Bug 485670

Summary: tcpslice doesn't work on x86_64 on RHEL5
Product: Red Hat Enterprise Linux 5 Reporter: masanari iida <masanari_iida>
Component: tcpdumpAssignee: Miroslav Lichvar <mlichvar>
Status: CLOSED ERRATA QA Contact: BaseOS QE <qe-baseos-auto>
Severity: low Docs Contact:
Priority: low    
Version: 5.3CC: bzeranski, mmalik, rgraves, rvokal
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-26 07:51:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description masanari iida 2009-02-16 05:30:14 UTC 
Description of problem:
tcpslice on RHEL5 doesn't work.

Version-Release number of selected component (if applicable):
RHEL5.3
tcpdump-3.6.4-14.el5.x86_64.rpm

How reproducible:
Always


Steps to Reproduce:
1. Create a tcpdump capture file.
   # tcpdump -w abc123.bin

2. See the file
# tcpslice -R ./abc1234.bin
tcpslice: couldn't find final packet in file ./abc1234.bin

3. Split the file
# tcpslice -w abc1234_slice.bin 1234761182.634226 +1 ./abc1234.bin
tcpslice: problems finding end packet of file ./abc1234.bin
  

Expected results:
2. First and last packets need to be listed.
3. The original tcpdump capture file need to be sliced.

Additional info:
Same symptom reproduced on RHEL4.7. (BZ#484851)
This symptom does not reproduced on RHEL5.3 (x86) system.
Only x86_64 system are affected.
Comment 1 Miroslav Lichvar 2009-03-31 13:48:28 UTC 
This is caused by timeval structure which is 16 bytes on x86_64, but stored only in 8 bytes in the pcap file.

Fedora tcpdump package includes a patch fixing this bug.
Comment 2 masanari iida 2009-04-02 02:22:37 UTC 
Download tcpdump-3.9.8-6.fc10.src.rpm from Fedora10 repo,
and confirm following in Changelog.


* Wed Jul 25 2007 Miroslav Lichvar <mlichvar> - 14:3.9.7-1
- update to 3.9.7
- with -C option, drop root privileges before opening first savefile (#244860)
- update tcpslice to 1.2a3
- include time patch from Debian to fix tcpslice on 64-bit architectures

Compile this src.rpm on RHEL5.3(x86_64) and confirm it works as expected.


# ./tcpslice -R ./aaa.bin
./aaa.bin       1238638663.236078       1238638673.534904

Good one (from Fedora 10)
# ./tcpslice -V
Version 1.2a3
Usage: tcpslice [-DdlRrt] [-w file] [start-time [end-time]] file ...

Bad one (from RHEL5)

# tcpslice -V
Version 1.1a3
Usage: tcpslice [-dRrt] [-w file] [start-time [end-time]] file ...

Thanks for your support.
Comment 3 RHEL Program Management 2009-11-06 18:45:05 UTC 
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 11 errata-xmlrpc 2009-11-26 07:51:27 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1605.html
Comment 12 Rich Graves 2010-02-03 15:34:49 UTC 
For anyone else confused:

This bugzilla was CLOSED ERRATA, but the referenced errata is only available to the FasTrack channel. Fully patched RHEL 5.4 (default and supplemental channels) still has the problem. You can either download the specific package from RHN, or join the system to the FasTrack channel, which will likely pull in other non-critical package updates.