Description of problem:
tcpslice on RHEL5 doesn't work.

Version-Release number of selected component (if applicable):
RHEL5.3 tcpdump-3.6.4-14.el5.x86_64.rpm

How reproducible:
Always

Steps to Reproduce:
1. Create a tcpdump capture file.
   # tcpdump -w abc123.bin
2. See the file
   # tcpslice -R ./abc1234.bin
   tcpslice: couldn't find final packet in file ./abc1234.bin
3. Split the file
   # tcpslice -w abc1234_slice.bin 1234761182.634226 +1 ./abc1234.bin
   tcpslice: problems finding end packet of file ./abc1234.bin

Expected results:
2. First and last packets need to be listed.
3. The original tcpdump capture file needs to be sliced.

Additional info:
Same symptom reproduced on RHEL4.7. (BZ#484851)
This symptom is not reproduced on a RHEL5.3 (x86) system. Only x86_64 systems are affected.

This is caused by the timeval structure, which is 16 bytes on x86_64 but is stored in only 8 bytes in the pcap file. The Fedora tcpdump package includes a patch fixing this bug.
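
The size mismatch described in the comment above, as an added example that is not part of the original report and is not tcpslice's code: a record walker run once with the 16-byte on-disk header and once with a header sized from the platform's `struct timeval`. The struct and function names are hypothetical, and the sample capture is constructed from the two timestamps shown in the `tcpslice -R` output in this report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
/* Record header as stored on disk vs. a hypothetical in-memory layout. */
struct disk_pkthdr { uint32_t ts_sec, ts_usec, caplen, len; };
struct native_pkthdr { struct timeval ts; uint32_t caplen, len; };

/* Walk records assuming hdr-byte headers with caplen at cap_off. Returns the
 * record count (last ts_sec in *last), or -1 if a record overruns the data. */
long walk(const uint8_t *b, size_t n, size_t hdr, size_t cap_off, uint32_t *last)
{
    size_t off = 0; long count = 0;
    while (off < n) {
        uint32_t caplen;
        if (n - off < hdr) return -1;
        memcpy(&caplen, b + off + cap_off, sizeof caplen);
        if (caplen > n - off - hdr) return -1;   /* implausible length */
        memcpy(last, b + off, sizeof *last);
        off += hdr + caplen;
        count++;
    }
    return count;
}

/* Constructed sample: two records, host byte order, no global file header. */
size_t build_sample(uint8_t *buf)
{
    struct disk_pkthdr h[2] = { {1238638663u, 236078u, 4, 4},
                                {1238638673u, 534904u, 6, 6} };
    size_t off = 0;
    for (int i = 0; i < 2; i++) {
        memcpy(buf + off, &h[i], sizeof h[i]);
        memset(buf + off + sizeof h[i], 0xAA, h[i].caplen);
        off += sizeof h[i] + h[i].caplen;
    }
    return off;
}

int main(void)
{
    uint8_t buf[64];
    uint32_t last = 0;
    size_t n = build_sample(buf), nh = sizeof(struct native_pkthdr);
    printf("16-byte headers: %ld records\n", walk(buf, n, 16, 8, &last));
    printf("%zu-byte headers: %ld records\n", nh,
           walk(buf, n, nh, offsetof(struct native_pkthdr, caplen), &last));
    return 0;
}
```

On a platform where `struct timeval` is 8 bytes, both walks agree; where it is 16 bytes, the second walk reads payload bytes as `caplen` and never reaches the final record.
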
Download tcpdump-3.9.8-6.fc10.src.rpm from the Fedora10 repo, and confirm the following in the Changelog.

* Wed Jul 25 2007 Miroslav Lichvar <mlichvar> - 14:3.9.7-1
- update to 3.9.7
- with -C option, drop root privileges before opening first savefile (#244860)
- update tcpslice to 1.2a3
- include time patch from Debian to fix tcpslice on 64-bit architectures

Compile this src.rpm on RHEL5.3(x86_64) and confirm it works as expected.

# ./tcpslice -R ./aaa.bin
./aaa.bin 1238638663.236078 1238638673.534904

Good one (from Fedora 10)
# ./tcpslice -V
Version 1.2a3
Usage: tcpslice [-DdlRrt] [-w file] [start-time [end-time]] file ...

Bad one (from RHEL5)
# tcpslice -V
Version 1.1a3
Usage: tcpslice [-dRrt] [-w file] [start-time [end-time]] file ...

Thanks for your support.

This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1605.html
For anyone else confused: This bugzilla was CLOSED ERRATA, but the referenced errata is only available to the FasTrack channel. Fully patched RHEL 5.4 (default and supplemental channels) still has the problem. You can either download the specific package from RHN, or join the system to the FasTrack channel, which will likely pull in other non-critical package updates.