Argus, libpcap and ppp.

Yotam Rubin yotam at makif.omer.k12.il
Fri Nov 9 11:16:01 EST 2001 

On Fri, Nov 09, 2001 at 10:41:54AM -0500, Carter Bullard wrote:
> Hey Yotam,
>    It seems that the most straight forward solution is
> to create an Argus decoder for when libpcap returns DLT_RAW.
> I've done this, but I don't have anything to test
> against.  Can we impose on your bug reporter to test
> the changes?

Sure. I can probably find other testers. But if what Guy Harris told me is 
true, then the raw packet decoder might yield unreliable results, since
the header is occasionally included and a few random bits might prefix the
packet. It's the best one can do, though.

As for LFS support, the AC_TRY_RUN macro could run a program which creates 
a large sparse file. The program would return 0 if the file was successfully
created, and 1 otherwise. 

	Regards, Yotam Rubin

> 
> Carter
> 
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street, Suite 18K
> New York, New York  10022
> 
> carter at qosient.com
> Phone +1 212 588-9133
> Fax   +1 212 588-9134
> http://qosient.com
> 
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu 
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > Yotam Rubin
> > Sent: Thursday, November 08, 2001 2:43 AM
> > To: David J Brumley
> > Cc: Yotam Rubin; argus at lists.andrew.cmu.edu
> > Subject: Re: Argus, libpcap and ppp.
> > 
> > 
> > On Wed, Nov 07, 2001 at 05:42:08PM -0800, David J Brumley wrote:
> > > 
> > > This was found in nmap's CHANGES file:
> > > 
> > > - Change Linux PPP and SLIP to use DLT_RAW since the kernel does not
> > >   supply any "link layer" data.
> > > 
> > > 
> > > In the mean time, I think ppp's offset is 4 (given that ethernet is
> > > 14)
> > 
> > After asking the tcpdump-workers mailing list, it appears 
> > that the kernel does provide a PPP header, but it does not do 
> > so consistently. You'll get a header most of the time, but 
> > not consistently enough to allow a program to rely on 
> > it.
> > 
> > 	Regards, Yotam Rubin
> > 
> > > 
> > > -djb
> > > 
> > > 
> > > > On Wed, Nov 07, 2001 at 08:59:37PM +0200, Yotam Rubin wrote:
> > > > > Greetings,
> > > > > 
> > > > > 	I recently received a bug report against argus 
> > indicating that 
> > > > > argus does not handle ppp. Evidently, pcap_datalink() in 
> > > > > ArgusInitSource() returns DLT_RAW even when handling a ppp 
> > > > > interface. DLT_RAW is not supported, thus causing argus 
> > to exit. I 
> > > > > confirmed this libpcap behavior outside argus. I'm 
> > using Debian's 
> > > > > libpcap 0.6.2. I want to discuss the problem here prior to 
> > > > > migrating the discussion to some libpcap related 
> > mailing list. Any 
> > > > > ideas? BTW, the problem can be worked around by exchanging 
> > > > > DLT_RAW's and DLT_PPP values in include/net/bpf.h, 
> > provided that 
> > > > > you do not recompile libpcap using the modified header 
> > files. Am I 
> > > > > doing something wrong or what?
> > > > 
> > > > The problem is in libpcap. The subroutine responsible for mapping 
> > > > Linux
> > > > interface types to DLT interface types is mapping 
> > ARPHRD_PPP to DLT_RAW.
> > > > I have no insight as to why this is done. I'll inquire the tcpdump
> > > > mailing list.
> > > > 
> > > > 	Regards, Yotam Rubin
> > > > 
> > > > > 
> > > > > 	Regards, Yotam Rubin
> > > 
> > > --
> > > David Brumley
> > > 650.723.2445
> > 
> > 
> 
>

More information about the argus mailing list