debugging argus on tun interface

Peter Van Epp vanepp at sfu.ca
Fri Feb 24 15:51:53 EST 2006 

On Fri, Feb 24, 2006 at 06:08:30PM +0000, poncenby smythe wrote:
> 
> this is the output from running tcpdump...
> 
> > tcpdump -i tun0 -w temp.pcap
> tcpdump: listening on tun0, link-type LOOP
> ^C
> 96 packets received by filter
> 0 packets dropped by kernel
> 
> reading the .pcap verifies that tcpdump is successfully capturing all  
> packets seen.
> 
> file type of the .pcap file...
> tmp.pcap: tcpdump capture file (little-endian) - version 2.4  
> (Loopback, capture length 96)
> 
> just to verify that both binaries are linked to the same libpcap  
> version (if that would make any difference)
> 
> -bash-3.00# ldd argus
> argus:
>         Start    End      Type Ref Name
>         00000000 00000000 exe   1  argus
>         0a2f0000 2a2fd000 rlib  1  /usr/lib/libpcap.so.3.0
>         051f2000 251f9000 rlib  1  /usr/lib/libm.so.2.0
>         0a6f8000 2a729000 rlib  1  /usr/lib/libc.so.38.2
>         07dd8000 07dd8000 rtld  1  /usr/libexec/ld.so
> -bash-3.00# ldd /usr/sbin/tcpdump
> /usr/sbin/tcpdump:
>         Start    End      Type Ref Name
>         00000000 00000000 exe   1  /usr/sbin/tcpdump
>         03c75000 23c82000 rlib  1  /usr/lib/libpcap.so.3.0
>         0b54b000 2b579000 rlib  1  /usr/lib/libcrypto.so.12.0
>         00f1c000 20f4d000 rlib  1  /usr/lib/libc.so.38.2
>         08fa2000 08fa2000 rtld  1  /usr/libexec/ld.so
> 
> so, tcpdump can listen on tun0 but argus cannot.
> i guess i need to start using gdb....
> 
> poncenby
> 

	Well thats a good start anyway, the tun device appears to have bpf
support (I assume a  tcpdump -r temp.pcap is able to display sensible 
packet output). You can feed argus_bpf the temp.pcap file which may make 
life a bit easier tracing. I had a look at the FreeBSD tun device and the 
argus source last night and I have some suspicion argus may only support
DLT_EN10MB (although it knows of other potential types). Carter would be the
best source on whats possible if he's around. I beleive there is an RFC on
the tcpdump format and that should tell you (as would tracing the code) what
type a tun device thinks it is (I think it may be encapsulated and thus need
to be supported which it may or may not be at present in argus).


server/ArgusSource.c:               ArgusPcap.linktype = DLT_EN10MB;
server/ArgusSource.c:               ArgusPcap.linktype = DLT_EN10MB;
server/ArgusSource.c:                     ArgusPcap.linktype = DLT_EN10MB;
server/ArgusSource.h:   { ArgusEtherPacket,     DLT_EN10MB,      "ArgusEtherPacket()" },
server/ArgusSource.h:   { ArgusEtherPacket,     DLT_IEEE802,     "ArgusEtherPacket()" },
server/ArgusSource.h:   { ArgusSlipPacket,      DLT_SLIP,        "ArgusSlipPacket()" },
server/ArgusSource.h:   { ArgusSlipPacket,      DLT_SLIP_BSDOS,  "ArgusSlipPacket()" },
server/ArgusSource.h:   { ArgusPppPacket,       DLT_PPP,         "ArgusPppPacket()" },
server/ArgusSource.h:   { ArgusPppBsdosPacket,  DLT_PPP_BSDOS,   "ArgusPppBsdosPacket()" },
server/ArgusSource.h:   { ArgusFddiPacket,      DLT_FDDI,        "ArgusFddiPacket()" },
server/ArgusSource.h:   { ArgusATMPacket,       DLT_ATM_RFC1483, "ArgusATMPacket()" },
server/ArgusSource.h:   { ArgusIpPacket,        DLT_RAW,         "ArgusIpPacket()" },
server/ArgusSource.h:#ifdef DLT_LINUX_SLL
server/ArgusSource.h:   { ArgusSllPacket,       DLT_LINUX_SLL,   "ArgusSllPacket()" },
server/ArgusSource.h:   { NULL,                 DLT_NULL,        "NULL" },

common/argus_util.c:{  0, "DLT_NULL", "no link-layer encapsulation"},
common/argus_util.c:{  1, "DLT_EN10MB", "Ethernet (10Mb)"},
common/argus_util.c:{  2, "DLT_EN3MB", "Experimental Ethernet (3Mb)"},
common/argus_util.c:{  3, "DLT_AX25", "Amateur Radio AX.25"},
common/argus_util.c:{  4, "DLT_PRONET", "Proteon ProNET Token Ring"},
common/argus_util.c:{  5, "DLT_CHAOS", "Chaos"},
common/argus_util.c:{  6, "DLT_IEEE802", "IEEE 802 Networks"},
common/argus_util.c:{  7, "DLT_ARCNET", "ARCNET"},
common/argus_util.c:{  8, "DLT_SLIP", "Serial Line IP"},
common/argus_util.c:{  9, "DLT_PPP",  "Point-to-point Protocol"},
common/argus_util.c:{ 10,"DLT_FDDI", "FDDI"},
common/argus_util.c:{ 11, "DLT_ATM_RFC1483", "LLC/SNAP encapsulated atm"},
common/argus_util.c:{ 12, "DLT_LOOP", "loopback"},
common/argus_util.c:{100, "DLT_ATM_RFC1483", "LLC/SNAP encapsulated atm"},
common/argus_util.c:{101, "DLT_RAW", "raw IP"},
common/argus_util.c:{102, "DLT_SLIP_BSDOS", "BSD/OS Serial Line IP"},
common/argus_util.c:{103, "DLT_PPP_BSDOS", "BSD/OS Point-to-point Protocol"},
common/argus_util.c:{104, "DLT_CHDLC", "Cisco HDLC"},

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list