tcpdump mailing list archives
Re: Libpcap corrupts output
From: Cove Schneider <cove () wildpackets com>
Date: Tue, 2 May 2006 17:01:34 -0700
On May 2, 2006, at 14:16 , Guy Harris wrote:
(I'm not sure this message made it to the list; it never showed up in my mailbox, at least. I'm resending it. However, it appears to have been recorded in the duplicate-message detector, so it at least got that far; I'm adding this extra text in part in the hopes of defeating the duplicate-message dissector.)Cove Schneider wrote:Guy Harris wrote:I believe it's 1 here, the other end of the pipe is handled by openssh and from looking at the source it appears its pipe is set to non-blocking.Either1) the pipe is or other network connection is in non-blocking mode (in which case it *won't* block in that case)or 2) there's a bug in the OS on which you're running this."Other end" on the machine running tcpdump? Or "other end" on the otherend of the network connection?
Sorry, the "other end" is referring to where tcpdump is actually running vs.
"this end" where my app is running (on a Win32 machine).
If the latter, that has no effect on the end to which tcpdump is writing.Even if the former, that should have no effect as long as the OS isn'tbroken and this is being done with a pipe - setting the *receiving* end of the pipe to non-blocking should have no effect on the *sending* end.If it does, that's an OS bug - an application reading from a pipe should be able to run its pipe in non-blocking mode without any effecton the process on the other end of the pipe (most code that would writeto a pipe assumes, explicitly or implicitly, that it's writing to something that's blocking - non-blocking I/O is the exception, andapplications should only have to deal with it if they explicitly requestit).
Right, I'm not sure something like that is going on... (see my last paragraph)
But libpcap isn't "using non-blocking I/O" on the output - it never requests requests non-blocking I/O on the output. It's apparentlygetting non-blocking I/O shoved down its throat. libpcap shouldn't workaround that any more than, say, "grep" should.
Of course, that makes sense...
So I guess my predicament is that I'd like to stream the packets over an ssh connection and apparently ssh uses a non-blocking pipe to get the stdout from programs.So you're doing tcpdump -w - | ssh remotemachine command or something such as that?
My app is a Win32 app, but it effectively does this: ssh -T remotemachine "tcpdump -w-"| my_app Though I'm currently using cryptlib to do the ssh connection. It could be that cryptlib is exposing a bug in OpenSSH or vice-versa. Using OpenSSH's client it works fine though, albeit a fair bit slower than cryptlib's.So, I tried adding a check before the fwrite() to see if the fd (stdout) was in blocking mode or not, and it was always in blocking mode. So it occurred to me that the failed fwrite() may simply be an interrupted write as tcpdump gets a SIGTERM when the ssh connection is being shutdown. In which case I'm now thinking that the corruption must be happening in either OpenSSH or cryptlib.
I'll talk with the SSH folk and see what they say.Anyway, sorry for all the bother and thanks for all your help. Much appreciated.
Cove - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- Libpcap corrupts output Cove Schneider (Apr 28)
- Re: Libpcap corrupts output Guy Harris (Apr 28)
- Re: Libpcap corrupts output Cove Schneider (Apr 30)
- Re: Libpcap corrupts output Guy Harris (May 02)
- Re: Libpcap corrupts output Cove Schneider (May 02)
- Re: Libpcap corrupts output Guy Harris (May 18)
- Re: Libpcap corrupts output Cove Schneider (Apr 30)
- Re: Libpcap corrupts output Guy Harris (Apr 28)