The simplest way is to spoof the source IP of your packets with that of
another IP on the same subnet which is not in use. That way you can
still send and receive packets, but the kernel won't be a problem.
-Aaron
On Sun, Jul 04, 2004 at 11:10:02PM +, Mustafa Abu Sedera wrote:
> Hi all,
> I
d fix it of course.
>
> Thanks,
> Matt
>
>
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.
--
Aaron Turner http://synfin.net/
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor saf
Uh, I'm sure this is obvious, but why not just use a bpf filter to
restrict what packets get written? At least my experience with SQL
databases is that the insert speed is not going to be fast enough with
anything but the lightest loaded network.
--
Aaron Turner
ch as sold by NetOptics). If you're really cheap, you could run
ettercap to "sniff" on a switch, but I wouldn't run that in a production
network with 300 servers.
Good luck.
- --
Aaron Turner
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The ethernet standard requires that all ethernet frames must be at least
60 bytes long. If the ethernet payload is < 60, then the ethernet card
itself will pad it out to 60 bytes when it sends the packet.
- -Aaron
On Sat, Apr 23, 2005 at 10:59:23PM
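As an added example (my own code, not from this list or from tcpreplay): a C snippet showing both sides of the 60-byte minimum. eth_pad_frame() zero-pads a short frame before injection, with explicit zeros rather than whatever stale bytes the transmit buffer happens to hold; eth_ipv4_padding() shows the mirror-image pitfall on the capture side, where the frame is 60 bytes long but the IP total length says the datagram is shorter, so a parser that trusts the frame length would treat padding as payload. The 42-byte Ethernet/IPv4/UDP frame is constructed for the example, with checksums left at zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN   14
#define ETH_MIN_FRAME 60   /* minimum frame size without the 4-byte FCS */

/* Pad a frame in place to the Ethernet minimum (60 bytes without FCS).
 * Returns the new length, or 0 if the buffer cannot hold 60 bytes.
 * Padding is explicit zeros so nothing stale from the buffer goes on the wire. */
size_t eth_pad_frame(uint8_t *buf, size_t len, size_t cap)
{
    if (len >= ETH_MIN_FRAME)
        return len;
    if (cap < ETH_MIN_FRAME)
        return 0;
    memset(buf + len, 0, ETH_MIN_FRAME - len);
    return ETH_MIN_FRAME;
}

/* For a captured Ethernet/IPv4 frame, return how many trailing bytes are
 * padding rather than IP data: caplen minus (Ethernet header + IP total
 * length). Returns -1 if the frame is not a sane IPv4 frame or the IP
 * header claims more data than was captured. */
int eth_ipv4_padding(const uint8_t *frame, size_t caplen)
{
    if (caplen < ETH_HDR_LEN + 20)
        return -1;
    if (frame[12] != 0x08 || frame[13] != 0x00)      /* EtherType 0x0800 = IPv4 */
        return -1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4)
        return -1;
    size_t ihl = (ip[0] & 0x0f) * 4;
    size_t tot = ((size_t)ip[2] << 8) | ip[3];       /* IP total length, network order */
    if (ihl < 20 || tot < ihl || ETH_HDR_LEN + tot > caplen)
        return -1;
    return (int)(caplen - (ETH_HDR_LEN + tot));
}

/* Constructed sample: 14-byte Ethernet header + 20-byte IPv4 header +
 * 8-byte UDP header with no data = 42 bytes, i.e. below the minimum. */
static const uint8_t sample_frame[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff,            /* dst MAC (broadcast) */
    0x00,0x11,0x22,0x33,0x44,0x55,            /* src MAC */
    0x08,0x00,                                /* EtherType IPv4 */
    0x45,0x00,0x00,0x1c,                      /* v4, IHL 5, total length 28 */
    0x00,0x01,0x00,0x00,                      /* id, flags/fragment offset */
    0x40,0x11,0x00,0x00,                      /* TTL, proto UDP, checksum (zero) */
    0x0a,0x00,0x00,0x01,                      /* 10.0.0.1 */
    0x0a,0x00,0x00,0x02,                      /* 10.0.0.2 */
    0x04,0xd2,0x16,0x2e,0x00,0x08,0x00,0x00,  /* UDP 1234 -> 5678, length 8 */
};

int main(void)
{
    uint8_t buf[ETH_MIN_FRAME];
    memcpy(buf, sample_frame, sizeof sample_frame);
    size_t wire_len = eth_pad_frame(buf, sizeof sample_frame, sizeof buf);
    printf("frame padded from %zu to %zu bytes\n", sizeof sample_frame, wire_len);
    printf("trailing bytes a parser must treat as padding: %d\n",
           eth_ipv4_padding(buf, wire_len));
    return 0;
}
```

On the capture side the same rule applies in reverse: stop at the IP total length, not at the end of the frame, or you will hand 18 bytes of padding to whatever decodes the UDP payload.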
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I think the question is:
Does libpcap do IP defragmentation of fragmented packets?
In which case the answer is, no. The packets are unmodified from how
they are received off the wire.
- -Aaron
On Tue, Apr 26, 2005 at 02:28:22PM +0200, Hannes Gredl
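Since libpcap hands you fragments exactly as they arrived, reassembly is on the application. The following is an added example of my own (not libpcap code and not from the list) of a small IPv4 reassembler that does what a security tool should do with fragments: it rejects overlapping or duplicated byte ranges instead of picking a "first wins" or "last wins" policy, because overlaps are the classic way to show a sniffer one payload and the target host another. The two fragments are constructed for the example, header checksums are not verified, and there is no timeout handling.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_MAX 65535

/* Reassemble one IPv4 datagram from fragments given as bare IP packets
 * (no link-layer header). Fragments must share id, src, dst and protocol.
 * Overlaps, duplicates and holes are rejected. Returns the reassembled
 * payload length, or -1. */
int ipv4_reassemble(const uint8_t *const frags[], const size_t lens[], int nfrags,
                    uint8_t *out, size_t outcap)
{
    static uint8_t seen[IP_MAX];      /* 1 = this payload byte already filled */
    uint8_t key[11];                  /* id(2) + src(4) + dst(4) + proto(1) */
    long total = -1;                  /* known once the MF=0 fragment arrives */
    size_t covered = 0;

    memset(seen, 0, sizeof seen);
    for (int i = 0; i < nfrags; i++) {
        const uint8_t *ip = frags[i];
        if (lens[i] < 20 || (ip[0] >> 4) != 4) return -1;
        size_t ihl = (ip[0] & 0x0f) * 4;
        size_t tot = (size_t)ip[2] << 8 | ip[3];
        if (ihl < 20 || tot < ihl || tot > lens[i]) return -1;
        unsigned fo = (unsigned)ip[6] << 8 | ip[7];
        int mf = (fo >> 13) & 1;                  /* More Fragments flag */
        size_t off = (size_t)(fo & 0x1fff) * 8;   /* offset is in 8-byte units */
        size_t plen = tot - ihl;

        uint8_t k[11];
        memcpy(k, ip + 4, 2); memcpy(k + 2, ip + 12, 8); k[10] = ip[9];
        if (i == 0) memcpy(key, k, sizeof k);
        else if (memcmp(key, k, sizeof k) != 0) return -1;   /* different datagram */

        if (mf && plen % 8) return -1;            /* non-final fragments are 8-byte multiples */
        if (off + plen > IP_MAX || off + plen > outcap) return -1;
        for (size_t b = off; b < off + plen; b++) {
            if (seen[b]) return -1;               /* overlap or duplicate: refuse */
            seen[b] = 1;
        }
        memcpy(out + off, ip + ihl, plen);
        covered += plen;
        if (!mf) {
            if (total >= 0) return -1;            /* two "last" fragments */
            total = (long)(off + plen);
        }
    }
    if (total < 0 || covered != (size_t)total) return -1;  /* tail missing or a hole */
    return (int)total;
}

/* Constructed sample: one UDP datagram with 12 payload bytes, split into an
 * 8-byte first fragment (MF=1, offset 0) and a 4-byte last fragment
 * (MF=0, offset 1, i.e. byte 8). Header checksums left at zero. */
static const uint8_t frag1[28] = {
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x20,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    'A','B','C','D','E','F','G','H' };
static const uint8_t frag2[24] = {
    0x45,0x00,0x00,0x18, 0x12,0x34,0x00,0x01, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    'I','J','K','L' };

int main(void)
{
    const uint8_t *f[2] = { frag2, frag1 };   /* delivered out of order on purpose */
    size_t l[2] = { sizeof frag2, sizeof frag1 };
    uint8_t out[64];
    int n = ipv4_reassemble(f, l, 2, out, sizeof out);
    printf("reassembled %d bytes: %.*s\n", n, n > 0 ? n : 0, (const char *)out);
    return 0;
}
```

A real implementation keys in-progress datagrams by (id, src, dst, proto) and times them out; the point here is the byte-coverage map, which makes overlap detection a one-line check.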
ed there you'll have to do yourself.
- -Aaron
On Wed, Apr 27, 2005 at 11:04:17AM -, soumya r wrote:
> Hello,
> I am doing a sniffer program using "libpcap" as part of my project.
> How can I display the 'packet payload' in 'HEX' and 'ASCII
You can also check this list's archives to see
if your question has already been answered.
Regards,
Aaron
- --
Aaron Turner
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Not sure exactly what you want to do, but you might look at tcpflow.
- --
Aaron Turner
don't use autoconf for this project, anyone have a way of
detecting what version of pcap.h is there? Simple things like:
#ifndef D_IN
#define D_IN PCAP_D_IN
#endif
aren't going to work.
--
Aaron Turner
On 2/27/06, dean gaudet <[EMAIL PROTECTED]> wrote:
> On Mon, 27 Feb 2006, Aaron Turner wrote:
>
> > Well looks like sometime in libpcap 0.9.x, pcap.h changed the enum for
> > direction_t to pcap_direction_t and the enumerated types within.
> > While I can understand
her use the TCP timestamp option on a
socket() or use libnet to generate raw packets and put your timestamp
in the payload.
Btw, you do know that there are already tools which do this right???
things like iperf and netperf.
--
Aaron Turner
On 3/1/06, J S <[EMAIL PROTECTED]>
Hate to follow up, but realized a mistake... NICs with TCP offload
engines in hardware may put the TCP timestamp option in the header.
I know from a co-worker that the Nvidia TOE chipset does for example.
On 3/1/06, Aaron Turner <[EMAIL PROTECTED]> wrote:
> No, NIC's don&
f you have hosts on the other side of a router for example).
--
Aaron Turner
On 3/21/06, J S <[EMAIL PROTECTED]> wrote:
[snip]
> Does pcap header contain information about sender/receiver or is it
> possible to parse the header to get this info?
ace that a libpcap handle is bound to. Anyone have any hints or
ideas of how to do this?
Thanks,
Aaron
--
Aaron Turner
al_to_name(pcap_datalink(pcap_dump)));
returns the string: (null)
I've tried using pcap_set_datalink() on pcap_dump, but it returns the error:
EN10MB is not one of the DLTs supported by this device
How do I get this to work?
Thanks,
Aaron
--
Aaron Turner
s 100 bytes and the first packet header caplen and len are
390 bytes.
Thanks,
Aaron
--
Aaron Turner
lue and the maximum caplen, in the right
byte order, in the snaplen field.
Yeah, definitely doable. Is there a way to detect this situation via
libpcap? I'd like to gracefully handle this issue rather than expect
my users to notice that things aren't right.
--
Aaron Turner
On 11/30/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote:
On 2006-12-01 01:28, Guy Harris wrote:
> On Nov 30, 2006, at 1:08 PM, Aaron Turner wrote:
>> Unfortunately, I don't know where or how these pcap files were
>> generated, so I don't know what's causing th
this
is happening. And telling people "run this tool to fix your pcap" is
only useful if they know this is why it's broken.
Honestly, I haven't taken a close enough look to see what the effort
would be to "fix" this as I've described, but if I submitted a p
On 12/5/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote:
Aaron Turner wrote:
> Storing (or processing) the snaplen seems to open the door for
> problems with little benefit (the cost of wasting a few thousand bytes
> or incurring the performance penalty of a realloc if the defaul
On 12/5/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote:
Aaron Turner wrote:
> Perhaps I'm confused... how does an application using the libpcap API
> get access to the snaplen? I don't see any way to do that.
int pcap_snapshot (pcap_t *)
Ah... there it is. Doh.
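Through the API, pcap_snapshot() is the answer above. For files on disk it is also easy to check the header directly, which is what the following added example does (my own code, not libpcap's and not from the list): it walks a pcap image in memory, reads the snaplen from the file header, and counts records whose caplen exceeds it, reporting the largest caplen as the buffer size you actually need. It also recognises the second magic number, 0xa1b2cd34, which as I understand it marks the "modified" libpcap file format (the patched libpcap some Red Hat releases shipped) with 8 extra bytes per record header; that detail is my assumption, not something the thread states. The sample image mirrors the case described earlier on the page (snaplen 100, first record 390 bytes) and is constructed with zero-filled packet bodies.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PCAP_MAGIC     0xa1b2c3d4u   /* standard pcap */
#define PCAP_MAGIC_MOD 0xa1b2cd34u   /* "modified" libpcap (assumed: +8 bytes per record) */
#define PCAP_FILE_HDR  24
#define PCAP_REC_HDR   16

struct pcap_check {
    int be;               /* 1 if the file was written big-endian */
    int modified;         /* 1 if the magic is the modified-libpcap one */
    uint32_t snaplen;     /* from the file header */
    uint32_t records;     /* records walked */
    uint32_t oversize;    /* records whose caplen exceeds snaplen */
    uint32_t max_caplen;  /* largest caplen seen: the buffer you really need */
};

static uint32_t rd32(const uint8_t *p, int be)
{
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* Walk an in-memory pcap image. Returns 0 if every record fits inside the
 * image, -1 if the magic is unknown or a record runs past the end.
 * c->oversize says whether the header's snaplen can be trusted as a
 * buffer size; c->max_caplen is the safe value to use instead. */
int pcap_check_snaplen(const uint8_t *data, size_t size, struct pcap_check *c)
{
    memset(c, 0, sizeof *c);
    if (size < PCAP_FILE_HDR) return -1;
    uint32_t magic = rd32(data, 0);
    if (magic != PCAP_MAGIC && magic != PCAP_MAGIC_MOD) {
        magic = rd32(data, 1);
        if (magic != PCAP_MAGIC && magic != PCAP_MAGIC_MOD) return -1;
        c->be = 1;
    }
    c->modified = (magic == PCAP_MAGIC_MOD);
    c->snaplen = rd32(data + 16, c->be);      /* snaplen lives at offset 16 */
    size_t rechdr = PCAP_REC_HDR + (c->modified ? 8 : 0);
    size_t off = PCAP_FILE_HDR;
    while (off + rechdr <= size) {
        uint32_t caplen = rd32(data + off + 8, c->be);   /* ts_sec, ts_usec, caplen, len */
        if (caplen > size - off - rechdr) return -1;     /* record runs past the file */
        c->records++;
        if (caplen > c->snaplen) c->oversize++;
        if (caplen > c->max_caplen) c->max_caplen = caplen;
        off += rechdr + caplen;
    }
    return off == size ? 0 : -1;
}

/* Build a little-endian, DLT_EN10MB pcap image with two records: one of
 * caplen/len `big` and one of 60 bytes, under a file-header snaplen of
 * `snaplen`. Packet bodies are zero filler. Returns the image size, or 0
 * if `cap` is too small. Constructed sample, not a real capture. */
size_t build_sample_pcap(uint8_t *buf, size_t cap, uint32_t snaplen, uint32_t big)
{
    size_t need = PCAP_FILE_HDR + 2 * PCAP_REC_HDR + big + 60;
    if (cap < need) return 0;
    memset(buf, 0, need);
    wr32le(buf, PCAP_MAGIC);
    buf[4] = 2; buf[6] = 4;                  /* version 2.4 */
    wr32le(buf + 16, snaplen);
    wr32le(buf + 20, 1);                     /* linktype 1 = Ethernet */
    size_t off = PCAP_FILE_HDR;
    wr32le(buf + off + 8, big); wr32le(buf + off + 12, big);
    off += PCAP_REC_HDR + big;
    wr32le(buf + off + 8, 60);  wr32le(buf + off + 12, 60);
    return need;
}

int main(void)
{
    static uint8_t img[1024];
    struct pcap_check c;
    size_t n = build_sample_pcap(img, sizeof img, 100, 390);
    int rc = pcap_check_snaplen(img, n, &c);
    printf("rc=%d snaplen=%u records=%u oversize=%u max_caplen=%u\n",
           rc, c.snaplen, c.records, c.oversize, c.max_caplen);
    return 0;
}
```

If oversize is non-zero, size your packet buffers from max_caplen (or just from each record's caplen) rather than from the header, which is the same thing the realloc-on-demand suggestion in the thread amounts to.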
testing
both sniffing and inline devices.
Thanks,
Aaron
--
Aaron Turner
GET=_top>");.doc
0x0080: 756d 656e 742e 7772 6974 6528 223c 494d ument.write("");.doc
0080 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 49 4d ument.write("http://";
This only happens when pkthdr.len != pkthdr.caplen. For the record,
this is libpcap 0.9.5 under OS
Inline...
On 3/20/07, Guy Harris <[EMAIL PROTECTED]> wrote:
Aaron Turner wrote:
> notice the additional 14 bytes in the wireshark decode: "G SRC='http://";
When you say "same packet", do you mean that you ran "tcpdump -XX" on a
capture file, and ran
On 3/20/07, Guy Harris <[EMAIL PROTECTED]> wrote:
Aaron Turner wrote:
> That's an excellent question. The original pcap file is over 3 years
> old, and honestly I don't remember. My guess is that the packets were
> most likely captured using tcpdump using the defa
O is the buggy RH hacked libpcap. If snaplen
= caplen we wouldn't be having this conversation. It would seem
that the bed has already been made, so encouraging applications
writers to handle this better is probably too late if you're not
comfortable with making the change now.
--
Aaron Turner
you don't like, let me know and I'll
be happy to fix it.
Thanks,
Aaron
--
Aaron Turner
On 3/20/07, Aaron Turner <[EMAIL PROTECTED]> wrote:
On 3/20/07, Guy Harris <[EMAIL PROTECTED]&
Oops... pcap.h moved to pcap/pcap.h since 0.9.5... This patch
properly handles that.
--
Aaron Turner
On 3/20/07, Aaron Turner <[EMAIL PROTECTED]> wrote:
Well here's a quick patch (a
e accessible to clients as well
> as used in the dumping process as options.
Only if all apps using libpcap would also use the anonymizing code.
Otherwise, it might be best done as a library of its own.
For what it's worth, if the anonymizing code was a library, I'd be
interested in using
;pcap_next() caplen is off by 14 bytes (L2 len)" thread from last week.
I'd appreciate some feedback so that I can plan to incorporate this
enhancement in my own code.
Thanks,
Aaron
--
Aaron Turner
quot;
COUNTER_SPEC "): %s",
sp->sent + 1, pcap_geterr(sp->handle.pcap));
}
/*
* pcap_sendpacket returns 0 on success, not the packet length!
* hence, as a special case, update the counters here and return len
*/
sp->bytes_sent += len;
sp->se
ly something
someone should look into further.
--
Aaron Turner
On 3/31/07, Aaron Turner <[EMAIL PROTECTED]> wrote:
Odd problem under OS X:
I've tried using both pcap_inject() and pcap_sendpacke
On 4/1/07, Guy Harris <[EMAIL PROTECTED]> wrote:
I've checked into the main and x.9 branches a change that sets the
pcap_t's snaplen value to 14 more than the value from the file header if
the capture was an Ethernet capture with the modified libpcap (based on
the magic number). This isn't idea
My code is indeed based on the libnet code and does not use
BIOCSHDRCMPLT on OS X.
Looks like I'll need to see if my contacts @ Apple can get this bug
fixed. Thanks for the info Guy.
--
Aaron Turner
Bug ID# 5108045
I'm going to see if I can get one of my contacts at apple to nudge it
along in the system. Unfortunately, neither of them work with the OS
X kernel, so not sure what they can do.
-Aaron
On 4/3/07, Guy Harris <[EMAIL PROTECTED]> wrote:
Aaron Turner wrote:
> L
owever, if you really want to
"replay" those packets, look at tcpreplay.
--
Aaron Turner
it happen.
--
Aaron Turner
On 4/22/07, Guy Harris <[EMAIL PROTECTED]> wrote:
Aaron Turner wrote:
> FYI, I've opened another ticket with apple (Bug ID# 5152213) regarding
> pcap_findalldevs(). Short story is that calling pcap_findalldevs()
> causes the builtin wifi on my MacBook Pro (10.4.9) to disass
a variety of limitations in the API which made it a non-starter for
me. YMMV.
--
Aaron Turner
cat VERSION
0.9.5
cat version.h
static const char pcap_version_string[] = "libpcap version 0.9.5";
Unfortunately this creates a variety of issues for people who try to
detect which version of libpcap is installed.
--
Aaron Turner
Did 0.9.7 go out? I don't see it on www.tcpdump.org.
-Aaron
On 6/21/07, Ken Bantoft <[EMAIL PROTECTED]> wrote:
We'll kick out a 0.9.7 tomorrow, since I'll be next to mcr and we and
co-ordinate and sign the release.
On 21-Jun-07, at 5:44 PM, Aaron Turner wrote:
> cat
direction of traffic (outbound I think), and again no vlan tags.
Is it not possible to sniff traffic with the vlan tags if the traffic
is destined or generated by the host? Or do I need to upgrade
something?
Thanks,
Aaron
--
Aaron Turner
et starting from the byte SUM in the
> dump file? (a seek on the dumped file)... I found no function that does this in
> the libpcap code.
>
> Can someone give me some hints?
> Giovanni
--
Aaron Turner
hand please?
Look at tcpbridge: http://tcpreplay.synfin.net/
If it doesn't do what you want, you should be able to hack the code.
--
Aaron Turner
ll() because my code listens on multiple interfaces, hence I need a
way to look at multiple pcap handles.
Questions basically boil down to:
1) Is this expected?
2) Is there a better way?
Thanks,
Aaron
--
Aaron Turner
On Thu, Nov 13, 2008 at 1:34 PM, Ben Greear <[EMAIL PROTECTED]> wrote:
> Aaron Turner wrote:
>>
>> I've been told by an end user under Linux 2.6.x at least that, he's
>> seeing very high CPU utilization numbers with tcpbridge which uses
>> libpcap to
sue my application has is that since it sends &
receives traffic on an interface, every packet I send I usually end up
reading. I know some OSes support pcap_setdirection() which helps,
but last time I checked I don't think Linux is one of them since
libpcap uses PF_PACKET on the bac
however.
Interesting... Right now I'm using different handles for read & write
so I see packets I send. Obviously not ideal, but if I could use the
same handle for read & write that would help out a lot.
--
Aaron Turner
address of the interface which is currently required for my
implementation, so tcpbridge is disabled under windows. doh.
--
Aaron Turner
On Thu, Nov 13, 2008 at 9:38 PM, Ben Greear <[EMAIL PROTECTED]> wrote:
> Aaron Turner wrote:
>>
>> On Thu, Nov 13, 2008 at 8:15 PM, Ben Greear <[EMAIL PROTECTED]>
>> wrote:
>>
>>>
>>> I guess you have some way of knowing you are reading a p
network with a 10/100Mbps NIC
- Some of the frames are Jumbo frames and your NIC doesn't support them
Again, this isn't a complete list, but gives you some things to look into.
--
Aaron Turner
ces
> - and, in the case of Mac OS X, where poll() doesn't work *at all* on
> "character" devices such as BPF devices or ttys).
Sorry to hijack the thread... but this begs the question:
What is the solution on *BSD/OS X where you want a timeout or need to
listen on multiple
nt and hence I've pretty much punted on this for
tcpreplay. Many combinations appear not to be possible. What I would
recommend you look at is lorcon or libradiate to actually inject
frames onto 802.11 networks.
Maybe one of these days I'll use lorcon in tcpreplay, but my access to
hardware
problem than missing packet data in most real
world situations.
--
Aaron Turner
/IP stack and application do not receive the packet. The exact same
>>> packet works on Windows (with WinPcap). Is this not possible?
>>>
>>> Thanks,
>>> Oliver
>
--
Aaron Turner
On Mon, Feb 23, 2009 at 1:17 PM, Oliver Zheng
wrote:
> Thanks for the response Aaron.
>
> On Mon, Feb 23, 2009 at 11:34 AM, Aaron Turner wrote:
>> In my experience, sending packets on eth0 causes the packet to bypass
>> the TCP/IP stack and be sent out sight unseen. Hence,
On Mon, Feb 23, 2009 at 1:55 PM, Guy Harris wrote:
>
> On Feb 23, 2009, at 1:29 PM, Aaron Turner wrote:
>
>> tcpdump/Wireshark will show you the Linux SLL header.
>
> ...although that's not the format of the link-layer header on packets on the
> Linux loopback inter
ystems (I don't
think it's fully cross platform) you can use
pcap_setdirection(). In other cases, writing a BPF filter to look for
packets with a source MAC of the listening host is good enough to get
outbound only, while looking for anything else is good enough for
inbound.
t work that way.
pcap_setdirection() is for limiting what packets are *read* by libpcap
and has nothing to do with packet injection.
--
Aaron Turner
On Sat, Mar 28, 2009 at 3:46 AM, David H. Lynch Jr. wrote:
> Thanks;
> How does one use pcap to transmit to both the net and the local host ?
> This seems to work with winpcap in colinux.
I'm not aware of any way to do that with libpcap.
--
Aaron Turner
oding
> part ?
--
Aaron Turner
eader->ip_v);
>
> printf("Source IP: %s \n",inet_ntoa(ipHeader->ip_src));
>
--
Aaron Turner
gt; terminates with a -1, which indicates an internal error .
>
>
> Am i correct ?.
>
>
> How can i know the exact error message, as we are not passing any errorbuff
> we can't use it rt?.
pcap_geterr()?
--
Aaron Turner
use?
libpcap (or winpcap under Windows). You will need to decode the
packet yourself to get the IP address information though.
--
Aaron Turner
interface(s) and IP(s) (and maybe other
> useful info).
Sorry, but that information isn't stored in pcap files.
--
Aaron Turner
3
before writing. You can do that yourself or steal my tcpedit code
from tcpreplay. One of these days I'll make it a standalone library,
but haven't found the time.
--
Aaron Turner
sn't allow you to change the protocol field, so
you'll have to specify a new ethernet header in full via the --user-dlink
option.
--
Aaron Turner
ump uses libpcap which uses the
PF_PACKET socket API to read frames.
--
Aaron Turner
to dive any deeper as I was able to work
around it. You probably have two choices:
1) Contact the linux-kernel developers and offer up a patch to fix the
problem
2) Use epoll or threads with libpcap/PF_PACKET to listen on multiple network
interfaces
--
Aaron Turner
y PCAP version to the LATEST. Is there any
> document in that pattern?
You need to download the latest code and look in that CHANGES file.
--
Aaron Turner
ap
2. Forwards packets between them
3. Filters packets out to prevent replay loops caused by seeing the
packets you send (basically implements a learning bridge where it
learns which MAC addresses live on each segment)
All you'd have to do is add your firewall logic to decide what packets to
n possible as it will improve
performance a good deal.
--
Aaron Turner
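The learning-bridge behaviour described a few messages up (learn which MAC lives on which segment, and drop the copies of your own injected frames that the listening handle reads back) fits in a few dozen lines. The following is an added example of my own, a sketch of that logic and not tcpbridge's code: bridge_decide() learns the source MAC on the segment the frame arrived on, drops a frame whose source is already known on the other segment (that is our own forwarded copy coming back, which would otherwise loop forever), drops unicast traffic whose destination is local to the arriving segment, and forwards everything else. The MAC addresses and 14-byte frames are constructed for the example. There is no aging and the table refuses new entries when full, which is the conservative answer to a MAC-flooding attacker.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAC_LEN  6
#define MAX_MACS 256
enum { SEG_A = 0, SEG_B = 1 };
enum { BR_DROP = 0, BR_FORWARD = 1 };

struct mac_entry { uint8_t mac[MAC_LEN]; int seg; };
struct bridge    { struct mac_entry tbl[MAX_MACS]; int n; };

static int mac_is_group(const uint8_t *mac) { return mac[0] & 1; } /* multicast/broadcast */

static struct mac_entry *lookup(struct bridge *br, const uint8_t *mac)
{
    for (int i = 0; i < br->n; i++)
        if (memcmp(br->tbl[i].mac, mac, MAC_LEN) == 0) return &br->tbl[i];
    return NULL;
}

/* Record that `mac` was seen on `seg`. Returns -1 when the table is full,
 * which is what a MAC-flooding attacker is trying to cause; refusing to
 * learn keeps known hosts on their segment instead of evicting them. */
int bridge_learn(struct bridge *br, const uint8_t *mac, int seg)
{
    struct mac_entry *e = lookup(br, mac);
    if (e) { e->seg = seg; return 0; }
    if (br->n >= MAX_MACS) return -1;
    memcpy(br->tbl[br->n].mac, mac, MAC_LEN);
    br->tbl[br->n].seg = seg;
    br->n++;
    return 0;
}

/* Decide what to do with a frame captured on `in_seg`.
 *  - A source MAC already known on the *other* segment is a frame we just
 *    injected there and are now reading back: drop it, or it loops forever.
 *  - A unicast destination known on this same segment is local: drop.
 *  - Everything else (unknown or group destination) is forwarded.
 * No aging, so a host that physically moves segments stays blocked until
 * the table is reset; a real bridge ages entries out. */
int bridge_decide(struct bridge *br, int in_seg, const uint8_t *frame, size_t caplen)
{
    if (caplen < 2 * MAC_LEN) return BR_DROP;           /* runt: no addresses */
    const uint8_t *dst = frame, *src = frame + MAC_LEN;
    if (mac_is_group(src)) return BR_DROP;              /* group source is never valid */
    struct mac_entry *s = lookup(br, src);
    if (s && s->seg != in_seg) return BR_DROP;          /* our own echo */
    bridge_learn(br, src, in_seg);
    struct mac_entry *d = mac_is_group(dst) ? NULL : lookup(br, dst);
    if (d && d->seg == in_seg) return BR_DROP;          /* local traffic */
    return BR_FORWARD;
}

/* Constructed sample addresses and a minimal 14-byte frame builder. */
static const uint8_t MAC_A[MAC_LEN]     = { 0x00,0x0a,0x0a,0x0a,0x0a,0x0a };
static const uint8_t MAC_B[MAC_LEN]     = { 0x00,0x0b,0x0b,0x0b,0x0b,0x0b };
static const uint8_t MAC_C[MAC_LEN]     = { 0x00,0x0c,0x0c,0x0c,0x0c,0x0c };
static const uint8_t MAC_BCAST[MAC_LEN] = { 0xff,0xff,0xff,0xff,0xff,0xff };

void make_frame(uint8_t frame[14], const uint8_t *dst, const uint8_t *src)
{
    memcpy(frame, dst, MAC_LEN);
    memcpy(frame + MAC_LEN, src, MAC_LEN);
    frame[12] = 0x08; frame[13] = 0x06;                  /* EtherType ARP, arbitrary */
}

int main(void)
{
    struct bridge br = { 0 };
    uint8_t f[14];
    make_frame(f, MAC_BCAST, MAC_A);
    printf("A -> broadcast seen on A: %d (1 = forward)\n", bridge_decide(&br, SEG_A, f, 14));
    printf("same frame read back on B: %d (0 = drop)\n", bridge_decide(&br, SEG_B, f, 14));
    return 0;
}
```

In a pcap-based bridge, bridge_decide() sits between pcap_next()/pcap_dispatch() on one handle and pcap_inject()/pcap_sendpacket() on the other; the echo rule is what replaces pcap_setdirection() on platforms that lack it.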
t; performance a good deal.
>
> That's pcap_setdirection, yes? Thanks!
yep.
--
Aaron Turner
ine, so more of a FYI
than anything.
--
Aaron Turner
On Tue, Oct 27, 2009 at 11:55 AM, Jung-uk Kim wrote:
> On Friday 25 September 2009 01:18 am, Aaron Turner wrote:
>> I've got a user of tcpreplay having issues where his interfaces are
>> not being returned via pcap_findalldevs() under FreeBSD 7.2 using
>> libpcap 0.9.
On Wed, Oct 28, 2009 at 9:27 AM, Wesley Shields wrote:
> On Wed, Oct 28, 2009 at 10:57:33AM -0400, Wesley Shields wrote:
>> On Tue, Oct 27, 2009 at 12:00:04PM -0700, Aaron Turner wrote:
>> > On Tue, Oct 27, 2009 at 11:55 AM, Jung-uk Kim wrote:
>> > > On Friday 25
you've provided, I'm going to guess your code is the
problem. I don't see this problem with tcpbridge which does the same
thing.
--
Aaron Turner
could just use tcpbridge: http://tcpreplay.synfin.net/trac/wiki/tcpbridge
--
Aaron Turner
tional Space
Station). So unless you're coding for something really really
obscure/obsolete I wouldn't worry about manually providing the FCS.
--
Aaron Turner
y svnserve. Contact
me directly.
If you have any questions, let me know!
--
Aaron Turner
at all,
> but it's a convenient fiction.
>
> Does this seem like a plausible strategy? Or am I heading off into the
> weeds?
Totally reasonable. And easier than you think. You don't need to do
the ethernet CRC and you should set the UDP checksum to 0x0 which is
always v
can then drop the packets that I want to
> drop).
>
>
>
> Thank you for your kind attention,
>
Look at libdnet. It has a cross platform API to modify the firewall
rules on various OSes to drop packets.
--
Aaron Turner
it could be handled properly, but I can't
think of a way off hand of determining the correct timestamp values
post-capture time.
Thanks,
Aaron
--
Aaron Turner
e in full
here:
http://tcpreplay.synfin.net/browser/branches/3.4/src/common/tcpdump.c
Thanks,
Aaron
--
Aaron Turner
On Mon, Aug 23, 2010 at 12:08 PM, Guy Harris wrote:
>
> On Aug 22, 2010, at 4:15 PM, Aaron Turner wrote:
>
>> Long story short, tcpreplay allows users to replay traffic in "verbose
>> mode" which basically involves forking tcpdump and writing each packet
>>
or configure args for the current
libpcap/tcpdump MacPorts builds (1.1.1/4.1.1) so maybe something
changed?
libpcap is building with: -arch x86_64 -arch i386
I tried:
CFLAGS="-arch x86_64 -arch i386" ./configure
for tcpdump, but still no worky.
ideas?
On Mon, Aug 23, 2010 at 1:44 PM, A
Grrr, it's "git pull" not "git fetch". libpcap tree was out of date
and that seems to be the cause of the problem. Thanks for the help,
sorry about the crappy bug report.
--
Aaron Turner
via a SPAN port on a switch.
--
Aaron Turner
asier to ship libnet too,
especially since there are two common versions out in the wild with
different and incompatible API's.
Many people, myself included just allocate a buffer and fill out the
packet headers manually. Depending on how complicated the packet is,
it's pretty easy to
manually going through it looking for IP addresses.
You might try grepping through the PDML as well and check for any
misses. Obviously though, even wireshark doesn't decode every
protocol fully so even that isn't 100% but at least it'll get you most
of the way there.
--
Aaron Turner
erceived or real limitation in
the real libpcap library. Of course, the user almost always points
out "Well it looks just fine in Wireshark!"
Long story short, adding features like this to libpcap IMHO is likely
to reduce the need for others to reinvent the wheel and the inevitable
creat
affic via
tcpreplay/libpcap is done in a way which avoids all processing by the
sending host's IP stack. For example, tcpreplay skips outbound
firewall rules and traffic sent is never "seen" by the sending host,
even if the destination MAC/IP is for that host.
Again, this is platf
, then I'd
have to guess that the classification rules you're using don't match
the traffic. No idea if it matters, but make sure your IP checksums
are correct. When you captured the traffic, outbound traffic may have
the wrong checksums.
Other than that, may want to ask the traffi
e open a ticket at http://tcpreplay.synfin.net and attach a
sample pcap.
--
Aaron Turner
said before, I didn't even know what you were
talking about. :)
--
Aaron Turner
other host, 3rd host sniffs the packets using pcap library. This will
> enable us to sniff the packets. I am on the Ubuntu platform.
>
--
Aaron Turner
k layer protocol
> is being used (the DLT). If it is an Ethernet network, you can strip the
> ethernet header doing:
>
> payload=packet + 14
>
> where 14 is the length of the Ethernet header. If you are not on an
> ethernet network, you have to replace that
ts you send are likely to be seen on the way out by the
listening pcap handle so you may want to filter them out (perhaps
filtering on source MAC).
--
Aaron Turner
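The "payload = packet + 14" advice just above, and the earlier question on this page about displaying a packet's payload in hex and ASCII, both come down to the same small decoder. The following is an added example of my own (not code from the list, libpcap or tcpreplay): find_payload() walks Ethernet (with an optional 802.1Q tag, which turns the 14 into 18), a variable-length IPv4 header and a variable-length TCP header to the transport payload, bounding every step by caplen rather than the on-wire length so a truncated capture (caplen < len, as discussed elsewhere on this page) can never make the caller read past the buffer, and stopping at the IP total length so Ethernet padding is not reported as data; hexdump_line() then renders it in the tcpdump -X layout. The 74-byte tagged Ethernet/IPv4/TCP frame is constructed for the example, with checksums left at zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_VLAN 0x8100

/* Locate the transport payload in a captured Ethernet frame.
 * Returns its offset and stores its length in *plen, or -1 if the frame
 * is not IPv4 over TCP/UDP or is too short to decode safely. */
int find_payload(const uint8_t *pkt, size_t caplen, size_t *plen)
{
    size_t off = 12;                                  /* EtherType follows the two MACs */
    if (caplen < off + 2) return -1;
    unsigned type = pkt[off] << 8 | pkt[off + 1];
    off += 2;
    if (type == ETHERTYPE_VLAN) {                     /* 802.1Q: TCI then the real type */
        if (caplen < off + 4) return -1;
        type = pkt[off + 2] << 8 | pkt[off + 3];
        off += 4;
    }
    if (type != ETHERTYPE_IP || caplen < off + 20) return -1;
    const uint8_t *ip = pkt + off;
    if ((ip[0] >> 4) != 4) return -1;
    size_t ihl = (ip[0] & 0x0f) * 4;                  /* IP header length from IHL */
    size_t tot = (size_t)ip[2] << 8 | ip[3];          /* IP total length */
    if (ihl < 20 || tot < ihl || caplen < off + ihl) return -1;
    size_t ip_end = off + tot;                        /* datagram ends here, not at frame end */
    if (ip_end > caplen) ip_end = caplen;             /* truncated capture: clamp to what we have */
    size_t hlen;
    if (ip[9] == 6) {                                 /* TCP: data offset in 32-bit words */
        if (caplen < off + ihl + 20) return -1;
        hlen = (pkt[off + ihl + 12] >> 4) * 4;
        if (hlen < 20) return -1;
    } else if (ip[9] == 17) {                         /* UDP: fixed 8-byte header */
        hlen = 8;
    } else {
        return -1;
    }
    size_t poff = off + ihl + hlen;
    if (poff > ip_end) return -1;
    *plen = ip_end - poff;
    return (int)poff;
}

/* Format up to 16 bytes as one tcpdump -X style line,
 * "0xOOOO:  hhhh hhhh ... hhhh  ASCII". Needs at least 80 bytes in `out`.
 * Returns the number of characters written, or -1. */
int hexdump_line(const uint8_t *p, size_t n, size_t offset, char *out, size_t outcap)
{
    if (outcap < 80 || n > 16) return -1;
    char *w = out;
    w += sprintf(w, "0x%04zx: ", offset);
    for (size_t i = 0; i < 16; i++) {
        if (i % 2 == 0) *w++ = ' ';                   /* group hex in 16-bit pairs */
        if (i < n) w += sprintf(w, "%02x", p[i]);
        else { *w++ = ' '; *w++ = ' '; }              /* keep the ASCII column aligned */
    }
    *w++ = ' '; *w++ = ' ';
    for (size_t i = 0; i < n; i++)
        *w++ = isprint(p[i]) ? (char)p[i] : '.';
    *w = '\0';
    return (int)(w - out);
}

/* Constructed sample: Ethernet + 802.1Q tag (VLAN 100) + IPv4 + TCP with a
 * 16-byte payload, 74 bytes in all. Checksums are left at zero. */
static const uint8_t sample[74] = {
    0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xaa,0xbb,   /* dst, src MAC */
    0x81,0x00, 0x00,0x64,  0x08,0x00,                                /* 802.1Q VLAN 100, IPv4 */
    0x45,0x00,0x00,0x38, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,   /* IPv4, total len 56, TCP */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,                        /* 10.0.0.1 -> 10.0.0.2 */
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,   /* TCP 1234 -> 80 */
    0x50,0x18,0x00,0xff, 0x00,0x00,0x00,0x00,                        /* data offset 5, PSH|ACK */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n',
};

int main(void)
{
    size_t plen = 0;
    char line[96];
    int poff = find_payload(sample, sizeof sample, &plen);
    if (poff < 0) { puts("not IPv4/TCP|UDP"); return 1; }
    for (size_t i = 0; i < plen; i += 16) {
        size_t n = plen - i < 16 ? plen - i : 16;
        hexdump_line(sample + poff + i, n, i, line, sizeof line);
        puts(line);
    }
    return 0;
}
```

The same function with caplen set to 66 instead of 74 still returns offset 58 but reports an 8-byte payload: the decode degrades to what was captured instead of reading 8 bytes past the end of the buffer, which is the whole point of bounding by caplen.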
r system. Hence I'd copy tcpdump to a special location and
do:
cp tcpdump tcpdump.root
chmod 750 tcpdump.root
chown root tcpdump.root
chmod u+s tcpdump.root
chgrp tcpdump tcpdump.root
and then anyone in the 'tcpdump' group can run the tcpdump.root binary
without needing to be root.
--
Aaron Turner