Re: -i man "Ties are broken by choosing the earliest match."

[Guy Harris <guy () alum mit edu>]

On Jul 16, 2009, at 9:04 AM, Doru Georgescu wrote:

> Please explain what this means, -i in manual: "Ties are broken by
> choosing the earliest match." Ties between what and what? Match, I
> suppose, is between the tcpdump expression and packets headers.

No - that section of the manual refers to selecting an interface, not  
to matching packets when filtering.

As far as I can tell, "ties are broken by choosing the earliest match"  
means "for some reason, we didn't just say that the first interface in  
the list is used".

The way that an interface on which to capture is chosen if you *don't*  
specify a "-i" flag is that it gets a list of all interfaces, which  
first lists all non-loopback interfaces and then all loopback  
interfaces, and picks the first interface in the list.  I'll look at  
fixing that part of the manual page.

> I answer here to guy_harris on
> http://sourceforge.net/tracker/?func=detail&aid=2813234&group_id=53066&atid=469573 
> ,
> because comments are disabled there,

I was able to add a new comment, so they don't appear to be completely  
disabled.  Did you log in?  You might want to log in and try again.

(When a user closes a bug, SourceForge lets that user disable further  
comments - and, for some reason, makes that the *default*, so, unless  
you're paying attention, you end up disabling further comments.  That  
strikes me as more than a bit annoying; I'm not sure whether you can  
then re-enable them - if not, I'd move that from "annoying" to  
"criminally stupid".

However, it doesn't seem to let the user disable comments until the  
bug is closed, so I don't *think* I could have accidentally disabled  
them.)

> and I would not open a new tracker.

Given that fixes would only be made in a 1.0.1 or 1.1 release, and  
that in that release, the problems you have mentioned in the tracker  
are libpcap bugs, not tcpdump bugs, as the description of libpcap  
filter expressions is in the pcap-filter man page, you should probably  
open a new tracker for libpcap, copying to it the stuff you already  
put in the existing tracker.

Then you should open another new tracker against tcpdump, with the  
comment about the "-i" flag, as that's a problem in the tcpdump man  
page.

> > Actually, the list of primitives isn't strictly a list; it doesn't,  
> > for
> > example, have an entry for "ip src host {host}", although that's a  
> > valid
> > primitive (unlike "src host {host}", it doesn't check for {host}'s  
> > IPv6
> > address).
>
> So the manual does not clearly state when ip is an alias for ether
> proto \\ip and when it is a modifier. This is the little hole I
> slipped in.
>
> Still, I hope that the "expression" chapter of man somehow completely
> defines expressions.

The entire chapter should do so, although it perhaps doesn't do so in  
a sufficiently rigorous form.

> > Something that works is tcpdump-workers () lists tcpdump org, which is  
> > what
> > the current top-of-Git-tree (and libpcap 1.0.0/tcpdump 4.0.0)  
> > documentation
> > use.
>
> Fedora 11 is lagging behind, the man still shows
> tcpdump-workers () tcpdump org.

Yes, Fedora haven't adopted libpcap 1.x or tcpdump 4.x as of Fedora 11:

        https://bugzilla.redhat.com/show_bug.cgi?id=478969

> Now I'm using http://www.tcpdump.org/tcpdump_man.html.

That's more up-to-date than the Fedora 11 manual, but - as somebody  
noted here - it's not completely up-to-date; it's not showing the  
libpcap 1.0 man pages (plural - I split the pcap man page into a  
general libpcap man page and a bunch of individual man pages for  
individual functions, as it was driving me crazy that, if I just  
wanted to look up one function, I had to do "man pcap" and scroll  
through it) or the tcpdump 4.0 man page.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.