Date: Sat, 9 Oct 1999 10:32:47 +0200
From: Renaud Deraison <deraison@CVS.NESSUS.ORG>
Subject: tcpdump under RedHat 6.1
To: BUGTRAQ@SECURITYFOCUS.COM

RedHat 6.1 comes bundled with a modified version of tcpdump, which has the
ability to listen on all the interfaces at once, which is nice. However, the
output format has changed.

Whereas a typical tcpdump line was:

        time source.port > dest.port:[.....]

It is now:

        time interface > source.port > dest.port:[....]
or
        time interface < source.port > dest.port:[....]

If you explicitly ask tcpdump to listen on one interface, the output will be:

        time > source.port > dest.port:[....]
or
        time < source.port > dest.port:[....]

Also, the 'port' is no longer a numeric value. It is taken from /etc/services,
even with the -n option set.

This new behavior will make a lot of programs that use tcpdump's output panic
or produce bogus output. I think shadow is affected, but it's not the only one.

I have been looking through the man page, and I could not find an option to
issue a backward-compatible output.

What is worse is that tcpdump --version will show the same version number
(3.4) as the older tcpdumps, so this problem will only be detected at runtime.

So, if you have written your own custom scripts or if some of the programs you
use are relying on tcpdump, then install the tcpdump that comes bundled with
RH 6.0, or modify your scripts so that they can handle this modification.

-- Renaud

(apologies if this was already known)

--
Renaud Deraison
The Nessus Project
http://www.nessus.org
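The five line layouts Renaud lists differ only in an optional interface name, an optional direction marker, and symbolic rather than numeric ports. The filter below is an added example (not part of the post, and not tcpdump's or Nessus's code) that accepts every one of those layouts and re-emits the classic RH 6.0 form with numeric ports, so an unmodified downstream script can read it from a pipe. The service table is a constructed subset of /etc/services so the example runs offline (the system table is consulted for anything else), and the sample lines are constructed, not captured.

```python
"""Normalise RedHat 6.1 tcpdump output back to the classic tcpdump 3.4 layout.

Added example for this thread, not from the post or from tcpdump itself.
Usage:  tcpdump -n -l ... | python tcpdump_compat.py | your_old_script
"""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed subset of /etc/services so the example runs offline; anything
# not listed here is looked up in the real system table via getservbyname.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
                 "domain": 53, "www": 80, "http": 80, "pop3": 110, "https": 443}

# One pattern for all layouts described in the post:
#   time src.port > dst.port: ...            (classic RH 6.0)
#   time iface > src.port > dst.port: ...    (RH 6.1, all interfaces, outbound)
#   time iface < src.port > dst.port: ...    (RH 6.1, all interfaces, inbound)
#   time > src.port > dst.port: ...          (RH 6.1 with -i <one interface>)
#   time < src.port > dst.port: ...
# An interface name is only consumed when a direction marker follows it, so a
# classic "src > dst:" line is never mistaken for "iface > src".
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?:(?P<iface>[^\s<>]+)\s+(?=[<>]\s))?"
    r"(?:(?P<dir>[<>])\s+)?"
    r"(?P<src>[^\s:<>]+)\s+>\s+(?P<dst>[^\s:<>]+):"
    r"(?P<rest>.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Packet:
    time: str
    iface: Optional[str]        # None for classic output or a single-interface capture
    direction: Optional[str]    # '>' or '<' as printed by RH 6.1, None for classic
    src_host: str
    src_port: Optional[int]     # None for portless lines such as ICMP
    dst_host: str
    dst_port: Optional[int]
    rest: str


def resolve_port(token: str) -> int:
    """Accept a numeric port or a service name (RH 6.1 prints names even with -n)."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    try:
        return socket.getservbyname(token)
    except OSError:
        raise ValueError(f"unknown service name {token!r}")


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'10.0.0.1.www' -> ('10.0.0.1', 80); a bare address (ICMP) has no port."""
    if IPV4_RE.match(endpoint):
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    if not host:
        raise ValueError(f"no port in {endpoint!r}")
    return host, resolve_port(port)


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet, or None for lines without a host > host: pair (e.g. arp)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return Packet(m["time"], m["iface"], m["dir"],
                  src_host, src_port, dst_host, dst_port, m["rest"])


def _endpoint(host: str, port: Optional[int]) -> str:
    return host if port is None else f"{host}.{port}"


def to_classic(line: str) -> str:
    """Re-emit a line the way tcpdump 3.4 on RH 6.0 printed it; pass others through."""
    pkt = parse_line(line)
    if pkt is None:
        return line.rstrip("\n")
    return (f"{pkt.time} {_endpoint(pkt.src_host, pkt.src_port)} > "
            f"{_endpoint(pkt.dst_host, pkt.dst_port)}:{pkt.rest}")


# Constructed sample covering each layout from the post plus an arp line.
SAMPLE_LINES = [
    "10:32:47.123456 10.0.0.1.1234 > 10.0.0.2.80: S 1:1(0) win 32120",
    "10:32:47.234567 eth0 > 10.0.0.1.1234 > 10.0.0.2.www: S 1:1(0) win 32120",
    "10:32:47.345678 eth1 < 10.0.0.2.www > 10.0.0.1.1234: S 1:1(0) ack 1 win 32120",
    "10:32:47.456789 > 10.0.0.1.1025 > 10.0.0.3.smtp: S 1:1(0) win 32120",
    "10:32:47.567890 < 10.0.0.3.smtp > 10.0.0.1.1025: S 1:1(0) ack 1 win 32120",
    "10:32:47.678901 10.0.0.1 > 10.0.0.2: icmp: echo request",
    "10:32:48.000000 arp who-has 10.0.0.2 tell 10.0.0.1",
]

if __name__ == "__main__":
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for raw in source:
        print(to_classic(raw))
```

Run with no stdin to see the sample converted, or drop it into the pipeline between tcpdump and the consuming script. Lines the pattern does not recognise are passed through untouched rather than dropped, so a consumer that already coped with arp or icmp output keeps seeing the same lines.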