[531] in linux-net channel archive


Re: tcpdump expressions?

daemon@ATHENA.MIT.EDU (Peter Belding)
Sat Jun 17 04:04:34 1995

Date: Sat, 17 Jun 1995 00:20:02 -0700 (PDT)
From: Peter Belding <pbelding@qualcomm.com>
To: Kayvan Sylvan <kayvan@Sylvan.COM>
cc: linux-net@vger.rutgers.edu
In-Reply-To: <m0sMh1P-000234C@satyr.sylvan.com>

On Fri, 16 Jun 1995, Kayvan Sylvan wrote:

> >>>>> "Michael" == Michael Callahan <callahan@maths.ox.ac.uk> writes:
> 
> >> Does anyone have tcpdump working with expressions?
> 
> Michael> "tcpdump 'host foobar'" works for me.
> 
> What version? I'm using tcpdump version 3.0 from sunsite, with the PPP
> patch (patch02) and patch03 applied.
> 
> Neither "tcpdump 'host foobar'" nor "tcpdump host foobar" work. :-(

The packet filter code that tcpdump generates attempts to match the
protocol field in the PPP link header.  The link header is not actually
received - tcpdump just leaves space at the beginning of the buffer - so
the protocol field never gets set.  The following patch against sunsite
tcpdump 3.0 with patches 2 and 3 applied works for me.

--- pcap-linux.c.save   Fri Jun 16 23:04:24 1995
+++ pcap-linux.c        Fri Jun 16 23:04:00 1995
@@ -65,6 +65,7 @@
     buf = (char *)p->buffer+4;
     bufsize = p->bufsize - 4;
     memset(p->buffer,0,4);
+    (p->buffer)[3] = 0x21;
   } else {
     buf = (char *)p->buffer;
     bufsize = p->bufsize;
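
Review bot: the added `(p->buffer)[3] = 0x21;` relies on two unexplained magic numbers and marks every packet taken through this branch as IP, whatever was actually received. A comment or named constant should state that bytes 2-3 of the 4-byte placeholder are being set to the PPP protocol value for IP (0x0021). The same comment should note that any non-IP traffic on the interface would then be presented to the filter as IP, because the real link header is not available at this point.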

-Peter
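
The failure described in the message above, as an added example that is not part of the original post or of tcpdump's own code: a hypothetical stand-in for the generated filter checks the protocol field in the 4-byte placeholder before it compares IP addresses. The function names, the field position (16-bit big-endian at bytes 2-3) and the sample packet are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PPP_HDRLEN   4       /* space the capture code leaves before the packet */
#define PPP_PROTO_IP 0x0021  /* PPP protocol number for IPv4 */

/* Constructed sample: bare 20-byte IPv4 header, 10.0.0.1 -> 10.0.0.2. */
static const uint8_t sample_ip[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2
};
static const uint8_t sample_host[4] = {10, 0, 0, 2};  /* constructed */

/* Lay out the buffer as in the hunk; `patched` applies the one-line fix. */
static size_t fill_buffer(uint8_t *buf, size_t cap, int patched)
{
    if (cap < PPP_HDRLEN + sizeof sample_ip)
        return 0;
    memset(buf, 0, PPP_HDRLEN);
    if (patched)
        buf[3] = 0x21;
    memcpy(buf + PPP_HDRLEN, sample_ip, sizeof sample_ip);
    return PPP_HDRLEN + sizeof sample_ip;
}

/* Hypothetical "host X" filter: link protocol must be IP, then compare. */
static int match_host(const uint8_t *pkt, size_t len, const uint8_t host[4])
{
    if (len < PPP_HDRLEN + sizeof sample_ip)
        return 0;                        /* too short to hold an IP header */
    if (((pkt[2] << 8) | pkt[3]) != PPP_PROTO_IP)
        return 0;                        /* a zeroed placeholder fails here */
    const uint8_t *ip = pkt + PPP_HDRLEN;
    return memcmp(ip + 12, host, 4) == 0 || memcmp(ip + 16, host, 4) == 0;
}

/* 1 if the filter accepts the sample packet for `host`, else 0. */
static int capture_matches(int patched, const uint8_t host[4])
{
    uint8_t buf[64];
    size_t n = fill_buffer(buf, sizeof buf, patched);
    return match_host(buf, n, host);
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n",
           capture_matches(0, sample_host), capture_matches(1, sample_host));
    return 0;
}
```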
