Argus, libpcap and ppp.

[Carter Bullard]

Hey David,
   Thanks for the pointer!  Hope all is well!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> David J Brumley
> Sent: Wednesday, November 07, 2001 8:42 PM
> To: Yotam Rubin
> Cc: argus at lists.andrew.cmu.edu
> Subject: Re: Argus, libpcap and ppp.
> 
> 
> 
> This was found in nmap's CHANGES file:
> 
> - Change Linux PPP and SLIP to use DLT_RAW since the kernel does not
>   supply any "link layer" data.
> 
> 
> In the mean time, I think ppp's offset is 4 (given that ethernet is
> 14)
> 
> -djb
> 
> 
> > On Wed, Nov 07, 2001 at 08:59:37PM +0200, Yotam Rubin wrote:
> > > Greetings,
> > > 
> > > 	I recently received a bug report against argus indicating that 
> > > argus does not handle ppp. Evidently, pcap_datalink() in 
> > > ArgusInitSource() returns DLT_RAW even when handling a ppp 
> > > interface. DLT_RAW is not supported, thus causing argus 
> to exit. I 
> > > confirmed this libpcap behavior outside argus. I'm using Debian's 
> > > libpcap 0.6.2. I want to discuss the problem here prior 
> to migrating 
> > > the discussion to some libpcap related mailing list. Any 
> ideas? BTW, 
> > > the problem can be worked around by exchanging DLT_RAW's 
> and DLT_PPP 
> > > values in include/net/bpf.h, provided that you do not recompile 
> > > libpcap using the modified header files. Am I doing 
> something wrong 
> > > or what?
> > 
> > The problem is in libpcap. The subroutine responsible for mapping 
> > Linux
> > interface types to DLT interface types is mapping 
> ARPHRD_PPP to DLT_RAW.
> > I have no insight as to why this is done. I'll inquire the tcpdump
> > mailing list.
> > 
> > 	Regards, Yotam Rubin
> > 
> > > 
> > > 	Regards, Yotam Rubin
> 
> -- 
> David Brumley
> 650.723.2445
> 
>