tcpdump Mailing List

Covers the classic tcpdump text-based network sniffer and its libpcap sniffer library component.

Latest Posts

Re: Question about an uninitialized array in bpf_filter Guy Harris (Apr 29)
Only if an invalid BPF program that does a load from a memory location without storing something there first is used as
a filter.

The BPF validator in libpcap doesn't check for that. It would require a dataflow analysis, but perhaps it should check
for that.

Question about an uninitialized array in bpf_filter Michal Ruprich (Apr 29)
Hi,

I was wondering whether the mem[BPF_MEMWORDS] array in function
pcapint_filter_with_aux_data in bpf_filter.c should be initialized? If
the switch hits cases BPF_LD|BPF_MEM or BPF_LDX|BPF_MEM the variables A
or X are filled with random uninitialized data from the array. Is it the
case that this never happens before mem is filled with relevant data? In
all cases, setting it to mem[BPF_MEMWORDS] = {0}; could not hurt probably?

Thanks and...

Re: Dropping support in tcpdump for older versions of libpcap? Denis Ovsienko (Apr 25)
On second thought, the best way to describe the desired result would
be that from the library users' point of view the version macros should
be easy to use correctly and difficult to use incorrectly. This would
justify some inconvenience in the library code, if necessary.

An advantage of correctly sized BCD versions is that two packed integer
values compare in a straightforward way, so every end user does not
have to remember how to...

SITA ECN code is going to retire soon Denis Ovsienko (Apr 25)
Hello all.

The libpcap module in pcap-sita.c has been defunct for a while: there is
no support for "--with-pcap=sita", so the source cannot be compiled by
normal means, and "make pcap-sita.o" makes it clear it would fail to
compile anyway.

I have confirmed with Fulko Hew -- the original contributor of this
code -- that there are no known remaining users of this module. Unless
anybody justifies the need to keep the SITA...

Re: RadioTap Parsing as separate library Ravi chandra (Apr 19)
Hi Guy,

[1] Thanks for the quick response. I went through the examples of
t-shark and some codebase. Looks like it does help in my case.
[2] Regarding others, the RadioTap library is updated in Wireshark and
has more additions in terms of header parsing compared to the
standalone RadioTap library.
[3] "Note that tcpdump has its own code to parse radiotap headers, and
that code doesn't use the Radiotap library.". Thanks for confirmation....

Re: Dropping support in tcpdump for older versions of libpcap? Guy Harris (Apr 19)
...

Presumably meaning that we should export version information in the way GCC and Clang do, rather than in the ways that
Sun/Oracle C, XL C and HP C do, the latter being why we have to go through all that extra pain (they provide a single
#define with the version number components packed in it - or two different defines in different versions as XL C does -
rather than separate #defines for major and minor versions, as GCC and Clang...

Re: Dropping support in tcpdump for older versions of libpcap? Denis Ovsienko (Apr 19)
Specifically, tcpdump tests for particular functions one-by-one and
then enables specific code paths depending on specific HAVE_PCAP_xxxxx
macros. This covers some use cases, however...

First, the solution is not always convenient: every program that uses
libpcap has to make the build-time checks without much assistance from
libpcap headers: i.e. instead of hinging the conditionals on
hypothetical PCAP_HAVE_PCAP_xxxx macros pre-defined (or not)...

Re: RadioTap Parsing as separate library Guy Harris (Apr 15)
If that's all you're doing, is there some reason why you don't just use TShark and do

tshark -T fields -E separator=, -E quote=d -e {radiotap field} -e {another radiotap field} ...

By "Radiotap library files" do you mean this library:

https://github.com/radiotap/radiotap-library

What do you mean by "NOT updated"? Do you mean that the recent commits haven't significantly changed the...

RadioTap Parsing as separate library Ravi chandra (Apr 15)
Hi All experts,

I am planning to create an IEEE 802.11 packet RadioTap parsing
code/library [offline processing of pcap-ng files, decoding each and
every field and writing it to a .csv file].

Meanwhile, before asking, I did my homework of going through the source
code and found the following.

[1] Compared to the Wireshark library, RadioTap library files are NOT
updated in the radiotap-library, so it looks like I have to use the
Wireshark code
[2] I...

xwmzxyduldc jyoung--- via tcpdump-workers (Apr 15)

Re: Dropping support in tcpdump for older versions of libpcap? Michael Richardson (Apr 14)
Guy Harris <gharris () sonic net> wrote:
> A while ago, tcpdump and its configuration script were modified -
> mainly by Bill Fenner, as I remember - so that it didn't require a
> contemporary version of libpcap, and could be built with older versions
> of libpcap.

For instance, I think, the FreeBSD that is JUNOS is an example of that.
I don't know if the libpcap is built in some special way to...

Dropping support in tcpdump for older versions of libpcap? Guy Harris (Apr 12)
A while ago, tcpdump and its configuration script were modified - mainly by Bill Fenner, as I remember - so that it
didn't require a contemporary version of libpcap, and could be built with older versions of libpcap.

The intent, as I remember, was to allow somebody who was using a system that provided both libpcap and tcpdump to build
a more recent version of tcpdump without having to download and build a newer version of libpcap....

Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster) Denis Ovsienko (Apr 03)
s/confidence/convenience/

I knew what I meant, of course.

Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster) Denis Ovsienko (Apr 02)
Let's consider the problem and the solution.

If the host is fully compromised (a remote attacker made themselves the
root user of my computer's OS), there is little point in trying to
game around it. I delete configure, they put the virus into
autogen.sh. I delete autogen.sh, they put the virus into mkdep. I
delete mkdep, they put the virus into Makefile.in. I delete
Makefile.in, they put the virus into CMakeLists.txt. I delete...

Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster) Francois-Xavier Le Bail via tcpdump-workers (Apr 02)
