Problem with byte-swapped IP addresses
Peter Van Epp
vanepp at sfu.ca
Mon Mar 8 21:13:45 EST 2010
On Mon, Mar 08, 2010 at 09:44:38AM -0500, Carter Bullard wrote:
> The weirdest scenario that I can think of, is that under high load, the pf-ring
> could be passing up the same packet twice. we modify it, on the first pass, and
> so we get a modified packet as a new packet, the second time.
>
> Is this possible?
>
> Carter
>
>
Yes probably, which would make this a pf-ring bug :-). Pf-ring has a
circular buffer in kernel memory and uses mmap to remap the memory from
kernel space in to user space (presumably via the mmu) to avoid the memory
copy bpf normally does. So if argus modified the input buffer and pf-ring
became confused it could pass back a modifed (and incorrect) buffer as a new
packet. Finding if this is whats happening will probably be fun though :-).
Probably figuring out and recording somewhere that address of the buffer in
use for the packet would be the way to do it. I'd expect a linear progression
of addresses normally.
Peter Van Epp
More information about the argus
mailing list