Last time I brought this up, Guy Harris said that the default behavior for
Ethereal was to save a file with a 0600 filemask, which makes sense, but I
haven't been seeing this as the standard behavior on our sniffers. I've been
using tethereal to capture traffic on an interface, and noticed an odd
behavior. Running with ring buffer behavior enabled gave me that 0600
filemask, but without it, I was getting a 0644 filemask.

Running tethereal with the "-b <num>" flag:

    root 6065 6064 3 15:35 ? 00:00:00 /usr/local/bin/tethereal -a filesize:100000 -b 2 -i eth3 -w /sniffer/gpreston41a24d81dd7b7 -q

Gave me a filemask like this:

    -rw------- 1 root root 92176384 Nov 22 15:36 gpreston41a24d81dd7b7_00001_20041122153514

While running tethereal without the "-b <num>" flag:

    root 2698 2697 0 15:21 ? 00:00:01 /usr/local/bin/tethereal -a filesize:100000 -i eth1 -w /sniffer/gpreston41a24a63c03c3 -q

Gave me a filemask like this:

    -rw-r--r-- 1 root root 24444928 Nov 22 15:37 gpreston41a24a63c03c3

I am using Ethereal 0.10.7 without GTK2 support, and the output from
"tethereal -v" is:

    tethereal 0.10.7
    Compiled with GLib 1.2.10, with libpcap 0.7.2, with libz 1.1.4, without libpcre,
    with Net-SNMP 5.0.9, without ADNS.
    NOTE: this build does not support the "matches" operator for Ethereal filter syntax.
    Running with libpcap (version unknown) on Linux 2.4.21-20.ELsmp.

Has anyone else noticed this type of behavior and/or maybe have an idea what
is causing it?

Sincerely,
Gabriel D. Preston
Concord EFS
gpreston@xxxxxxxxxxxxxx
302/791.8451