Argus, libpcap and ppp.
Yotam Rubin
yotam at makif.omer.k12.il
Thu Nov 8 02:42:56 EST 2001
On Wed, Nov 07, 2001 at 05:42:08PM -0800, David J Brumley wrote:
>
> This was found in nmap's CHANGES file:
>
> - Change Linux PPP and SLIP to use DLT_RAW since the kernel does not
> supply any "link layer" data.
>
>
> In the meantime, I think ppp's offset is 4 (given that ethernet is
> 14)
After asking the tcpdump-workers mailing list, it appears that the kernel does
provide a PPP header, but it does not do so consistently. You'll get a header
most of the time, but not consistently enough to allow a program to rely on
it.
Regards, Yotam Rubin
>
> -djb
>
>
> > On Wed, Nov 07, 2001 at 08:59:37PM +0200, Yotam Rubin wrote:
> > > Greetings,
> > >
> > > I recently received a bug report against argus indicating that argus
> > > does not handle ppp. Evidently, pcap_datalink() in ArgusInitSource() returns
> > > DLT_RAW even when handling a ppp interface. DLT_RAW is not supported, thus
> > > causing argus to exit. I confirmed this libpcap behavior outside argus.
> > > I'm using Debian's libpcap 0.6.2. I want to discuss the problem here prior
> > > to migrating the discussion to some libpcap related mailing list.
> > > Any ideas? BTW, the problem can be worked around by exchanging DLT_RAW's
> > > and DLT_PPP values in include/net/bpf.h, provided that you do not recompile
> > > libpcap using the modified header files. Am I doing something wrong or what?
> >
> > The problem is in libpcap. The subroutine responsible for mapping Linux
> > interface types to DLT interface types is mapping ARPHRD_PPP to DLT_RAW.
> > I have no insight as to why this is done. I'll inquire on the tcpdump
> > mailing list.
> >
> > Regards, Yotam Rubin
> >
> > >
> > > Regards, Yotam Rubin
>
> --
> David Brumley
> 650.723.2445
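An added example, not part of the thread and not code from argus or libpcap: one way a capture tool could find the IP header when libpcap reports DLT_RAW or DLT_PPP for a ppp interface and the 4-byte PPP header is only sometimes present. The `ex_`/`EX_` names are hypothetical, the DLT values are copied locally from libpcap's bpf.h so the block builds without libpcap, and falling back to raw IP when the header is missing is an assumed heuristic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* DLT values as in libpcap's bpf.h (non-OpenBSD); defined locally so the
 * example builds without libpcap. Real code would include <pcap.h>. */
#define EX_DLT_EN10MB 1
#define EX_DLT_PPP    9
#define EX_DLT_RAW    12

/* True if the buffer starts with an IPv4 or IPv6 version nibble. */
static int ex_looks_like_ip(const uint8_t *p, size_t len)
{
    return len >= 1 && ((p[0] >> 4) == 4 || (p[0] >> 4) == 6);
}

/* Hypothetical helper: offset of the IP header in a captured frame,
 * or -1 if the link type is unsupported or the frame is not IP. */
int ex_ip_offset(int dlt, const uint8_t *pkt, size_t caplen)
{
    switch (dlt) {
    case EX_DLT_EN10MB: {
        if (caplen < 14) return -1;
        unsigned type = (pkt[12] << 8) | pkt[13];
        if (type != 0x0800 && type != 0x86DD) return -1;
        return ex_looks_like_ip(pkt + 14, caplen - 14) ? 14 : -1;
    }
    case EX_DLT_PPP:
        /* Header present: address 0xFF, control 0x03, 2-byte protocol. */
        if (caplen >= 4 && pkt[0] == 0xFF && pkt[1] == 0x03) {
            unsigned proto = (pkt[2] << 8) | pkt[3];
            if (proto != 0x0021 && proto != 0x0057) return -1;
            return ex_looks_like_ip(pkt + 4, caplen - 4) ? 4 : -1;
        }
        /* Header absent: treat the frame as raw IP (assumed heuristic). */
        return ex_looks_like_ip(pkt, caplen) ? 0 : -1;
    case EX_DLT_RAW:
        return ex_looks_like_ip(pkt, caplen) ? 0 : -1;
    default:
        return -1; /* caller can report the unsupported DLT by number */
    }
}

int main(void)
{
    /* Constructed sample frames, not captured traffic. */
    const uint8_t with_hdr[] = {0xFF, 0x03, 0x00, 0x21, 0x45, 0x00};
    const uint8_t no_hdr[]   = {0x45, 0x00, 0x00, 0x14};
    printf("%d %d\n", ex_ip_offset(EX_DLT_PPP, with_hdr, sizeof with_hdr),
           ex_ip_offset(EX_DLT_PPP, no_hdr, sizeof no_hdr));
}
```

Because 0xFF can never be a valid IP version nibble, the header-present and header-absent cases cannot be confused by this check.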