Argus, libpcap and ppp.

Carter Bullard carter at qosient.com
Thu Nov 8 08:27:05 EST 2001


Hey Yotam,
   I've seen your thread on tcpdump and was wondering how
do we do this then for PPP?  I'll have to go to the latest
libpcap code and look to see what we can do for PPP.

   Thanks Yotam!!

   On another note, did you have any thoughts on our
LARGE_FILE_SUPPORT problem?  We were getting core dumps
in a write() routine on Debian, writing over the limit,
and so .......   Any thoughts on how ./configure can
know when to put in the defines for Large File support
on Debian?

Thanks again!!!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Yotam Rubin
> Sent: Thursday, November 08, 2001 2:43 AM
> To: David J Brumley
> Cc: Yotam Rubin; argus at lists.andrew.cmu.edu
> Subject: Re: Argus, libpcap and ppp.
> 
> 
> On Wed, Nov 07, 2001 at 05:42:08PM -0800, David J Brumley wrote:
> > 
> > This was found in nmap's CHANGES file:
> > 
> > - Change Linux PPP and SLIP to use DLT_RAW since the kernel does not
> >   supply any "link layer" data.
> > 
> > 
> > In the mean time, I think ppp's offset is 4 (given that ethernet is
> > 14)
> 
> After asking the tcpdump-workers mailing list, it appears 
> that the kernel does provide a PPP header, but it does not do 
> so consistently. You'll get a header most of the time, but 
> not consistently enough to allow a program to rely on 
> it.
> 
> 	Regards, Yotam Rubin
> 
> > 
> > -djb
> > 
> > 
> > > On Wed, Nov 07, 2001 at 08:59:37PM +0200, Yotam Rubin wrote:
> > > > Greetings,
> > > > 
> > > > 	I recently received a bug report against argus indicating that
> > > > argus does not handle ppp. Evidently, pcap_datalink() in
> > > > ArgusInitSource() returns DLT_RAW even when handling a ppp
> > > > interface. DLT_RAW is not supported, thus causing argus to exit. I
> > > > confirmed this libpcap behavior outside argus. I'm using Debian's
> > > > libpcap 0.6.2. I want to discuss the problem here prior to
> > > > migrating the discussion to some libpcap related mailing list. Any
> > > > ideas? BTW, the problem can be worked around by exchanging the
> > > > DLT_RAW and DLT_PPP values in include/net/bpf.h, provided that
> > > > you do not recompile libpcap using the modified header files. Am I
> > > > doing something wrong or what?
> > > 
> > > The problem is in libpcap. The subroutine responsible for mapping
> > > Linux interface types to DLT interface types is mapping
> > > ARPHRD_PPP to DLT_RAW. I have no insight as to why this is done.
> > > I'll inquire on the tcpdump mailing list.
> > > 
> > > 	Regards, Yotam Rubin
> > > 
> > > > 
> > > > 	Regards, Yotam Rubin
> > 
> > --
> > David Brumley
> > 650.723.2445
> 
> 
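
The offset question raised in the quoted exchange, worked through as an added example (this is not argus or libpcap code): a function that maps the pcap_datalink() value to the offset of the IP header, treats DLT_RAW as offset 0 instead of exiting, and, because the thread reports that Linux PPP captures come back as DLT_RAW with a PPP header present only some of the time, inspects the first bytes of each DLT_RAW frame before trusting offset 0. The DLT_* constants are libpcap's values, defined locally so the file builds without libpcap installed; the PPP header shapes it recognises (RFC 1662 framing, with and without address/control-field compression) and the sample frames are my assumptions and constructed data, not anything the thread establishes.

```c
/*
 * Added example, not code from argus or libpcap. Given the value that
 * pcap_datalink() returned for a capture source, find where the IP header
 * starts in each frame: Ethernet is 14 bytes, PPP is 4, DLT_RAW is 0.
 * The DLT_RAW path does not trust the link type blindly, because on Linux
 * PPP interfaces libpcap 0.6.x reports DLT_RAW while the kernel sometimes
 * still leaves a PPP header in front of the datagram. The DLT_* values
 * below are libpcap's, defined here only so the file compiles without
 * libpcap; real code includes <pcap.h> instead. The PPP header shapes
 * recognised (RFC 1662 framing, with and without address/control-field
 * compression) are an assumption, not something the thread establishes.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DLT_NULL    0   /* BSD loopback: 4-byte address-family word */
#define DLT_EN10MB  1   /* Ethernet: 14-byte header (untagged frames) */
#define DLT_PPP     9   /* PPP: ff 03 + 16-bit protocol */
#define DLT_RAW    12   /* bare IP, no link-layer header (libpcap's value on Linux) */

#define PPP_IP      0x0021  /* PPP protocol numbers for IPv4 and IPv6 */
#define PPP_IPV6    0x0057

static int ip_version_ok(uint8_t first)
{
    int v = first >> 4;
    return v == 4 || v == 6;
}

/* Returns the byte offset of the IP header inside pkt, or -1 when the
 * link type is unsupported, the frame is too short to decide, or (for
 * DLT_RAW) the payload is a PPP control frame rather than an IP datagram. */
int ip_header_offset(int dlt, const uint8_t *pkt, size_t caplen)
{
    switch (dlt) {
    case DLT_NULL:   return caplen >= 4  ? 4  : -1;
    case DLT_EN10MB: return caplen >= 14 ? 14 : -1;
    case DLT_PPP:    return caplen >= 4  ? 4  : -1;
    case DLT_RAW:
        if (caplen < 1)
            return -1;
        /* Full PPP header: HDLC address ff, control 03, 2-byte protocol. */
        if (caplen >= 4 && pkt[0] == 0xff && pkt[1] == 0x03) {
            unsigned proto = (unsigned)pkt[2] << 8 | pkt[3];
            return (proto == PPP_IP || proto == PPP_IPV6) ? 4 : -1;
        }
        /* Address/control compressed away: 2-byte protocol only. A first
         * byte of 0x00 can never start an IP header, so this is unambiguous. */
        if (caplen >= 2 && pkt[0] == 0x00 && (pkt[1] == 0x21 || pkt[1] == 0x57))
            return 2;
        /* Otherwise it must be what DLT_RAW promises: an IP datagram. */
        return ip_version_ok(pkt[0]) ? 0 : -1;
    default:
        return -1;   /* unsupported link type; argus currently exits here */
    }
}

/* Constructed sample frames (not real captures). The IPv4 part is a
 * minimal 20-byte header with version/IHL 0x45; the rest is filler. */
#define IPV4_HDR 0x45,0x00,0x00,0x14,0x00,0x00,0x40,0x00,0x40,0x11,0x00,0x00, \
                 10,0,0,1, 10,0,0,2
static const uint8_t sample_bare_ip[]  = { IPV4_HDR };
static const uint8_t sample_ppp_full[] = { 0xff,0x03,0x00,0x21, IPV4_HDR };
static const uint8_t sample_ppp_acfc[] = { 0x00,0x21, IPV4_HDR };
static const uint8_t sample_ppp_lcp[]  = { 0xff,0x03,0xc0,0x21, 0x01,0x01,0x00,0x04 };
static const uint8_t sample_ethernet[] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00, IPV4_HDR };

int main(void)
{
    printf("bare IP as DLT_RAW     -> %d\n", ip_header_offset(DLT_RAW, sample_bare_ip, sizeof sample_bare_ip));
    printf("ff03 0021 as DLT_RAW   -> %d\n", ip_header_offset(DLT_RAW, sample_ppp_full, sizeof sample_ppp_full));
    printf("0021 as DLT_RAW        -> %d\n", ip_header_offset(DLT_RAW, sample_ppp_acfc, sizeof sample_ppp_acfc));
    printf("LCP as DLT_RAW         -> %d\n", ip_header_offset(DLT_RAW, sample_ppp_lcp, sizeof sample_ppp_lcp));
    printf("Ethernet as DLT_EN10MB -> %d\n", ip_header_offset(DLT_EN10MB, sample_ethernet, sizeof sample_ethernet));
    return 0;
}
```

For a real capture, drop the local defines in favour of `#include <pcap.h>` and call the function with pcap_datalink(p) and each packet's caplen from its struct pcap_pkthdr. A result of -1 on a DLT_RAW source means the frame was a PPP control frame (LCP, IPCP and the like) rather than an IP datagram, so it should be skipped rather than treated as a fatal unsupported link type.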


