Page MenuHomePhabricator

Replace tshark with tcpdump
Closed, ResolvedPublic


People are already complaining about image size bloat, and tshark contributes a lot to it. Its installed size is 77Mbytes, second only to the kernel and the mellanox drivers (whether we can reduce the size of mellanox drivers is another question).

It depends on the same libraries as the big wireshark, but is obviously not capable of analysis and most other cool things we love wireshark for. On the routers, people normally just save a dump to a PCAP file and copy it to their workstation for analysis. While tshark offers more advanced filters and some nice options for VoIP, tcpdump is sufficient for the job.

When tshark is no longer required for any of the vyos packages, it will be safe to install it from Debian repos, if someone really needs it.


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close

Event Timeline

dmbaturin created this object with visibility "Public (No Login Required)".
pasik added a subscriber: pasik.May 15 2018, 9:54 PM

fair warning, there's a security research currently fuzzing tcpdump who has been finding some stack overflow bugs so expect a package update or two in the not so far future...

dmbaturin closed this task as Resolved.May 20 2018, 7:48 AM

@Asteroza Our tcpdump comes straight from Debian, so the update should be picked automatically when they update theirs.

Got a link to the findings? To be fair, it seems unlikely that any vulnerability in tcpdump could be practically exploited remotely since you'd need to start sending specially crafted packets exactly when someone is running it.

Otherwise, the op mode now uses tcpdump, so the task is complete.

I wasn't sure if we were maintaining our own package or not. If we're pulling updates from Debian security updates directly, then I see no problem. The researcher is still collecting and analyzing the fuzzer run so no published reports as of yet.

Hello @dmbaturin

Do you know what the outcome of this old task was?

I'm not sure if my findings are related to this task.

I can see both Tcpdump and tshark are currently installed.

vyos@vyos:~$ sudo apt list --installed | grep 'tcpdump\|tshark'

WARNING: apt does not have a stable CLI interface yet. Use with caution in scripts.

tcpdump/now 4.9.3-1~deb8u1 amd64 [installed,local]
tshark/now 1.12.1+g01b65bf-4+deb8u19 amd64 [installed,local]

However, through VyOS CLI, I only manage to get Tcpdump working.

Once I understand what happens, I will update the manual.

The manual, on the one hand, shows the alleged VyOS commands for tshark, which do not seem to work.

vyos@vyos:~$ monitor interfaces ethernet eth0 traffic

  Invalid command: monitor [interfaces]


On the other hand, it does not mention anything about tcpdump, which does have working VyOS commands.

vyos@vyos:~$ monitor traffic interface eth0 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:54:28.581601 IP > vyos: ICMP echo request, id 1870, seq 3848, length 64
15:54:28.581660 IP vyos > ICMP echo reply, id 1870, seq 3848, length 64
15:54:29.583399 IP > vyos: ICMP echo request, id 1870, seq 3849, length 64
15:54:29.583454 IP vyos > ICMP echo reply, id 1870, seq 3849, length 64
4 packets captured
4 packets received by filter
0 packets dropped by kernel

We took other steps that allows us to take the image back to a manageable size, and this task lost its immediate relevance.

In my new modular build system, that is covered by making the vyos-utils list optional.