Re: tcpdump under RedHat 6.1

From: John Comeau (jcomeauat_private)
Date: Mon Jan 17 2000 - 19:33:55 PST

    Another nice gotcha is that -p now means the opposite of its old
    behavior (and what its manpage still reads): rather than disabling
    promiscuous mode, it now enables same (default is now nonpromiscuous -
    all you'll see is your own traffic plus broadcast and multicast) - jc
    
    Renaud Deraison wrote:
    >
    > RedHat 6.1 comes bundled with a modified version of tcpdump, which has
    > the ability to listen on all the interfaces at once, which is nice.
    >
    > However, the output format has changed. Whereas a typical tcpdump
    > line was :
    >
    > time source.port > dest.port:[.....]
    >
    > It is now :
    >
    > time interface > source.port > dest.port:[....]
    > or
    > time interface < source.port > dest.port:[....]
    >
    > If you explicitly ask tcpdump to listen on one interface, the
    > output will be :
    >
    > time > source.port > dest.port:[....]
    > or
    > time < source.port > dest.port:[....]
    >
    > Also, the 'port' is no longer a numeric value. It is taken from
    > /etc/services, even with the -n option set.
    >
    > This new behavior will make a lot of programs that use tcpdump's
    > output panic or produce bogus output. I think shadow is affected,
    > but it's not the only one.
    >
    > I have been looking through the man page, and I could not find an option
    > to issue a backward compatible output. What is worse is that
    > tcpdump --version will show up the same version numbers (3.4) as
    > the older tcpdumps, so this problem will only be detected at runtime.
    >
    > So, if you have written your own custom scripts or if some of the programs
    > you use are relying on tcpdump, then install the tcpdump that comes
    > bundled with RH 6.0, or modify your scripts so that they can handle this
    > modification.
    >
    >                                 -- Renaud
    >
    > (apologies if this was already known)
    >
    > --
    > Renaud Deraison
    > The Nessus Project
    > http://www.nessus.org
    
    --
    John Comeau - Chief Operating Officer
    Dialtone Internet - Extremely Fast Web Systems
    954-581-0097  fax://954-581-7629
    jcomeauat_private
    http://www.dialtoneinternet.net
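
For scripts that consume tcpdump output, one way to accept both the old and the modified line formats described above. This is an added example, not part of the original messages or of any tool they mention. The sample lines, the `SERVICES` table and the function names are constructed for illustration, and only TCP/UDP lines with a `host.port` suffix are handled.

```python
import re

# Constructed stand-in for /etc/services so the example runs offline.
SERVICES = {"ssh": 22, "telnet": 23, "domain": 53, "www": 80}

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    # Modified build: optional interface name, then a '<' or '>' direction marker.
    r"(?:(?:(?P<iface>[^\s<>]+)\s+)?(?P<dir>[<>])\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):"
)


def split_endpoint(endpoint):
    """Split 'host.port' and return (host, numeric port)."""
    host, sep, port = endpoint.rpartition(".")
    if not sep or not host:
        raise ValueError("no port in endpoint: %r" % endpoint)
    if port.isdigit():
        return host, int(port)
    if port in SERVICES:          # service name printed despite -n
        return host, SERVICES[port]
    raise ValueError("unknown service name: %r" % port)


def parse_line(line):
    """Normalise one TCP/UDP summary line from either output format."""
    m = LINE_RE.match(line)
    if m is None:
        # Fail loudly instead of passing a misparsed record downstream.
        raise ValueError("unrecognised tcpdump line: %r" % line)
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    return {
        "time": m.group("time"),
        "iface": m.group("iface"),    # None in the old format
        "direction": m.group("dir"),  # None in the old format
        "src": (src_host, src_port),
        "dst": (dst_host, dst_port),
    }


# Constructed sample lines, one per format described in the message.
OLD = "19:33:55.123456 10.0.0.5.1042 > 10.0.0.9.23: S 1:1(0) win 512"
NEW_ALL = "19:33:55.123456 eth0 < 10.0.0.5.1042 > 10.0.0.9.telnet: S 1:1(0) win 512"
NEW_ONE = "19:33:55.123456 > 10.0.0.5.1042 > 10.0.0.9.telnet: S 1:1(0) win 512"

if __name__ == "__main__":
    for sample in (OLD, NEW_ALL, NEW_ONE):
        print(parse_line(sample))
```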
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:47 PDT