tcpdump mailing list archives

Re: using TCPDump


From: Guy Harris <gharris () sonic net>
Date: Fri, 27 Dec 2002 15:24:56 -0800

On Wed, Dec 25, 2002 at 05:29:07PM -0500, Antonio I. wrote:
> Gharris, first of all, thanks for your answer. I don't know what you
> mean by "if you are running it by yourself". I suppose you don't mean
> the super user account,

What I mean is "are you running it under a normal user's account, or are
you running it as the super-user"?

> which I always am. I am always root.

I.e., you took the effort to turn on the super-user account, and you
always log in as the super-user?  (So that the "id" command reports
"uid=0(root)" - and doesn't report something other than 0 as the EUID?)

OK, although *I* don't do that - I like to run as little stuff as root
as possible.

> (Don't even think about it, I am behind a firewall). What you are
> saying is that I do not have permission to open the bpf devices.

No, what I am saying is that if you aren't running as root you probably
won't have permission to open the BPF devices.

> But how could I not? I think you are aiming at the answer but I don't
> think that this is exactly it. Maybe there is something else (maybe
> there is something wrong with the bpf device files from Apple).

Maybe, but I suspect there's something else wrong - probably something
wrong that's not Apple's fault.

> Let me ask you, what system are you using?

When I typed the commands and entered my original reply, I was using
MacOS X 10.1.  I am currently using FreeBSD 3.4, although my iBook is
also plugged into my home network and running.

> When you first went on to use tcpdump, what did you do to
> get it working?

I typed

        sudo tcpdump

and then, when the MacOS X tcpdump annoyingly selected my inactive
Airport card rather than my active Ethernet interface, typed

        sudo tcpdump -i en0

instead.

(That was the tcpdump that comes with MacOS X; I just now compiled
libpcap 0.7.1 and tcpdump 3.7.1, and it selects en0 by default.)

> Did something similar happen to you?

No, I had no problems whatsoever (other than having to tell the MacOS X
tcpdump to use en0 rather than en1) - it certainly didn't tell me that
it didn't find any devices.

I'd suggest you do

        ifconfig -a

to get a list of the network devices, and then try running tcpdump with
the "-i" flag specifying the interface that's plugged into your LAN, for
example if that's "en0", do

        sudo tcpdump -i en0

(or, if you really *are* logged in as root, just "tcpdump -i en0").
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
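The diagnostic sequence Guy walks through (are you actually root, are the BPF devices openable, which interface is really up, run tcpdump with an explicit -i) as an added shell example. This is not code from the thread or from the tcpdump project; the function names are mine, and the ifconfig -a output embedded below is constructed to look like MacOS X 10.1 output (inactive AirPort card en1, active Ethernet en0) so the script runs without a real BSD box.

```shell
#!/bin/sh
# Added example, not from the original thread. Walks through the checks
# suggested in the reply: who am I, can I read /dev/bpf*, which interface
# is UP with an address, and what tcpdump command to type.

# Constructed sample of MacOS X 10.1 style "ifconfig -a" output: lo0 is
# loopback, en0 is the active Ethernet port, en1 is an AirPort card that
# is not UP and has no inet address.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
    ether 00:03:93:aa:bb:cc
en1: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    ether 00:30:65:dd:ee:ff'

# Read ifconfig -a style text on stdin; print the names of interfaces
# whose flags include UP, that are not LOOPBACK, and that have an inet
# address. Interface header lines start in column 0 with "name:".
active_interfaces() {
    awk '
        /^[a-z0-9]+:/ {
            name = $1; sub(":", "", name)
            up = ($0 ~ /<[^>]*UP[,>]/)
            lo = ($0 ~ /LOOPBACK/)
        }
        /^[ \t]+inet / { if (up && !lo) print name }
    '
}

# First active interface, or nothing. $1 is ifconfig -a output.
pick_interface() {
    printf '%s\n' "$1" | active_interfaces | head -n 1
}

# Return 0 if at least one bpf* device in the given directory (default
# /dev) is readable by the current user, 1 otherwise. On MacOS X and
# FreeBSD the devices are /dev/bpf0, /dev/bpf1, ... and are normally
# owned by root with mode 0600, which is why a non-root user gets
# "no devices found" style errors.
bpf_accessible() {
    dir=${1:-/dev}
    for dev in "$dir"/bpf*; do
        [ -e "$dev" ] || continue
        [ -r "$dev" ] && return 0
    done
    return 1
}

# Command line to type: sudo unless the effective uid is already 0, and
# always an explicit -i so tcpdump cannot pick the inactive card.
capture_command() {
    iface=$1
    if [ "$(id -u)" -eq 0 ]; then
        printf 'tcpdump -i %s\n' "$iface"
    else
        printf 'sudo tcpdump -i %s\n' "$iface"
    fi
}

# Run all three checks. $1 is ifconfig -a output. Returns 1 when no
# usable interface is found.
diagnose() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root (uid $(id -u)): BPF devices are root-only by default, use sudo"
    fi
    if bpf_accessible; then
        echo "at least one /dev/bpf* device is readable"
    else
        echo "no readable /dev/bpf* device: check ls -l /dev/bpf*"
    fi
    iface=$(pick_interface "$1")
    if [ -z "$iface" ]; then
        echo "no UP, non-loopback interface with an inet address in ifconfig -a output"
        return 1
    fi
    echo "use interface: $iface"
    echo "run: $(capture_command "$iface")"
    return 0
}

diagnose "$SAMPLE_IFCONFIG"
```

On a real machine replace the last line with `diagnose "$(ifconfig -a)"`; the interface parser only understands the BSD/MacOS X ifconfig layout the thread is about, not Linux's.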