tcpdump mailing list archives

Re: Capturing in 32 bit vps


From: Guy Harris <guy () alum mit edu>
Date: Wed, 1 Feb 2012 16:17:01 -0800


On Feb 1, 2012, at 3:00 PM, Graeme Sheppard wrote:

> Yes my remote system shares the same kernel as the other customers.
> Calling it a 32 bit guest isn't accurate. Sorry about that. Subject title
> changed.
>
> The kernel I've been told is Red Hat derived,
>
> 2.6.18-194.17.1.el5.028stab070.7 #1 SMP Fri Oct 1 14:17:14 MSD 2010

2.6.18 doesn't have TPACKET_V2 support, so you can't do captures with any 32-bit application that uses the standard libpcap.  You'd need to:

        1) upgrade to a newer kernel - it would have to be after 2.6.26.5, and I don't know which release after 2.6.26.5 introduced TPACKET_V2 support;

        2) somehow capture with a 64-bit tcpdump (can you run tcpdump outside a container?);

        3) download the libpcap and tcpdump source, tweak the libpcap source never to use the memory-mapped capture mechanism, build (a 32-bit) libpcap, build (a 32-bit) tcpdump with that version of libpcap, and capture with that;

        4) download the libpcap and tcpdump source, tweak the libpcap source with this patch:

           http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=30;filename=pcap-linux_tpacket_v1_workaround.patch;att=1;bug=517098

           build (a 32-bit) libpcap, build (a 32-bit) tcpdump with that version of libpcap, and capture with that *IF* you're running on a little-endian machine (e.g., x86-64), as that patch does *NOT* work on big-endian machines (which is why it's not in the standard libpcap distribution).
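
The situation described in the message above, as an added example that is not part of the original post and is not libpcap's code: a small C diagnostic that asks the running kernel whether it accepts TPACKET_V2 (a PACKET_HDRLEN getsockopt query) and flags the 32-bit-userland-on-64-bit-kernel case. The function names, the verdict values and the "machine name contains 64" heuristic are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/utsname.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

enum verdict { MMAP_OK, MMAP_NEEDS_WORKAROUND, UNKNOWN };
static const char *verdict_text[] = {
    "memory-mapped capture layout is safe",
    "TPACKET_V1 only with 32-bit userland on 64-bit kernel: pick one of options 1-4",
    "could not probe (opening a packet socket needs CAP_NET_RAW)" };

/* 1 = kernel accepts TPACKET_V2, 0 = it does not, -1 = could not test. */
int probe_tpacket_v2(void)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    int val = TPACKET_V2;            /* in: version; out: header length */
    socklen_t len = sizeof(val);
    int rc = getsockopt(fd, SOL_PACKET, PACKET_HDRLEN, &val, &len);
    int err = errno;
    close(fd);
    if (rc == 0)
        return 1;
    return (err == ENOPROTOOPT || err == EINVAL) ? 0 : -1;
}

/* Assumption: a uname machine string containing "64" means a 64-bit kernel. */
enum verdict classify(int has_v2, size_t long_bytes, const char *machine)
{
    if (has_v2 < 0)
        return UNKNOWN;
    int mismatch = long_bytes == 4 && strstr(machine, "64") != NULL;
    return (mismatch && !has_v2) ? MMAP_NEEDS_WORKAROUND : MMAP_OK;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0)
        return 2;
    int v2 = probe_tpacket_v2();
    printf("kernel %s (%s), userland long = %zu bytes, TPACKET_V2 probe = %d\n",
           u.release, u.machine, sizeof(unsigned long), v2);
    puts(verdict_text[classify(v2, sizeof(unsigned long), u.machine)]);
    return 0;
}
```

Build it with the same word size as the tcpdump binary in question (for example with `-m32` on x86-64) so that `sizeof(unsigned long)` reflects that userland.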

