RedHat's enhanced tcpdump ignores /etc/protocols; it has hard-coded strings for the protocol names it recognizes: all others are only accepted by number. To fix:

    #include <netdb.h>

Then, update eth_p_parse:

    if (!strcmp(id, "x25"))
        return htons(ETH_P_X25);
    /* Check for protocol in /etc/protocols: */
    if (pe = getprotobyname (id))
        return htons (pe->p_proto);
    return htons(atoi(id));

libpcap seems to already do this.

--binkley
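An added example, not part of the original report and not tcpdump's code: the same lookup order (number, then the protocols database) written so that an unrecognized name is rejected, since the `atoi()` fallback returns 0 for any non-numeric string. The helper name `parse_proto_id` and the 0..65535 range are assumptions; the caller would apply `htons()` to a successful result.

```c
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not tcpdump's eth_p_parse): returns the protocol
 * number in host byte order (0..65535), or -1 if id is neither a valid
 * decimal number nor a name known to getprotobyname(). */
long parse_proto_id(const char *id)
{
    char *end;
    long n;
    struct protoent *pe;

    if (id == NULL || *id == '\0')
        return -1;

    /* Numeric form first: strtol lets us detect trailing junk and
     * out-of-range values, which atoi() cannot report. */
    errno = 0;
    n = strtol(id, &end, 10);
    if (end != id && *end == '\0') {
        if (errno == ERANGE || n < 0 || n > 65535)
            return -1;
        return n;
    }

    /* Otherwise consult the protocols database (/etc/protocols). */
    pe = getprotobyname(id);
    if (pe != NULL)
        return pe->p_proto;

    return -1;  /* unknown name: fail instead of silently using 0 */
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "17", "tcp", "12abc", "no-such-proto" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %ld\n", samples[i], parse_proto_id(samples[i]));
    return 0;
}
```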
Fixed in tcpdump-3.4-17. Thanks for the patch.
I have seen this problem in my lab (at least it seems to be the same thing). I have had to move a machine in my lab back to 6.0 to get a reliable tcpdump. I'd love to try the fixed version, but I'm at a loss as to where I would find the tcpdump-3.4-17 package. Can you let me know where it is? Thanks. Rich
ftp://rawhide.redhat.com/pub/rawhide