Re: [tcpdump-workers] -C option not working? FreeBSD 10.1
Wow this was quick! Thanks so much Wesley and Guy. Shane On 19 February 2015 at 09:11, Wesley Shields wrote: > Thanks! I've submitted a pull request (please ignore my first one, it was > made on the master branch of my fork). > > https://github.com/the-tcpdump-group/tcpdump/pull/433 > > I'm still not clear how -G, -C and -W are meant to work together though. > The manage is a bit unclear to me. Any pointers on how it is supposed to > work so I can try and make sure that is true would be appreciated. > > -- WXS > > > On Feb 18, 2015, at 4:23 PM, Guy Harris wrote: > > > > > > On Feb 18, 2015, at 10:18 AM, Wesley Shields wrote: > > > >> I've got a patch for this at > https://github.com/wxsBSD/tcpdump/commit/84998745a29a0ffb3a680c29692c15426a1ce960 > . > > > > I've checked into the trunk a change to check for pcap_dump_ftell() > failing (which it should *always* have done; had it done that, the symptoms > of this problem would have been a bit less obscure), so your changes might > at least need to get the indentation readjusted. > > > > ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] -C option not working? FreeBSD 10.1
Thanks! I've submitted a pull request (please ignore my first one, it was made on the master branch of my fork). https://github.com/the-tcpdump-group/tcpdump/pull/433 I'm still not clear how -G, -C and -W are meant to work together though. The manage is a bit unclear to me. Any pointers on how it is supposed to work so I can try and make sure that is true would be appreciated. -- WXS > On Feb 18, 2015, at 4:23 PM, Guy Harris wrote: > > > On Feb 18, 2015, at 10:18 AM, Wesley Shields wrote: > >> I've got a patch for this at >> https://github.com/wxsBSD/tcpdump/commit/84998745a29a0ffb3a680c29692c15426a1ce960. > > I've checked into the trunk a change to check for pcap_dump_ftell() failing > (which it should *always* have done; had it done that, the symptoms of this > problem would have been a bit less obscure), so your changes might at least > need to get the indentation readjusted. > ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] -C option not working? FreeBSD 10.1
On Feb 18, 2015, at 10:18 AM, Wesley Shields wrote: > I've got a patch for this at > https://github.com/wxsBSD/tcpdump/commit/84998745a29a0ffb3a680c29692c15426a1ce960. I've checked into the trunk a change to check for pcap_dump_ftell() failing (which it should *always* have done; had it done that, the symptoms of this problem would have been a bit less obscure), so your changes might at least need to get the indentation readjusted. ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] -C option not working? FreeBSD 10.1
I've got a patch for this at https://github.com/wxsBSD/tcpdump/commit/84998745a29a0ffb3a680c29692c15426a1ce960. Seems to work well but I would appreciate any testing anyone can do. I'm also going to make sure this is right from the capsicum perspective as I have no experience with that. Once I discuss it with those folks I'll send a pull request. On a somewhat related note, how is -G, -W and -C supposed to work together. The man page makes it sound like you can use all three together, but I'm not able to get anything to work. I would expect to do this: tcpdump -i em0 -G 5 -W 5 -C 1 -w foo.pcap and get foo.pcap0, foo.pcap1, foo.pcap2, foo.pcap3, foo.pcap4. Each output file should have 5 seconds worth of packets in them and then rotated. I can't seem to get this behavior. -- WXS > On Feb 18, 2015, at 12:38 AM, SJP Lists wrote: > > Hello all, > > Firstly, apologies if I missed info about this from a FAQ, documentation, > source README and CHANGES and Google or if I am just doing something > silly. I looked at the man page and performed a Google and case sensitive > searches via casesensitivesearch.com (to avoid all the -c results) but did > not find any info about this issue I am having. > > I have built a host for circular recording of WAN traffic onto 2TB worth of > storage, in order to hopefully catch pcaps after an event of intermittent > issues we are not able to replicate. Hoping that when a user complains and > gives us the time of the issue, I can just grab a copy of the pre-recorded > pcap which should contain the traffic associated with their issue. > > I've used FreeBSD 10.1 for this. With the following tcpdump syntax as an > example, run as root: > > tcpdump -C 1 -W 10 -w filename -i em0 > > and I am finding that filename0 is created and captured to, but the capture > does not roll over to the next file and instead continues to capture to the > first file beyond the limit I thought would be imposed with "-C 1", until I > kill the process. > > I have tried the -Z option with "-Z root", in case the issue was that a new > file cannot be created once privs are dropped, but I get the same result. > > Thank you for reading and any help that you can give! > > > Shane > ___ > tcpdump-workers mailing list > tcpdump-workers@lists.tcpdump.org > https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] -C option not working? FreeBSD 10.1
Looks like the call to pcap_dump_ftell() is always returning -1 and setting errno to 93 (ENOTCAPABLE). This makes sense since I can only trigger it on FreeBSD, and if I disable capsicum support in config.h and rebuild then -C works as expected. I'll take a look at this and send a PR, but you may be better off building it yourself and disabling capsicum for now. -- WXS > On Feb 18, 2015, at 12:38 AM, SJP Lists wrote: > > Hello all, > > Firstly, apologies if I missed info about this from a FAQ, documentation, > source README and CHANGES and Google or if I am just doing something > silly. I looked at the man page and performed a Google and case sensitive > searches via casesensitivesearch.com (to avoid all the -c results) but did > not find any info about this issue I am having. > > I have built a host for circular recording of WAN traffic onto 2TB worth of > storage, in order to hopefully catch pcaps after an event of intermittent > issues we are not able to replicate. Hoping that when a user complains and > gives us the time of the issue, I can just grab a copy of the pre-recorded > pcap which should contain the traffic associated with their issue. > > I've used FreeBSD 10.1 for this. With the following tcpdump syntax as an > example, run as root: > > tcpdump -C 1 -W 10 -w filename -i em0 > > and I am finding that filename0 is created and captured to, but the capture > does not roll over to the next file and instead continues to capture to the > first file beyond the limit I thought would be imposed with "-C 1", until I > kill the process. > > I have tried the -Z option with "-Z root", in case the issue was that a new > file cannot be created once privs are dropped, but I get the same result. > > Thank you for reading and any help that you can give! > > > Shane > ___ > tcpdump-workers mailing list > tcpdump-workers@lists.tcpdump.org > https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] -C option not working? FreeBSD 10.1
I don't have an answer to your original question other than to say I just duplicated it on a FreeBSD host but not on OS X. Smells like a bug to me. I've done something similar in the past using -G and writing to something like /packets/%Y/%m/%d/%H%M%S.pcap (assuming those directories exist). This way when you are given a time when the problem occurred you can jump to that specific file much easier. Though, if you have to find the start of the session it may be in an earlier file. tcpdump -G 300 -w /packets/%Y/%m/%d/%H%M%S.pcap -- WXS > On Feb 18, 2015, at 12:38 AM, SJP Lists wrote: > > Hello all, > > Firstly, apologies if I missed info about this from a FAQ, documentation, > source README and CHANGES and Google or if I am just doing something > silly. I looked at the man page and performed a Google and case sensitive > searches via casesensitivesearch.com (to avoid all the -c results) but did > not find any info about this issue I am having. > > I have built a host for circular recording of WAN traffic onto 2TB worth of > storage, in order to hopefully catch pcaps after an event of intermittent > issues we are not able to replicate. Hoping that when a user complains and > gives us the time of the issue, I can just grab a copy of the pre-recorded > pcap which should contain the traffic associated with their issue. > > I've used FreeBSD 10.1 for this. With the following tcpdump syntax as an > example, run as root: > > tcpdump -C 1 -W 10 -w filename -i em0 > > and I am finding that filename0 is created and captured to, but the capture > does not roll over to the next file and instead continues to capture to the > first file beyond the limit I thought would be imposed with "-C 1", until I > kill the process. > > I have tried the -Z option with "-Z root", in case the issue was that a new > file cannot be created once privs are dropped, but I get the same result. > > Thank you for reading and any help that you can give! > > > Shane > ___ > tcpdump-workers mailing list > tcpdump-workers@lists.tcpdump.org > https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
