[13414] in bugtraq


Re: tcpdump under RedHat 6.1

daemon@ATHENA.MIT.EDU (John Comeau)
Tue Jan 18 17:05:35 2000

Message-Id:  <3883DF23.7D9A1E10@dialtoneinternet.net>
Date:         Mon, 17 Jan 2000 22:33:55 -0500
Reply-To: jcomeau@dialtoneinternet.net
From: John Comeau <jcomeau@DIALTONEINTERNET.NET>
X-To:         Renaud Deraison <deraison@CVS.NESSUS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

Another nice gotcha is that -p now means the opposite of its old
behavior (and what its manpage still reads): rather than disabling
promiscuous mode, it now enables same (default is now nonpromiscuous -
all you'll see is your own traffic plus broadcast and multicast) - jc

Renaud Deraison wrote:
>
> RedHat 6.1 comes bundled with a modified version of tcpdump, which has
> the ability to listen on all the interfaces at once, which is nice.
>
> However, the output format has changed. Whereas a typical tcpdump
> line was :
>
> time source.port > dest.port:[.....]
>
> It is now :
>
> time interface > source.port > dest.port:[....]
> or
> time interface < source.port > dest.port:[....]
>
> If you explicitly ask tcpdump to listen on one interface, the
> output will be :
>
> time > source.port > dest.port:[....]
> or
> time < source.port > dest.port:[....]
>
> Also, the 'port' is no longer a numeric value. It is taken from
> /etc/services, even with the -n option set.
>
> This new behavior will make a lot of programs that use tcpdump's
> output panic or produce bogus output. I think shadow is affected,
> but it's not the only one.
>
> I have been looking through the man page, and I could not find an option
> to issue a backward compatible output. What is worse is that
> tcpdump --version will show the same version number (3.4) as
> the older tcpdumps, so this problem will only be detected at runtime.
>
> So, if you have written your own custom scripts or if some of the programs
> you use are relying on tcpdump, then install the tcpdump that comes
> bundled with RH 6.0, or modify your scripts so that they can handle this
> modification.
>
>                                 -- Renaud
>
> (apologies if this was already known)
>
> --
> Renaud Deraison
> The Nessus Project
> http://www.nessus.org

--
John Comeau - Chief Operating Officer
Dialtone Internet - Extremely Fast Web Systems
954-581-0097  fax://954-581-7629
jcomeau@dialtoneinternet.net
http://www.dialtoneinternet.net
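The thread's advice is to make tcpdump-consuming scripts tolerate both output formats. The parser below is an added example written for this archive page, not code from either poster or from Red Hat; it accepts the classic "time src.port > dst.port:" line as well as the Red Hat 6.1 variants with an optional interface name and a "<" or ">" direction marker, resolves service names back to numbers (the small SERVICES table is constructed here as a stand-in for /etc/services, with socket.getservbyname as a fallback), and reports which format a capture is in so a script can detect the modified tcpdump at runtime, since, as Renaud notes, the version string does not reveal it. The sample lines are constructed, not taken from a real capture.

```python
"""Parse both the classic tcpdump 3.4 line format and the modified
format shipped with Red Hat 6.1 (interface name and direction marker).
Added example for this Bugtraq thread; not the posters' own code."""
import re
import socket
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for /etc/services: the RH 6.1 tcpdump prints
# service names even under -n, so scripts must map them back to numbers.
SERVICES = {
    "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
    "domain": 53, "http": 80, "https": 443,
}

# time [iface] [<|>] src.port > dst.port: rest
#   classic:           22:33:55.123456 10.0.0.1.1234 > 10.0.0.2.80: S ...
#   RH 6.1, all ifaces: 22:33:55.123456 eth0 > 10.0.0.1.1234 > 10.0.0.2.http: S ...
#   RH 6.1, one iface:  22:33:55.123456 > 10.0.0.1.1234 > 10.0.0.2.http: S ...
_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?:(?P<iface>[A-Za-z][\w.:-]*)\s+)?"   # interface, only in RH 6.1 multi-iface mode
    r"(?:(?P<dir>[<>])\s+)?"                  # direction marker, only in RH 6.1 format
    r"(?P<src>\S+?)\.(?P<sport>[A-Za-z0-9_-]+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>[A-Za-z0-9_-]+):"
    r"(?P<rest>.*)$"
)


def _port(token: str) -> Optional[int]:
    """Return a numeric port for either a number or a service name."""
    if token.isdigit():
        return int(token)
    if token in SERVICES:
        return SERVICES[token]
    try:
        return socket.getservbyname(token)  # consults the host's /etc/services
    except OSError:
        return None  # unknown name: caller decides whether to drop the line


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one tcpdump line in either format; None if it is not a packet line."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return {
        "time": m.group("time"),
        "iface": m.group("iface"),          # None unless tcpdump printed one
        "direction": m.group("dir"),        # None for the classic format
        "src": m.group("src"),
        "sport": _port(m.group("sport")),
        "dst": m.group("dst"),
        "dport": _port(m.group("dport")),
        "rest": m.group("rest").strip(),
        # The direction marker is the reliable tell for the RH 6.1 tcpdump.
        "format": "rh61" if m.group("dir") else "classic",
    }


def parse_capture(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse every packet line, silently skipping lines that match neither format."""
    records = [parse_line(ln) for ln in lines]
    return [r for r in records if r is not None]


def detect_format(lines: Iterable[str]) -> Optional[str]:
    """Runtime format probe: 'rh61' if any line carries a direction marker."""
    records = parse_capture(lines)
    if not records:
        return None
    return "rh61" if any(r["format"] == "rh61" for r in records) else "classic"


# Constructed sample lines covering the four shapes described in the thread.
SAMPLE_LINES = [
    "22:33:55.123456 10.0.0.1.1234 > 10.0.0.2.80: S 1:1(0) win 512",
    "22:33:55.234567 eth0 > 10.0.0.1.1234 > 10.0.0.2.http: S 1:1(0) win 512",
    "22:33:55.345678 eth1 < 10.0.0.2.http > 10.0.0.1.1234: S 7:7(0) ack 2 win 512",
    "22:33:55.456789 > 10.0.0.1.1234 > 10.0.0.2.http: P 1:5(4) ack 1 win 512",
]

if __name__ == "__main__":
    print("capture format:", detect_format(SAMPLE_LINES))
    for rec in parse_capture(SAMPLE_LINES):
        print(rec["format"], rec["iface"], rec["direction"],
              f'{rec["src"]}:{rec["sport"]} -> {rec["dst"]}:{rec["dport"]}')
```

A script that pins its expectations to one format can call detect_format() on the first few lines of a capture and bail out loudly if the answer is not what it was written for; that is cheaper than discovering the change through bogus alerts, which is the failure mode the thread warns about for tools like shadow.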
