tcpdump mailing list archives
'bogus savefile header'
From: Aaron Turner <synfinatic () gmail com>
Date: Sun, 22 Aug 2010 16:15:34 -0700
Long story short, tcpreplay allows users to replay traffic in "verbose mode" which basically involves forking tcpdump and writing each packet over a socketpair(). This has worked for quite a while (years now) but recently I've realized something broke along the way and I'm at a loss as to why.

Basically, when I write my first packet over the socket to tcpdump, I get the error:

    tcpdump: pcap_loop: bogus savefile header

I believe I've tracked that down to sf-pcap.c in libpcap, which indicates that the caplen > 65535. Seems straightforward, until I start debugging and see the pcap_t struct I'm using for pcap_dump_fopen() has snapshot set to 65535:

    gdb> print *pcap
    $3 = {
      fd = -1,
      selectable_fd = 4,
      send_fd = -1,
      snapshot = 65535,
      linktype = 1,
      linktype_ext = 0,
      tzoff = 0,
      offset = 0,
      activated = 1,
      oldstyle = 0,
      break_loop = 0,
      sf = {
        rfile = 0x7fff71171ec0,
        next_packet_op = 0x10001de80 <pcap_next_packet>,
        swapped = 0,
        hdrsize = 16,
        lengths_swapped = NOT_SWAPPED,
        version_major = 2,
        version_minor = 4,
        ifcount = 0,
        tsresol = 0,
        tsscale = 0,
        tsoffset = 0
      },
      md = {
        stat = {
          ps_recv = 0,
          ps_drop = 0,
          ps_ifdrop = 0
        },
        use_bpf = 0,
        TotPkts = 0,
        TotAccepted = 0,
        TotDrops = 0,
        TotMissed = 0,
        OrigMissed = 0,
        device = 0x0,
        timeout = 0,
        must_do_on_close = 0,
        next = 0x0
      },
      opt = {
        buffer_size = 0,
        source = 0x100109d00 "(savefile)",
        promisc = 0,
        rfmon = 0
      },
      bufsize = 65535,
      buffer = 0x100828800 "",
      bp = 0x0,
      cc = 0,
      pkt = 0x0,
      direction = PCAP_D_INOUT,
      activate_op = 0,
      can_set_rfmon_op = 0x10000e860 <pcap_cant_set_rfmon>,
      read_op = 0x10001d3d0 <pcap_offline_read>,
      inject_op = 0x10001d710 <sf_inject>,
      setfilter_op = 0x10001ac50 <install_bpf_program>,
      setdirection_op = 0x10001d490 <sf_setdirection>,
      set_datalink_op = 0,
      getnonblock_op = 0x10001d3b0 <sf_getnonblock>,
      setnonblock_op = 0x10001d3c0 <sf_setnonblock>,
      stats_op = 0x10001d4c0 <sf_stats>,
      oneshot_callback = 0x10000e870 <pcap_oneshot>,
      cleanup_op = 0x10001d6c0 <sf_cleanup>,
      fcode = {
        bf_len = 0,
        bf_insns = 0x0
      },
      errbuf = '\0' <repeats 256 times>,
      dlt_count = 0,
      dlt_list = 0x0,
      pcap_header = {
        ts = {
          tv_sec = 0,
          tv_usec = 0
        },
        caplen = 0,
        len = 0
      }
    }

At which point I'm at a bit of a loss and figured I'd ask here if anyone had any insight.

Anyways, if you want, you can see my code in full here:
http://tcpreplay.synfin.net/browser/branches/3.4/src/common/tcpdump.c

Thanks,
Aaron

--
Aaron Turner
http://synfin.net/ Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
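A way to inspect the bytes a writer puts on the socket before tcpdump reads them, as an added example that is not part of the original post and is not libpcap or tcpreplay code: it walks a classic pcap byte stream (24-byte file header, 16-byte record headers, matching hdrsize = 16 in the dump above) and reports the first record whose caplen exceeds 65535, exceeds the header's snaplen, or runs past the data. The names pcap_stream_check and build_sample are hypothetical and both inputs are constructed; the 8-byte timestamp case is only one constructed way to produce an oversized caplen, not a diagnosis of the problem in the post.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_CAPLEN 65535u /* largest caplen accepted, the limit cited in the post */
#define FILE_HDR 24u      /* magic, version, thiszone, sigfigs, snaplen, linktype */
#define REC_HDR 16u       /* ts_sec, ts_usec, caplen, len: four 32-bit fields */

/* Read a 32-bit field in the file's byte order (big != 0: big-endian writer). */
static uint32_t rd32(const uint8_t *p, int big) {
    uint32_t v = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
    return big ? v >> 24 | (v >> 8 & 0xff00u) | (v << 8 & 0xff0000u) | v << 24 : v;
}
/* Write v as 32-bit little-endian and return the next write position. */
static uint8_t *wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
    return p + 4;
}

/* Returns 0 if every record is sane, -1 on a bad file header, else the 1-based
 * index of the first bogus record, with that record's caplen in *caplen. */
int pcap_stream_check(const uint8_t *buf, size_t len, uint32_t *caplen) {
    *caplen = 0;
    uint32_t magic = len < FILE_HDR ? 0 : rd32(buf, 0);
    if (magic != 0xa1b2c3d4u && magic != 0xd4c3b2a1u) return -1;
    int big = (magic == 0xd4c3b2a1u);
    uint32_t snaplen = rd32(buf + 16, big);
    size_t off = FILE_HDR;
    for (int n = 1; off < len; n++) {
        if (len - off < REC_HDR) return n;           /* truncated record header */
        *caplen = rd32(buf + off + 8, big);
        if (*caplen > MAX_CAPLEN || *caplen > snaplen ||
            *caplen > len - off - REC_HDR) return n; /* oversized or cut short */
        off += REC_HDR + *caplen;
    }
    return 0;
}

/* Constructed sample: file header plus one 4-byte packet; out needs 52 bytes.
 * ts_width 4 is the on-disk format, 8 models 64-bit timestamp fields. */
size_t build_sample(uint8_t *out, int ts_width) {
    const uint32_t hdr[6] = { 0xa1b2c3d4u, 2u | 4u << 16, 0, 0, 65535u, 1u };
    const uint32_t ts[2] = { 1282518934u, 500000u }; /* seconds, microseconds */
    uint8_t *p = out;
    for (int i = 0; i < 6; i++) p = wr32(p, hdr[i]);
    for (int i = 0; i < 2; i++) {
        p = wr32(p, ts[i]);
        if (ts_width == 8) p = wr32(p, 0);           /* upper half of the field */
    }
    p = wr32(wr32(p, 4), 4);                         /* caplen, len */
    return (size_t)(wr32(p, 0xefbeaddeu) - out);     /* 4 payload bytes */
}
```

With the 8-byte timestamp fields the reader finds the microseconds value where it expects caplen, so the check reports record 1 with caplen 500000.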