[tcpdump-workers] tcpdump problem with DAG card

Carter Bullard carter at qosient.com
Thu Jan 10 06:49:41 EST 2008 

Hey Stephen,
Thanks, I'll take a look tonight, and make the changes.  

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: Stephen Donnelly <stephen at endace.com>

Date: Thu, 10 Jan 2008 16:09:36 
To:tcpdump-workers at lists.tcpdump.org
Cc:argus-info at lists.andrew.cmu.edu
Subject: Re: [tcpdump-workers] tcpdump problem with DAG card


On Thu, 2008-01-10 at 14:53 +1300, Stephen Donnelly wrote:
> On Wed, 2008-01-09 at 17:25 -0800, Guy Harris wrote:
> > On Jan 9, 2008, at 3:37 PM, lei wei wrote:
> > 
> > > I'm actually trying to get Argus working with DAG but argus still  
> > > can't read
> > > anything from it.
> > 
> >  From a quick look at the source to Argus 2.0.6, it appears to be  
> > assuming that you can do a select() on the result of pcap_fileno(),  
> > which, as far as I know, is *NOT* the case for DAG devices; I don't  
> > think the DAG driver supports select() or poll().  That might cause it  
> > (and other applications using select() or poll() on pcap streams)  
> > never to see any incoming packets, or to fail in other ways.
> > 
> > Newer versions of libpcap (including 0.9.x) have  
> > pcap_get_selectable_fd(), which returns a file descriptor on which you  
> > can do select(), if such a descriptor exists, or -1, if no such file  
> > descriptor exists.
> 
> I agree. From ArgusGetPackets() in ArgusOutput.c it appears that Argus
> is intended to operate over multiple pcap interfaces, but incorrectly
> assumes that pcap descriptors are always selectable.
> 
> Because Argus does not check for selectable descriptors and work around
> any non-selectable descriptors it is not possible to use Argus with DAG
> cards without further modification.
> 
> Curiously under CYGWIN it does not assume selectable descriptors, but
> apparently works with only one interface in this case. It may be
> possible to use this as the basis for non-selectable descriptors in
> general.

As a workaround, pretending to be CYGWIN gets Argus running. Changing
#if defined(CYGWIN) to #if 1 at line 1797 in
argus-3.0.0/argus/ArgusSource.c in order to use the non-select version
of the code seems to work okay, although Argus will only be able to read
from one interface.

Cross-posting to the Argus list in case someone wants to have a better
go at fixing this upstream.

Stephen.
-- 
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd at endace.com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

More information about the argus mailing list