tcpdump Mailing List

Covers the classic tcpdump text-based network sniffer and its libpcap sniffer library component.

Latest Posts

CI news February - May 2024 Denis Ovsienko (May 21)
Hello all.

I hope this finds you well. Below you can find a digest of the CI
infrastructure improvements since the previous update. These changes
correspond to the recent releases of NetBSD 10.0 and OpenBSD 7.5, also
in July 2023 Cirrus CI introduced [1] a monthly limit on the amount of
free resources, which we learned last March after managing to reach the
limit, so I took some measures to reduce the footprint there.

* netbsd-mips64 has been...

Re: Support for saving pcapng Guy Harris (May 20)
The main problem with the APSL that I know of is the patent clause, which might mean that, if somebody uses APSLed code
as a result of using libpcap to read or write pcapng files, their license to use it would terminate immediately and
without notice if they file a patent lawsuit against Apple (unless they do so in response to an Apple patent lawsuit
against them).

Not being a lawyer, I don't know whether the patent clause would apply to...

Re: Support for saving pcapng Michael Richardson (May 20)
luoyuxuan.carl () gmail com wrote:
> function. Can anyone provide an update: is it currently in progress or
> still pending implementation? Additionally, given Apple's

There isn't anyone working on it in any serious way.

> implementation under the APSL license, I wonder if the community is
> allowed to submit a pull request for it. Are there any restrictions or
> guidelines we should be aware of in...

Re: Support for saving pcapng Guy Harris (May 20)
The current status is that there is a GitHub issue for adding full pcapng support to libpcap:

https://github.com/the-tcpdump-group/libpcap/issues/1321

because support for writing pcapng files without full support for reading those files is not all that useful.

...which is a license not compatible with the GPL:

https://www.gnu.org/philosophy/apsl.html

as it contains a patent clause:

12. Termination.
12.1...

Support for saving pcapng luoyuxuan . carl (May 20)
Hi,
I've noticed that the question about libpcap's support for writing files in the pcapng format has been brought up
multiple times in the mailing list. Yet, I'm still curious about the current status of this function. Can anyone
provide an update: is it currently in progress or still pending implementation?
Additionally, given Apple's implementation under the APSL license, I wonder if the community is allowed to...

Re: Dropping support in tcpdump for older versions of libpcap? Guy Harris (May 19)
OK, support removed, in the main branch, for libpcaps with only pre-1.0 APIs. The 4.99 branch still supports them,
although I don't know whether we've tested all the way back to libpcap 0.4 (the last LBL release).

Re: pcap-savefile(5) in libpcap-1.10 Guy Harris (May 10)
This all began with this thread:

https://seclists.org/tcpdump/2007/q1/83

from 2007-02. This thread:

https://seclists.org/tcpdump/2007/q1/94

continues it with a repost. In

https://seclists.org/tcpdump/2007/q1/97

I first proposed "repurpose the upper 16 bits":

I think NetBSD never did much with their extension; we never did, either.

Florent Drouin, the person who asked for the "MTP2 with an FCS"...

pcap-savefile(5) in libpcap-1.10 Denis Ovsienko (May 10)
(re-sending because the first copy didn't make it to the list)

Hello all.

I have been looking through commits and the 1.10.5 section of libpcap
change log, and the recent changes to the link-layer header type field
structure look like a potential place for things to go wrong.

Specifically, the new prose says:

P (1 bit): A bit that, if set, indicates that the
Frame Check Sequence (FCS) length value is...

release signing key extended Denis Ovsienko (May 10)
Hello all.

The release signing key E089DEF1D9C15D0D was about to expire, so before
a better solution is in place, it has been extended for one more year.
The updated file is at
https://www.tcpdump.org/release/signing-key-RSA-E089DEF1D9C15D0D.asc

Cheers.

Re: Dropping support in tcpdump for older versions of libpcap? Francois-Xavier Le Bail via tcpdump-workers (May 05)

Re: Question about an uninitialized array in bpf_filter Guy Harris (Apr 29)
Only if an invalid BPF program that does a load from a memory location without storing something there first is used as
a filter.

The BPF validator in libpcap doesn't check for that. It would require a dataflow analysis, but perhaps it should check
for that.

Question about an uninitialized array in bpf_filter Michal Ruprich (Apr 29)
Hi,

I was wondering whether the mem[BPF_MEMWORDS] array in function
pcapint_filter_with_aux_data in bpf_filter.c should be initialized? If
the switch hits cases BPF_LD|BPF_MEM or BPF_LDX|BPF_MEM the variables A
or X are filled with random uninitialized data from the array. Is it the
case that this never happens before mem is filled with relevant data? In
all cases, setting it to mem[BPF_MEMWORDS] = {0}; could not hurt probably?

Thanks and...

Re: Dropping support in tcpdump for older versions of libpcap? Denis Ovsienko (Apr 25)
On a second thought, the best way to describe the desired result would
be that from the library users' point of view the version macros should
be easy to use correctly and difficult to use incorrectly. This would
justify some inconvenience in the library code, if necessary.

An advantage of correctly sized BCD versions is that two packed integer
values compare in a straightforward way, so every end user does not
have to remember how to...

SITA ECN code is going to retire soon Denis Ovsienko (Apr 25)
Hello all.

The libpcap module in pcap-sita.c has been defunct for a while: there is
no support for "--with-pcap=sita", so the source cannot be compiled by
normal means, and "make pcap-sita.o" makes it clear it would fail to
compile anyway.

I have confirmed with Fulko Hew -- the original contributor of this
code -- that there are no known remaining users of this module. Unless
anybody justifies the need to keep the SITA...

Re: RadioTap Parsing as separate library Ravi chandra (Apr 19)
Hi Guy,

[1] Thanks for the quick response. I went through the examples of
t-shark and some codebase. Looks like it does help in my case.
[2] Regarding others, the RadioTap library is updated in Wireshark and
has more additions in terms of header parsing compared to the RadioTap
library standalone
[3] "Note that tcpdump has its own code to parse radiotap headers, and
that code doesn't use the Radiotap library.". Thanks for confirmation....
