Bugtraq mailing list archives
Re: tcpdump under RedHat 6.1
From: ken () VORTEXCORP COM (Ken Lyon)
Date: Sat, 22 Jan 2000 10:38:07 -0000
I found that -n affects the src and dest IPs and -nn will add the port numbers.
Note the newly added second field after the datetime stamp. Courtney and Trojan
PERLs will have to change the line[] array to add 1 to each position _after 0.
line[1] becomes line[2], etc.

...ken

**************************

Another problem is that the -e flag doesn't work correctly. For an outgoing
packet the source MAC address is 0:0:0:0:0:0; for an incoming packet the
destination MAC address is 0:0:0:0:0:1. I have this problem with
tcpdump-3.4-16; with tcpdump-3.4-10 copied from another machine the source and
destination addresses are correct.

John Comeau wrote:
> Another nice gotcha is that -p now means the opposite of its old
> behavior (and what its manpage still reads): rather than disabling
> promiscuous mode, it now enables same (default is now nonpromiscuous -
> all you'll see is your own traffic plus broadcast and multicast) - jc
>
> Renaud Deraison wrote:
> >
> > RedHat 6.1 comes bundled with a modified version of tcpdump, which has
> > the ability to listen on all the interfaces at once, which is nice.
> >
> > However, the output format has changed. Whereas a typical tcpdump
> > line was:
> >
> > time source.port > dest.port:[.....]
> >
> > It is now:
> >
> > time interface > source.port > dest.port:[....]
> > or
> > time interface < source.port > dest.port:[....]
> >
> > If you explicitly ask tcpdump to listen on one interface, the
> > output will be:
> >
> > time > source.port > dest.port:[....]
> > or
> > time < source.port > dest.port:[....]
> >
> > Also, the 'port' is no longer a numeric value. It is taken from
> > /etc/services, even with the -n option set.
> >
> > This new behavior will make a lot of programs that use tcpdump's
> > output panic or produce bogus output. I think shadow is affected,
> > but it's not the only one.
> >
> > I have been looking through the man page, and I could not find an option
> > to issue a backward compatible output. What is worse is that
> > tcpdump --version will show up the same version numbers (3.4) as
> > the older tcpdumps, so this problem will only be detected at runtime.
> >
> > So, if you have written your own custom scripts or if some of the programs
> > you use are relying on tcpdump, then install the tcpdump that comes
> > bundled with RH 6.0, or modify your scripts so that they can handle this
> > modification.
> >
> > -- Renaud
> >
> > (apologies if this was already known)
> >
> > --
> > Renaud Deraison
> > The Nessus Project
> > http://www.nessus.org
>
> --
> John Comeau - Chief Operating Officer
> Dialtone Internet - Extremely Fast Web Systems
> 954-581-0097 fax://954-581-7629
> jcomeau () dialtoneinternet net
> http://www.dialtoneinternet.net

--
François MORRIS
Lab. Minéralogie-Cristallographie, 4, place Jussieu F-75252 PARIS
Phone: +33 (0) 1 44 27 52 42   Fax: +33 (0) 1 44 27 37 85
E-mail: morris () lmcp jussieu fr
URL: http://www.lmcp.jussieu.fr/~morris
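The thread's practical problem is that scripts which index tcpdump's output by fixed field position (Ken's line[1], line[2], ...) break once the RedHat 6.1 build inserts an interface name and/or a direction marker after the timestamp, and once ports come out as /etc/services names instead of numbers. The parser below is an added example written for this archive page; it is not code from Ken, François, Renaud, or from Courtney, Trojan, or Shadow. It locates the "src > dst" pair instead of trusting a fixed offset, so it accepts the classic 3.4 layout and both RH 6.1 layouts, and it resolves named ports back to numbers. The sample lines and the small SERVICES table are constructed for the example (names such as parse_tcpdump_line are the example's own, not a tcpdump or script interface).

```python
import socket

# Constructed sample lines (not taken from the original post), one per layout
# the thread describes: classic 3.4, RH 6.1 all-interfaces (out and in), and
# RH 6.1 with a single interface named explicitly.
SAMPLE_LINES = [
    "10:38:07.123456 10.0.0.5.1234 > 10.0.0.1.80: S 1:1(0) win 512",
    "10:38:07.234567 eth0 > 10.0.0.5.1234 > 10.0.0.1.www: S 1:1(0) win 512",
    "10:38:07.345678 eth0 < 10.0.0.1.www > 10.0.0.5.1234: S 1:1(0) ack 2 win 512",
    "10:38:07.456789 > 10.0.0.5.1234 > 10.0.0.1.www: S 1:1(0) win 512",
]

# Constructed excerpt of /etc/services so the example runs offline. The RH 6.1
# build prints these names even under -n; -nn restores the numbers.
SERVICES = {"www": 80, "http": 80, "ssh": 22, "domain": 53, "telnet": 23}

DIRECTION_MARKERS = ("<", ">")


def split_host_port(token):
    """Split 'host.port' on the last dot. The port part may be a number or a
    service name, so it is returned unchanged as a string."""
    host, sep, port = token.rstrip(":").rpartition(".")
    if not sep:
        raise ValueError("no port in %r" % token)
    return host, port


def port_number(port):
    """Resolve a port field to an int whether tcpdump printed a number or a
    name from /etc/services; None when the name is unknown here and to the OS."""
    if port.isdigit():
        return int(port)
    if port in SERVICES:
        return SERVICES[port]
    try:
        return socket.getservbyname(port)
    except OSError:
        return None


def parse_tcpdump_line(line):
    """Return the fields of one tcpdump text line for any of the layouts
    discussed in the thread:

        time src.port > dst.port: ...              (classic 3.4)
        time iface <dir> src.port > dst.port: ...  (RH 6.1, all interfaces)
        time <dir> src.port > dst.port: ...        (RH 6.1, one interface)

    A script using fixed positions (line[1] == source) breaks on the last two;
    finding the 'src > dst' pair makes the position irrelevant.
    """
    fields = line.split()
    iface = direction = None
    if len(fields) >= 4 and fields[1] in DIRECTION_MARKERS:
        # single-interface RH 6.1 layout: marker directly after the time
        direction, pos = fields[1], 2
    elif len(fields) >= 6 and fields[2] in DIRECTION_MARKERS and fields[4] == ">":
        # all-interfaces RH 6.1 layout: iface, marker, then the src > dst pair
        iface, direction, pos = fields[1], fields[2], 3
    elif len(fields) >= 4:
        # classic layout: the src > dst pair starts right after the time
        pos = 1
    else:
        raise ValueError("too short: %r" % line)
    if fields[pos + 1] != ">":
        raise ValueError("no 'src > dst' pair in %r" % line)
    src_host, src_port = split_host_port(fields[pos])
    dst_host, dst_port = split_host_port(fields[pos + 2])
    return {
        "time": fields[0],
        "iface": iface,
        "direction": direction,
        "src": src_host,
        "sport": port_number(src_port),
        "dst": dst_host,
        "dport": port_number(dst_port),
        "rest": " ".join(fields[pos + 3:]),
    }


def parse_all(lines=SAMPLE_LINES):
    """Parse a sequence of tcpdump lines into normalized records."""
    return [parse_tcpdump_line(line) for line in lines]


if __name__ == "__main__":
    for record in parse_all():
        print(record)
```

Feeding real tcpdump output is a matter of replacing SAMPLE_LINES with lines read from stdin; the point of the direction check is that the classic layout never has a second ">" at field 4, which is what distinguishes an interface name from a source host without guessing at interface naming.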
Current thread:
- Re: tcpdump under RedHat 6.1 John Comeau (Jan 17)
- Re: tcpdump under RedHat 6.1 Francois Morris (Jan 19)
- Re: tcpdump under RedHat 6.1 Ken Lyon (Jan 22)
- Re: tcpdump under RedHat 6.1 Francois Morris (Jan 19)