>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:
Guy> On Mon, Jul 09, 2001 at 12:32:10PM -0700, Jim Mellander wrote:
>> Might be worthwhile adding this exchange to the tcpdump faq...
Guy> It might be, although the correct place to send messages such as
Guy> that is [EMAIL PROTECTED], not [EMAIL PROTECTED], as the
Guy> tcpdump FAQ isn't part of the tcpdump or libpcap source, so changes
Guy> to it aren't patches to the tcpdump or libpcap source.
Sure.
Can you write it up as a Question and an Answer rather than a dialogue.
Guy> As such, I'm forwarding it to tcpdump-workers.
>> > I'm running the tcpdump command below on xxxx & it seems to be
>> leaking > memory (its been running since 7/2 16:09, and its up to 111M
>> in size - > seems to be increasing by 4K every couple of seconds. Any
>> suggestions? > > tcpdump -n -tt -i eth0 '(tcp[2] <4 or tcp[0]<4) and
>> tcp[13] & 18 == 18' > > Looking for SYN/ACK packets, with src or dest
>> port < 1024
>>
>> Run it with -S. Otherwise, tcpdump keeps track of all the connections
>> it has seen so it can generate relative sequence numbers rather than
>> absolute sequence numbers. This looks like a leak, but is in fact
>> just state accumulation.
>>
>>
>> -- Jim Mellander Incident Response Manager Computer Protection Program
>> Lawrence Berkeley National Laboratory (510) 486-7204
>>
>> Your fortune for today is:
>>
>> There is no fool to the old fool. -- John Heywood
Guy> - This is the TCPDUMP workers list. It is archived at
Guy> http://www.tcpdump.org/lists/workers/index.html To unsubscribe use
Guy> mailto:[EMAIL PROTECTED]?body=unsubscribe
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
