[tcpdump-workers] Automatic report from sources (tcpdump libpcap htdocs) between 28.06.2004 - 30.06.2004 GMT
CVS log entries from 28.06.2004 (Mon) 09:10:41 - 30.06.2004 (Wed) 09:04:04 GMT

= Summary by authors =
Author: hannes
  File: tcpdump/print-gre.c; Revisions: 1.26

= Log entries =
Description:
 -call the PPP printer in GREv1 (to better debug PPTP)
 -commatized and multiline output for better readability
 -make use of bittok2str() for flag processing
Modified files:
  File: tcpdump/print-gre.c; Revision: 1.26; Date: 2004/06/29 08:12:06; Author: hannes; Lines: (+56 -53)

= Summary of modified files =
File: tcpdump/print-gre.c
  Revisions: 1.26
  Authors: hannes (+56 -53)

-- Automatic cron job from /tcpdump/bin/makelog
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
[tcpdump-workers] Libpcap and Super User mode
Hello everyone,

Is it possible to write a program using libpcap that doesn't need to be run in super user mode, and if there is, how would that be done? Everything that I have seen that uses libpcap has to be in su mode.

jason
Re: [tcpdump-workers] Libpcap and Super User mode
> Is it possible to write a program using libpcap that doesn't need to be
> run in super user mode, and if there is, how would that be done?
> Everything that I have seen that uses libpcap has to be in su mode

At least on BSD based systems, it depends on readability of the /dev/bpf* devices and not on super user mode. Normally /dev/bpf* is only readable by root, but you can change this.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
Re: [tcpdump-workers] Libpcap and Super User mode
[EMAIL PROTECTED] wrote:
>> Is it possible to write a program using libpcap that doesn't need to be
>> run in super user mode, and if there is, how would that be done?
>> Everything that I have seen that uses libpcap has to be in su mode
>
> At least on BSD based systems, it depends on readability of the /dev/bpf*
> devices and not on super user mode. Normally /dev/bpf* is only readable by
> root, but you can change this.

More specifically, you can use libpcap as any user. On most systems, you have to be root, however, to monitor traffic on a network interface.

-- 
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
[tcpdump-workers] new capture file format
Christian == Christian Kreibich <[EMAIL PROTECTED]> writes:
Christian> A few months ago this list saw a discussion of the future
Christian> capture file format (what's the latest on that btw), and

I've been going around inviting various users of libpcap to come and take a look.

Other than that, we just need to find someone willing to take notes and issue revised proposals. There is no point in writing code until then.

-- 
]       Elmo went to the wrong fundraiser - The Simpson       |  firewalls  [
]   Michael Richardson, Xelerance Corporation, Ottawa, ON    |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/mcr/   |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
Re: [tcpdump-workers] text format stability
Eddie == Eddie Kohler <[EMAIL PROTECTED]> writes:
Eddie> These changes should not have been implemented globally,
Eddie> without some flag or option to preserve the old behavior.
Eddie> Such a flag should be added.

It is really hard to do that -- there are a lot of files involved. But, feel free to send patches!

Eddie> Why change the way 'cksum' is spelled? Why print out the
Eddie> checksum when it's valid? Why not leave the IP addresses at

Because checksums are not calculated unless the capture is complete, so one can't tell the difference between:
1) invalid
2) valid
3) not enough data

Again, if scripts want a stable format, then we need a field=value format. Anything else is going to change at some point.

-- 
Michael Richardson, Xelerance Corporation, Ottawa, ON
[tcpdump-workers] XML dissector output
Christian == Christian Kreibich <[EMAIL PROTECTED]> writes:
Christian> proposal that while I personally think an XML capture
Christian> format is not the right idea, an XML based tcpdump output
Christian> would be great in the long term -- it would certainly
Christian> eliminate a lot of parsing ambiguity.

I am not a fan of XML, but I could live with this kind of thing.

My opinion is that we need a code structure change:
 - dissectors would not call printf() directly.
 - dissectors would call some kind of thing=value function that has a table for the current packet only.
 - at the end of dissection, an appropriate thing=value-OUTPUT converter would occur.

I think that this can work very well for XML or $thing=value; or { thing = value } format.

The question is -- how to retain what we have now? Does each level of dissector register a print function as well? (with XML output all using the common XML print function?) Or is there some other structure that someone can think of?

-- 
Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] text format stability
Guy == Guy Harris <[EMAIL PROTECTED]> writes:
Guy> Along those lines, Tethereal currently offers the ability to
Guy> output either one-line summary information, a detailed
Guy> multi-line parse, *or* PDML XML-based dissection for packets.
Guy> See
Guy>
Guy>     http://analyzer.polito.it/30alpha/docs/dissectors/PDMLSpec.htm
Guy>
Guy> for the PDML specification.

I think it is an abuse of XML... nothing is actually marked up. Everything seems to be given as attributes, i.e.:

  <field name="verhlen" pos="15" show="45" showname="Version and header Length" size="1" value="45"/>

rather than:

  <field name="verhlen" pos="15" show="45" showname="Version and header Length" size="1">0x45</field>

It does use the container mechanism to do sub-structure, but I'm not convinced that I like this.

It is worth looking at. How widespread is PDML?

-- 
Michael Richardson, Xelerance Corporation, Ottawa, ON
Re: [tcpdump-workers] Libpcap and Super User mode
On Jun 30, 2004, at 10:00 AM, Jefferson Ogata wrote:
> More specifically, you can use libpcap as any user. On most systems, you
> have to be root, however, to monitor traffic on a network interface.

I.e., you can use libpcap to read a capture file as any user (if that user has permission to read the capture file in question), but you might have to have privileges of some sort (see the tcpdump man page for what we believe to be the current set of privileges required on various platforms) to do live captures.
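Added example, not code from this thread, from tcpdump or from libpcap. It ties together two of the discussions above: the "Libpcap and Super User mode" replies (a capture file can be read by any user who has read permission on it; no root or /dev/bpf* access is involved) and the "text format stability" / "XML dissector output" exchange (dissectors should hand back thing=value pairs to an output converter rather than printf(), and a checksum is only meaningful when enough of the packet was captured). The code writes a constructed classic-format pcap file to a temporary directory, reads it back with a small stand-alone parser, and dissects Ethernet/IPv4 into name=value fields, reporting the IPv4 header checksum as valid, invalid or truncated. The field names, the writer/reader helpers, the sample frames (one valid, one whose TTL was changed without updating the checksum, one cut off 10 bytes into the IP header) and the one-line name=value output format are all assumptions made for the example. Python 3.8 or later is assumed.

```python
# Added example (not tcpdump/libpcap code): classic-pcap read/write, an Ethernet/IPv4
# dissector that returns name=value fields, and a tri-state (valid/invalid/truncated)
# IPv4 header checksum report. Field names, helpers and sample frames are constructed here.
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1


def write_pcap(path, records, snaplen=65535):
    """records: (captured_bytes, wire_length) pairs; each record keeps both lengths."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, (data, wirelen) in enumerate(records):
            f.write(struct.pack("<IIII", ts, 0, len(data), wirelen) + data)


def read_pcap(path):
    """Return (linktype, [(captured_bytes, wire_length), ...]); needs only read permission."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", hdr[:4])[0])
        if end is None:
            raise ValueError("not a classic pcap file")
        linktype, records = struct.unpack(end + "IHHiIII", hdr)[6], []
        while len(rh := f.read(16)) == 16:
            _, _, caplen, wirelen = struct.unpack(end + "IIII", rh)
            data = f.read(caplen)
            if len(data) != caplen:
                raise ValueError("truncated record")
            records.append((data, wirelen))
    return linktype, records


def ip_checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def dissect(data, wirelen):
    """Ethernet/IPv4 dissector: returns an ordered list of (name, value) and never prints."""
    fields = [("caplen", len(data)), ("wirelen", wirelen)]
    if len(data) < 14:
        return fields + [("eth", "truncated")]
    etype = struct.unpack("!H", data[12:14])[0]
    fields += [("eth.dst", data[:6].hex(":")), ("eth.src", data[6:12].hex(":")),
               ("eth.type", "0x%04x" % etype)]
    if etype != 0x0800:
        return fields
    ip = data[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 20
    if ihl < 20:
        return fields + [("ip.hdr", "bad-ihl")]
    if len(ip) < ihl:   # header not fully captured: cannot check, so do not claim "invalid"
        return fields + [("ip.hdr", "truncated"), ("ip.cksum", "truncated")]
    return fields + [("ip.src", socket.inet_ntoa(ip[12:16])), ("ip.dst", socket.inet_ntoa(ip[16:20])),
                     ("ip.proto", ip[9]), ("ip.ttl", ip[8]),
                     ("ip.cksum", "valid" if ip_checksum(ip[:ihl]) == 0 else "invalid")]


def format_fields(fields):
    """Output converter: one stable, script-friendly name=value line per packet."""
    return " ".join("%s=%s" % (k, v) for k, v in fields)


def sample_packets():
    """Constructed frames: valid; TTL changed without a checksum update; valid one cut at 24 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 17, 0,
                      socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    good = bytes.fromhex("020000000002" "020000000001" "0800") + hdr + b"\x00" * 20
    bad = bytearray(good)
    bad[14 + 8] = 63
    return [(good, len(good)), (bytes(bad), len(bad)), (good[:24], len(good))]


def demo():
    """Write the samples, read them back as any user with read access could, dissect them."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.pcap")
        write_pcap(path, sample_packets())
        assert os.access(path, os.R_OK)      # offline reading needs only this, not root
        linktype, records = read_pcap(path)
        assert linktype == LINKTYPE_ETHERNET
        return [format_fields(dissect(d, w)) for d, w in records]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The third line of output carries ip.cksum=truncated rather than a computed value, which is the distinction the "text format stability" reply says a plain text dump cannot express. Because dissect() returns a list of pairs, the same result can be fed to a different converter (XML, $thing=value;, or the familiar tcpdump one-liner) without touching the dissector.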
Re: [tcpdump-workers] XML dissector output
On Wed, 2004-06-30 at 12:50, Michael Richardson wrote:
> Christian == Christian Kreibich <[EMAIL PROTECTED]> writes:
> Christian> proposal that while I personally think an XML capture
> Christian> format is not the right idea, an XML based tcpdump output
> Christian> would be great in the long term -- it would certainly
> Christian> eliminate a lot of parsing ambiguity.
>
> I am not a fan of XML, but I could live with this kind of thing.

I should probably add that I'd picture that as an optional output format suitable for post-processing -- something more human-readable would certainly be good as well.

Cheers,
Christian.
-- 
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
Re: [tcpdump-workers] text format stability
On Jun 30, 2004, at 12:58 PM, Michael Richardson wrote:
> How widespread is PDML?

Tethereal and Ethereal can generate it; I presume the intent is to have Analyzer 3.0 generate it as well, given that it was invented by the Politecnico di Torino folks. (I don't see anything immediately obvious on the Analyzer site saying it can generate PDML or PSML.)