Guy Harris | 1 Apr 2005 02:06

Re: PCAP Port range filtering


On Mar 31, 2005, at 7:20 AM, Gabriel wrote:

> Hello, I tried using tcpdump -xs 1500 -i eth0
> "tcp[2:2]>=1000 and tcp[2:2]<=2000" but it doesn't
> capture anything. When I tried tcpdump -xs 1500 -i
> eth0 tcp[2:2]=1500 it worked out fine (it captured
> everything with the dst port 1500). I'm using linux
> with bash as a shell. What am I doing wrong?

What you're doing wrong might be "assuming that libpcap is bug-free".

Does

     tcpdump -O -xs 1500 -i eth0 "tcp[2:2]>=1000 and tcp[2:2]<=2000"

work?

If so, what do

     tcpdump -d -i eth0 "tcp[2:2]>=1000 and tcp[2:2]<=2000"

and

     tcpdump -O -d -i eth0 "tcp[2:2]>=1000 and tcp[2:2]<=2000"

print?

Gabriel | 1 Apr 2005 12:56

Re: PCAP Port range filtering


--- Guy Harris <guy <at> alum.mit.edu> wrote:
> 
> On Mar 31, 2005, at 7:20 AM, Gabriel wrote:
> 
> > Hello, I tried using tcpdump -xs 1500 -i eth0
> > "tcp[2:2]>=1000 and tcp[2:2]<=2000" but it doesn't
> > capture anything. When I tried tcpdump -xs 1500 -i
> > eth0 tcp[2:2]=1500 it worked out fine (it captured
> > everything with the dst port 1500). I'm using
> linux
> > with bash as a shell. What am I doing wrong?
> 
> What you're doing wrong might be "assuming that
> libpcap is bug-free".
> 
> Does
> 
>      tcpdump -O -xs 1500 -i eth0 "tcp[2:2]>=1000 and
> tcp[2:2]<=2000"
> 
> work?

Yes, it works when I use the -O option. Thanks.

> If so, what do
> 
>      tcpdump -d -i eth0 "tcp[2:2]>=1000 and
> tcp[2:2]<=2000"
> 
(Continue reading)

Guy Harris | 2 Apr 2005 00:29

Re: PCAP Port range filtering


On Apr 1, 2005, at 2:56 AM, Gabriel wrote:

> Yes, it works when I use the -O option. Thanks.

So it's probably an optimizer bug, and...

> The output of the first one is:
> ---------
> jarod <at> server:~> sudo tcpdump -d -i eth0
> "tcp[2:2]>=1000 and tcp[2:2]<=2000"
> (000) ldh      [12]
> (001) jeq      #0x800           jt 2    jf 12
> (002) ldb      [23]
> (003) jeq      #0x6             jt 4    jf 12
> (004) ldh      [20]
> (005) jset     #0x1fff          jt 12   jf 6
> (006) ldxb     4*([14]&0xf)
> (007) ldh      [x + 16]
> (008) ldx      #0x3e8
> (009) jge      x                jt 10   jf 12
> (010) jgt      x                jt 12   jf 11
> (011) ret      #96
> (012) ret      #0

...that sure looks like the optimizer bug in action (the "optimized"  
code is comparing against 0x3e8, i.e. 1000, but not against 2000).

> I'm using libpcap 0.8.3 which is the latest version
> afaik.
(Continue reading)

Gabriel | 2 Apr 2005 20:35

Re: PCAP Port range filtering

I've upgraded to -current and now it works without the
-O. Thanks again for your help.

--- Guy Harris <guy <at> alum.mit.edu> wrote:
> 
> On Apr 1, 2005, at 2:56 AM, Gabriel wrote:
> 
> > Yes, it works when I use the -O option. Thanks.
> 
> So it's probably an optimizer bug, and...
> 
> > The output of the first one is:
> > ---------
> > jarod <at> server:~> sudo tcpdump -d -i eth0
> > "tcp[2:2]>=1000 and tcp[2:2]<=2000"
> > (000) ldh      [12]
> > (001) jeq      #0x800           jt 2    jf 12
> > (002) ldb      [23]
> > (003) jeq      #0x6             jt 4    jf 12
> > (004) ldh      [20]
> > (005) jset     #0x1fff          jt 12   jf 6
> > (006) ldxb     4*([14]&0xf)
> > (007) ldh      [x + 16]
> > (008) ldx      #0x3e8
> > (009) jge      x                jt 10   jf 12
> > (010) jgt      x                jt 12   jf 11
> > (011) ret      #96
> > (012) ret      #0
> 
> ...that sure looks like the optimizer bug in action
(Continue reading)
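The listing Guy dissects above can be stepped through by hand, but it is quicker to execute it. What follows is an added example, not code from this thread or from libpcap: a minimal classic-BPF interpreter in Python that runs the `tcpdump -d` program quoted above against Ethernet/IPv4/TCP frames constructed inline (not captured traffic), and runs a hand-written corrected program next to it. BUGGY_PROG is a transcription of the posted listing with its absolute jump targets; FIXED_PROG is my own version of what the filter should do, using immediate-operand jge/jgt compares, and is not what any libpcap release emits. The frame builder, the sample ports and the option bytes are assumptions made for the demonstration.

```python
"""Replay the BPF program from the thread.  Added example: BUGGY_PROG is
transcribed from the tcpdump -d listing; FIXED_PROG, build_frame() and the
sample inputs are assumptions made for this demonstration."""
import struct

# Instructions are (op, k, jt, jf); jt/jf are absolute targets, as tcpdump -d prints them.
# Listing as posted for "tcp[2:2]>=1000 and tcp[2:2]<=2000" under libpcap 0.8.3:
BUGGY_PROG = [
    ("ldh",      12,     0,  0),   # (000) A = Ethernet type
    ("jeq",      0x800,  2, 12),   # (001) IPv4?
    ("ldb",      23,     0,  0),   # (002) A = IP protocol
    ("jeq",      0x6,    4, 12),   # (003) TCP?
    ("ldh",      20,     0,  0),   # (004) A = IP flags / fragment offset
    ("jset",     0x1fff, 12, 6),   # (005) non-first fragment -> reject
    ("ldxb_ihl", 14,     0,  0),   # (006) X = 4*(IHL) = IP header length
    ("ldh_x",    16,     0,  0),   # (007) A = tcp[2:2] (dst port)
    ("ldx",      0x3e8,  0,  0),   # (008) X = 1000
    ("jge_x",    0,     10, 12),   # (009) A >= X ?
    ("jgt_x",    0,     12, 11),   # (010) A > X ?   X is still 1000: the bug
    ("ret",      96,     0,  0),   # (011) accept
    ("ret",      0,      0,  0),   # (012) reject
]

# Hand-written correct program (assumption, not libpcap output): same prologue,
# then the two bounds compared with immediate operands.
FIXED_PROG = [
    ("ldh",      12,     0,  0),
    ("jeq",      0x800,  2, 11),
    ("ldb",      23,     0,  0),
    ("jeq",      0x6,    4, 11),
    ("ldh",      20,     0,  0),
    ("jset",     0x1fff, 11, 6),
    ("ldxb_ihl", 14,     0,  0),
    ("ldh_x",    16,     0,  0),
    ("jge_k",    1000,   9, 11),   # A >= 1000 ?
    ("jgt_k",    2000,  11, 10),   # A > 2000 ? -> reject
    ("ret",      96,     0,  0),
    ("ret",      0,      0,  0),
]

JUMPS = {
    "jeq":   lambda a, x, k: a == k,
    "jset":  lambda a, x, k: (a & k) != 0,
    "jge_x": lambda a, x, k: a >= x,
    "jgt_x": lambda a, x, k: a > x,
    "jge_k": lambda a, x, k: a >= k,
    "jgt_k": lambda a, x, k: a > k,
}


def run_bpf(prog, pkt):
    """Execute prog over pkt; return the ret value (0 means drop)."""
    a = x = pc = 0
    while pc < len(prog):
        op, k, jt, jf = prog[pc]
        pc += 1
        try:
            if op == "ldh":
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ldb":
                a = pkt[k]
            elif op == "ldh_x":
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif op == "ldxb_ihl":           # ldxb 4*([k]&0xf)
                x = 4 * (pkt[k] & 0xF)
            elif op == "ldx":
                x = k
            elif op in JUMPS:
                pc = jt if JUMPS[op](a, x, k) else jf
            elif op == "ret":
                return k
            else:
                raise ValueError("unknown op %r" % op)
        except (struct.error, IndexError):
            return 0                          # load past end of packet: BPF rejects
    raise RuntimeError("program fell off the end")


def build_frame(dport, proto=6, frag_off=0, ip_options=b""):
    """Constructed Ethernet/IPv4/TCP frame (assumed layout; not captured data)."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 1,
                     frag_off, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + ip_options + tcp


def accepted_ports(prog, ports):
    """Which of the given TCP dst ports does prog accept?"""
    return [p for p in ports if run_bpf(prog, build_frame(p)) != 0]


if __name__ == "__main__":
    ports = [999, 1000, 1001, 1500, 2000, 2001]
    print("mis-optimized:", accepted_ports(BUGGY_PROG, ports))  # [1000]
    print("corrected:    ", accepted_ports(FIXED_PROG, ports))  # [1000, 1001, 1500, 2000]
```

Running it shows the optimized program accepting only dst port 1000 (1000 >= X holds and 1000 > X does not, with X still 1000 at instruction 010), which is exactly why Gabriel's capture of port 1500 came back empty while `tcp[2:2]=1500` worked. The same technique, dump the compiled filter with `-d` and feed known packets through the listing, is a cheap way to validate any non-trivial filter before trusting it in production monitoring; comparing `tcpdump -d` with `tcpdump -O -d` output localizes a fault to the optimizer, which is what Guy's questions were meant to do.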


Automatic report from sources (tcpdump libpcap htdocs) between 02.04.2005 - 03.04.2005 GMT

CVS log entries from 02.04.2005 (Sat) 10:06:59 - 03.04.2005 (Sun) 09:06:45 GMT
=====================================================
Summary by authors
=====================================================
Author: hannes
	File: tcpdump/print-isoclns.c; Revisions: 1.132

=====================================================
Log entries
=====================================================
Description:
only attempt to print non-header data if there is something to print
Modified files:
	File: tcpdump/print-isoclns.c; Revision: 1.132;
	Date: 2005/04/02 18:32:41; Author: hannes; Lines:  (+5 -4)
=====================================================
Summary of modified files
=====================================================
File: tcpdump/print-isoclns.c
Revisions: 1.132
Authors: hannes (+5 -4)
--

-- 
Automatic cron job from /tcpdump/bin/makelog
gilbert HOYEK | 2 Apr 2005 15:17

DLT-request

hi i would like to request a new DLT_SEPTEL for Intel/Septel cards used in 
ss7 messages transfer .....
i think it's one of 139 140 140 142 .... as it is mentioned in the bpf.h 
header file ....so plz tell me which one i choose ...
Next i would like to know how to implement it ...it means what changes to the 
source codes of pcap i have to do so that it works ...

Thanks in advance .....

GILBERT


gilbert HOYEK | 3 Apr 2005 23:58

new media support(Intel/Septel)

hi i would like to  be able to capture online traffic using Ethereal  on 
Intel/Septel cards used in ss7 messages transfer .....

for this reason i must first assign a new DLT in libpcap . as it is mentioned 
in the savefile.c of libpcap it should be one of these :

#define LINKTYPE_RAWSS7         139                  /* see rawss7.h for */
#define LINKTYPE_RAWSS7_MTP2    140        /* information  on these */
#define LINKTYPE_RAWSS7_MTP3    141             /* definitions */
#define LINKTYPE_RAWSS7_SCCP    142

i think i should choose 139 or 140 for the simple reason that my ss7 packets 
includes MTP2 protocols
so plz tell me which one i choose ...

Next i would like to know how to implement it ...it means what changes to 
source codes of libpcap i have to do so that it works ...

i first sent this message to Ethereal and i got the following answer from 
Mr. Guy Harris (thanks 2 him).
so it helped me a lot but still the part about the pcap-dag.c , i did not get 
it well .....so if you can explain it to me i would be grateful:

From :  Guy Harris <gharris <at> sonic.net>
Reply-To :  Ethereal development <ethereal-dev <at> ethereal.com>
Sent :  Sunday, April 3, 2005 1:49 AM
To :  Ethereal development <ethereal-dev <at> ethereal.com>
Subject :  Re: [Ethereal-dev] new media support(Intel/Septel cards)

(Continue reading)

Guy Harris | 4 Apr 2005 00:54

Re: DLT-request

gilbert HOYEK wrote:
> hi i would like to request a new DLT_SEPTEL for Intel/Septel cards used 
> in ss7 messages transfer .....

DLT_SEPTEL, or DLT_MTP2/DLT_MTP3/whatever?

Unless there's some extra header on the packet that includes information 
from the Septel cards, the DLT_ name probably shouldn't mention Septel - 
if, for example, the packet data starts with an MTP2 header, it should 
be DLT_MTP2.

> i think it's one of 139 140 140 142 .... as it is mentioned in the bpf.h 
> header file ....so plz tell me which one i choose ...

That depends on the header that appears in the packets.

If the packets all start with MTP2 headers, 140, for 
LINKTYPE_RAWSS7_MTP2, would be the right choice, and it'd be DLT_MTP2.

If the packets don't have MTP2 headers, and all start with MTP3 headers, 
141, for LINKTYPE_RAWSS7_MTP3, would be the right choice, and it'd be 
DLT_MTP3.

If the packets have neither MTP2 nor MTP3 headers, and all start with 
SCCP headers, 142, for LINKTYPE_RAWSS7_SCCP, would be the right choice, 
and it'd be DLT_SCCP.

If the packets don't all have the same headers - for example, if some 
have MTP2 headers, some have no MTP2 headers but have MTP3 headers, and 
some have neither MTP2 nor MTP3 headers but have SCCP headers - 139, for 
(Continue reading)

Guy Harris | 4 Apr 2005 01:04

Re: new media support(Intel/Septel)

gilbert HOYEK wrote:

> i think i should choose 139 or 140 for the simple reason that my ss7 
> packets includes MTP2 protocols

If all the packets start with MTP2 headers, you'd use 
LINKTYPE_RAWSS7_MTP2, and that'd be DLT_MTP2.

> i first sent this message to ethreal and i got the following answer from 
> Mr . Guy Harris (thanks 2 him).
> so it helped me a lot but still the part about the pcap-dag.c , idid not 
> get it well .....so if you can explain it to me i would be gratefu:

There isn't anything about pcap-dag.c in my message; pcap-dag.c is an 
example of a way to add support for capture devices other than regular 
network interfaces, but it's an example that is probably easier to 
understand if you're familiar with the API that Endace has for their DAG 
network traffic capture cards.

Adding support for new capture devices isn't easy; the DAG cards were 
the first devices for which that was done, and we don't have a "HOWTO" 
document on it.  I could probably give you some more information if you 
tell us what OS you're doing this on - one Intel manual I saw indicated 
that they support Windows, Linux, and Solaris, and my guess is that 
you're doing this on Linux, but I don't know that you're using Linux.

Automatic report from sources (tcpdump libpcap htdocs) between 03.04.2005 - 04.04.2005 GMT

CVS log entries from 03.04.2005 (Sun) 09:06:45 - 04.04.2005 (Mon) 09:06:48 GMT
=====================================================
Summary by authors
=====================================================
Author: guy
	File: libpcap/pcap-dag.c; Revisions: 1.21
	File: libpcap/optimize.c; Revisions: 1.85

=====================================================
Log entries
=====================================================
Description:
Add a little more information to a comment.
Modified files:
	File: libpcap/optimize.c; Revision: 1.85;
	Date: 2005/04/04 08:42:18; Author: guy; Lines:  (+5 -3)
-------------------------------
Description:
"install_bpf_program()" already sets "p->errbuf" to an error string if
it fails; there's no need for "dag_setfilter()" to do so.
Modified files:
	File: libpcap/pcap-dag.c; Revision: 1.21;
	Date: 2005/04/03 23:56:47; Author: guy; Lines:  (+2 -5)
=====================================================
Summary of modified files
=====================================================
File: libpcap/optimize.c
Revisions: 1.85
Authors: guy (+5 -3)
-------------------------------
(Continue reading)

