Argus, libpcap and ppp.

Carter Bullard carter at qosient.com
Fri Nov 9 10:41:54 EST 2001


Hey Yotam,
   It seems that the most straightforward solution is
to create an Argus decoder for when libpcap returns DLT_RAW.
I've done this, but I don't have anything to test
against.  Can we impose on your bug reporter to test
the changes?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Yotam Rubin
> Sent: Thursday, November 08, 2001 2:43 AM
> To: David J Brumley
> Cc: Yotam Rubin; argus at lists.andrew.cmu.edu
> Subject: Re: Argus, libpcap and ppp.
> 
> 
> On Wed, Nov 07, 2001 at 05:42:08PM -0800, David J Brumley wrote:
> > 
> > This was found in nmap's CHANGES file:
> > 
> > - Change Linux PPP and SLIP to use DLT_RAW since the kernel does not
> >   supply any "link layer" data.
> > 
> > 
> > In the meantime, I think ppp's offset is 4 (given that ethernet is
> > 14)
> 
> After asking the tcpdump-workers mailing list, it appears 
> that the kernel does provide a PPP header, but it does not do 
> so consistently. You'll get a header most of the time, but 
> not consistently enough to allow a program to rely on 
> it.
> 
> 	Regards, Yotam Rubin
> 
> > 
> > -djb
> > 
> > 
> > > On Wed, Nov 07, 2001 at 08:59:37PM +0200, Yotam Rubin wrote:
> > > > Greetings,
> > > > 
> > > > 	I recently received a bug report against argus indicating that
> > > > argus does not handle ppp. Evidently, pcap_datalink() in
> > > > ArgusInitSource() returns DLT_RAW even when handling a ppp
> > > > interface. DLT_RAW is not supported, thus causing argus to exit. I
> > > > confirmed this libpcap behavior outside argus. I'm using Debian's
> > > > libpcap 0.6.2. I want to discuss the problem here prior to
> > > > migrating the discussion to some libpcap related mailing list. Any
> > > > ideas? BTW, the problem can be worked around by exchanging
> > > > DLT_RAW's and DLT_PPP values in include/net/bpf.h, provided that
> > > > you do not recompile libpcap using the modified header files. Am I
> > > > doing something wrong or what?
> > > 
> > > The problem is in libpcap. The subroutine responsible for mapping
> > > Linux interface types to DLT interface types is mapping
> > > ARPHRD_PPP to DLT_RAW.
> > > I have no insight as to why this is done. I'll inquire on the tcpdump
> > > mailing list.
> > > 
> > > 	Regards, Yotam Rubin
> > > 
> > > > 
> > > > 	Regards, Yotam Rubin
> > 
> > --
> > David Brumley
> > 650.723.2445
> 
> 
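The decoder Carter describes above dispatches on the value pcap_datalink() returns and skips a link-type-specific header before reaching the IP header: 14 bytes for Ethernet, 4 for DLT_PPP (the offset David mentions), and none at all for DLT_RAW. The following is an added illustration written for this thread, not Argus's own ArgusInitSource() code or libpcap's. It redefines the three DLT constants with the values from libpcap's bpf.h on Linux only so it builds without libpcap installed (real code should include <pcap.h>); the function names, the ip_summary struct and the two sample buffers are constructed for the example. Every read is bounds-checked against the captured length, which is the check a packet decoder fed untrusted frames must never skip.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Link-layer type codes as defined in libpcap's bpf.h on Linux. Repeated here
 * only so the example builds without libpcap; real code should include <pcap.h>. */
#define DLT_EN10MB 1   /* Ethernet: 14-byte header, EtherType at bytes 12-13 */
#define DLT_PPP    9   /* PPP: 4-byte header (address, control, 2-byte protocol) */
#define DLT_RAW    12  /* no link layer: the packet starts with the IP header */

#define ETHERTYPE_IP 0x0800
#define PPP_IP       0x0021

/* Fields a flow monitor such as Argus would extract from the IPv4 header. */
struct ip_summary {
    uint8_t  version;
    uint8_t  protocol;
    uint16_t total_len;
    uint32_t src;   /* host byte order */
    uint32_t dst;
};

/* Byte offset of the network-layer header for a link type, or -1 if unsupported. */
int link_header_length(int dlt)
{
    switch (dlt) {
    case DLT_EN10MB: return 14;
    case DLT_PPP:    return 4;
    case DLT_RAW:    return 0;
    default:         return -1;
    }
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the IPv4 header of a captured packet whose link type is dlt.
 * caplen is the captured length libpcap reports for this packet; every read is
 * checked against it so a truncated or malformed frame cannot read past the buffer.
 * Returns 0 on success, -1 if the link type is unsupported, the frame does not
 * carry IPv4, or the header is truncated. */
int decode_ipv4(const uint8_t *pkt, size_t caplen, int dlt, struct ip_summary *out)
{
    int off = link_header_length(dlt);
    if (off < 0 || caplen < (size_t)off) return -1;

    /* Link types that carry a protocol field: only pass IPv4 through. */
    if (dlt == DLT_EN10MB && rd16(pkt + 12) != ETHERTYPE_IP) return -1;
    if (dlt == DLT_PPP && rd16(pkt + 2) != PPP_IP) return -1;

    const uint8_t *ip = pkt + off;
    size_t rem = caplen - (size_t)off;
    if (rem < 20) return -1;                       /* minimum IPv4 header */
    uint8_t version = ip[0] >> 4;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    /* Under DLT_RAW the version nibble is the only framing check available. */
    if (version != 4 || ihl < 20 || rem < ihl) return -1;

    out->version   = version;
    out->total_len = rd16(ip + 2);
    out->protocol  = ip[9];
    out->src       = rd32(ip + 12);
    out->dst       = rd32(ip + 16);
    return 0;
}

/* Convenience wrappers: protocol number or -1; source address or 0 on rejection. */
int ipv4_protocol(const uint8_t *pkt, size_t caplen, int dlt)
{
    struct ip_summary s;
    return decode_ipv4(pkt, caplen, dlt, &s) == 0 ? s.protocol : -1;
}
uint32_t ipv4_src(const uint8_t *pkt, size_t caplen, int dlt)
{
    struct ip_summary s;
    return decode_ipv4(pkt, caplen, dlt, &s) == 0 ? s.src : 0;
}

/* Constructed samples, not real captures: a 20-byte IPv4 header for a TCP
 * packet 10.0.0.1 -> 10.0.0.2 as seen at offset 0 under DLT_RAW, and the same
 * header behind a 4-byte PPP header (0xff 0x03, protocol 0x0021) as under DLT_PPP. */
static const uint8_t SAMPLE_RAW[20] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2
};
static const uint8_t SAMPLE_PPP[24] = {
    0xff, 0x03, 0x00, 0x21,
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2
};

int main(void)
{
    struct ip_summary s;
    if (decode_ipv4(SAMPLE_RAW, sizeof SAMPLE_RAW, DLT_RAW, &s) == 0)
        printf("DLT_RAW: proto %u src %08x dst %08x\n", s.protocol, s.src, s.dst);
    if (decode_ipv4(SAMPLE_PPP, sizeof SAMPLE_PPP, DLT_PPP, &s) == 0)
        printf("DLT_PPP: proto %u src %08x dst %08x\n", s.protocol, s.src, s.dst);
    return 0;
}
```

The same raw header is rejected when handed in as DLT_PPP, because the version check fails on the 0xff address byte; that is the failure mode Yotam's note about the kernel inconsistently supplying a PPP header leads to, and why the decoder should reject rather than guess.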