Argus, libpcap and ppp.

Carter Bullard carter at qosient.com
Fri Nov 9 11:36:31 EST 2001 

Hey Yotam,
   I've got argus-2.0.4.beta.3 on the server, which
has the DLT_RAW defined.  I'm basically doing what
tcpdump is doing, so it should be as good as its
going to get.  I do hope that libpcap strips any
headers off before it hands the packet up.

Any chance we can get it into testers hands?

   On the LFS issue, I'm thinking that I can test to
see if lseek64() exists as a routine. This is suppose
to be included when LFS is enabled.  If true, it
maybe all that we need.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: Yotam Rubin [mailto:yotam at makif.omer.k12.il] 
> Sent: Friday, November 09, 2001 11:16 AM
> To: argus at lists.andrew.cmu.edu
> Cc: Carter Bullard
> Subject: Re: Argus, libpcap and ppp.
> 
> 
> On Fri, Nov 09, 2001 at 10:41:54AM -0500, Carter Bullard wrote:
> > Hey Yotam,
> >    It seems that the most straight forward solution is
> > to create an Argus decoder for when libpcap returns 
> DLT_RAW. I've done 
> > this, but I don't have anything to test against.  Can we impose on 
> > your bug reporter to test the changes?
> 
> Sure. I can probably find other testers. But if what Guy 
> Harris told me is 
> true, then the raw packet decoder might yield unreliable 
> results, since the header is occasionally included and a few 
> random bits might prefix the packet. It's the best one can do, though.
> 
> As for LFS support, the AC_TRY_RUN macro could run a program 
> which creates 
> a large sparse file. The program would return 0 if the file 
> was successfully created, and 1 otherwise. 
> 
> 	Regards, Yotam Rubin
> 
> > 
> > Carter
> > 
> > Carter Bullard
> > QoSient, LLC
> > 300 E. 56th Street, Suite 18K
> > New York, New York  10022
> > 
> > carter at qosient.com
> > Phone +1 212 588-9133
> > Fax   +1 212 588-9134
> > http://qosient.com
> > 
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > > Yotam Rubin
> > > Sent: Thursday, November 08, 2001 2:43 AM
> > > To: David J Brumley
> > > Cc: Yotam Rubin; argus at lists.andrew.cmu.edu
> > > Subject: Re: Argus, libpcap and ppp.
> > > 
> > > 
> > > On Wed, Nov 07, 2001 at 05:42:08PM -0800, David J Brumley wrote:
> > > > 
> > > > This was found in nmap's CHANGES file:
> > > > 
> > > > - Change Linux PPP and SLIP to use DLT_RAW since the 
> kernel does not
> > > >   supply any "link layer" data.
> > > > 
> > > > 
> > > > In the mean time, I think ppp's offset is 4 (given that 
> ethernet 
> > > > is
> > > > 14)
> > > 
> > > After asking the tcpdump-workers mailing list, it appears
> > > that the kernel does provide a PPP header, but it does not do 
> > > so consistently. You'll get a header most of the time, but 
> > > not consistently enough to allow a program to rely on 
> > > it.
> > > 
> > > 	Regards, Yotam Rubin
> > > 
> > > > 
> > > > -djb
> > > > 
> > > > 
> > > > > On Wed, Nov 07, 2001 at 08:59:37PM +0200, Yotam Rubin wrote:
> > > > > > Greetings,
> > > > > > 
> > > > > > 	I recently received a bug report against argus
> > > indicating that
> > > > > > argus does not handle ppp. Evidently, pcap_datalink() in
> > > > > > ArgusInitSource() returns DLT_RAW even when handling a ppp 
> > > > > > interface. DLT_RAW is not supported, thus causing argus 
> > > to exit. I
> > > > > > confirmed this libpcap behavior outside argus. I'm
> > > using Debian's
> > > > > > libpcap 0.6.2. I want to discuss the problem here prior to
> > > > > > migrating the discussion to some libpcap related 
> > > mailing list. Any
> > > > > > ideas? BTW, the problem can be worked around by exchanging
> > > > > > DLT_RAW's and DLT_PPP values in include/net/bpf.h, 
> > > provided that
> > > > > > you do not recompile libpcap using the modified header
> > > files. Am I
> > > > > > doing something wrong or what?
> > > > > 
> > > > > The problem is in libpcap. The subroutine responsible for 
> > > > > mapping
> > > > > Linux
> > > > > interface types to DLT interface types is mapping 
> > > ARPHRD_PPP to DLT_RAW.
> > > > > I have no insight as to why this is done. I'll inquire the 
> > > > > tcpdump mailing list.
> > > > > 
> > > > > 	Regards, Yotam Rubin
> > > > > 
> > > > > > 
> > > > > > 	Regards, Yotam Rubin
> > > > 
> > > > --
> > > > David Brumley
> > > > 650.723.2445
> > > 
> > > 
> > 
> > 
> 
>

More information about the argus mailing list