Argus, libpcap and ppp.
David J Brumley
dbrumley at rtfm.stanford.edu
Wed Nov 7 20:42:08 EST 2001
This was found in nmap's CHANGES file:
- Change Linux PPP and SLIP to use DLT_RAW since the kernel does not
supply any "link layer" data.
In the mean time, I think ppp's offset is 4 (given that ethernet is
14)
-djb
> On Wed, Nov 07, 2001 at 08:59:37PM +0200, Yotam Rubin wrote:
> > Greetings,
> >
> > I recently received a bug report against argus indicating that argus
> > does not handle ppp. Evidently, pcap_datalink() in ArgusInitSource() returns
> > DLT_RAW even when handling a ppp interface. DLT_RAW is not supported, thus
> > causing argus to exit. I confirmed this libpcap behavior outside argus.
> > I'm using Debian's libpcap 0.6.2. I want to discuss the problem here prior
> > to migrating the discussion to some libpcap related mailing list.
> > Any ideas? BTW, the problem can be worked around by exchanging DLT_RAW's
> > and DLT_PPP values in include/net/bpf.h, provided that you do not recompile
> > libpcap using the modified header files. Am I doing something wrong or what?
>
> The problem is in libpcap. The subroutine responsible for mapping Linux
> interface types to DLT interface types is mapping ARPHRD_PPP to DLT_RAW.
> I have no insight as to why this is done. I'll inquire the tcpdump
> mailing list.
>
> Regards, Yotam Rubin
>
> >
> > Regards, Yotam Rubin
--
David Brumley
650.723.2445
More information about the argus
mailing list