Re: [tcpdump-workers] How to cut capture by duration

2006-04-20 Thread zze-DALMASSO Cedric RD-BIZZ-SOP
Hello,
Thanks for the answer, I tested it and it works.
But I have some remarks:
- when we use tcpdump with the -G option for a long time (more than 10 hours with the following command line:
/tmp/tcpdump-2006.03.29  -G 3600 -i eth0 -s 0 -w /tmp/%y%m%d%H%M.eth0.dmp),
the generated files are longer than the -G granularity, as you can see in the
list of generated files

...
/tmp/0604111800.eth0.dmp
/tmp/0604111900.eth0.dmp
...
/tmp/0604112001.eth0.dmp
/tmp/0604112101.eth0.dmp
...  ^^
/tmp/0604121201.eth1.dmp
/tmp/0604121202.eth0.dmp
...  ^^
Maybe a means to solve the issue is to take the packet's timestamp as the
reference to cut?

- it may be interesting to cut the generated files at the modulo of the
granularity. For example, with a granularity of 60 I would generate a file each minute,
from the beginning of a minute (the modulo of the number of seconds since 1970) to
the end. This can help to solve the previous issue.

Kind regards.

Cédric Dalmasso

PS: excuse my poor English :-(

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf
> of Guy Harris
> Sent: Thursday 5 January 2006 23:59
> To: tcpdump-workers@lists.tcpdump.org
> Subject: Re: [tcpdump-workers] How to cut capture by duration
> 
> 
> On Jan 5, 2006, at 12:30 AM, zze-DALMASSO Cedric RD-BIZZ-SOP wrote:
> 
> > I am looking for a means to make a capture over a long time. But it's
> > impossible since the file's size grows.
> > Do you know a means to cut it by duration, for example each hour a
> > new file (it's simpler to use files with a duration cut rather than
> > a size cut)?
> 
> Yes, but it only works with the "current tar files" version of  
> tcpdump, not with any version that's been released - the "-G" flag  
> can be used to switch capture files after some amount of time has  
> expired.
> 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
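
The cut-at-the-modulo idea from the message above, replayed beside a simple relative rule on constructed packet timestamps. This is an added example, not tcpdump's code or the poster's; the relative rule is an assumed simplified model of the drift, not tcpdump's actual -G implementation, and the timestamps, the one-hour granularity and the UTC zone are constructed.

```c
/* Added example, not code from tcpdump or from the thread's authors.
 * It replays a constructed packet stream under two rotation rules:
 *   relative: next cut = G s after the packet that triggered the last cut,
 *             so a late first packet delays every later file (cf. the
 *             1801 and 1202 file names above); an assumed model only.
 *   aligned:  cuts at multiples of G in seconds since the epoch, as the
 *             message proposes, so file names stay on the boundary. */
#include <string.h>
#include <time.h>

#define G 3600              /* one-hour granularity, as in -G 3600 */
#define BASE 1144778400L    /* 2006-04-11 18:00:00 UTC, constructed */
/* Constructed timestamps: the first packet of each hour arrives 25 s
 * later than the previous hour's did (idle link, nothing on the hour). */
static const time_t PKTS[] = { BASE, BASE + 1800, BASE + 3625, BASE + 7250,
                               BASE + 10875, BASE + 10880, BASE + 14400 };
#define NPKTS (sizeof PKTS / sizeof PKTS[0])
static time_t starts[16];   /* start time of each file opened by simulate() */

/* Start of the G-second period containing t: t - (t mod G). */
time_t period_start(time_t t, unsigned g) { return t - t % (time_t)g; }

/* File name in the thread's /tmp/%y%m%d%H%M.eth0.dmp pattern; UTC and a
 * static buffer keep the example deterministic. */
const char *period_name(time_t start)
{
    static char buf[64];
    strftime(buf, sizeof buf, "/tmp/%y%m%d%H%M.eth0.dmp", gmtime(&start));
    return buf;
}

/* Replay PKTS under one rule; returns the number of files opened and
 * records each file's start time in starts[]. */
size_t simulate(int aligned)
{
    size_t files = 0;
    time_t next_cut = 0;
    for (size_t i = 0; i < NPKTS && files < 16; i++)
        if (files == 0 || PKTS[i] >= next_cut) {
            /* aligned: file starts on the boundary even if its first
             * packet is late; relative: it starts at that packet */
            starts[files] = aligned ? period_start(PKTS[i], G) : PKTS[i];
            next_cut = starts[files++] + G;
        }
    return files;
}

/* Start time of file k (0-based) under a rule, or 0 if never opened. */
time_t file_start(int aligned, size_t k) { return k < simulate(aligned) ? starts[k] : 0; }
```

Under the relative rule the fourth file is named 0604112101 (its start has slid 75 s past the hour), while the aligned rule names it 0604112100 and also opens a file for the 22:00 hour.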


[tcpdump-workers] How to cut capture by duration

2006-01-05 Thread zze-DALMASSO Cedric RD-BIZZ-SOP
Hello, 
I am looking for a means to make a capture over a long time. But it's impossible since
the file's size grows.
Do you know a means to cut it by duration, for example each hour a new file
(it's simpler to use files with a duration cut rather than a size cut)?

Thank you for your assistance. 

Cédric Dalmasso


Re: [tcpdump-workers] 50% received packet are missing

2005-11-30 Thread zze-DALMASSO Cedric RD-BIZZ-SOP
Hello
I tested the latest CVS version of tcpdump and libpcap and all works fine.

Once again thanks a lot for your help.

Sincerely

Cedric Dalmasso
FranceTelecom R&D 

> -Original Message-
> From: dalmasso cedric [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 30 November 2005 09:56
> To: zze-DALMASSO Cedric RD-BIZZ-SOP
> Subject: Fwd: [tcpdump-workers] 50% received packet are missing
> 
> -- Forwarded message --
> From: dalmasso cedric <[EMAIL PROTECTED]>
> Date: Nov 25, 2005 11:33 AM
> Subject: Re: [tcpdump-workers] 50% received packet are missing
> To: tcpdump-workers@lists.tcpdump.org
> 
> 
> Hello,
> thanks for all
> I don't have access to the machine where the bug occurs before
> next Wednesday, but I will test it as soon as possible.
> We already saw yesterday that there are many times where the
> count of packets "received by filter" is updated, but we
> didn't go into more detail.
> 
> Again thanks,
> 
> Cedric
> 
> On 11/24/05, Guy Harris <[EMAIL PROTECTED]> wrote:
> > dalmasso cedric wrote:
> >
> > > I use Linux Mandriva 2006 and as I describe in the subject with tcpdump
> > > 50% of received packets are missing! I have done many tests and it's
> > > always the same: I capture 1/2 of the received packets.
> >
> > ...
> >
> > > 923 packets captured
> > > 1846 packets received by filter
> >
> > There's a bug in libpcap 0.9[.x] (and maybe 0.8[.x]) that causes the
> > count of packets "received by filter" to be twice (or approximately
> > twice) the number of packets actually received, on systems with newer
> > kernels (kernels supporting the PACKET_STATISTICS socket option on
> > PF_PACKET sockets).
> >
> > So it's not that you're capturing 1/2 of the received packets; it's
> > that the reported number of received packets is 2/1 the actual number
> > of received packets.
> >
> > I've checked in a change that should fix this; if you can get the
> > current CVS version of libpcap (and tcpdump) and build them together
> > (unpack both into subdirectories of the same directory, configure and
> > build libpcap, then configure and build tcpdump, so that tcpdump is
> > built with the version of libpcap you just built), or get the next
> > "current" tarball from tcpdump.org (2005-11-25 or later) when it
> > appears on the Web site and try those, see if that fixes the problem.


Re: [tcpdump-workers] 50% received packet are missing

2005-11-25 Thread dalmasso cedric
Hello,
thanks for all
I don't have access to the machine where the bug occurs before next
Wednesday, but I will test it as soon as possible.
We already saw yesterday that there are many times where the count of
packets "received by filter" is updated, but we didn't go into more
detail.

Again thanks,

Cedric

On 11/24/05, Guy Harris <[EMAIL PROTECTED]> wrote:
> dalmasso cedric wrote:
>
> > I use Linux Mandriva 2006 and as I describe in the subject with tcpdump
> > 50% of received packets are missing! I have done many tests and it's
> > always the same: I capture 1/2 of the received packets.
>
> ...
>
> > 923 packets captured
> > 1846 packets received by filter
>
> There's a bug in libpcap 0.9[.x] (and maybe 0.8[.x]) that causes the
> count of packets "received by filter" to be twice (or approximately
> twice) the number of packets actually received, on systems with newer
> kernels (kernels supporting the PACKET_STATISTICS socket option on
> PF_PACKET sockets).
>
> So it's not that you're capturing 1/2 of the received packets; it's that
> the reported number of received packets is 2/1 the actual number of
> received packets.
>
> I've checked in a change that should fix this; if you can get the
> current CVS version of libpcap (and tcpdump) and build them together
> (unpack both into subdirectories of the same directory, configure and
> build libpcap, then configure and build tcpdump, so that tcpdump is
> built with the version of libpcap you just built), or get the next
> "current" tarball from tcpdump.org (2005-11-25 or later) when it
> appears on the Web site and try those, see if that fixes the problem.


[tcpdump-workers] 50% received packet are missing

2005-11-24 Thread dalmasso cedric
Hello,
I use Linux Mandriva 2006 and as I describe in the subject with tcpdump
50% of received packets are missing! I have done many tests and it's
always the same: I capture 1/2 of the received packets.

[user ~]$ uname -a
Linux hostname 2.6.12-12mdksmp #1 SMP Fri Sep 9 17:43:23 CEST 2005
i686 Intel(R) Xeon(TM) CPU 3.00GHz unknown GNU/Linux
[user ~]$ /usr/sbin/tcpdump --version
tcpdump version 3.9.2
libpcap version 0.9.1
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
[ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -Z user ]
[ expression ]
[user ~]$ /usr/sbin/tcpdump -i eth1 >test.dump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
923 packets captured
1846 packets received by filter
0 packets dropped by kernel

Any idea?

Thanks

Cedric