Re: 'bogus savefile header'

[Guy Harris <guy () alum mit edu>]

On Aug 22, 2010, at 4:15 PM, Aaron Turner wrote:

> Long story short, tcpreplay allows users to replay traffic in "verbose
> mode" which basically involves forking tcpdump and writing each packet
> over a socketpair().  This has worked for quite a while (years now)
> but recently I've realized something broke along the way and I'm at a
> loss to as why.

What changed between when it worked and when it broke?  tcpreplay, libpcap, tcpdump, some of the above, all of the 
above?

> Basically, when I write my first packet over the socket to tcpdump, i
> get the error:
>
> tcpdump: pcap_loop: bogus savefile header
>
> I believe I've tracked that down to sf-pcap.c in libpcap, which
> indicates that the caplen > 65535.  Seems straight forward, until I
> start debugging and see the pcap_t struct I'm using for
> pcap_dump_fopen()

That's for the side of the socket pair to which tcpreplay is writing, I presume.

> has snapshot set to 65535:

That just means you're claiming that the max packet size is 65535; you could then write a packet with a caplen > 65535 
with pcap_dump().  Doing so would be considered impolite, but it's not impossible....

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.