tcpdump mailing list archives

'bogus savefile header'


From: Aaron Turner <synfinatic () gmail com>
Date: Sun, 22 Aug 2010 16:15:34 -0700

Long story short, tcpreplay allows users to replay traffic in "verbose
mode" which basically involves forking tcpdump and writing each packet
over a socketpair().  This has worked for quite a while (years now)
but recently I've realized something broke along the way and I'm at a
loss as to why.

Basically, when I write my first packet over the socket to tcpdump, I
get the error:

tcpdump: pcap_loop: bogus savefile header

I believe I've tracked that down to sf-pcap.c in libpcap, which
indicates that the caplen > 65535.  Seems straightforward, until I
start debugging and see the pcap_t struct I'm using for
pcap_dump_fopen() has snapshot set to 65535:

gdb> print *pcap
$3 = {
  fd = -1,
  selectable_fd = 4,
  send_fd = -1,
  snapshot = 65535,
  linktype = 1,
  linktype_ext = 0,
  tzoff = 0,
  offset = 0,
  activated = 1,
  oldstyle = 0,
  break_loop = 0,
  sf = {
    rfile = 0x7fff71171ec0,
    next_packet_op = 0x10001de80 <pcap_next_packet>,
    swapped = 0,
    hdrsize = 16,
    lengths_swapped = NOT_SWAPPED,
    version_major = 2,
    version_minor = 4,
    ifcount = 0,
    tsresol = 0,
    tsscale = 0,
    tsoffset = 0
  },
  md = {
    stat = {
      ps_recv = 0,
      ps_drop = 0,
      ps_ifdrop = 0
    },
    use_bpf = 0,
    TotPkts = 0,
    TotAccepted = 0,
    TotDrops = 0,
    TotMissed = 0,
    OrigMissed = 0,
    device = 0x0,
    timeout = 0,
    must_do_on_close = 0,
    next = 0x0
  },
  opt = {
    buffer_size = 0,
    source = 0x100109d00 "(savefile)",
    promisc = 0,
    rfmon = 0
  },
  bufsize = 65535,
  buffer = 0x100828800 "",
  bp = 0x0,
  cc = 0,
  pkt = 0x0,
  direction = PCAP_D_INOUT,
  activate_op = 0,
  can_set_rfmon_op = 0x10000e860 <pcap_cant_set_rfmon>,
  read_op = 0x10001d3d0 <pcap_offline_read>,
  inject_op = 0x10001d710 <sf_inject>,
  setfilter_op = 0x10001ac50 <install_bpf_program>,
  setdirection_op = 0x10001d490 <sf_setdirection>,
  set_datalink_op = 0,
  getnonblock_op = 0x10001d3b0 <sf_getnonblock>,
  setnonblock_op = 0x10001d3c0 <sf_setnonblock>,
  stats_op = 0x10001d4c0 <sf_stats>,
  oneshot_callback = 0x10000e870 <pcap_oneshot>,
  cleanup_op = 0x10001d6c0 <sf_cleanup>,
  fcode = {
    bf_len = 0,
    bf_insns = 0x0
  },
  errbuf = '\0' <repeats 256 times>,
  dlt_count = 0,
  dlt_list = 0x0,
  pcap_header = {
    ts = {
      tv_sec = 0,
      tv_usec = 0
    },
    caplen = 0,
    len = 0
  }
}

At which point I'm at a bit of a loss and figured I'd ask here if anyone
had any insight.  Anyways, if you want, you can see my code in full
here:

http://tcpreplay.synfin.net/browser/branches/3.4/src/common/tcpdump.c

Thanks,
Aaron

-- 
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
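
An added example, not part of the original post and not tcpreplay or libpcap code: a stand-alone checker for the byte stream a writer sends to the reader, applying the condition the post describes (a record caplen larger than the snaplen in the file header). The function names are hypothetical, the sample streams are constructed, and the layout assumed is the classic pcap savefile format: a 24-byte file header followed by 16-byte record headers.

```c
#include <stdint.h>
#include <string.h>
#define PCAP_MAGIC   0xa1b2c3d4u
#define PCAP_SWAPPED 0xd4c3b2a1u
#define FILE_HDR_LEN 24 /* magic, version, thiszone, sigfigs, snaplen, linktype */
#define REC_HDR_LEN  16 /* ts_sec, ts_usec, caplen, len (hdrsize = 16 in the dump) */
enum sf_status { SF_OK = 0, SF_BAD_MAGIC, SF_BOGUS_CAPLEN, SF_TRUNCATED };

/* Read a 32-bit field, byte-swapping when the file was written in the other order. */
static uint32_t rd32(const uint8_t *p, int swapped) {
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return swapped ? ((v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24)) : v;
}

/* Walk the stream; on SF_BOGUS_CAPLEN, *rec and *caplen identify the offending record. */
enum sf_status check_savefile(const uint8_t *buf, size_t len, size_t *rec, uint32_t *caplen) {
    if (len < FILE_HDR_LEN) return SF_TRUNCATED;
    uint32_t magic = rd32(buf, 0);
    int swapped = (magic == PCAP_SWAPPED);
    if (magic != PCAP_MAGIC && !swapped) return SF_BAD_MAGIC;
    uint32_t snaplen = rd32(buf + 16, swapped);
    size_t off = FILE_HDR_LEN;
    for (*rec = 0; off < len; (*rec)++) {
        if (len - off < REC_HDR_LEN) return SF_TRUNCATED;
        *caplen = rd32(buf + off + 8, swapped);
        if (*caplen > snaplen) return SF_BOGUS_CAPLEN; /* the condition from the post */
        off += REC_HDR_LEN;
        if (len - off < *caplen) return SF_TRUNCATED;
        off += *caplen;
    }
    return SF_OK;
}

/* Constructed sample: version 2.4 file header in native byte order. */
size_t make_file_header(uint8_t *out, uint32_t snaplen, uint32_t linktype) {
    uint32_t h[6] = { PCAP_MAGIC, 0, 0, 0, snaplen, linktype };
    uint16_t ver[2] = { 2, 4 };
    memcpy(out, h, sizeof h);
    memcpy(out + 4, ver, sizeof ver);
    return sizeof h;
}

/* Constructed sample: one record header claiming caplen, followed by payload zero bytes. */
size_t add_record(uint8_t *out, uint32_t caplen, uint32_t payload) {
    uint32_t r[4] = { 0, 0, caplen, caplen };
    memcpy(out, r, sizeof r);
    memset(out + sizeof r, 0, payload);
    return sizeof r + payload;
}
```

Running the same walk over a capture of the bytes actually written to the socketpair shows whether the reader is seeing a missing file header, a misaligned record header, or a genuinely oversized caplen.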

