tcpdump mailing list archives

Re: other interfaces ???


From: "Guy Harris" <gharris () sonic net>
Date: Tue, 19 Nov 2002 21:29:23 -0800 (PST)

Michael D. Schleif said:
What changes have occurred between tcpdump v3.6x and v3.7x that might
cause this?

None, probably.

There may be differences between libpcap 0.4a6 and 0.7.1 that might have
caused this, however.

Or there may be a problem in the way libpcap 0.7.1 was built.

libpcap 0.4a6 is *so* old it can't even be downloaded from LBL's Web site
any more - it was the alpha 6 version, but the last release from LBL was
the final 0.4 version.  That means it's probably the version that came
with whatever Linux distribution you're using, which means it may well
have been modified by the distributor.

If you are running on a system with a 2.2 or later kernel, the problem is
probably that your C library comes with header files that don't fully
support the later kernels - in particular, header files that don't define
PF_PACKET, so that libpcap, when built, uses only the old SOCK_PACKET
mechanism, which means that if it doesn't know about some particular
link-layer type it can't support it.  The new PF_PACKET mechanism works
much better; one way, but not the only way, it works better is that, for
link-layer types libpcap doesn't know about, it can fall back on a
"cooked" capture mode.

If you are running on a system with a 2.0[.x] kernel, the problem is
probably that the vendor added to their version of libpcap support for
whatever type of interfaces "wan1" and "ipsec0" are.

What version of what Linux distribution are you running?  What version of
the kernel, and what version of libc, does it have?  Does <sys/socket.h>,
or any of the header files <sys/socket.h> includes, define PF_PACKET?


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
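
Added example (not part of the original message, and not libpcap's own code): a small C program for answering the header question asked above. It reports at build time whether <sys/socket.h> defines PF_PACKET and, if so, tries to open a "cooked" PF_PACKET socket on the running kernel. The function and enum names are hypothetical, and the probe assumes Linux headers (<linux/if_ether.h>) when PF_PACKET is present.

```c
#include <arpa/inet.h>   /* htons */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>  /* the header the message asks about */
#include <unistd.h>

#ifdef PF_PACKET
#include <linux/if_ether.h>  /* ETH_P_ALL */
#define HEADERS_DEFINE_PF_PACKET 1
#else
#define HEADERS_DEFINE_PF_PACKET 0
#endif

/* Hypothetical result codes for this illustration. */
enum probe_result {
    PROBE_NO_HEADER_SUPPORT, /* PF_PACKET absent at build time */
    PROBE_NEED_PRIVILEGE,    /* headers fine; EPERM/EACCES (needs CAP_NET_RAW) */
    PROBE_OTHER_ERROR,       /* headers fine; running kernel refused otherwise */
    PROBE_COOKED_OK          /* cooked PF_PACKET socket opened */
};

/* Build-time answer: did this C library's headers define PF_PACKET? */
int headers_define_pf_packet(void) { return HEADERS_DEFINE_PF_PACKET; }

/* Run-time answer: SOCK_DGRAM on PF_PACKET is the "cooked" mode, where the
 * kernel strips the link-layer header, so no link-type knowledge is needed. */
enum probe_result probe_cooked_socket(int *err)
{
    *err = 0;
#ifdef PF_PACKET
    int fd = socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
    if (fd >= 0) { close(fd); return PROBE_COOKED_OK; }
    *err = errno;
    return (*err == EPERM || *err == EACCES) ? PROBE_NEED_PRIVILEGE
                                             : PROBE_OTHER_ERROR;
#else
    return PROBE_NO_HEADER_SUPPORT;
#endif
}

int main(void)
{
    int err;
    enum probe_result r = probe_cooked_socket(&err);
    printf("headers define PF_PACKET: %s\n",
           headers_define_pf_packet() ? "yes" : "no");
    printf("cooked socket probe result: %d (errno %d)\n", (int)r, err);
    return 0;
}
```

Build and run it on the same machine, with the same compiler and headers, that libpcap was built with; a "no" on the first line means a build there can only see the old SOCK_PACKET mechanism.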

