[tcpdump-workers] Coredump Without Much Info?

Guy Harris guy at alum.mit.edu
Fri Jul 10 13:32:50 EDT 2015

On Jul 10, 2015, at 7:53 AM, Hei Chan <structurechart at yahoo.com> wrote:

> I am using libpcap 1.4.0 to read in pcap.
> And my application crashed at pcap_next() when it read the first packet from my pcap file:
> (gdb) bt
> #0  0x00007ffff715a044 in pcap_next () from /usr/lib64/libpcap.so.1
> I used wireshark to open the pcap and wireshark doesn't show any error (e.g. no highlight in red, etc).
> Any idea how I can debug further?

First, read your code to make sure that, in your pcap_open_offline() call, you're checking whether it returns a NULL pointer and, if it does, print an error message (using the string put into the "errbuf" second argument to pcap_open_offline(), so that you not only know why the call failed, you know *why* it failed).

Second, read your code to make sure that you have declared a "struct pcap_pkthdr" - *not* a "struct pcap_pkthdr *"! - and are passing a pointer to that "struct pcap_pkthdr" to pcap_next().

Third, if you are doing both of those (or have changed the code so that it does both of those), and it still crashes, show us the code in your program so that we can see whether it's doing anything else wrong.
