debugging argus on tun interface

poncenby smythe smythe at poncenby.plus.com
Fri Feb 24 13:08:30 EST 2006 

> 	Indeed looks like libpcap isn't managing to open the tun device
> successfully. I expect you are hitting this !found in server/ 
> ArgusSource.c:
>
>             for (i = 0; i < ARGUS_MAXINTERFACE; i++)
>                if (ArgusPd[i]) {
>                   if (pcap_fileno(ArgusPd[i]) >= 0) {
>                      found ++;
>                      FD_SET(pcap_fileno(ArgusPd[i]), &ArgusReadMask);
>                      if (width < pcap_fileno(ArgusPd[i]))
>                         width = pcap_fileno(ArgusPd[i]);
>                   }
>                }
>
>             if (!found)
>                break;
>
> which exits and causes the shutdown. Trying tcpdump on the same  
> interface would
> be the first thing to try, then you may be in to grepping kernel  
> source to see
> if the tun driver has bpf support :-) if tcpdump can't see the  
> interface either
> :-).  There was a libpcap error message higher in this code that  
> you didn't
> seem to hit so I have some suspicion that the tun device may not  
> support
> bpf may be the problem here (if so tcpdump shouldn't work either).
>

this is the output from running tcpdump...

 > tcpdump -i tun0 -w temp.pcap
tcpdump: listening on tun0, link-type LOOP
^C
96 packets received by filter
0 packets dropped by kernel

reading the .pcap verifies that tcpdump is successfully capturing all  
packets seen.

file type of the .pcap file...
tmp.pcap: tcpdump capture file (little-endian) - version 2.4  
(Loopback, capture length 96)

just to verify that both binaries are linked to the same libpcap  
version (if that would make any difference)

-bash-3.00# ldd argus
argus:
         Start    End      Type Ref Name
         00000000 00000000 exe   1  argus
         0a2f0000 2a2fd000 rlib  1  /usr/lib/libpcap.so.3.0
         051f2000 251f9000 rlib  1  /usr/lib/libm.so.2.0
         0a6f8000 2a729000 rlib  1  /usr/lib/libc.so.38.2
         07dd8000 07dd8000 rtld  1  /usr/libexec/ld.so
-bash-3.00# ldd /usr/sbin/tcpdump
/usr/sbin/tcpdump:
         Start    End      Type Ref Name
         00000000 00000000 exe   1  /usr/sbin/tcpdump
         03c75000 23c82000 rlib  1  /usr/lib/libpcap.so.3.0
         0b54b000 2b579000 rlib  1  /usr/lib/libcrypto.so.12.0
         00f1c000 20f4d000 rlib  1  /usr/lib/libc.so.38.2
         08fa2000 08fa2000 rtld  1  /usr/libexec/ld.so

so, tcpdump can listen on tun0 but argus cannot.
i guess i need to start using gdb....

poncenby






> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
> --
> This email has been verified as Virus free
> Virus Protection and more available at http://www.plus.net

More information about the argus mailing list