Hey gang.

Here's the bug: When tcpdump exits due to a SIGINT or SIGTERM, the
cleanup() function in tcpdump.c is called as the signal handler. This
function does not do a pcap_close() before exit()ing. I'm running
tcpdump 3.6, but verified this bug still exists in 3.6.2.

The impact is this: When a BPF (filter) is used, some of the output is
lost when written to a file. When a bpf is not used, libpcap doesn't seem
to buffer. I'll leave this up to the experts :)

Examples (ugly bash job control stuff snipped) first without a BPF, then
with one:

0:root@ajstats:packetstats# tcpdump -i hme1 -w test & sleep 10; kill %1
tcpdump: listening on hme1
83849 packets received by filter
0 packets dropped by kernel
0:root@ajstats:packetstats# tcpdump -n -r test | wc -l
83870
0:root@ajstats:packetstats# tcpdump -i hme1 -w test tcp & sleep 10; kill %1
tcpdump: listening on hme1
83751 packets received by filter
0 packets dropped by kernel
0:root@ajstats:packetstats# tcpdump -n -r test | wc -l
42987
0:root@ajstats:packetstats# uname -a; tcpdump -h
SunOS ajstats 5.8 Generic_108528-05 sun4u sparc SUNW,UltraSPARC-IIi-cEngine
tcpdump version 3.6
libpcap version 0.6
Usage: tcpdump [-adeflnNOpqStuvxX] [-c count] [ -F file ]
[ -i interface ] [ -r file ] [ -s snaplen ]
[ -T type ] [ -w file ] [ expression ]
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
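
A way to check a savefile directly rather than by comparing packet counts as the post does: the C program below (an added example, not part of the original post and not tcpdump or libpcap code) walks a classic pcap savefile and reports how many complete records it holds and how many bytes trail the last whole record, which is what a writer that stopped without flushing its buffer can leave behind. The function name `pcap_count_records` and the embedded sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample: big-endian header, one whole 4-byte record, one cut short. */
static const unsigned char sample[] = {
    0xa1,0xb2,0xc3,0xd4, 0,2, 0,4, 0,0,0,0, 0,0,0,0, 0,0,0,96, 0,0,0,1,
    0,0,0,1, 0,0,0,0, 0,0,0,4, 0,0,0,4, 0xde,0xad,0xbe,0xef,
    0,0,0,2, 0,0,0,0, 0,0,0,4, 0,0,0,4, 0xde,0xad };

static uint32_t rd32(const unsigned char *p, int be) {  /* be: big-endian file */
    uint32_t a = p[be ? 0 : 3], b = p[be ? 1 : 2], c = p[be ? 2 : 1], d = p[be ? 3 : 0];
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Count complete records in a classic pcap savefile held in buf. Returns -1 on
 * a bad magic; *tail receives the bytes left after the last whole record. */
long pcap_count_records(const unsigned char *buf, size_t len, size_t *tail) {
    size_t off = 24;                              /* global header size */
    long n = 0;
    uint32_t magic = len >= 24 ? rd32(buf, 1) : 0;
    if (magic != 0xa1b2c3d4u && magic != 0xd4c3b2a1u) return -1;
    int be = magic == 0xa1b2c3d4u;                /* byte order of the writer */
    for (; len - off >= 16; n++) {                /* 16-byte per-record header */
        uint32_t incl = rd32(buf + off + 8, be);  /* captured-length field */
        if (incl > len - off - 16) break;         /* payload cut short */
        off += 16 + (size_t)incl;
    }
    *tail = len - off;
    return n;
}

int main(int argc, char **argv) {
    const unsigned char *buf = sample;            /* no argument: use the sample */
    size_t len = sizeof sample, tail = 0;
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (argc > 1 && (!f || fseek(f, 0, SEEK_END) != 0)) { perror(argv[1]); return 2; }
    if (f) {
        long sz = ftell(f);
        unsigned char *m = malloc(sz > 0 ? (size_t)sz : 1);
        rewind(f);
        if (sz < 0 || !m || fread(m, 1, (size_t)sz, f) != (size_t)sz) return 2;
        fclose(f);
        buf = m; len = (size_t)sz;
    }
    long n = pcap_count_records(buf, len, &tail);
    if (n < 0) { fputs("not a classic pcap savefile\n", stderr); return 2; }
    printf("%ld complete records, %zu trailing bytes\n", n, tail);
    return tail != 0;                             /* nonzero: file ends mid-record */
}
```

Run it with the capture file as its only argument; an exit status of 1 means the file ends in a partial record.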