Problem with byte-swapped IP addresses

Peter Van Epp vanepp at sfu.ca
Mon Mar 8 21:13:45 EST 2010


On Mon, Mar 08, 2010 at 09:44:38AM -0500, Carter Bullard wrote:
> The weirdest scenario that I can think of, is that under high load, the pf-ring
> could be passing up the same packet twice.  we modify it, on the first pass, and
> so we get a modified packet as a new packet, the second time.
> 
> Is this possible?
> 
> Carter
> 
> 

	Yes probably, which would make this a pf-ring bug :-). Pf-ring has a 
circular buffer in kernel memory and uses mmap to remap the memory from 
kernel space in to user space (presumably via the mmu) to avoid the memory
copy bpf normally does.  So if argus modified the input buffer and pf-ring 
became confused it could pass back a modifed (and incorrect) buffer as a new 
packet. Finding if this is whats happening will probably be fun though :-). 
Probably figuring out and recording somewhere that address of the buffer in
use for the packet would be the way to do it. I'd expect a linear progression
of addresses normally.

Peter Van Epp



More information about the argus mailing list