Re: tcpdump under RedHat 6.1

From: Francois Morris (Francois.Morrisat_private)
Date: Wed Jan 19 2000 - 02:55:56 PST


    Another problem is that the -e flag doesn't work correctly.  For an outgoing
    packet the source MAC address is 0:0:0:0:0:0; for an incoming packet the
    destination MAC address is 0:0:0:0:0:1.  I have this problem with
    tcpdump-3.4-16; with tcpdump-3.4-10 copied from another machine the source
    and destination addresses are correct.
    
    John Comeau wrote:
    
    > Another nice gotcha is that -p now means the opposite of its old
    > behavior (and what its manpage still reads): rather than disabling
    > promiscuous mode, it now enables same (default is now nonpromiscuous -
    > all you'll see is your own traffic plus broadcast and multicast) - jc
    >
    > Renaud Deraison wrote:
    > >
    > > RedHat 6.1 comes bundled with a modified version of tcpdump, which has
    > > the ability to listen on all the interfaces at once, which is nice.
    > >
    > > However, the output format has changed. Whereas a typical tcpdump
    > > line was:
    > >
    > > time source.port > dest.port:[.....]
    > >
    > > It is now:
    > >
    > > time interface > source.port > dest.port:[....]
    > > or
    > > time interface < source.port > dest.port:[....]
    > >
    > > If you explicitly ask tcpdump to listen on one interface, the
    > > output will be :
    > >
    > > time > source.port > dest.port:[....]
    > > or
    > > time < source.port > dest.port:[....]
    > >
    > > Also, the 'port' is no longer a numeric value. It is taken from
    > > /etc/services, even with the -n option set.
    > >
    > > This new behavior will make a lot of programs that use tcpdump's
    > > output panic or produce bogus output. I think shadow is affected,
    > > but it's not the only one.
    > >
    > > I have been looking through the man page, and I could not find an option
    > > to issue a backward compatible output. What is worse is that
    > > tcpdump --version will show the same version number (3.4) as
    > > the older tcpdumps, so this problem will only be detected at runtime.
    > >
    > > So, if you have written your own custom scripts or if some of the programs
    > > you use are relying on tcpdump, then install the tcpdump that comes
    > > bundled with RH 6.0, or modify your scripts so that they can handle this
    > > modification.
    > >
    > >                                 -- Renaud
    > >
    > > (apologies if this was already known)
    > >
    > > --
    > > Renaud Deraison
    > > The Nessus Project
    > > http://www.nessus.org
    >
    > --
    > John Comeau - Chief Operating Officer
    > Dialtone Internet - Extremely Fast Web Systems
    > 954-581-0097  fax://954-581-7629
    > jcomeauat_private
    > http://www.dialtoneinternet.net
    
    --
    François MORRIS                Lab. Minéralogie-Cristallographie,
    4, place Jussieu               F-75252 PARIS
    Phone: +33 (0) 1 44 27 52 42   Fax: +33 (0) 1 44 27 37 85
    E-mail: morrisat_private URL: http://www.lmcp.jussieu.fr/~morris
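
The parsing problem Renaud describes, handled in a script: an added example (not code from the list thread or from tcpdump) of a small Python parser that accepts both the classic 3.4 `time src.port > dst.port:` line and the RedHat 6.1 variants with an interface and direction prefix, and that maps a service name back to a port number when the output ignores -n. Interface names, addresses and the sample lines are constructed; the fallback service table is a stand-in for /etc/services.

```python
import re
import socket

# Constructed sample lines (not taken from the list message): a classic
# tcpdump 3.4 line, then the four RedHat 6.1 shapes the thread describes.
SAMPLE_LINES = [
    "10:22:01.123456 10.0.0.5.1025 > 10.0.0.1.80: S 1:1(0) win 512",
    "10:22:01.223456 eth0 > 10.0.0.5.1025 > 10.0.0.1.http: S 1:1(0) win 512",
    "10:22:01.323456 eth0 < 10.0.0.1.http > 10.0.0.5.1025: S 9:9(0) ack 2 win 512",
    "10:22:01.423456 > 10.0.0.5.1025 > 10.0.0.1.http: . ack 10 win 512",
    "10:22:01.523456 < 10.0.0.1.http > 10.0.0.5.1025: P 10:19(9) ack 1 win 512",
]
# Optional "iface dir" or bare "dir" prefix before the classic "src > dst:" pair.
# An interface must start with a letter, so a numeric classic source is never one.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+"
    r"(?:(?:(?P<iface>[A-Za-z][\w.:-]*)\s+)?(?P<dir>[<>])\s+)?"
    r"(?P<src>[^\s:]+)\s+>\s+(?P<dst>[^\s:]+):\s*(?P<rest>.*)$"
)

# Minimal stand-in, consulted only when the host has no usable /etc/services.
FALLBACK_SERVICES = {"http": 80, "ssh": 22, "smtp": 25, "domain": 53}
def port_number(token):
    """Return an int port for either a numeric token or a service name."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token, "tcp")
    except OSError:
        return FALLBACK_SERVICES[token]

def split_endpoint(endpoint):
    """'10.0.0.1.http' -> ('10.0.0.1', 80); the port is the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, port_number(port)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    return {
        "time": m.group("time"),
        "iface": m.group("iface"),  # None on classic or single-interface output
        "direction": {">": "out", "<": "in"}.get(m.group("dir")),
        "src": split_endpoint(m.group("src")),
        "dst": split_endpoint(m.group("dst")),
        "rest": m.group("rest"),
    }
def parse_lines(lines):
    return [parse_line(line) for line in lines]
```

Scripts that key on the raw line (the shadow-style "split on spaces, take field 2" approach) are exactly what the prefix and the service-name port break; normalising to host/port pairs first keeps the downstream logic the same for both tcpdump builds.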
    