Reading directly from tcpdump stdout fails #504

Closed
uberhalit opened this issue Aug 26, 2018 · 1 comment
uberhalit commented Aug 26, 2018

When trying to read the output of tcpdump with pcap.OpenOfflineFile(os.Stdin) one will continuously receive an io.EOF error but not a single valid packet.

tcpdump is used like tcpdump -i eth0 -U -s0 -w - | mygopacketapplication. Flag -w - will direct pcap output to standard output.

Wireshark can read from stdin as stated above just fine (using -k -i -). But even when saving this capture from within Wireshark and then opening it via pcap.OpenOffline("wireshark_capture_from_stdin.pcap") all one will receive is io.EOF.

uberhalit commented Aug 26, 2018

After manually hex-editing some pcap files I've found the culprit:
tcpdump will insert a VLAN (802.1Q) layer when capturing from a virtual device. However, there is a bug regarding BPF when you try to chain together some 'vlan' expressions: the-tcpdump-group/libpcap#158

So instead of vlan or ( tcp port 1111 or 2222 ) one would use ( tcp port 1111 or 2222 ) or vlan. Otherwise you'll never see any normal tcp traffic.
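
The 802.1Q layer described in this comment, as an added Go example that is not code from the issue, from gopacket or from libpcap: it reads a pcap stream of the shape tcpdump -w - writes and reports whether the first captured frame carries a VLAN tag, so a reader can confirm tagged frames are the reason a filter without vlan matches nothing before touching filter syntax. The sample bytes are constructed to stand in for tcpdump's stdout, and the magic check assumes a little-endian capture.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// ReadFirstFrame consumes a little-endian pcap stream (what tcpdump -w - writes on x86) and
// returns the 802.1Q VLAN ID of its first frame (-1 if untagged) plus the EtherType behind any tag.
func ReadFirstFrame(r io.Reader) (vlanID int, etherType uint16, err error) {
	var hdr [24]byte // pcap global header: magic, version, tz, sigfigs, snaplen, linktype
	if _, err = io.ReadFull(r, hdr[:]); err != nil {
		return -1, 0, fmt.Errorf("global header: %w", err)
	}
	if magic := binary.LittleEndian.Uint32(hdr[:4]); magic != 0xa1b2c3d4 {
		return -1, 0, fmt.Errorf("not a little-endian pcap stream (magic %#x)", magic)
	}
	var rec [16]byte // record header: ts_sec, ts_usec, incl_len, orig_len
	if _, err = io.ReadFull(r, rec[:]); err != nil {
		return -1, 0, fmt.Errorf("record header: %w", err)
	}
	frame := make([]byte, binary.LittleEndian.Uint32(rec[8:12]))
	if _, err = io.ReadFull(r, frame); err != nil || len(frame) < 14 {
		return -1, 0, fmt.Errorf("frame body (%d bytes): %v", len(frame), err)
	}
	vlanID, etherType = -1, binary.BigEndian.Uint16(frame[12:14])
	if etherType == 0x8100 && len(frame) >= 18 { // TPID 0x8100: an 802.1Q tag is present
		vlanID = int(binary.BigEndian.Uint16(frame[14:16]) & 0x0fff)
		etherType = binary.BigEndian.Uint16(frame[16:18]) // the EtherType the tag wraps
	}
	return vlanID, etherType, nil
}

// SampleTaggedCapture is a constructed pcap stream (no real traffic) with one frame on VLAN 42
// wrapping IPv4, truncated to its headers; it stands in for tcpdump's stdout in the report.
func SampleTaggedCapture() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, [6]uint32{0xa1b2c3d4, 0x00040002, 0, 0, 65535, 1}) // magic, v2.4, tz, sigfigs, snaplen, linktype 1 (Ethernet)
	frame := []byte{0, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, // dst, src MAC
		0x81, 0x00, 0x00, 0x2a, 0x08, 0x00} // TPID 0x8100, TCI (PCP 0, VID 42), inner EtherType IPv4
	binary.Write(&b, binary.LittleEndian, [4]uint32{0, 0, uint32(len(frame)), uint32(len(frame))})
	b.Write(frame)
	return b.Bytes()
}

func main() {
	fmt.Println(ReadFirstFrame(bytes.NewReader(SampleTaggedCapture()))) // 42 2048 <nil>
}
```

Replace the sample reader with os.Stdin to inspect a live tcpdump -w - pipe; a non-pcap or truncated stream is reported as an error instead of silently yielding nothing.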
