[13436] in bugtraq
Re: tcpdump under RedHat 6.1
daemon@ATHENA.MIT.EDU (Francois Morris)
Wed Jan 19 16:49:59 2000
Date: Wed, 19 Jan 2000 11:55:56 +0100
Reply-To: Francois.Morris@LMCP.JUSSIEU.FR
From: Francois Morris <Francois.Morris@LMCP.JUSSIEU.FR>
To: BUGTRAQ@SECURITYFOCUS.COM
Another problem is that the -e flag doesn't work correctly. For an outgoing
packet the source MAC address is 0:0:0:0:0:0, for an incoming packet the
destination MAC address is 0:0:0:0:0:1. I have this problem with tcpdump-3.4-16;
with tcpdump-3.4-10 copied from another machine the source and destination
addresses are correct.
John Comeau wrote:
> Another nice gotcha is that -p now means the opposite of its old
> behavior (and what its manpage still reads): rather than disabling
> promiscuous mode, it now enables same (default is now nonpromiscuous -
> all you'll see is your own traffic plus broadcast and multicast) - jc
>
> Renaud Deraison wrote:
> >
> > RedHat 6.1 comes bundled with a modified version of tcpdump, which has
> > the ability to listen on all the interfaces at once, which is nice.
> >
> > However, the output format has changed. Whereas a typical tcpdump
> > line was :
> >
> > time source.port > dest.port:[.....]
> >
> > It is now :
> >
> > time interface > source.port > dest.port:[....]
> > or
> > time interface < source.port > dest.port:[....]
> >
> > If you explicitly ask tcpdump to listen on one interface, the
> > output will be :
> >
> > time > source.port > dest.port:[....]
> > or
> > time < source.port > dest.port:[....]
> >
> > Also, the 'port' is no longer a numeric value. It is taken from
> > /etc/services, even with the -n option set.
> >
> > This new behavior will make a lot of programs that use tcpdump's
> > output panic or produce bogus output. I think shadow is affected,
> > but it's not the only one.
> >
> > I have been looking through the man page, and I could not find an option
> > to issue backward-compatible output. What is worse is that
> > tcpdump --version will show the same version number (3.4) as
> > the older tcpdumps, so this problem will only be detected at runtime.
> >
> > So, if you have written your own custom scripts or if some of the programs
> > you use are relying on tcpdump, then install the tcpdump that comes
> > bundled with RH 6.0, or modify your scripts so that they can handle this
> > modification.
> >
> > -- Renaud
> >
> > (apologies if this was already known)
> >
> > --
> > Renaud Deraison
> > The Nessus Project
> > http://www.nessus.org
>
> --
> John Comeau - Chief Operating Officer
> Dialtone Internet - Extremely Fast Web Systems
> 954-581-0097 fax://954-581-7629
> jcomeau@dialtoneinternet.net
> http://www.dialtoneinternet.net
--
François MORRIS Lab. Minéralogie-Cristallographie,
4, place Jussieu F-75252 PARIS
Phone: +33 (0) 1 44 27 52 42 Fax: +33 (0) 1 44 27 37 85
E-mail: morris@lmcp.jussieu.fr URL: http://www.lmcp.jussieu.fr/~morris
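Renaud's suggestion to "modify your scripts so that they can handle this modification" in practice means parsing both layouts he lists: the classic `time source.port > dest.port:` line and the RH 6.1 form with an interface column and a `<`/`>` direction marker (or only the marker when one interface is given), plus ports printed as /etc/services names despite -n. The following parser is an added example, not code from the thread or from tcpdump; the sample lines and the small SERVICES table are constructed so it runs offline.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample lines in the layouts described in the thread: the classic
# tcpdump 3.4 format and the Red Hat 6.1 variant, which prefixes an interface
# name and a direction marker (or only the marker when one interface is given).
OLD_STYLE = "11:55:56.123456 host1.1234 > host2.telnet: S 1:1(0) win 512"
NEW_OUT = "11:55:56.123456 eth0 > host1.1234 > host2.telnet: S 1:1(0) win 512"
NEW_IN = "11:55:56.654321 eth0 < host2.telnet > host1.1234: S 9:9(0) ack 2 win 512"
NEW_ONE_IF = "11:55:56.654321 > host1.1234 > host2.telnet: S 1:1(0) win 512"

# Tiny constructed stand-in for /etc/services, so the example runs offline.
SERVICES = {"telnet": 23, "domain": 53, "http": 80}

class Flow(NamedTuple):
    time: str
    iface: Optional[str]      # None in the classic layout or when omitted
    direction: Optional[str]  # '>' outgoing, '<' incoming, None in the classic layout
    src: str
    sport: Optional[int]      # None when a service name is not in SERVICES
    dst: str
    dport: Optional[int]
    rest: str

# The optional "iface dir" / bare "dir" prefix is what distinguishes the layouts;
# the regex backtracks out of it for classic lines, where no '<'/'>' precedes src.
_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?:(?:(?P<iface>[A-Za-z][\w.:-]*)\s+)?(?P<dir>[<>])\s+)?"
    r"(?P<src>\S+?)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>[\w-]+):\s*(?P<rest>.*)$"
)

def port_number(port: str) -> Optional[int]:
    """RH 6.1 prints service names even with -n; map them back to numbers."""
    if port.isdigit():
        return int(port)
    return SERVICES.get(port)

def parse_line(line: str) -> Optional[Flow]:
    """Return a normalized Flow for either layout, or None if the line is unparseable."""
    m = _LINE.match(line)
    if m is None:
        return None
    return Flow(m["time"], m["iface"], m["dir"], m["src"], port_number(m["sport"]),
                m["dst"], port_number(m["dport"]), m["rest"])

if __name__ == "__main__":
    for sample in (OLD_STYLE, NEW_OUT, NEW_IN, NEW_ONE_IF):
        print(parse_line(sample))
```

A script built on `parse_line` sees the same `Flow` tuple whichever tcpdump build produced the line, and a `None` result flags lines in yet another format instead of silently producing bogus output.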