcpdump-workers] Request for a new DLT for MTP2 with FCS

rally happy with adding LINKTYPE_MTP2_FCS as a special case I have no problem, and Endace can support both linktypes. Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd

Re: [tcpdump-workers] Request for a new DLT for MTP2 with FCS

; Is it really a problem to create new linktypes, just for such purpose ? > (I understood that the linktypes are coded on 4 bytes ) > > Regards > Florent -- ------- Stephen Donnelly BCMS PhD email: [EMAIL

Re: [tcpdump-workers] Request for a new DLT for MTP2 with FCS

it would be possible to make this work with pcap-NG as well. > > This has the advantage that "what is the link-layer header?" and "do > frames have FCSes?" are separate questions, answered in separate > bitfields of the link type value. > - > This is the tcpdump-

[tcpdump-workers] [PATCH] DAG card support update

from Florent Drouin. Regards, Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Zealand c

Re: [tcpdump-workers] Packet capture performance comparison of

sk. Endace also offers disk capture appliances which provide this level of performance. Unfortunately I'm not aware of any recent independent test publications. Regards, Stephen. -- --- Stephen Donnelly BCMS PhD email: [EMAI

Re: [tcpdump-workers] Packet capture performance comparison of

On Thu, 2007-06-28 at 03:09 +, Jefferson Ogata wrote: > Stephen Donnelly wrote: > > On Wed, 2007-06-27 at 22:00 +, Jefferson Ogata wrote: > >> some packets to disk. Has anyone out there put together such a box and > >> come up with some performance statistic

[tcpdump-workers] DLT assignment request

s, Stephen. -- --- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Zealand cell: +64

[tcpdump-workers] DLT assignment request

ever there are already 19 ERF types defined and I feel this would unnecessarily consume/pollute the libpcap DLT namespace. Comments, questions, objections welcome. Regards, Stephen. -- --- Stephen Donnelly BCMS PhD

Re: [tcpdump-workers] DLT assignment request

On Tue, 2007-08-07 at 16:55 -0700, Guy Harris wrote: > On Jul 25, 2007, at 1:57 PM, Stephen Donnelly wrote: > > > Florent Drouin from Alcatel-Lucent has been working on improving the > > ERF > > support in Wireshark. As part of this work we would like to request a >

Re: [tcpdump-workers] Endace DAG card

dagfour or dagconfig can be used, or you can access the statistics via the DAG configuration and status API from your own software. Regards, Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace T

[tcpdump-workers] [PATCH] Recent checkin breaks build

mp; 0xF) << 28) | 0x0400) typedef enum { PCAP_D_INOUT = 0, -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Z

[tcpdump-workers] [PATCH] dag updates

also need to be regenerated using the preferred autoconf version. Stephen. -- --- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New

Re: [tcpdump-workers] Creation of libpcap 1.0 and tcpdump

(and it avoids > 4.0.1. and 1.0.1 48hours after release!) A release candidate sounds like a good idea. Could easily give it a week or two to settle before finalising it. Stephen -- ------- Stephen Donnelly BCMS PhD

Re: [tcpdump-workers] NIC / driver performance with libpcap

rcial slant, you may be interested in my whitepaper. Disclaimer: I work for Endace, a company that makes hardware specialised for network packet capture. http://www.endace.com/assets/docs/accelerated/DAGPacketCapturePerformance.pdf Regards, Stephen. -- --

Re: [tcpdump-workers] tcpdump problem with DAG card

o use this as the basis for non-selectable descriptors in general. Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +

Re: [tcpdump-workers] tcpdump problem with DAG card

On Thu, 2008-01-10 at 14:53 +1300, Stephen Donnelly wrote: > On Wed, 2008-01-09 at 17:25 -0800, Guy Harris wrote: > > On Jan 9, 2008, at 3:37 PM, lei wei wrote: > > > > > I'm actually trying to get Argus working with DAG but argus still > > > can't re

Re: [tcpdump-workers] Which versions of pcap files accept

If the user's purpose in saving to libpcap format is to use the file with another program then saving to DLT_ERF may not be useful. When you save a capture in libpcap format Wireshark doesn't prompt you for which DLT to use? How does it decide which DLT is appropriate? Stephen -- --

[tcpdump-workers] Patch to fix DAG support in HEAD

pcap-dag.c 1.37 doesn't compile after changes to support the new 'activate' model. Small patch which should address the issues. Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTEC

[tcpdump-workers] tcpdump display/decode bug?

ce appreciated. Stephen. -- ------- Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED] Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Zealand

Re: [tcpdump-workers] tcpdump display/decode bug?

On Wed, 2008-07-30 at 20:07 -0700, Guy Harris wrote: > On Jul 30, 2008, at 2:12 PM, Stephen Donnelly wrote: > > > I recently came across some packets which tcpdump appears to display > > incorrectly. > > > > Is tcpdump incorrectly invoking some heuristic dissector,

Re: [tcpdump-workers] does "port 25" work?

ersion: pppoes True if the packet is a PPP-over-Ethernet Session packet (Ethernet type 0x8864). Note that the first pppoes keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a PPPoE session packet. # tcpdump --vers

Re: [tcpdump-workers] does "port 25" work?

s. Perhaps you should try Wireshark, you may find its 'display filters' more user friendly. http://www.wireshark.org Stephen. -- --- Stephen Donnelly BCMS PhD email: [EMAIL PROTEC

Re: [tcpdump-workers] tcpdump and wireshark

gt; > > Marco. > > - > > This is the tcpdump-workers list. > > Visit https://cod.sandelman.ca/ to unsubscribe. > > > - > This is the tcpdump-workers list. > Visit https://cod.sandelman.ca/ to unsubscribe. > -- -

Re: [tcpdump-workers] TCPDUMP 4.0.1rc1 and LIBPCAP 1.0.1rc1

give them a test run if you can - provided no bugs, I'm planning > > to release them for Monday, Dec 8th. > > > > > > Ken > > - > > This is the tcpdump-workers list. > > Visit https://cod.sandelman.ca/ to unsubscri

Re: [tcpdump-workers] Hardware timestamp ?

in hardware. This allows for very accurate capture and 'replay' of network traffic. The inter-packet timing is preserved and regenerated with high accuracy, typically orders of magnitude better than software-only approaches. Regards, Stephen -- --- Stephen Donnelly BCMS PhD

[tcpdump-workers] Pull request

git://github.com/sfd/libpcap.git Updating Endace DAG ERF support. -- --- Stephen Donnelly BCMS PhD email: s...@endace.com Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Zealand

Re: [tcpdump-workers] ATM raw format data-link level type code in

he HCS. In some cases we have a 'Physical Port ID' which would be useful. Stephen. -- ------- Stephen Donnelly BCMS PhD email: s...@endace.com Endace Technology Ltd phone: +64 7 839 0540

Re: [tcpdump-workers] Memory leak in libpcap (top of tree) and/or

_attach_stream() and dag_detach_stream() to handle mapping/unmapping. Stephen. -- ------- Stephen Donnelly BCMS PhD email: s...@endace.com Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Zealan

Re: [PATCH] Re: [tcpdump-workers] Bug: Counting dropped packets in

ailable on the platform at run time. Regards, Stephen -- ------- Stephen Donnelly BCMS PhD email: s...@endace.com Endace Technology Ltd phone: +64 7 839 0540 Hamilton, New Zealand

[tcpdump-workers] Pull request for DAG updates

I have submitted a pull request to mcr's github tree. https://github.com/mcr/libpcap/pull/1 There are 2 changes. The dag_platform_finddevs() function is updated to improve the search space and efficiency. Secondly the build process moves to 'pcap-config' for external library dependencies ins

Re: [tcpdump-workers] pcap anonymizer

On 29/04/11 19:12, Guy Harris wrote: On Apr 28, 2011, at 3:31 PM, Michael Richardson wrote: Unless someone says that there is something else out there, I'm going to write an (IPv4) pcap file anonymizer. I won't make the first version efficient. The Internet Traffic Archive has some anonymizin

Re: [tcpdump-workers] [Wireshark-dev] Multiple interface capture device support in

On 06/06/12 22:03, Guy Harris wrote: On Jun 5, 2012, at 8:04 PM, Stephen Donnelly wrote: I've posted an 'experimental' patch/hack to dumpcap in Bug #7300. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7300 The dumpcap implementation assumes that there is a one-to-one

[tcpdump-workers] pcap FCS length and LT_FCS_DATALINK_EXT()

Hi Guy, In 2007 in libpcap afbb1ce7 you committed some code (possibly from Florent Drouin) adding the LT_FCS_DATALINK_EXT mechanism to record whether the capture includes information about captured FCS length, and if so what length it is. I believe that currently only the DAG capture code suppo

[tcpdump-workers] Fix DAG Stream support in dag_create()

It appears that when "Have non-interface modules take responsibility for identifying their devices" 2426611 was committed, the heuristic for DAG device names was insufficient. https://github.com/the-

[tcpdump-workers] Pending pull request #378

Hi, I have had a pull request in the queue on github since August: https://github.com/the-tcpdump-group/libpcap/pull/378 This does include some ideally separate things, a bug fix, and some improvements. Is there anything blocking this pull request? Is more information required, or should I reba

[tcpdump-workers] 1.9.0 release progress

Hi, I see 1.9.0 is up to rc2 as of 25th June, how is it going? Is there anything we can do to assist? This fixes a serious bug in 1.8.1 for us, so keen to see a new release! Regards, Stephen ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpd

Re: [tcpdump-workers] [libpcap] Problem with version 1.9.0

>Behalf Of Francois-Xavier Le Bail >On 23/07/2018 15:33, Michael Richardson wrote: >> Francois-Xavier Le Bail via tcpdump-security wrote: >> > Need autoreconf. >> > And 1.9.1 ? >> >> Let's do 1.9.1 in September. > >Why not this week to have a proper version tag ? Agreed, seems like a simpl