Wireshark · Ethereal-dev: Re: [Ethereal-dev] Re: TCP Packets

Ethereal-dev: Re: [Ethereal-dev] Re: TCP Packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>

Date: Thu, 26 Oct 2000 01:57:17 -0700

On Wed, Oct 25, 2000 at 09:06:02AM -0600, John McDermott wrote:
> Neither message says what OS is being run, but recall that there are
> problems with RedHat and some versions of libpcap.

To which problems are you referring?

There is a generic Linux problem with libpcap, mentioned in question 3.2
in the Ethereal FAQ:

	Q 3.2: Under Linux, the program freezes while trying to do a
	live capture. 

	A: If you're running version 0.8.2 or later, this problem
	shouldn't present itself.

	Ethereal uses the libpcap library to perform live captures.  The
	stock libpcap doesn't implement a feature that returns control
	to the calling application if the network is idle.  In Ethereal
	versions prior to 0.8.2, the program would freeze during
	captures as a result.  0.8.2 introduced code to work around the
	problem.

but

	1) that's not a problem only with Red Hat;

	2) Ethereal has worked around it since 0.8.2

> If you are running a
> recent RH, be sure to get the correct libpcap from the ethereal ftp
> site: ftp.zing.org (possibly:
> ftp://ftp.zing.org/pub/ethereal/rpms/libpcap-0.4-16ethereal.i386.rpm
> depending on your system).

...so you don't need to get an updated libpcap to work around that
problem, at least.

There is another problem with Red Hat, which is that the RH 6.1 libpcap
writes out files that are *not* in the standard libpcap format but that
have the standard libpcap magic number; however

	1) Ethereal doesn't use libpcap to write its capture files

and

	2) Ethereal doesn't use libpcap to read its capture files *and*
	   the library it uses performs some unnatural acts in order to
	   try to figure out which of the four count 'em four different
	   flavors of libpcap format a file is in

and

	3) Red Hat upgraded libpcap in 6.2 to a version that writes out
	   the files with a changed magic number and that can read
	   standard libpcap files as well

so the only problem there is that files written by Ethereal are readable
by the standard RH 6.1 libpcap only if you choose "Red Hat Linux 6.1
libpcap" format in the "Save As" dialog box.

(Note also that the Ethereal FTP site is now "ftp.ethereal.com", not
"ftp.zing.org".)

Follow-Ups:
- Re: [Ethereal-dev] Re: TCP Packets
  - From: Richard Sharpe

References:
- [Ethereal-dev] Re: TCP Packets
  - From: Richard Sharpe
- Re: [Ethereal-dev] Re: TCP Packets
  - From: John McDermott

Prev by Date: [Ethereal-dev] Wiretap as DLL, again
Next by Date: Re: [Ethereal-dev] IGRP dissector, please commit
Previous by thread: Re: [Ethereal-dev] Re: TCP Packets
Next by thread: Re: [Ethereal-dev] Re: TCP Packets
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$