Ethereal-users: Re: [ethereal-users] can't read tcpdump dump on RH6

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 5 Nov 1999 23:51:22 -0800 (PST)
> Red Hat 6.1 has a version of "libpcap" and "tcpdump" that includes
> Alexey Kuznetsov's patches:
> 
> 	http://ftp.sunet.se/pub/os/Linux/ip-routing/lbl-tools/
> 
> Unfortunately, Alexey's patches change the format of the records within
> a "libpcap" file *WITHOUT CHANGING THE MAGIC NUMBER OR VERSION NUMBER IN
> THE HEADER OF THE FILE*, so any program - such as the "tcpdump" that
> comes with Red Hat 6.1 - that uses a "libpcap" with that patch produces
> capture files that cannot be read by programs that read standard
> "libpcap" files - such as, for example, *THE TCPDUMP THAT COMES WITH
> MOST OTHER LINUX DISTRIBUTIONS AND THE VARIOUS BSDs, AND THAT MANY
> PEOPLE HAVE INSTALLED ON THEIR SYSTEMS* - and cannot read capture files
> produced by programs that write standard "libpcap" files.

Hmm.

It appears that Alexey's current version of the patch changes the magic
number.

It may be that he realized that it was a Bad Idea not to change the
magic number, and changed it; however, unfortunately, the folks at Red
Hat may have picked up an earlier version of his code, without that fix,
and the world is now filling up with Linux systems whose "tcpdump"
writes out capture files that most other systems - including, I suspect,
most Linux systems - can't read.

I'll have to see if there's some address at Red Hat to which I can send
a complaint, in the hopes that they'll fix this ASAP.
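
Added example, not part of the original mail and not Ethereal or libpcap code: since a file with the standard magic number may still hold the patched record layout, a reader can only tell the two apart by checking which record-header size lets the whole file parse cleanly. The 24-byte patched record header and the 0xa1b2cd34 magic are not stated in the mail; they are taken from later libpcap sources, and the function names and sample data are constructed for illustration.

```python
import struct

STANDARD_MAGIC = 0xA1B2C3D4  # classic libpcap magic
PATCHED_MAGIC = 0xA1B2CD34   # later patch versions; value from libpcap sources, not the mail
GLOBAL_HDR_LEN = 24

def walk(data, endian, rec_hdr_len, snaplen):
    """Count records if the whole file parses with this record-header size, else None."""
    off, count = GLOBAL_HDR_LEN, 0
    while off < len(data):
        if off + rec_hdr_len > len(data):
            return None
        _sec, usec, caplen, wirelen = struct.unpack_from(endian + "IIII", data, off)
        if usec >= 1_000_000 or caplen > snaplen or caplen > wirelen:
            return None  # implausible header: wrong layout or corrupt file
        off += rec_hdr_len + caplen
        count += 1
    return count if off == len(data) else None

def classify(data):
    if len(data) < GLOBAL_HDR_LEN:
        return "truncated"
    for endian in ("<", ">"):
        magic, _maj, _min, _tz, _sig, snaplen, _link = struct.unpack_from(
            endian + "IHHiIII", data, 0)
        if magic == PATCHED_MAGIC:
            return "patched (distinct magic)"
        if magic == STANDARD_MAGIC:
            std = walk(data, endian, 16, snaplen)
            pat = walk(data, endian, 24, snaplen)
            if std is not None and pat is None:
                return "standard"
            if pat is not None and std is None:
                return "patched records behind standard magic"
            return "ambiguous" if std is not None else "corrupt"
    return "not pcap"

def build(rec_hdr_len, payloads, magic=STANDARD_MAGIC):
    """Constructed sample capture (little-endian, snaplen 65535, Ethernet link type)."""
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 941874682 + i, 1000, len(p), len(p))
        out += b"\x00" * (rec_hdr_len - 16)  # extra patched fields, zeroed
        out += p
    return out

if __name__ == "__main__":
    sample = [b"\xaa" * 60, b"\xbb" * 74]  # constructed packet bytes
    for hdr_len in (16, 24):
        print(hdr_len, classify(build(hdr_len, sample)))
```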