tcpdump mailing list archives
Re: 'bogus savefile header'
From: Guy Harris <guy () alum mit edu>
Date: Mon, 23 Aug 2010 12:08:42 -0700
On Aug 22, 2010, at 4:15 PM, Aaron Turner wrote:
> Long story short, tcpreplay allows users to replay traffic in "verbose mode" which basically involves forking tcpdump and writing each packet over a socketpair(). This has worked for quite a while (years now) but recently I've realized something broke along the way and I'm at a loss as to why.

What changed between when it worked and when it broke? tcpreplay, libpcap, tcpdump, some of the above, all of the above?

> Basically, when I write my first packet over the socket to tcpdump, I get the error:
>
> tcpdump: pcap_loop: bogus savefile header
>
> I believe I've tracked that down to sf-pcap.c in libpcap, which indicates that the caplen > 65535. Seems straightforward, until I start debugging and see the pcap_t struct I'm using for pcap_dump_fopen()

That's for the side of the socket pair to which tcpreplay is writing, I presume.

> has snapshot set to 65535:

That just means you're claiming that the max packet size is 65535; you could then write a packet with a caplen > 65535 with pcap_dump(). Doing so would be considered impolite, but it's not impossible....
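
The distinction drawn in this message, shown as an added example that is not part of the original post and is not libpcap's code: the snaplen in the savefile header is only a declaration, while each record carries its own caplen that a reader has to bound before using it. The function names, the constructed sample stream, the native-byte-order-only parsing and the use of 65535 as the reader's limit (the figure quoted in the thread) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PCAP_MAGIC 0xa1b2c3d4u /* classic pcap magic, writer's native byte order */
#define MAX_CAPLEN 65535u      /* assumed reader-side limit: the figure quoted in the thread */
enum { PCAP_BAD_FILE_HDR = -1, PCAP_TRUNCATED = -2, PCAP_BOGUS_CAPLEN = -3 };

/* On-disk layout of the classic pcap savefile format (24 and 16 bytes). */
struct file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t zone; uint32_t sigfigs, snaplen, linktype; };
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; };

/* Returns a negative error, or the count of records whose caplen exceeds the declared snaplen. */
int check_savefile(const uint8_t *buf, size_t n)
{
    struct file_hdr fh; struct rec_hdr rh;
    size_t off = sizeof fh; int over = 0;
    if (n < sizeof fh) return PCAP_BAD_FILE_HDR;
    memcpy(&fh, buf, sizeof fh);
    if (fh.magic != PCAP_MAGIC) return PCAP_BAD_FILE_HDR; /* byte-swapped files not handled */
    while (off < n) {
        if (n - off < sizeof rh) return PCAP_TRUNCATED;
        memcpy(&rh, buf + off, sizeof rh);
        off += sizeof rh;
        if (rh.caplen > MAX_CAPLEN) return PCAP_BOGUS_CAPLEN; /* bound it before using it */
        if (rh.caplen > n - off) return PCAP_TRUNCATED;
        if (rh.caplen > fh.snaplen) over++; /* parseable, but larger than the header declared */
        off += rh.caplen;
    }
    return over;
}

/* Constructed input: header declaring `snaplen`, a 60-byte record, then one of `caplen` bytes. */
int demo(uint32_t snaplen, uint32_t caplen)
{
    static uint8_t buf[24 + 16 + 60 + 16 + 70000];
    struct file_hdr fh = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1 };
    struct rec_hdr r1 = { 0, 0, 60, 60 }, r2 = { 0, 0, caplen, caplen };
    if (caplen > 70000) return PCAP_TRUNCATED; /* keep the sample inside buf */
    memcpy(buf, &fh, sizeof fh);
    memcpy(buf + 24, &r1, sizeof r1);
    memcpy(buf + 24 + 16 + 60, &r2, sizeof r2);
    return check_savefile(buf, 24 + 16 + 60 + 16 + caplen);
}

int main(void)
{
    printf("%d %d %d\n", demo(65535, 1500), demo(96, 200), demo(65535, 70000));
    return 0;
}
```

A stream whose header declares snaplen 65535 but whose second record has caplen 70000 is rejected at the record, not at the file header, which is why inspecting the writer's snapshot value alone does not rule out this error.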