From owner-freebsd-hackers Fri Nov 21 14:57:29 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA21984 for hackers-outgoing; Fri, 21 Nov 1997 14:57:29 -0800 (PST) (envelope-from owner-freebsd-hackers)
Received: from verdi.nethelp.no (verdi.nethelp.no [195.1.171.130]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id OAA21964 for ; Fri, 21 Nov 1997 14:57:18 -0800 (PST) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 12899 invoked by uid 1001); 21 Nov 1997 22:56:43 +0000 (GMT)
To: nate@mt.sri.com
Cc: hackers@FreeBSD.ORG
Subject: Re: Getting ethernet packets content under FreeBSD?
In-Reply-To: Your message of "Fri, 21 Nov 1997 14:46:27 -0700"
References: <199711212146.OAA15613@mt.sri.com>
X-Mailer: Mew version 1.05+ on Emacs 19.28.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Date: Fri, 21 Nov 1997 23:56:43 +0100
Message-ID: <12897.880153003@verdi.nethelp.no>
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Is it possible to easily?  I'm trying to debug a protocol, and w/out the
> contents of the data being sent in the packets it's awful hard to do.
> Is there any way of dumping out the actual packet contents somewhere
> instead of dumping out the packet headers, which are less than useful
> for upper-layer TCP/IP protocol debugging.

libpcap is your friend. You need BPF in the kernel, of course. A good
start would be ftp://ee.lbl.gov/pcapture-0.2.1.tar.Z, which is a program
that uses libpcap to capture packets:

DESCRIPTION
       Pcapture captures the last few packets that match the boolean
       expression.  The packets are collected in a circular buffer;
       when a signal (TERM, INT, or HUP) is received, they are written
       out to the raw packet file.  (Notice that a raw packet file
       must be specified using the -w flag.)

Should be easy enough to modify to record the data continuously. Or you
could just use 'tcpdump -w'.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
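
Added example, not part of the original message: one way to get at the upper-layer data once a raw packet file has been written with 'tcpdump -w', by reading the savefile records and returning each TCP payload. It assumes the classic pcap savefile layout (not pcapng), an Ethernet capture and IPv4/TCP traffic; the function names and the sample packet are made up for illustration.

```python
import struct

ETHERTYPE_IPV4, IPPROTO_TCP, DLT_EN10MB = 0x0800, 6, 1

def read_pcap(data):
    """Yield (seconds, frame) for each record of a classic pcap savefile."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"                      # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a classic pcap savefile")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24                              # skip the 24-byte file header
    while off + 16 <= len(data):
        sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break                         # file cut off mid-record
        yield sec, frame
        off += 16 + incl_len

def tcp_payload(frame):
    """Return (sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != struct.pack("!H", ETHERTYPE_IPV4):
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]   # IP total length drops link padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4         # TCP header length, options included
    return (sport, dport, tcp[data_off:]) if 20 <= data_off <= len(tcp) else None

def sample_capture():
    """Constructed one-packet savefile (addresses, ports and payload are made up)."""
    payload = b"HELO example\r\n"
    tcp = struct.pack("!HHIIBBHHH", 1025, 25, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + tcp
    frame = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + bytes(4)  # 4 pad bytes
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return header + struct.pack("<IIII", 880153003, 0, len(frame), len(frame)) + frame
```

Only the bytes actually saved in each record are returned, so a capture taken with a short snapshot length yields truncated payloads.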