Red Hat Bugzilla – Bug 485670
tcpslice doesn't work on x86_64 on RHEL5
Last modified: 2014-01-27 03:26:49 EST
Description of problem:
tcpslice on RHEL5 doesn't work.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a tcpdump capture file.
# tcpdump -w abc123.bin
2. See the file
# tcpslice -R ./abc1234.bin
tcpslice: couldn't find final packet in file ./abc1234.bin
3. Split the file
# tcpslice -w abc1234_slice.bin 1234761182.634226 +1 ./abc1234.bin
tcpslice: problems finding end packet of file ./abc1234.bin
2. First and last packets need to be listed.
3. The original tcpdump capture file needs to be sliced.
Same symptom reproduced on RHEL4.7. (BZ#484851)
This symptom is not reproduced on a RHEL5.3 (x86) system.
Only x86_64 systems are affected.
This is caused by the timeval structure, which is 16 bytes on x86_64 but is stored in only 8 bytes in the pcap file.
Fedora tcpdump package includes a patch fixing this bug.
Download tcpdump-3.9.8-6.fc10.src.rpm from the Fedora 10 repo,
and confirm the following in the Changelog.
* Wed Jul 25 2007 Miroslav Lichvar <email@example.com> - 14:3.9.7-1
- update to 3.9.7
- with -C option, drop root privileges before opening first savefile (#244860)
- update tcpslice to 1.2a3
- include time patch from Debian to fix tcpslice on 64-bit architectures
Compile this src.rpm on RHEL5.3(x86_64) and confirm it works as expected.
# ./tcpslice -R ./aaa.bin
./aaa.bin 1238638663.236078 1238638673.534904
Good one (from Fedora 10)
# ./tcpslice -V
Usage: tcpslice [-DdlRrt] [-w file] [start-time [end-time]] file ...
Bad one (from RHEL5)
# tcpslice -V
Usage: tcpslice [-dRrt] [-w file] [start-time [end-time]] file ...
Thanks for your support.
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
For anyone else confused:
This bugzilla was CLOSED ERRATA, but the referenced errata is only available to the FasTrack channel. Fully patched RHEL 5.4 (default and supplemental channels) still has the problem. You can either download the specific package from RHN, or join the system to the FasTrack channel, which will likely pull in other non-critical package updates.
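The cause given in the comments above (a 16-byte `struct timeval` on x86_64 against 8 bytes of timestamp in the file), shown as an added example that is not tcpslice's code or the Debian patch: it reads each record header as four fixed 32-bit fields and returns the first and last timestamps, as `tcpslice -R` lists them. The capture is constructed and assumed to be in host byte order; the names `disk_pkthdr`, `native_pkthdr`, `pcap_time_range` and `SAMPLE` are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

#define FILE_HDR_LEN 24u  /* fixed-size pcap global header, skipped here */
/* Per-packet header as stored in the file: four 32-bit fields, 16 bytes. */
struct disk_pkthdr { uint32_t ts_sec, ts_usec, caplen, len; };
/* The same header built on the native struct timeval: 24 bytes on x86_64. */
struct native_pkthdr { struct timeval ts; uint32_t caplen, len; };

/* Walk all records in buf; store first/last timestamps, return packet count.
 * Returns -1 when the data is truncated or a record overruns the buffer. */
int pcap_time_range(const uint8_t *buf, size_t n,
                    struct timeval *first, struct timeval *last)
{
    size_t off = FILE_HDR_LEN;
    int count = 0;
    if (n < FILE_HDR_LEN) return -1;
    while (n - off >= sizeof(struct disk_pkthdr)) {
        struct disk_pkthdr h;
        memcpy(&h, buf + off, sizeof h);    /* exactly 16 bytes from the file */
        off += sizeof h;
        if (h.caplen > n - off) return -1;  /* record runs past end of data */
        last->tv_sec = h.ts_sec;            /* widen each field on its own */
        last->tv_usec = h.ts_usec;
        if (count++ == 0) *first = *last;
        off += h.caplen;
    }
    return off == n ? count : -1;
}

/* Constructed sample capture: zeroed file header, then two records carrying
 * the timestamps from the tcpslice -R output above, 4 payload bytes each. */
static const struct {
    uint8_t file_hdr[FILE_HDR_LEN];
    struct { struct disk_pkthdr h; uint8_t data[4]; } rec[2];
} SAMPLE = { {0}, { { { 1238638663u, 236078u, 4, 4 }, {0} },
                    { { 1238638673u, 534904u, 4, 4 }, {0} } } };

int main(void)
{
    struct timeval a, b;
    int n = pcap_time_range((const uint8_t *)&SAMPLE, sizeof SAMPLE, &a, &b);
    printf("hdr on disk %zu, native %zu, packets %d, range %ld.%06ld %ld.%06ld\n",
           sizeof(struct disk_pkthdr), sizeof(struct native_pkthdr), n,
           (long)a.tv_sec, (long)a.tv_usec, (long)b.tv_sec, (long)b.tv_usec);
    return 0;
}
```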