[tcpdump-workers] Coredump Without Much Info?

Guy Harris guy at alum.mit.edu
Sat Jul 11 00:08:37 EDT 2015

On Jul 10, 2015, at 10:41 AM, Hei Chan <structurechart at yahoo.com> wrote:

> Thanks for your quick reply.
> Here is my code:
> 		pcap_t* m_pPcap;
> 		char *packet;
> 		struct pcap_pkthdr header;
> 		m_pPcap = pcap_open_offline(pcapFile, errbuf);
> 		if (pcapFile == NULL) {
> 			exit(1);
> 		}

If pcapFile were null, that would already have crashed in the pcap_open_offline() call!

What you want instead is

		m_pPcap = pcap_open_offline(pcapFile, errbuf);
		if (m_pPcap == NULL) {
			/* errbuf holds libpcap's reason for the failure */
			fprintf(stderr, "Can't open capture file %s: %s\n",
			    pcapFile, errbuf);
			exit(1);
		}

I.e., as I said:

> First, read your code to make sure that, in your pcap_open_offline() call, you're checking whether it returns a NULL pointer and, if it does, print an error message (using the string put into the "errbuf" second argument to pcap_open_offline(), so that you not only know why the call failed, you know *why* it failed).

You *weren't* checking whether pcap_open_offline() returned a null pointer, so, if, for some reason, it weren't able to open the capture file, it would pass a null pointer to pcap_next(), which would crash - in exactly the place where it did crash.

> The code above hasn't been changed for like a year.  It used to work long time back with other pcap files.
> So I suspect that it has something to do with my pcap file.

It used to work with files that could be opened.  For whatever reason, it's not succeeding in opening your pcap file.

We cannot determine why unless we either see the file or see the error message that the code I wrote above prints.
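
Added example, not part of the original message and not libpcap code: a stand-alone check of a capture file's first bytes, showing the kinds of reasons an open can fail (missing file, truncated header, unrecognised magic number). The names classify_capture, classify_file and cap_kind are hypothetical; the magic numbers are the standard pcap and pcapng values.

```c
/* Added example: constructed for illustration, not libpcap code. */
#include <stdint.h>
#include <stdio.h>
#define PCAP_HDR_LEN 24	/* size of the classic pcap file header */

enum cap_kind { CAP_OPEN_FAILED, CAP_TRUNCATED, CAP_UNKNOWN,
		CAP_PCAP_LE, CAP_PCAP_BE, CAP_PCAPNG };

static const char *const cap_text[] = {
	"cannot open file", "file too short for a pcap header",
	"unrecognised magic number (not a capture file?)",
	"pcap, little-endian", "pcap, big-endian", "pcapng" };

/* Classify the first len bytes of a file by its magic number. */
enum cap_kind classify_capture(const unsigned char *buf, size_t len)
{
	uint32_t m;
	if (len < 4)
		return CAP_TRUNCATED;
	/* Assemble the magic as a little-endian value, whatever the host is. */
	m = buf[0] | (uint32_t)buf[1] << 8 | (uint32_t)buf[2] << 16 |
	    (uint32_t)buf[3] << 24;
	if (m == 0x0A0D0D0A)		/* pcapng Section Header Block type */
		return CAP_PCAPNG;
	if (m == 0xA1B2C3D4 || m == 0xA1B23C4D)	/* usec / nsec timestamps */
		return len < PCAP_HDR_LEN ? CAP_TRUNCATED : CAP_PCAP_LE;
	if (m == 0xD4C3B2A1 || m == 0x4D3CB2A1)	/* same magics, byte-swapped */
		return len < PCAP_HDR_LEN ? CAP_TRUNCATED : CAP_PCAP_BE;
	return CAP_UNKNOWN;
}

/* Read the header of the file at path; a NULL path is reported, not crashed on. */
enum cap_kind classify_file(const char *path)
{
	unsigned char buf[PCAP_HDR_LEN];
	size_t n;
	FILE *fp;
	if (path == NULL || (fp = fopen(path, "rb")) == NULL)
		return CAP_OPEN_FAILED;
	n = fread(buf, 1, sizeof buf, fp);
	fclose(fp);
	return classify_capture(buf, n);
}

int main(int argc, char **argv)
{
	enum cap_kind k = classify_file(argc > 1 ? argv[1] : NULL);
	printf("%s: %s\n", argc > 1 ? argv[1] : "(no file given)", cap_text[k]);
	return k < CAP_PCAP_LE;	/* non-zero exit when the file is unusable */
}
```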
