tcpdump mailing list archives
Re: Capturing in 32 bit vps
From: Guy Harris <guy () alum mit edu>
Date: Wed, 1 Feb 2012 16:17:01 -0800
On Feb 1, 2012, at 3:00 PM, Graeme Sheppard wrote:
> Yes my remote system shares the same kernel as the other customers. Calling it a 32 bit guest isn't accurate. Sorry about that. Subject title changed. The kernel I've been told is Red Hat derived, 2.6.18-194.17.1.el5.028stab070.7 #1 SMP Fri Oct 1 14:17:14 MSD 2010
2.6.18 doesn't have TPACKET_V2 support, so you can't do captures with any 32-bit application that uses the standard libpcap.

You'd need to:

1) upgrade to a newer kernel - it would have to be after 2.6.26.5, and I don't know which release after 2.6.26.5 introduced TPACKET_V2 support;

2) somehow capture with a 64-bit tcpdump (can you run tcpdump outside a container?);

3) download the libpcap and tcpdump source, tweak the libpcap source never to use the memory-mapped capture mechanism, build (a 32-bit) libpcap, build (a 32-bit) tcpdump with that version of libpcap, and capture with that;

4) download the libpcap and tcpdump source, tweak the libpcap source with this patch:

   http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=30;filename=pcap-linux_tpacket_v1_workaround.patch;att=1;bug=517098

   build (a 32-bit) libpcap, build (a 32-bit) tcpdump with that version of libpcap, and capture with that *IF* you're running on a little-endian machine (e.g., x86-64), as that patch does *NOT* work on big-endian machines (which is why it's not in the standard libpcap distribution).
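Why a 32-bit libpcap cannot read a 64-bit kernel's TPACKET_V1 ring, as an added example that is not part of the original message or of libpcap: `struct tpacket_hdr` begins with an `unsigned long`, so the two sides disagree on every field offset, whereas `struct tpacket2_hdr` (TPACKET_V2) uses fixed-width fields. The struct names `v1_lp64` and `v1_ilp32`, the helper functions and all sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* struct tpacket_hdr (TPACKET_V1) starts with "unsigned long tp_status", so its
 * layout depends on the ABI. Fixed-width mirrors of the two layouts: */
struct v1_lp64 {                 /* as a 64-bit kernel writes it */
    uint64_t tp_status;
    uint32_t tp_len, tp_snaplen;
    uint16_t tp_mac, tp_net;
    uint32_t tp_sec, tp_usec;
};
struct v1_ilp32 {                /* as a 32-bit libpcap expects it */
    uint32_t tp_status;
    uint32_t tp_len, tp_snaplen;
    uint16_t tp_mac, tp_net;
    uint32_t tp_sec, tp_usec;
};

/* Constructed sample: one ring frame header filled in the 64-bit layout. */
static void kernel_fill(unsigned char frame[32]) {
    struct v1_lp64 h = { .tp_status = 1 /* TP_STATUS_USER */, .tp_len = 1514,
                         .tp_snaplen = 96, .tp_mac = 66, .tp_net = 80,
                         .tp_sec = 1328000000u, .tp_usec = 250000 };
    memset(frame, 0, 32);
    memcpy(frame, &h, offsetof(struct v1_lp64, tp_usec) + sizeof h.tp_usec);
}

/* What a 32-bit reader sees when it overlays its own struct on that frame. */
static struct v1_ilp32 read_as_32bit(const unsigned char *frame) {
    struct v1_ilp32 v;
    memcpy(&v, frame, sizeof v);
    return v;
}

int main(void) {
    unsigned char frame[32];
    kernel_fill(frame);
    struct v1_ilp32 v = read_as_32bit(frame);
    printf("tp_len offset: kernel %zu, 32-bit reader %zu\n",
           offsetof(struct v1_lp64, tp_len), offsetof(struct v1_ilp32, tp_len));
    printf("kernel wrote len=1514 snaplen=96; reader sees len=%u snaplen=%u\n",
           (unsigned)v.tp_len, (unsigned)v.tp_snaplen);
    return 0;
}
```

The reader's `tp_snaplen` comes back as the kernel's `tp_len` and every later field is shifted the same way, so packet lengths and data offsets taken from the ring are wrong.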