Snort mailing list archives

Re: [Snort-devel] OT-ish: libpcap apps on x86_64


From: Phil Wood <cpw () lanl gov>
Date: Tue, 26 Jul 2005 18:07:15 -0600

Alex,

Please try the release at:

 http://public.lanl.gov/cpw/

The current libpcap release can be obtained using the following:

  wget http://public.lanl.gov/cpw/libpcap-0.9.20050722.tar.gz

This release works on linux 2.6.12 x86_64 as well as other releases of
linux. The current tcpdump at tcpdump.org builds with this library.
Please let me know if it does not work for you on a linux/64bit machine.

In particular it fixes the problem described below:

  11:58:02.000182 [|ether]
  ...

Sorry about that.

Special thanks to Steve Miller and Daniel Black whose comments led to the
mmap based packet capture working on linux 64bit architectures and for
eliminating the PROT_EXEC on mmap calls. Also a special kudo for Kyle
Wheeler who pointed out a problem with passing the header structure back
to the callback in pcap_ring_recv. These fixes, and a few updates to get
more or less in line with tcpdump.org, should allow the mmap pcap to
function on an Opteron system running linux. 

If I ever master RPM manufacturing techniques, I'll have Alex to thank
for it.  At this juncture, there is no linux "package" for the mmap 
libpcap.  You just get the tar ball, extract some place, sh bootstrap,
./configure [with appropriate prefix and possibly enable-shared] and
read the .warrantee.  Actually, you should read the warrantee first.

You can double your ring buffer by installing the patch provided by
Ulisses Alonso Camaro.  Read about MMAP mode in the linux kernel
Documentation/networking/packet_mmap.txt file.  Then get the patch.
It comes for free with debian kernel releases after approximately 2.4.25.
See http://pusa.uv.es/~ulisses/packet_mmap/ for the document as well as
the patches for the 2.4 and 2.6 kernel (if you do not already have them!).

Later,

On Tue, Jul 26, 2005 at 12:11:50PM +0100, Alex Butcher, ISC/ISYS wrote:
Hi -

I'm having some problems with Phil Wood's libpcap on CentOS 4.1/x86_64 (a 
Free RHEL 4U1 clone for those not in the loop!). I've built i386 and x86_64 
RPMs of libpcap, and installed them:

# rpm -qil libpcap.i386 libpcap.x86_64
Name        : libpcap                      Relocations: /usr
Version     : 1.0.20050129                      Vendor: (none)
Release     : 9.RHEL4.uobnids1              Build Date: Mon 25 Jul 2005 16:49:46 BST
Install Date: Tue 26 Jul 2005 11:06:11 BST      Build Host: xxx.bristol.ac.uk
Group       : Development/Libraries         Source RPM: tcpdump-3.8.2-9.RHEL4.uobnids1.src.rpm
Size        : 424623                           License: BSD
Signature   : DSA/SHA1, Mon 25 Jul 2005 16:49:46 BST, Key ID 2a598db7552ee4e4
URL         : http://www.tcpdump.org
Summary     : A system-independent interface for user-level packet capture.
Description :
Libpcap provides a portable framework for low-level network
monitoring. Libpcap can provide network statistics collection,
security monitoring and network debugging. Since almost every system
vendor provides a different interface for packet capture, the libpcap
authors created this system-independent API to ease in porting and to
alleviate the need for several system-dependent packet capture modules
in each application.

Install libpcap if you need to do low-level network traffic monitoring
on your network.
/usr/include/net
/usr/include/pcap-bpf.h
/usr/include/pcap-namedb.h
/usr/include/pcap.h
/usr/lib/libpcap-0.8.3.so
/usr/lib/libpcap.a
/usr/lib/libpcap.so
/usr/lib/libpcap.so.0
/usr/lib/libpcap.so.0.7
/usr/lib/libpcap.so.0.8
/usr/lib/libpcap.so.0.8.3
/usr/share/doc/libpcap-1.0.20050129
/usr/share/doc/libpcap-1.0.20050129/CHANGES
/usr/share/doc/libpcap-1.0.20050129/LICENSE
/usr/share/doc/libpcap-1.0.20050129/README
/usr/share/man/man3/pcap.3.gz
Name        : libpcap                      Relocations: /usr
Version     : 1.0.20050129                      Vendor: (none)
Release     : 9.RHEL4.uobnids1              Build Date: Mon 25 Jul 2005 16:50:53 BST
Install Date: Tue 26 Jul 2005 11:06:12 BST      Build Host: xxx.bristol.ac.uk
Group       : Development/Libraries         Source RPM: tcpdump-3.8.2-9.RHEL4.uobnids1.src.rpm
Size        : 520887                           License: BSD
Signature   : DSA/SHA1, Mon 25 Jul 2005 16:50:54 BST, Key ID 2a598db7552ee4e4
URL         : http://www.tcpdump.org
Summary     : A system-independent interface for user-level packet capture.
Description :
Libpcap provides a portable framework for low-level network
monitoring. Libpcap can provide network statistics collection,
security monitoring and network debugging. Since almost every system
vendor provides a different interface for packet capture, the libpcap
authors created this system-independent API to ease in porting and to
alleviate the need for several system-dependent packet capture modules
in each application.

Install libpcap if you need to do low-level network traffic monitoring
on your network.
/usr/include/net
/usr/include/pcap-bpf.h
/usr/include/pcap-namedb.h
/usr/include/pcap.h
/usr/lib64/libpcap-0.8.3.so
/usr/lib64/libpcap.a
/usr/lib64/libpcap.so
/usr/lib64/libpcap.so.0
/usr/lib64/libpcap.so.0.7
/usr/lib64/libpcap.so.0.8
/usr/lib64/libpcap.so.0.8.3
/usr/share/doc/libpcap-1.0.20050129
/usr/share/doc/libpcap-1.0.20050129/CHANGES
/usr/share/doc/libpcap-1.0.20050129/LICENSE
/usr/share/doc/libpcap-1.0.20050129/README
/usr/share/man/man3/pcap.3.gz

Applications appear to be linking OK:

# ldd /usr/sbin/tcpdump
       libc.so.6 => /lib64/tls/libc.so.6 (0x00000037d7600000)
       /lib64/ld-linux-x86-64.so.2 (0x00000037d7200000)
# ldd /usr/sbin/tethereal
       libwiretap.so.0 => /usr/lib64/libwiretap.so.0 (0x0000002a95583000)
       libethereal.so.0 => /usr/lib64/libethereal.so.0 (0x0000002a956a9000)
       libnetsnmp.so.5 => /usr/lib64/libnetsnmp.so.5 (0x00000037dad00000)
       libelf.so.1 => /usr/lib64/libelf.so.1 (0x00000037d9b00000)
       libcrypto.so.4 => /lib64/libcrypto.so.4 (0x00000037daf00000)
       libgmodule-2.0.so.0 => /usr/lib64/libgmodule-2.0.so.0 (0x00000037da300000)
       libdl.so.2 => /lib64/libdl.so.2 (0x00000037d7400000)
       libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00000037d9900000)
       libm.so.6 => /lib64/tls/libm.so.6 (0x00000037d7900000)
       libpcap-0.8.3.so => /usr/lib64/libpcap-0.8.3.so (0x0000002a96692000)
       libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00000037da900000)
       libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00000037da700000)
       libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00000037da500000)
       libresolv.so.2 => /lib64/libresolv.so.2 (0x00000037d8700000)
       libz.so.1 => /usr/lib64/libz.so.1 (0x00000037d7b00000)
       libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x00000037d8100000)
       libc.so.6 => /lib64/tls/libc.so.6 (0x00000037d7600000)
       libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00000037dab00000)
       /lib64/ld-linux-x86-64.so.2 (0x00000037d7200000)

(that's a version of tethereal that's been rebuilt against the new libpcap, 
but subsequent behaviour is identical even if I use the CentOS-supplied 
tethereal).

But when I try to use it:

# tcpdump -s 1514 -w foo.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes


11 packets captured
11 packets received by filter
0 packets dropped by kernel
# tcpdump -r foo.pcap
reading from file foo.pcap, link-type EN10MB (Ethernet)
11:58:02.000182 [|ether]
11:58:02.000060 [|ether]
11:58:02.000060 [|ether]
11:58:02.000060 [|ether]
11:58:03.000062 [|ether]
11:58:03.000134 [|ether]
11:58:03.000102 [|ether]
11:58:03.000134 [|ether]
11:58:03.000102 [|ether]
11:58:03.000060 [|ether]
11:58:03.000134 [|ether]
# tethereal -r foo.pcap
tethereal: "foo.pcap" appears to be damaged or corrupt.
(pcap: File has 262152-byte packet, bigger than maximum of 65535)

If I uninstall my local packages and revert to CentOS' own:

# rpm -e --nodeps arpwatch tcpdump.i386 tcpdump.x86_64 libpcap.i386 libpcap.x86_64 ethereal ethereal-gnome
[root@vauxhallx ~]# yum install arpwatch tcpdump libpcap ethereal-gnome

[...]

Dependencies Resolved
Transaction Listing:
 Install: arpwatch.x86_64 14:2.1a13-10.RHEL4 - update
 Install: ethereal-gnome.x86_64 0:0.10.11-1.EL4.1 - base
 Install: libpcap.i386 14:0.8.3-9.RHEL4 - base
 Install: libpcap.x86_64 14:0.8.3-10.RHEL4 - update
 Install: tcpdump.i386 14:3.8.2-10.RHEL4 - update
 Install: tcpdump.x86_64 14:3.8.2-10.RHEL4 - update

Performing the following to resolve dependencies:
 Install: ethereal.x86_64 0:0.10.11-1.EL4.1 - base
Total download size: 7.6 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: libpcap 100 % done 1/7
Installing: ethereal 100 % done 2/7
Installing: libpcap 100 % done 3/7
Installing: tcpdump 100 % done 4/7
Installing: arpwatch 100 % done 5/7
Installing: ethereal-gnome 100 % done 6/7
Installing: tcpdump 100 % done 7/7

Installed: arpwatch.x86_64 14:2.1a13-10.RHEL4 ethereal-gnome.x86_64 0:0.10.11-1.EL4.1 libpcap.i386 14:0.8.3-9.RHEL4 libpcap.x86_64 14:0.8.3-10.RHEL4 tcpdump.i386 14:3.8.2-10.RHEL4 tcpdump.x86_64 14:3.8.2-10.RHEL4
Dependency Installed: ethereal.x86_64 0:0.10.11-1.EL4.1
Complete!
[root@vauxhallx ~]# tcpdump -s 1514 -w foo.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes

10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@vauxhallx ~]# tcpdump -r foo.pcap
reading from file foo.pcap, link-type EN10MB (Ethernet)
12:03:12.069506 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 438264354:438264402(48) ack 562433326 win 13056
12:03:12.069938 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 48 win 16608
12:03:12.069965 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 48:160(112) ack 1 win 13056
12:03:12.088801 IP zzz.bris.ac.uk.hsrp > ALL-ROUTERS.MCAST.NET.hsrp: HSRPv0-hello 20: state=active group=0 addr=zzz.bris.ac.uk
12:03:12.188619 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 160 win 16496
12:03:13.076233 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: P 1:81(80) ack 160 win 16496
12:03:13.076328 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 160:208(48) ack 81 win 13056
12:03:13.194539 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 208 win 16448
12:03:13.337582 802.1d config 800a.00:14:69:ZZ:ZZ:ZZ.8004 root 600a.00:12:01:XX:XX:XX pathcost 4 age 1 max 14 hello 2 fdelay 10
12:03:13.564950 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: P 81:161(80) ack 208 win 16448
[root@vauxhallx ~]# tethereal -r foo.pcap
 1   0.000000 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=48
 2   0.000432 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=0 Ack=48 Win=16608 Len=0
 3   0.000459 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=112
 4   0.019295 xxx.xxx.xxx.251 -> 224.0.0.2    HSRP Hello (state Active)
 5   0.119113 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=0 Ack=160 Win=16496 Len=0
 6   1.006727 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa SSH Encrypted request packet len=80
 7   1.006822 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=48
 8   1.125033 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=80 Ack=208 Win=16448 Len=0
 9   1.268076 00:14:69:YY:YY:YY -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 24586/00:12:01:XX:XX:XX  Cost = 4  Port = 0x8004
10   1.495444 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa SSH Encrypted request packet len=80

Anyone got any tips or patches?

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

-- 
Phil Wood (cpw_at-sign_lanl.gov)
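The failure Alex reports, tethereal refusing foo.pcap because a record header claims a 262152-byte packet, is something a capture pipeline can check for before a file reaches an analyst or an IDS. The checker below is an added example, not code from this thread, from libpcap or from tcpdump: it parses the pcap global header and walks the 16-byte record headers, stopping at the first captured length that cannot be right. The sample frames and the corruptions it runs on are constructed in memory. The optional "<qqII" record layout it can emit mimics a writer that copies an LP64 in-memory struct pcap_pkthdr, whose struct timeval members are 64-bit, straight to disk instead of the 32-bit on-disk layout, a known pitfall on 64-bit hosts; whether that is what produced Alex's file the thread does not say.

```python
"""Record-by-record sanity check of a pcap savefile.

Added example, not code from the thread, libpcap or tcpdump. It applies the
check that made tethereal reject foo.pcap: walk the per-record headers and
stop at the first captured length that cannot be right. All sample data is
constructed in memory.
"""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond-resolution timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond-resolution timestamps
MAX_SNAPLEN = 65535          # the hard maximum quoted in the tethereal error
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
DLT_EN10MB = 1               # link-type EN10MB (Ethernet), as in the captures


def parse_global_header(data):
    """Return (struct endian prefix, snaplen) from the 24-byte file header."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    for endian in ("<", ">"):
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file (unknown magic)")
    # magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
    fields = struct.unpack(endian + "IHHiIII", data[:GLOBAL_HDR_LEN])
    return endian, fields[5]


def check_pcap(data):
    """Return a list of (record_number, problem); empty means the file walks cleanly.

    The walk stops at the first impossible length: once incl_len is wrong, the
    offset of every later record is unknown and nothing after it can be trusted.
    """
    endian, snaplen = parse_global_header(data)
    problems = []
    off = GLOBAL_HDR_LEN
    rec = 0
    while off + RECORD_HDR_LEN <= len(data):
        rec += 1
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR_LEN])
        if incl_len > MAX_SNAPLEN:
            problems.append((rec, "incl_len %d exceeds hard maximum %d" % (incl_len, MAX_SNAPLEN)))
            break
        if incl_len > snaplen:
            problems.append((rec, "incl_len %d exceeds file snaplen %d" % (incl_len, snaplen)))
        if incl_len > orig_len:
            problems.append((rec, "incl_len %d exceeds orig_len %d" % (incl_len, orig_len)))
        if off + RECORD_HDR_LEN + incl_len > len(data):
            problems.append((rec, "record data runs past end of file"))
            break
        off += RECORD_HDR_LEN + incl_len
    if not problems and off != len(data):
        problems.append((rec, "%d trailing bytes after the last record" % (len(data) - off)))
    return problems


def build_pcap(packets, snaplen=1514, record_header_fmt="<IIII"):
    """Build a little-endian pcap file from (ts_sec, ts_usec, frame) tuples.

    The default record_header_fmt is the correct on-disk layout (four 32-bit
    fields). "<qqII" mimics dumping an LP64 in-memory struct pcap_pkthdr, with
    64-bit tv_sec/tv_usec, straight to disk; readers then misparse every record.
    """
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, DLT_EN10MB)]
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]
        out.append(struct.pack(record_header_fmt, ts_sec, ts_usec, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def corrupt_record_length(data, record_number, new_incl_len):
    """Overwrite incl_len of one record (constructed corruption for the demo)."""
    endian, _snaplen = parse_global_header(data)
    off = GLOBAL_HDR_LEN
    for _ in range(record_number - 1):
        (incl_len,) = struct.unpack(endian + "I", data[off + 8:off + 12])
        off += RECORD_HDR_LEN + incl_len
    patched = bytearray(data)
    patched[off + 8:off + 12] = struct.pack(endian + "I", new_incl_len)
    return bytes(patched)


# Constructed sample frames: Ethernet header (dst, src, type) plus filler bytes.
SAMPLE_PACKETS = [
    (1122371882, 182, b"\x00\x14\x69\x00\x00\x01" + b"\x00\x12\x01\x00\x00\x02" + b"\x08\x00" + b"\x00" * 46),
    (1122371883, 70000, b"\xff" * 6 + b"\x00\x12\x01\x00\x00\x02" + b"\x08\x06" + b"\x00" * 28),
]

if __name__ == "__main__":
    good = build_pcap(SAMPLE_PACKETS)
    bad = corrupt_record_length(good, 2, 262152)   # the length from the tethereal error
    lp64 = build_pcap(SAMPLE_PACKETS, record_header_fmt="<qqII")
    for name, blob in (("good", good), ("bad", bad), ("lp64", lp64)):
        print(name, check_pcap(blob) or "ok")
```

Run stand-alone it prints `ok` for the well-formed file and the offending record number with a reason for the other two. In the "<qqII" case the reader takes the low word of tv_usec as incl_len and the high word as orig_len, so even a small timestamp fraction becomes a length that disagrees with orig_len and with the bytes actually present, which is why the walk gives up at record 1 rather than reporting a plausible-looking record count.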
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

