From: Edwin Groothuis
To: sthaug@nethelp.no
Cc: freebsd-net@freebsd.org, peterjeremy@acm.org
Date: Sat, 12 Sep 2009 08:37:02 +1000
Subject: Re: New tcpdump in 8.x
Message-ID: <20090911223702.GA4562@mavetju.org>
In-Reply-To: <20090912.001205.74713342.sthaug@nethelp.no>

On Sat, Sep 12, 2009 at 12:12:05AM +0200, sthaug@nethelp.no wrote:
> > Who has used tcpdump on FreeBSD 8.x and likes it? Is it just me or is
> > it now far harder to investigate network problems using it?
> >
> > Prior to 8.x, the default output includes SEQ number ranges for any
> > TCP packets with data, so a 'tcpdump -n' looks like the following and
> > it's immediately obvious that there's 2920 bytes of data missing:
> ...
> > The same output on 8.x looks like the following. Whilst the last ACK
> > packet looks anomalous, there's no useful information to analyse further.
>
> I agree that this change is rather unhelpful. However, this is the
> default for tcpdump 4.0.0. Thus the choice is between the old tcpdump,
> the new one (with bugfixes and more protocol decoding), or possibly
> the new one plus local patches. Not an easy choice, is it?

While I agree with the original poster that you are missing some
data, I also agree that talking to the "vendors" of tcpdump is a
better way.

Peter, if you are keen on it, submit a port (net/tcpdump39) which
gives you the old functionality and alert me about it.

Edwin, who at least now knows why tcpdump on 8.0B3 did look so
strange.

-- 
Edwin Groothuis
Website: http://www.mavetju.org/
edwin@mavetju.org
Weblog: http://www.mavetju.org/weblog/