
Digging into tcpdump implementation, I can see that it actually loads the libpcap.so dynamic library in userspace.

However, by use of strace, I can't see any occurrence of calls to any function exported by libpcap.

Is the above an expected behaviour of tcpdump? Thank you.

root@eve-ng02:~# tcpdump --help
tcpdump version 4.9.2
libpcap version 1.7.4
OpenSSL 1.0.2g  1 Mar 2016

Edit: following the comments I received, I tried ltrace, but it seems no call to a dynamic library is made either.

root@eve-ng02:~# ltrace tcpdump -i lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
    
^C--- SIGINT (Interrupt) ---

0 packets captured
126 packets received by filter
98 packets dropped by kernel
+++ exited (status 0) +++
root@eve-ng02:~# 
  • 1
    strace is meant for system calls not function calls as far as I know. Commented Nov 19, 2023 at 11:53
  • 1
    If you are tracing library calls, then use ltrace. Commented Nov 19, 2023 at 12:02
  • Ah ok, so what should I do to trace both syscalls and library calls? Commented Nov 19, 2023 at 12:36

1 Answer

strace shows only system calls. ltrace is a tool for showing library calls (see Difference between system call and library call).

If you want to see both system calls AND library calls, you can add the -S flag to ltrace ("Display system calls as well as library calls").

You can also add the -k to your strace ("Print the execution stack trace of the traced processes after each system call") if your strace version supports it. It won't show all the library calls, but it will show you the execution trace of every system call, in which you can see which library triggered the system call.

17212 eventfd2(0, EFD_NONBLOCK)         = 3
 > /lib64/libc-2.31.so(eventfd+0x7) [0x117b87]
 > /usr/lib64/libpcap.so.1.10.1() [0xb8fa]
 > /usr/lib64/libpcap.so.1.10.1(pcap_create+0xaa) [0x10a9a]
 > /usr/sbin/tcpdump() [0x3efbf]
 > /usr/sbin/tcpdump() [0x3c891]
 > /lib64/libc-2.31.so(__libc_start_main+0xee) [0x3524c]
 > /usr/sbin/tcpdump() [0x3e149]
17212 socket(AF_PACKET, SOCK_DGRAM, htons(0 /* ETH_P_??? */)) = 4
 > /lib64/libc-2.31.so(__socket+0x7) [0x1190d7]
 > /usr/lib64/libpcap.so.1.10.1() [0xa0c0]
 > /usr/lib64/libpcap.so.1.10.1(pcap_activate+0x1c) [0x1191c]
 > /usr/sbin/tcpdump() [0x3f0d2]
 > /usr/sbin/tcpdump() [0x3c891]
 > /lib64/libc-2.31.so(__libc_start_main+0xee) [0x3524c]
 > /usr/sbin/tcpdump() [0x3e149]
  • 'ltrace -S tcpdump -n -i lo' actually shows only calls to syscalls and not to any dynamic library's functions. Commented Nov 19, 2023 at 14:29
  • @CarloC check: No output when running ltrace Commented Nov 19, 2023 at 14:45
  • root@eve-ng02:~# readelf -h /usr/sbin/tcpdump | grep Type → Type: DYN (Shared object file). So, according to your link, there is no way to trace dynamic library calls. BTW my strace version doesn't support the -k option. Commented Nov 19, 2023 at 16:19
  • root@eve-ng02:~# strace -V strace -- version 4.11 Commented Nov 19, 2023 at 16:29
  • @CarloC well, according to the answers in the link, it seems that your tcpdump doesn't support ltrace. And regarding -k for strace, check if it has the flag: strace -h | grep -- -k. Also check the man page of your strace; it might say something such as: "this option is available only if strace is built with libunwind." If it does, you can check if it is compiled with this library: ldd /usr/bin/strace | grep libunwind. Commented Nov 19, 2023 at 16:37
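The answer above explains that `strace -k` prints a stack trace under each system call, so you can see which shared object triggered it. As an added example (not part of the answer or of tcpdump/strace), here is a small Python parser for that output that attributes each syscall to the first frame outside libc and to the nearest named symbol in that object; the eventfd2 and socket entries are taken from the answer's output (frames trimmed), and the exit_group entry is constructed to cover the case where every frame is inside libc.

```python
import re

# Sample `strace -k` output: eventfd2/socket entries are from the answer above
# (frames trimmed); exit_group is constructed: every frame is inside libc.
SAMPLE = """\
17212 eventfd2(0, EFD_NONBLOCK)         = 3
 > /lib64/libc-2.31.so(eventfd+0x7) [0x117b87]
 > /usr/lib64/libpcap.so.1.10.1() [0xb8fa]
 > /usr/lib64/libpcap.so.1.10.1(pcap_create+0xaa) [0x10a9a]
 > /usr/sbin/tcpdump() [0x3efbf]
17212 socket(AF_PACKET, SOCK_DGRAM, htons(0 /* ETH_P_??? */)) = 4
 > /lib64/libc-2.31.so(__socket+0x7) [0x1190d7]
 > /usr/lib64/libpcap.so.1.10.1() [0xa0c0]
 > /usr/lib64/libpcap.so.1.10.1(pcap_activate+0x1c) [0x1191c]
 > /usr/sbin/tcpdump() [0x3f0d2]
17212 exit_group(0)                     = ?
 > /lib64/libc-2.31.so(_exit+0x2a) [0xdeadb]
"""

SYSCALL_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s+=\s+(\S+)")
FRAME_RE = re.compile(r"^\s*>\s+(\S+?)\(([^)]*)\)\s+\[0x[0-9a-f]+\]")
LIBC_PREFIXES = ("libc-", "libc.so", "ld-")   # frames we look past

def parse_strace_k(text):
    """Group each syscall line with the '>' stack frames printed below it."""
    records = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            records.append({"name": m.group(2), "frames": []})
            continue
        m = FRAME_RE.match(line)
        if m and records:
            obj = m.group(1).rsplit("/", 1)[-1]          # basename of object
            sym = m.group(2).split("+")[0] or None       # drop +0x offset
            records[-1]["frames"].append((obj, sym))
    return records

def attribute(record):
    """(object, symbol) of the first frame outside libc, i.e. the code that
    triggered the syscall; symbol is the nearest named one in that object."""
    frames = record["frames"]
    for i, (obj, _sym) in enumerate(frames):
        if obj.startswith(LIBC_PREFIXES):
            continue
        return obj, next((s for o, s in frames[i:] if o == obj and s), None)
    return frames[0] if frames else (None, None)   # libc-only or no stack

def attribute_all(text):   # syscall name -> (object, symbol) that caused it
    return {r["name"]: attribute(r) for r in parse_strace_k(text)}
```

Run on the sample, `attribute_all(SAMPLE)` reports eventfd2 and socket as coming from libpcap (pcap_create and pcap_activate), which is exactly the evidence the original question was looking for.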
