Re: [tcpdump-workers] Multifile patch
On Thu, Sep 06, 2012 at 02:46:30PM -0400, Wesley Shields wrote:
> On Mon, Sep 03, 2012 at 10:13:57PM -0400, Michael Richardson wrote:
> > Wesley, is fopen(/dev/stdin) really the most portal way to get a reference to stdin?
> > I'd have thought that doing: VFile=stdin; was the best way?
>
> I fixed this and your other comment about refactoring reading from the file. Please see my latest commit on github.
>
> https://github.com/wxsBSD/tcpdump/commit/4c2790a43252b9cac1fe7f6b50b51c3c55d2370a

No further comments so I issued a pull request.

--
WXS
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] Multifile patch
On Mon, Sep 03, 2012 at 10:13:57PM -0400, Michael Richardson wrote:
> Wesley, is fopen(/dev/stdin) really the most portal way to get a reference to stdin?
> I'd have thought that doing: VFile=stdin; was the best way?

I fixed this and your other comment about refactoring reading from the file. Please see my latest commit on github.

https://github.com/wxsBSD/tcpdump/commit/4c2790a43252b9cac1fe7f6b50b51c3c55d2370a

--
WXS
Re: [tcpdump-workers] Multifile patch
> > On windows you can't pass 'FILE *' into shared libraries, they are likely to have their own copies of the stdio libraries - with different FILE structures. (eg if one part is compiled with debug enabled).
>
> In this patch, the library into which VFile is being passed is called the C library, i.e., with the patch, we're not passing it to libpcap/WinPcap, we're passing it to fgets(); if you couldn't pass a FILE * to, say, fgets(), the stdio libraries would be completely useless.

Did I miss that this is a tcpdump change, not a pcap one :-(

David
Re: [tcpdump-workers] Multifile patch
On Sep 3, 2012, at 7:13 PM, Michael Richardson wrote:
> Wesley, is fopen(/dev/stdin) really the most portal

(Presumably portable.)

> way to get a reference to stdin?

Definitely not - it will probably work on most modern UN*Xes (Linux, *BSD/OS X, and Solaris; I don't know about HP-UX or AIX), but not on Windows, so it won't work in WinDump.

> I'd have thought that doing: VFile=stdin; was the best way?

Yes.
Re: [tcpdump-workers] Multifile patch
Hi,

On Mon, Sep 03, 2012 at 10:13:57PM -0400, Michael Richardson wrote:
> Wesley, is fopen(/dev/stdin) really the most portal way to get a reference to stdin?

It's about the most complicated way, and guaranteed to be non-portable (no /dev/std* devices on AIX, for example).

> I'd have thought that doing: VFile=stdin; was the best way?

This is well-defined.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [tcpdump-workers] Multifile patch
> On Sep 3, 2012, at 7:13 PM, Michael Richardson wrote:
> > Wesley, is fopen(/dev/stdin) really the most portal
>
> (Presumably portable.)
>
> > way to get a reference to stdin?
>
> Definitely not - it will probably work on most modern UN*Xes (Linux, *BSD/OS X, and Solaris; I don't know about HP-UX or AIX), but not on Windows, so it won't work in WinDump.
>
> > I'd have thought that doing: VFile=stdin; was the best way?
>
> Yes.

I seem to be missing half these mails

On windows you can't pass 'FILE *' into shared libraries, they are likely to have their own copies of the stdio libraries - with different FILE structures. (eg if one part is compiled with debug enabled).

Probably the most portable way is using fdopen(0, ...) that will work in windows - fileno(stdin) is still 0.

David
Re: [tcpdump-workers] Multifile patch
On Sep 4, 2012, at 3:11 AM, David Laight wrote:
> On windows you can't pass 'FILE *' into shared libraries, they are likely to have their own copies of the stdio libraries - with different FILE structures. (eg if one part is compiled with debug enabled).

In this patch, the library into which VFile is being passed is called the C library, i.e., with the patch, we're not passing it to libpcap/WinPcap, we're passing it to fgets(); if you couldn't pass a FILE * to, say, fgets(), the stdio libraries would be completely useless.
Re: [tcpdump-workers] Multifile patch
Wesley, is fopen(/dev/stdin) really the most portal way to get a reference to stdin? I'd have thought that doing: VFile=stdin; was the best way?

Other than that, I think your patch is the best way to implement this. I'd like if we could also handle multiple -r files in exactly the same way.

--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video http://www.youtube.com/watch?v=kzx1ycLXQSE then sign the petition.
Re: [tcpdump-workers] Multifile patch
Wesley == Wesley Shields w...@freebsd.org writes:
> > Since pcap files have no end of file marker, and each file has a header on it, do you look at the beginning of each packet, and see if there is a pcap magic number?

Wesley> I'm not sure I'm parsing this right but...
Wesley> I am using pcap_open_offline() on each file, which should be validating
Wesley> that I'm operating on a pcap file. I also check to ensure
Wesley> that the DLT

Ah, sorry, you wrote:

    find /pcaps -type f | tcpdump -V - -w out.pcap

so you are reading a list of files rather than concatenating them. I had read:

    find /pcaps -type f | xargs cat | tcpdump -V - -w out.pcap

so you'd have a byte stream with multiple pcap headers inline.

Do we support multiple -r flags... no... maybe that's a better fix?

--
Michael Richardson -at the cottage-
Re: [tcpdump-workers] Multifile patch
On Thu, Aug 23, 2012 at 01:27:33PM -0400, Michael Richardson wrote:
> Wesley == Wesley Shields w...@freebsd.org writes:
> > > Since pcap files have no end of file marker, and each file has a header on it, do you look at the beginning of each packet, and see if there is a pcap magic number?
>
> Wesley> I'm not sure I'm parsing this right but...
> Wesley> I am using pcap_open_offline() on each file, which should be validating
> Wesley> that I'm operating on a pcap file. I also check to ensure
> Wesley> that the DLT
>
> Ah, sorry, you wrote:
>
>     find /pcaps -type f | tcpdump -V - -w out.pcap
>
> so you are reading a list of files rather than concatenating them. I had read:
>
>     find /pcaps -type f | xargs cat | tcpdump -V - -w out.pcap
>
> so you'd have a byte stream with multiple pcap headers inline.
>
> Do we support multiple -r flags... no... maybe that's a better fix?

I don't recall that being supported. I'm not sure what it would take to do that either. My approach seemed easy enough to implement.

--
WXS
Re: [tcpdump-workers] Multifile patch
Wesley, it seems like a good idea. I can't look at your patch from the cottage, since I squirt out bits only once a day by walking down the road to where there is some wifi.

Since pcap files have no end of file marker, and each file has a header on it, do you look at the beginning of each packet, and see if there is a pcap magic number?

(pcap-ng doesn't have this problem, and I apologize to the pcap-ng folks for how long it's taken to move towards it)

--
Michael Richardson -at the cottage-
Re: [tcpdump-workers] Multifile patch
On Tue, Aug 21, 2012 at 08:36:12PM -0400, Michael Richardson wrote:
> Wesley, it seems like a good idea. I can't look at your patch from the cottage, since I squirt out bits only once a day by walking down the road to where there is some wifi.

No worries, I'm in no rush on this. Enjoy your time away from the internet.

> Since pcap files have no end of file marker, and each file has a header on it, do you look at the beginning of each packet, and see if there is a pcap magic number?

I'm not sure I'm parsing this right but...

I am using pcap_open_offline() on each file, which should be validating that I'm operating on a pcap file. I also check to ensure that the DLT of every subsequent file matches the DLT of the first file when using this option in conjunction with -w, since we don't want to generate one output file with multiple input DLTs.

--
WXS
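
Added example (not part of the thread and not tcpdump's code): a C program for the two points discussed in the messages above, taking the file list from the existing stdin stream when the argument is "-" and requiring every listed capture to have the first file's link type. The names open_list, pcap_linktype and check_list are hypothetical, and the direct header parse is a stand-in for pcap_open_offline() that accepts only the classic microsecond pcap magic, in either byte order.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* "-" means standard input: reuse the stdin stream instead of fopen("/dev/stdin"). */
FILE *open_list(const char *arg) {
    return strcmp(arg, "-") == 0 ? stdin : fopen(arg, "r");
}

/* Stand-in for pcap_open_offline(): read the 24-byte pcap file header and store
   its link-type field in *lt. Returns 0 for a pcap file, -1 for anything else. */
int pcap_linktype(const char *path, uint32_t *lt) {
    unsigned char h[24];
    uint32_t magic;
    FILE *f = fopen(path, "rb");
    size_t n = f ? fread(h, 1, sizeof h, f) : 0;
    if (f) fclose(f);
    if (n != sizeof h) return -1;              /* unreadable or truncated header */
    memcpy(&magic, h, 4);
    memcpy(lt, h + 20, 4);
    if (magic == 0xd4c3b2a1u)                  /* written on an opposite-endian host */
        *lt = (*lt >> 24) | ((*lt >> 8) & 0xff00u) | ((*lt << 8) & 0xff0000u) | (*lt << 24);
    return (magic == 0xa1b2c3d4u || magic == 0xd4c3b2a1u) ? 0 : -1;
}

/* Read one file name per line from list. Returns the number of files accepted,
   or -1 at the first file that is not pcap or whose DLT differs from the first. */
int check_list(FILE *list) {
    char line[4096];
    uint32_t first = 0, lt;
    int count = 0;
    while (fgets(line, sizeof line, list) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';    /* strip the line ending */
        if (line[0] == '\0') continue;         /* skip blank lines */
        if (pcap_linktype(line, &lt) != 0) return -1;
        if (count++ > 0 && lt != first) return -1;
        first = lt;
    }
    return count;
}

/* Usage: find /pcaps -type f | ./check    (or: ./check list.txt) */
int main(int argc, char **argv) {
    FILE *list = open_list(argc > 1 ? argv[1] : "-");
    return (list != NULL && check_list(list) >= 0) ? 0 : 1;
}
```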