tcpdump problem with DAG card
Stephen Donnelly
stephen at endace.com
Wed Jan 9 22:09:36 EST 2008

On Thu, 2008-01-10 at 14:53 +1300, Stephen Donnelly wrote:
> On Wed, 2008-01-09 at 17:25 -0800, Guy Harris wrote:
> > On Jan 9, 2008, at 3:37 PM, lei wei wrote:
> >
> > > I'm actually trying to get Argus working with DAG but argus still
> > > can't read anything from it.
> >
> > From a quick look at the source to Argus 2.0.6, it appears to be
> > assuming that you can do a select() on the result of pcap_fileno(),
> > which, as far as I know, is *NOT* the case for DAG devices; I don't
> > think the DAG driver supports select() or poll(). That might cause it
> > (and other applications using select() or poll() on pcap streams)
> > never to see any incoming packets, or to fail in other ways.
> >
> > Newer versions of libpcap (including 0.9.x) have
> > pcap_get_selectable_fd(), which returns a file descriptor on which you
> > can do select(), if such a descriptor exists, or -1, if no such file
> > descriptor exists.
>
> I agree. From ArgusGetPackets() in ArgusOutput.c it appears that Argus
> is intended to operate over multiple pcap interfaces, but incorrectly
> assumes that pcap descriptors are always selectable.
>
> Because Argus does not check for selectable descriptors and work around
> any non-selectable descriptors it is not possible to use Argus with DAG
> cards without further modification.
>
> Curiously under CYGWIN it does not assume selectable descriptors, but
> apparently works with only one interface in this case. It may be
> possible to use this as the basis for non-selectable descriptors in
> general.

As a workaround, pretending to be CYGWIN gets Argus running. Changing
#if defined(CYGWIN) to #if 1 at line 1797 in
argus-3.0.0/argus/ArgusSource.c in order to use the non-select version
of the code seems to work okay, although Argus will only be able to read
from one interface.

Cross-posting to the Argus list in case someone wants to have a better
go at fixing this upstream.

Stephen.
--
-----------------------------------------------------------------------
Stephen Donnelly BCMS PhD email: sfd at endace.com
Endace Technology Ltd phone: +64 7 839 0540
Hamilton, New Zealand cell: +64 21 1104378
-----------------------------------------------------------------------
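
An added example, not part of the original message and not Argus or libpcap code: one way a capture loop can serve selectable and non-selectable sources together, the case discussed in this thread. The `struct source` wrapper, `service_sources()`, and the pipe and backlog sources are hypothetical and constructed so that the block runs without libpcap or a DAG card.

```c
#include <sys/select.h>
#include <unistd.h>
/* Hypothetical wrapper: with libpcap, fd would hold pcap_get_selectable_fd()
 * (-1 when none exists) and read_fn would wrap a non-blocking pcap_dispatch(). */
struct source {
    int fd;                           /* selectable descriptor, or -1 */
    int (*read_fn)(struct source *);  /* packets read right now, <= 0 if none */
    int pending, packets;             /* constructed backlog; running total */
};

/* One pass of the capture loop: packets read, or -1 if select() fails. */
int service_sources(struct source *s, int n, long timeout_us)
{
    fd_set rfds;
    int i, got, maxfd = -1, must_poll = 0, total = 0;
    FD_ZERO(&rfds);
    for (i = 0; i < n; i++) {
        if (s[i].fd < 0) { must_poll = 1; continue; }  /* nothing to select() on */
        FD_SET(s[i].fd, &rfds);
        if (s[i].fd > maxfd) maxfd = s[i].fd;
    }
    if (must_poll && timeout_us > 1000) timeout_us = 1000;  /* keep the wait short */
    struct timeval tv = { timeout_us / 1000000, timeout_us % 1000000 };
    if (select(maxfd + 1, &rfds, NULL, NULL, &tv) < 0) return -1;
    for (i = 0; i < n; i++) {
        if (s[i].fd >= 0 && !FD_ISSET(s[i].fd, &rfds)) continue;
        got = s[i].read_fn(&s[i]);  /* ready fd, or a source that must be polled */
        if (got > 0) { s[i].packets += got; total += got; }
    }
    return total;
}

/* Constructed sources: one byte in a pipe, or one unit of backlog, is a packet. */
static int read_pipe(struct source *s)
{
    char buf[64];
    return (int)read(s->fd, buf, sizeof buf);
}
static int read_polled(struct source *s) { int got = s->pending; s->pending = 0; return got; }

/* Constructed demo: 3 packets on a pipe plus 2 on a source with no descriptor. */
int demo_mixed_sources(void)
{
    int p[2];
    if (pipe(p) != 0 || write(p[1], "abc", 3) != 3) return -1;
    struct source s[2] = { { p[0], read_pipe, 0, 0 }, { -1, read_polled, 2, 0 } };
    int total = service_sources(s, 2, 500000);
    close(p[0]); close(p[1]);
    return total == 5 ? s[0].packets * 10 + s[1].packets : -1;
}
```

A loop that only passed descriptors to select() would never call the read function of the second source, which is the failure described for DAG devices above.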