tcpdump
segmentation fault when using "-Z root" and "-w"
```
tcpdump version 4.99.4
libpcap version 1.10.4 (with TPACKET_V3)
OpenSSL 3.1.4 24 Oct 2023
root@svr:~# uname -na
Linux svr 6.5.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.3-1 (2023-09-13) x86_64 GNU/Linux
```
with both options:
```
root@svr:~# tcpdump --print -Z root -A -n -i br0 net 224.1.1.1 and dst port 5556 -w /tmp/trace
Segmentation fault
```
only with "-w":
```
root@svr:~# tcpdump --print -A -n -i br0 net 224.1.1.1 and dst port 5556 -w /tmp/trace
tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
```
only with "-Z root":
```
root@svr:~# tcpdump --print -Z root -A -n -i br0 net 224.1.1.1 and dst port 5556
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
```
I have no idea how to troubleshoot this or what more information to give you...
You seem to be running Debian, which ships a patched version of tcpdump and also confines it in AppArmor by default.
Some troubleshooting ideas:
- Do you get the same result with a filename that ends in `.pcap`?
- Any AppArmor violations in system logs?
Hi, no luck changing the filename with .pcap. Also, AppArmor and SELinux are disabled. I'll try to get/compile the official version rather than the Debian packaged one.
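One way to run the AppArmor check suggested in the reply above, as an added example that is not part of the original thread: the function filters kernel audit lines for denials raised against the tcpdump process and prints the operation, path and denied mask. The sample log lines, including the profile name, PIDs and timestamps, are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list AppArmor denials that involve tcpdump.

# Constructed sample lines in the kernel audit format (not taken from the issue).
sample_log() {
cat <<'EOF'
Nov 02 10:15:01 svr kernel: audit: type=1400 audit(1698919701.100:71): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/tmp/trace" pid=4211 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Nov 02 10:15:02 svr kernel: audit: type=1400 audit(1698919702.200:72): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="tcpdump" pid=4300 comm="apparmor_parser"
Nov 02 10:15:03 svr kernel: audit: type=1400 audit(1698919703.300:73): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 02 10:15:04 svr kernel: audit: type=1400 audit(1698919704.400:74): apparmor="ALLOWED" operation="open" profile="tcpdump" name="/tmp/trace.pcap" pid=4350 comm="tcpdump" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
EOF
}

# Read audit lines on stdin and print "operation path denied_mask"
# for every denial where the confined process is tcpdump.
tcpdump_denials() {
  awk '
    # Strip the key and the surrounding quotes from a key="value" field.
    function val(kv) { sub(/^[^=]*=/, "", kv); gsub(/"/, "", kv); return kv }

    /apparmor="DENIED"/ && /comm="tcpdump"/ {
      op = path = mask = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^operation=/)   op = val($i)
        if ($i ~ /^name=/)        path = val($i)
        if ($i ~ /^denied_mask=/) mask = val($i)
      }
      print op, path, mask
    }
  '
}

# Live use on the affected host (needs root):
#   journalctl -k --no-pager | tcpdump_denials
sample_log | tcpdump_denials
```

An empty result on a live host means no denial was logged for tcpdump, which points away from the AppArmor profile as the cause.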