Reading directly from tcpdump stdout fails #504
uberhalit
Aug 26, 2018
After manually hex-editing some pcap files I've found the culprit:
tcpdump will insert a VLAN (802.1Q) layer when capturing from a virtual device. However, there is a bug regarding BPF when you try to chain together some 'vlan' expressions: the-tcpdump-group/libpcap#158
So instead of `vlan or ( tcp port 1111 or 2222 )` one would use `( tcp port 1111 or 2222 ) or vlan`. Otherwise you'll never see any normal tcp traffic.
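To illustrate the filter-ordering point in the comment above (an added example, not code from the issue or from gopacket): pcap-filter(7) documents that the first `vlan` keyword shifts the decoding offsets for the rest of the expression by the 4-byte 802.1Q tag. The function names and frames below are constructed for this example; it models the offsets in plain Go and is not libpcap's generated BPF.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// tcpPortAt models a filter with fixed link-layer length l2len (14 plain, 18 tagged).
func tcpPortAt(frame []byte, l2len int, port uint16) bool {
	if l2len < 14 || len(frame) < l2len+20 ||
		binary.BigEndian.Uint16(frame[l2len-2:]) != 0x0800 { // ethertype IPv4
		return false
	}
	ip := frame[l2len:]
	ihl := int(ip[0]&0x0f) * 4
	if ip[0]>>4 != 4 || ihl < 20 || ip[9] != 6 || len(ip) < ihl+4 { // 6 = TCP
		return false
	}
	return binary.BigEndian.Uint16(ip[ihl:]) == port ||
		binary.BigEndian.Uint16(ip[ihl+2:]) == port
}

// l2Len skips any 802.1Q tags (TPID 0x8100) and returns the real header length.
func l2Len(frame []byte) int {
	n := 14
	for len(frame) >= n+4 && binary.BigEndian.Uint16(frame[n-2:]) == 0x8100 {
		n += 4
	}
	return n
}

// buildFrame returns a constructed Ethernet/IPv4/TCP frame (sample data).
func buildFrame(tagged bool, dport uint16) []byte {
	f := make([]byte, 12) // zeroed MAC addresses
	if tagged {
		f = append(f, 0x81, 0x00, 0x00, 0x64) // TPID + VLAN ID 100
	}
	f = append(f, 0x08, 0x00) // ethertype IPv4
	ip := make([]byte, 40)    // 20-byte IPv4 header + 20-byte TCP header
	ip[0], ip[9] = 0x45, 6
	binary.BigEndian.PutUint16(ip[22:], dport) // TCP destination port
	return append(f, ip...)
}

func main() {
	for _, tagged := range []bool{false, true} {
		f := buildFrame(tagged, 1111)
		fmt.Println(tagged, tcpPortAt(f, 14, 1111), tcpPortAt(f, 18, 1111), tcpPortAt(f, l2Len(f), 1111))
	}
}
```

A port test evaluated at the VLAN-shifted offset (18) misses untagged traffic, and the unshifted one (14) misses tagged traffic; only walking the tags first matches both.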
uberhalit commented Aug 26, 2018 (edited)
When trying to read the output of tcpdump with `pcap.OpenOfflineFile(os.Stdin)` one will continuously receive `io.EOF` error but not a single valid packet.

tcpdump is used like `tcpdump -i eth0 -U -s0 -w - | mygopacketapplication`. Flag `-w -` will direct pcap output to standard output.

Wireshark can read from stdin like stated above just fine (using `-k -i -`). But even when saving this capture from within wireshark and then opening via `pcap.OpenOffline("wireshark_capture_from_stdin.pcap")` all one will receive is io.EOF.