Re: [tcpdump-workers] Multifile patch

2012-09-13 Thread Wesley Shields
On Thu, Sep 06, 2012 at 02:46:30PM -0400, Wesley Shields wrote:
> On Mon, Sep 03, 2012 at 10:13:57PM -0400, Michael Richardson wrote:
> > 
> > Wesley, is fopen("/dev/stdin") really the most portal way to
> > get a reference to stdin?  I'd have thought that doing:
> > VFile=stdin;
> > 
> > was the best way?
> 
> I fixed this and your other comment about refactoring reading from the
> file.
> 
> Please see my latest commit on github.
> 
> https://github.com/wxsBSD/tcpdump/commit/4c2790a43252b9cac1fe7f6b50b51c3c55d2370a

No further comments so I issued a pull request.

-- WXS
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] Multifile patch

2012-09-06 Thread Wesley Shields
On Mon, Sep 03, 2012 at 10:13:57PM -0400, Michael Richardson wrote:
> 
> Wesley, is fopen("/dev/stdin") really the most portal way to
> get a reference to stdin?  I'd have thought that doing:
> VFile=stdin;
> 
> was the best way?

I fixed this and your other comment about refactoring reading from the
file.

Please see my latest commit on github.

https://github.com/wxsBSD/tcpdump/commit/4c2790a43252b9cac1fe7f6b50b51c3c55d2370a

-- WXS


Re: [tcpdump-workers] Multifile patch

2012-09-05 Thread David Laight
> > On windows you can't pass 'FILE *' into shared libraries,
> > they are likely to have their own copies of the stdio
> > libraries - with different FILE structures.
> > (eg if one part is compiled with debug enabled).
> 
> In this patch, the library into which VFile is being passed is called
> "the C library", i.e., with the patch, we're not passing it to
> libpcap/WinPcap, we're passing it to fgets(); if you couldn't pass a
> FILE * to, say, fgets(), the stdio libraries would be completely
> useless.

Did I miss that this is a tcpdump change, not a pcap one :-(

David





Re: [tcpdump-workers] Multifile patch

2012-09-04 Thread Guy Harris

On Sep 4, 2012, at 3:11 AM, David Laight wrote:

> On windows you can't pass 'FILE *' into shared libraries,
> they are likely to have their own copies of the stdio
> libraries - with different FILE structures.
> (eg if one part is compiled with debug enabled).

In this patch, the library into which VFile is being passed is called "the C 
library", i.e., with the patch, we're not passing it to libpcap/WinPcap, we're 
passing it to fgets(); if you couldn't pass a FILE * to, say, fgets(), the 
stdio libraries would be completely useless.



Re: [tcpdump-workers] Multifile patch

2012-09-04 Thread David Laight
> On Sep 3, 2012, at 7:13 PM, Michael Richardson wrote:
> 
> > Wesley, is fopen("/dev/stdin") really the most portal
> 
> (Presumably "portable".)
> 
> > way to get a reference to stein?
> 
> Definitely not - it will probably work on most modern UN*Xes (Linux,
> *BSD/OS X, and Solaris; I don't know about HP-UX or AIX), but not on
> Windows, so it won't work in WinDump.
> 
> > I'd have thought that doing:
> > VFile=stdin;
> >
> > was the best way?
> 
> Yes.

I seem to be missing half these mails 

On windows you can't pass 'FILE *' into shared libraries,
they are likely to have their own copies of the stdio
libraries - with different FILE structures.
(eg if one part is compiled with debug enabled).

Probably the most portable way is using fdopen(0, ...)
that will work in windows - fileno(stdin) is still 0.

David






Re: [tcpdump-workers] Multifile patch

2012-09-04 Thread Gert Doering
Hi,

On Mon, Sep 03, 2012 at 10:13:57PM -0400, Michael Richardson wrote:
> Wesley, is fopen("/dev/stdin") really the most portal way to
> get a reference to stdin?  

It's about the most complicated way, and guaranteed to be non-portable
(no /dev/std* devices on AIX, for example).

> I'd have thought that doing:
> VFile=stdin;
> 
> was the best way?

This is well-defined.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de


Re: [tcpdump-workers] Multifile patch

2012-09-04 Thread Guy Harris

On Sep 3, 2012, at 7:13 PM, Michael Richardson wrote:

> Wesley, is fopen("/dev/stdin") really the most portal

(Presumably "portable".)

> way to get a reference to stein?

Definitely not - it will probably work on most modern UN*Xes (Linux, *BSD/OS X, 
and Solaris; I don't know about HP-UX or AIX), but not on Windows, so it won't 
work in WinDump.

> I'd have thought that doing:
> VFile=stdin;
> 
> was the best way?

Yes.



Re: [tcpdump-workers] Multifile patch

2012-09-03 Thread Michael Richardson

Wesley, is fopen("/dev/stdin") really the most portal way to
get a reference to stdin?  I'd have thought that doing:
VFile=stdin;

was the best way?

Other than that, I think your patch is the best way to implement
this. I'd like it if we could also handle multiple -r files in
exactly the same way.

-- 
]   He who is tired of Weird Al is tired of life!   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video 
   then sign the petition. 


Re: [tcpdump-workers] Multifile patch

2012-08-23 Thread Wesley Shields
On Thu, Aug 23, 2012 at 01:27:33PM -0400, Michael Richardson wrote:
> 
> > "Wesley" == Wesley Shields  writes:
> >> Since pcap files have no end of file marker, and each file
> >> has a header on it, do you look at the beginning of each packet, and see
> >> if there is a pcap magic number?
> 
> Wesley> I'm not sure I'm parsing this right but...
> 
> Wesley> I am using pcap_open_offline() on each file, which should be validating
> Wesley> that I'm operating on a pcap file. I also check to ensure
> Wesley> that the DLT
> 
> Ah, sorry, you wrote:
>   find /pcaps -type f | tcpdump -V - -w out.pcap
> 
> so you are reading a list of files rather than concatenating them.
> I had read:
> 
>   find /pcaps -type f | xargs cat | tcpdump -V - -w out.pcap
> 
> so you'd have a byte stream with multiple pcap headers inline.
> Do we support multiple -r flags... no... maybe that's a better fix?

I don't recall that being supported. I'm not sure what it would take to
do that either. My approach seemed easy enough to implement.

-- WXS


Re: [tcpdump-workers] Multifile patch

2012-08-23 Thread Michael Richardson

> "Wesley" == Wesley Shields  writes:
>> Since pcap files have no end of file marker, and each file
>> has a header on it, do you look at the beginning of each packet, and see
>> if there is a pcap magic number?

Wesley> I'm not sure I'm parsing this right but...

Wesley> I am using pcap_open_offline() on each file, which should be validating
Wesley> that I'm operating on a pcap file. I also check to ensure
Wesley> that the DLT

Ah, sorry, you wrote:
  find /pcaps -type f | tcpdump -V - -w out.pcap

so you are reading a list of files rather than concatenating them.
I had read:

  find /pcaps -type f | xargs cat | tcpdump -V - -w out.pcap

so you'd have a byte stream with multiple pcap headers inline.
Do we support multiple -r flags... no... maybe that's a better fix?

-- 
Michael Richardson
-at the cottage-





Re: [tcpdump-workers] Multifile patch

2012-08-21 Thread Wesley Shields
On Tue, Aug 21, 2012 at 08:36:12PM -0400, Michael Richardson wrote:
> 
> Wesley, it seems like a good idea.
> I can't look at your patch from the cottage, since I squirt out bits
> only once a day by walking down the road to where there is some wifi.

No worries, I'm in no rush on this. Enjoy your time away from the
internet.

> Since pcap files have no end of file marker, and each file
> has a header on it, do you look at the beginning of each packet, and see
> if there is a pcap magic number?

I'm not sure I'm parsing this right but...

I am using pcap_open_offline() on each file, which should be validating
that I'm operating on a pcap file. I also check to ensure that the DLT
of every subsequent file matches the DLT of the first file when using
this option in conjunction with -w, since we don't want to generate one
output file with multiple input DLTs.

-- WXS
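The DLT check Wesley describes, as an added example (my code, not the patch's or tcpdump's own): instead of going through pcap_open_offline(), it reads the pcap global header of each listed file directly, recognises both byte orders and the nanosecond-timestamp magic, and reports the first file that is not a pcap file or whose DLT differs from the first file's. The names pcap_parse_header, check_dlt_consistency and make_test_header are my own; the magic numbers and DLT values are the real libpcap ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not code from the patch under discussion. A pcap file begins
 * with a 24-byte global header: magic number (either byte order) at offset 0,
 * link-layer type (DLT) at offset 20. A -V file list is validated by checking
 * each file's magic and, when writing one output with -w, its DLT. */
#define PCAP_MAGIC      0xa1b2c3d4u   /* microsecond timestamps */
#define PCAP_MAGIC_NSEC 0xa1b23c4du   /* nanosecond timestamps */
#define PCAP_HDR_LEN    24
#define SWAP32(v) (((v) >> 24) | (((v) >> 8) & 0xff00u) | (((v) << 8) & 0xff0000u) | ((v) << 24))

struct pcap_hdr { int swapped; uint32_t linktype; };

/* Returns 0 and fills *out, or -1 if the buffer is too short or does not begin
 * with a pcap magic number (a pcap-ng file is rejected here as well). */
int pcap_parse_header(const unsigned char *buf, size_t len, struct pcap_hdr *out)
{
    uint32_t magic, net;
    if (len < PCAP_HDR_LEN) return -1;
    memcpy(&magic, buf, 4);                      /* read in host byte order */
    if (magic == PCAP_MAGIC || magic == PCAP_MAGIC_NSEC) out->swapped = 0;
    else if (SWAP32(magic) == PCAP_MAGIC || SWAP32(magic) == PCAP_MAGIC_NSEC) out->swapped = 1;
    else return -1;
    memcpy(&net, buf + 20, 4);
    out->linktype = out->swapped ? SWAP32(net) : net;
    return 0;
}

/* files[i] holds the first lens[i] bytes of input i. Returns -1 when every file
 * is a pcap file carrying the first file's DLT, else the first offender's index. */
int check_dlt_consistency(const unsigned char *const *files, const size_t *lens, size_t n)
{
    struct pcap_hdr first = {0, 0}, cur;
    for (size_t i = 0; i < n; i++) {
        if (pcap_parse_header(files[i], lens[i], &cur) != 0) return (int)i;
        if (i == 0) first = cur;
        else if (cur.linktype != first.linktype) return (int)i;
    }
    return -1;
}

/* Builds a constructed header (native or byte-swapped) carrying one DLT. */
void make_test_header(unsigned char *buf, int swapped, uint32_t linktype)
{
    uint32_t magic = swapped ? SWAP32(PCAP_MAGIC) : PCAP_MAGIC;
    uint32_t net = swapped ? SWAP32(linktype) : linktype;
    memset(buf, 0, PCAP_HDR_LEN);
    memcpy(buf, &magic, 4);
    memcpy(buf + 20, &net, 4);
}
```

A real reader would hand each accepted file to pcap_open_offline() as the patch does; this block only shows the header check that makes the "same DLT as the first file" rule concrete.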


Re: [tcpdump-workers] Multifile patch

2012-08-21 Thread Michael Richardson

Wesley, it seems like a good idea.
I can't look at your patch from the cottage, since I squirt out bits
only once a day by walking down the road to where there is some wifi.

Since pcap files have no end of file marker, and each file
has a header on it, do you look at the beginning of each packet, and see
if there is a pcap magic number?

(pcap-ng doesn't have this problem, and I apologize to the pcap-ng
folks for how long it's taken to move towards it)

-- 
Michael Richardson
-at the cottage-


   



[tcpdump-workers] Multifile patch

2012-08-19 Thread Wesley Shields
I've added support to tcpdump that lets you do things like:

find /pcaps -type f | tcpdump -V - -w out.pcap

or:

find /pcaps -type f > ~/pcaps; tcpdump -V ~/pcaps -w out.pcap

When writing out to a file it makes sure the DLT of every subsequent
file matches the DLT of the first file.

It's in a fork on github. I'd appreciate any comments on it before I
issue a pull request.

https://github.com/wxsBSD/tcpdump/commits/master

Yes, I realize there are other tools out there to do this but I don't
see why it shouldn't be in tcpdump. It's far more ubiquitous than the
others.

-- WXS