tcpdump Mailing List

Covers the classic tcpdump text-based network sniffer and its libpcap sniffer library component.

Latest Posts

activities report for December 2025 Denis Ovsienko (Jan 01)
December 2025
=============

The accounted activities in December stand for 120:10 working hours and
40 commits (5 in tcpdump, 20 in libpcap and 15 in tcpdump-htdocs).
There are 310 new tests in libpcap.

Most notably, tcpdump 4.99.6 and libpcap 1.10.6 have been released.
This libpcap release fixes two minor vulnerabilities (CVE-2025-11961
and CVE-2025-11964); a more detailed account of other improvements is
available in the change logs. In...

Re: capture and inject device capabilities in libpcap Guy Harris (Dec 19)
My inclination is to have libpcap supply devices regardless of whether they have no-capture or no-inject set, and have
the caller choose what to show.

That way, it can be changed at the application level if the existing application behavior is an issue. For example, a
sniffer could start out not showing no-capture devices and, if people ask why the XXX interface isn't showing up, and
it turns out that it's a device that doesn't...

Re: Improving DPDK support Stephen Hemminger via tcpdump-workers (Dec 12)

Re: Improving DPDK support Denis Ovsienko (Dec 12)
Yes. How much of the existing code to preserve, if any, would be up to
anyone who can get pcap-dpdk.c into shape.

One of the directions of work done in libpcap in recent few years has
been removing of modules that could/should not be maintained anymore
(e.g. AirPcap, Enetfilter, NIT, Septel, STREAMS NIT, TurboCap and
[Tru64/Ultrix] Packet Filter). Another was fixing of various bit rot
in the remaining modules where practicable (DAG, DLPI,...

Re: Improving DPDK support Guy Harris (Dec 12)
As this is talking about libpcap, presumably you mean "which would have a program using libpcap, such as tcpdump or
Wireshark, running as a secondary process"; they might be the *primary* users of libpcap, but they're not the *only*
users (Snort and scapy both use it).

Presumably this would still allow it to be used as a sniffer, as that's what tcpdump and Wireshark are, and as that's
the primary purpose of libpcap (to...

Improving DPDK support Stephen Hemminger via tcpdump-workers (Dec 11)

Re: BPF ISA web page Vadim Goncharov (Dec 06)
It should contain not only "mnemonics" (BTW, A and X registers are uppercase)
but also layout of instruction and actual codes such as BPF_K or BPF_IND.
This will allow reader to understand potential of extensions. When I tried to
design next step of BPF ISA (alternative to eBPF and compatible to classic
BPF), I've even drawn them like RFC-style diagrams:

https://github.com/nuclight/bpf64/blob/main/bpf64spec.md

Re: dlt_choice table in pcap.c Guy Harris (Dec 04)
The full fun story is at https://gitlab.com/wireshark/wireshark/-/issues/2010

Re: dlt_choice table in pcap.c Guy Harris (Dec 04)
I think the capture code in tcpdump, which I think later became the separate libpcap library, originally just supported
the BPF capture mechanism, which used DLT_ values to indicate link-layer types. Thus, libpcap used DLT_ values in its
APIs; there *were* no LINKTYPE_ values.

Unfortunately, when they added new link-layer types to BPF, various OSes that picked up BPF sometimes chose values such
that the same numerical value corresponded to...

dlt_choice table in pcap.c Michael Richardson (Dec 04)
Guy, we have this lovely table in pcap.c:

static struct dlt_choice dlt_choices[] = {
DLT_CHOICE(NULL, "BSD loopback"),
DLT_CHOICE(EN10MB, "Ethernet"),
DLT_CHOICE(EN3MB, "experimental Ethernet (3Mb/s)"),
DLT_CHOICE(AX25, "AX.25 layer 2"),
DLT_CHOICE(PRONET, "Proteon ProNET Token Ring"),
...

I feel like it ought to be indexed by LINKTYPE instead....

Re: serving git:// from git.tcpdump.org Michael Richardson (Dec 03)
Denis Ovsienko <denis () ovsienko info> wrote:
> git.tcpdump.org has been available for git cloning as both https:// and
> git:// for a while. I consider introducing Debian 13 to provide this
> service, but this version of this Linux distribution made it more
> difficult to serve git:// because "The git-daemon-run and
> git-daemon-sysvinit packages have been removed from trixie due to
>...

serving git:// from git.tcpdump.org Denis Ovsienko (Dec 03)
Hello all.

git.tcpdump.org has been available for git cloning as both https:// and
git:// for a while. I consider introducing Debian 13 to provide this
service, but this version of this Linux distribution made it more
difficult to serve git:// because "The git-daemon-run and
git-daemon-sysvinit packages have been removed from trixie due to
security reasons." [1] I do not know which security reasons these are
besides the obvious lack...

activities report for November 2025 Denis Ovsienko (Dec 02)
November 2025
=============

The accounted activities in November stand for 164:10 hours and 62
commits (3 in tcpdump, 44 in libpcap and 15 in tcpdump-htdocs). There
are 2171 new tests in libpcap.

In libpcap the main improvements are as follows:

* "(host|net) <IPv4 address>", "(arp|rarp) host <IPv4 address>",
"(ip|ip6) multicast", "ip broadcast" and the index operation now
compile to...

Re: Accurate ECN support in tcpdump/libpcap Scheffenegger, Richard via tcpdump-workers (Nov 24)

Re: linktype files should repeat the DLT value Michael Richardson (Nov 22)
I brain-farted and typed DLT in the email when I should have typed LINKTYPE!

Guy Harris <gharris () sonic net> wrote:
>> I don't think that these files were generated, but I wanted to be sure before
>> I hand-edit them to include a number.

> They're not generated, except by copy-and-paste-and modify.

thanks for confirming.

>> I think that it should be an h3 header after the h2 title....
