Bug 213968 - tcpdump prints erroneously large port numbers
tcpdump prints erroneously large port numbers
Product: Fedora
Classification: Fedora
Component: tcpdump (Show other bugs)
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Miroslav Lichvar
Depends On:
  Show dependency treegraph
Reported: 2006-11-03 19:52 EST by Wolfgang Rupprecht
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-11-07 03:21:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Wolfgang Rupprecht 2006-11-03 19:52:26 EST
Description of problem:

# tcpdump -vvvvvv -n -s 1500
16:38:57.336507 arp reply is-at 00:0e:a6:8d:2c:a7
16:39:14.935220 IP (tos 0x0, ttl  64, id 30439, offset 0, flags [+], proto: UDP
(17), length: 1500) > 1472 write fh
150,140/3805627648 4096 (4096) bytes @ 0 <filesync>

Notice the source port it prints is 3796435621.  Thats pretty amazing
concidering the port numbers top out at 64k.  I suspect some format string
problem is being uncovered by the amd64 64-bit code.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. tcpdump -vvvvvv -n -s 1500
2. look for port number > 64k
Actual results:
Ports over 64k printed

Expected results:
Ports with numbers 1-64k

Additional info:
Comment 1 Miroslav Lichvar 2006-11-06 05:53:50 EST
Can you send me a file created with tcpdump -w, which shows the large port number?
Comment 2 Wolfgang Rupprecht 2006-11-06 14:41:30 EST
(In reply to comment #1)
> Can you send me a file created with tcpdump -w, which shows the large port number?

I've only seen the large port numbers occur with nfs over udp packets. 
Unfortunately, tcpdumps of nfs traffic is the one thing I feel very
uncomfortable posting.

Looking at the code in /usr/src/redhat/BUILD/tcpdump-3.9.4/tcpdump-3.9.4/print-nfs.c
nfsreply_print and nfsreq_print, it appears that the large numbers that are
printed in the port-number position are not the port numbers at all but the XID
(some 32-bit nfs transaction ID number).    Just to make it more confusing, the 
"port" number printed for the server's side of the address.port is indeed the
nfs port.  It is only the client's side that gets the XID printed where tcpdump
normally prints the port number.

This is a highly confusing interface design, and will probably continue to be
flagged as a bug until it is changed.  It isn't a coding error though.
Comment 3 Miroslav Lichvar 2006-11-07 03:21:10 EST
Ok, thanks for the analysis.

But I have to close it as NOTABUG since it's documented in the man page. Output
of tcpdump is protocol dependent and for NFS requests and replies the
transaction id is printed.

Note You need to log in before you can comment on or make changes to this bug.