Wireshark mailing list archives

Re: Mysterious packet loss during capture


From: Guy Harris <guy () alum mit edu>
Date: Fri, 9 Oct 2009 15:52:20 -0700


On Oct 9, 2009, at 2:27 PM, Stuart Kendrick wrote:

I've read about Gulp (http://staff.washington.edu/corey/gulp/)

It's now

        http://corey.elsewhere.org/gulp/

as he no longer works at the U of Washington, as per his home page:

        http://corey.elsewhere.org/

Note: when he says

3. I think "struct pcap_pkthdr" in pcap.h should be re-defined to be independent of sizeof(long). In pcap files, a struct pcap_pkthdr precedes every packet. Unfortunately, the size of struct pcap_pkthdr (which contains a struct timeval) depends upon sizeof(long). This makes pcap files from 64-bit linux systems incompatible with those from 32-bit systems. Apparently as a workaround, some 64-bit linux distributions are providing tcpdump and wireshark binaries which read/write 32-bit compatible pcap files (which makes Gulp's pcap output appear to be corrupt).

(To build Gulp on 64-bit linux systems so that it reads/writes 32-bit compatible pcap files, try installing the 32-bit (i386) "libpcap-devel" package and making Gulp with "-m32" added to CFLAGS.)

"32-bit compatible pcap files" can also just be called "pcap files" - Ethereal/Wireshark, and all programs using libpcap, including tcpdump, expect 32-bit time stamps. (And, no, "struct pcap_pkthdr" shouldn't be redefined to be independent of sizeof(long); programs that write pcap files without using libpcap should not write a "struct pcap_pkthdr" before each packet, they should write a structure that has a 32-bit seconds value, a 32-bit microseconds value, a 32-bit captured length, and a 32-bit on-the-wire length before each packet. The libpcap man pages say that a "struct pcap_pkthdr" starts with a "struct timeval", and a "struct timeval", on many platforms, depends on sizeof(long), so changing "struct pcap_pkthdr" will break source and binary compatibility.)

So you should apply the attached patch to Gulp before building. I'll send that patch to Corey.

Attachment: patch.txt


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
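
The per-packet record layout the message describes (32-bit seconds, 32-bit microseconds, 32-bit captured length, 32-bit on-the-wire length), as an added example that is not part of the original post or the attached patch. The names `pcap_disk_rec_hdr`, `native_rec_hdr`, `write_record` and `count_records` are this example's own, the reader's sanity checks are assumptions of the example, and the file's global header is not covered.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <sys/time.h>

/* On-disk per-packet header: four 32-bit fields, 16 bytes whatever
 * sizeof(long) is. The struct name is this example's own. */
struct pcap_disk_rec_hdr {
    uint32_t ts_sec;   /* seconds */
    uint32_t ts_usec;  /* microseconds */
    uint32_t caplen;   /* captured length */
    uint32_t len;      /* on-the-wire length */
};

/* Stand-in for an in-memory header that starts with a struct timeval:
 * its size follows sizeof(long), so it must never be written as-is. */
struct native_rec_hdr { struct timeval ts; uint32_t caplen, len; };

/* Append one record to out; returns bytes written, or 0 if it does not fit. */
size_t write_record(uint8_t *out, size_t outlen, const struct timeval *ts,
                    const uint8_t *pkt, uint32_t caplen, uint32_t wirelen)
{
    struct pcap_disk_rec_hdr h;
    if (caplen > wirelen || outlen < sizeof h || outlen - sizeof h < caplen)
        return 0;
    h.ts_sec = (uint32_t)ts->tv_sec;    /* narrow explicitly to 32 bits */
    h.ts_usec = (uint32_t)ts->tv_usec;
    h.caplen = caplen;
    h.len = wirelen;
    memcpy(out, &h, sizeof h);          /* host byte order */
    memcpy(out + sizeof h, pkt, caplen);
    return sizeof h + caplen;
}

/* Walk records assuming 16-byte headers; returns the count, -1 if malformed. */
int count_records(const uint8_t *buf, size_t n)
{
    int count = 0; size_t off = 0;
    while (off < n) {
        struct pcap_disk_rec_hdr h;
        if (n - off < sizeof h) return -1;
        memcpy(&h, buf + off, sizeof h);
        off += sizeof h;
        if (h.ts_usec >= 1000000 || h.caplen > h.len || h.caplen > n - off)
            return -1;                  /* implausible or truncated record */
        off += h.caplen; count++;
    }
    return count;
}
```
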
