tcpprep TCPDUMP_POLL_TIMEOUT error #414

Closed
fklassen opened this issue Aug 5, 2017 · 5 comments

@fklassen
Member

fklassen commented Aug 5, 2017

Reported in mail list. Apparently this only happens with the --verbose flag. The version was not reported ...

I have a couple of pcaps that I am trying to generate a cachefile from, but each time I run tcpprep it errors saying:

$ tcpprep --auto=router --cachefile=example.cache --pcap=example.pcap --verbose 

reading from file -, link-type EN10MB (Ethernet)

Fatal Error:
poll() timeout... tcpdump seems to be having a problem keeping up
Try increasing TCPDUMP_POLL_TIMEOUT
tcpdump: pcap_loop: truncated dump file; tried to read 37383 captured bytes, only got 94

This is occurring with a number of different pcaps that have been created using both tcpdump and wireshark.

Is there any additional troubleshooting I can perform to understand what is happening? Is increasing TCPDUMP_POLL_TIMEOUT likely to help? I tried exporting this as an environment variable but it appears to have no effect. How can this be modified at runtime?

@fklassen fklassen added the bug label Aug 5, 2017
@petegallagher

petegallagher commented Aug 5, 2017

Hi Fred, thanks for responding. The version I'm using is 4.2.5.

This is actually a secondary issue to my current blocker, I think. Without using the --verbose flag the command completes successfully. However, whenever I use the resultant cache file as an input to tcprewrite I get the following error:

Fatal Error: Cache data length (256 bytes) doesn't match cache header (1493495 bytes)

I then tried using the --verbose flag to get more information and incorrectly thought this was the underlying problem. However I now believe they are 2 distinct issues.

@fklassen fklassen self-assigned this Aug 8, 2017
@bugg1

bugg1 commented Aug 10, 2017

Hello Fred,
I'm also hitting this issue. I've found that the issue occurs when I try to process a PCAP with more than 1024 packets.

I have tried recompiling with a significant TCPDUMP_POLL_TIMEOUT to no avail.
Similar to what Pete has observed, I found that while the process exits without error if I omit the --verbose flag, the cache file is invalid. If I verify it with tcpprep --print-stats=<file>, I see the same error:

Fatal Error in cache.c:read_cache() line 138:
Cache data length (256 bytes) doesn't match cache header (529 bytes)

// As stated above, this is likely a separate issue //
With fewer than 1024 packets, the cache file is generated successfully unless I use --verbose, when I'll see:

[user@host path]# tcpprep -a bridge -i test17.pcap -o test17.pcap.cache -v
reading from file -, link-type EN10MB (Ethernet)

Fatal Error in tcpdump.c:tcpdump_print() line 127:
poll() timeout... tcpdump seems to be having a problem keeping up
Try increasing TCPDUMP_POLL_TIMEOUT
tcpdump: pcap_loop: truncated dump file; tried to read 132356 captured bytes, only got 155
[user@host path]# tcpprep --print-stats=test17.pcap.cache

Fatal Error in cache.c:read_cache() line 88:
Cache file test17.pcap.cache doesn't contain a full header

@fklassen
Member Author

@bugg1 thanks for investigating. I'll see if I can get someone on this, otherwise I will have to work around my vacation schedule. I suspect I will have time starting in 2 weeks.

@petegallagher

@bugg1 FYI I raised a 2nd bug report for the exact issue you are facing (#415). I will post a workaround in that issue thread.

@fklassen
Member Author

Duplicate of #398

@fklassen fklassen marked this as a duplicate of #398 Jan 26, 2018