tcpdump mailing list archives
New DLT needed for PPP active/passiv filtering
From: Karsten Keil <kkeil () suse de>
Date: Tue, 17 Aug 2004 12:53:54 +0200
Hi,

between libpcap version 0.7 and 0.8 the DLT_PPP was cleaned up to no longer support the faked IN/OUT flag which was needed to compile filter rules for the PPP active/passive filtering.

The cleanup is OK, since the native PPP frames do not have any IN/OUT flag, so for traffic analysers it is confusing to have a faked first byte.

But for active/passive filtering, which is needed to determine for dial on demand which packets are allowed to create a new connection or which packets hold the current connection open, it is a strong demand to differentiate between own (OUT) and incoming traffic (which may contain unwanted packets, like port scans or packets from old lost connections (dynamic IPs maybe reassigned)).

So I was told some months ago to use cooked mode with DLT_LINUX_SLL, which used a faked 16 byte ethernet header instead of the 4 byte PPP header.

I implemented a solution based on this, but it has big disadvantages:

- it creates binary incompatible filters, it needs new core routines for active/passive filter (which replace the 4 byte header with a 16 byte header)
- waste of resources, the packet handler must extend the headspace from 4 to 16 bytes only for executing the filter

Because of the incompatibility this solution was rejected by the PPP maintainers and I think they are right.

A solution may be to create a new DLT_PPP_INOUT (better names welcome), which takes the first PPP byte, which is not needed for filtering, as IN/OUT flag (same behavior as libpcap 0.7 DLT_PPP had). This solution is backward compatible and needs no changes in the PPP core routines. Old ppp binaries (libpcap 0.7 based) will still work. The main DLT_PPP for traffic analyser stuff will remain clean and not get confused by this extra stuff.

So I need a DLT number assigned for this new DLT_PPP_INOUT.

--
Karsten Keil
ISDN development
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
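The proposal in the message above, sketched as an added example (not code from the original post, libpcap or pppd): an "outbound and ip" activity filter written against the 4-byte PPP header whose first byte carries the IN/OUT flag, run by a small stand-in interpreter. The flag values 0 and 1, the reduced instruction set, the helper name and the sample frames are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumed flag values for byte 0 of the 4-byte header; the post does not give them. */
enum { DIR_IN = 0x00, DIR_OUT = 0x01 };
/* Minimal classic-BPF-style subset: absolute byte/halfword load, jump-if-equal, return. */
enum { LD_B, LD_H, JEQ, RET };
struct insn { uint8_t op, jt, jf; uint32_t k; };

/* Runs prog over pkt; returns the RET value, or 0 (reject) on an out-of-bounds load. */
static uint32_t run_filter(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case LD_B:
            if (i->k >= len) return 0;
            a = pkt[i->k];
            break;
        case LD_H:
            if (len < 2 || i->k > len - 2) return 0;
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            break;
        case JEQ: pc += (a == i->k) ? i->jt : i->jf; break;
        case RET: return i->k;
        }
    }
    return 0; /* fell off the end: reject */
}

/* "outbound and ip": byte 0 = direction flag, bytes 2-3 = PPP protocol (0x0021 is IPv4). */
static const struct insn active_filter[] = {
    { LD_B, 0, 0, 0 },
    { JEQ,  0, 3, DIR_OUT },  /* inbound: jump to reject */
    { LD_H, 0, 0, 2 },
    { JEQ,  0, 1, 0x0021 },   /* not IPv4: jump to reject */
    { RET,  0, 0, 0xffff },   /* accept: counts as link activity */
    { RET,  0, 0, 0 },        /* reject */
};

/* Hypothetical helper: may this frame bring up or hold open the dial-on-demand link? */
int counts_as_activity(const uint8_t *frame, size_t len)
{
    return run_filter(active_filter, sizeof active_filter / sizeof *active_filter, frame, len) != 0;
}
/* Constructed sample frames: same IPv4 packet start, sent by us vs. received from the peer. */
static const uint8_t SAMPLE_OUT[] = { DIR_OUT, 0x03, 0x00, 0x21, 0x45 };
static const uint8_t SAMPLE_IN[]  = { DIR_IN,  0x03, 0x00, 0x21, 0x45 };

int main(void) { return !(counts_as_activity(SAMPLE_OUT, 5) && !counts_as_activity(SAMPLE_IN, 5)); }
```

The protocol field stays at offset 2 and the payload at offset 4, exactly as in a plain PPP frame, so only the meaning of byte 0 changes; with a 16-byte cooked header every offset in the compiled filter would differ.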
Current thread:
- New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 17)
- Re: New DLT needed for PPP active/passiv filtering Hannes Gredler (Aug 17)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 17)
- Re: New DLT needed for PPP active/passiv filtering Guy Harris (Aug 17)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Hannes Gredler (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Guy Harris (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Hannes Gredler (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Hannes Gredler (Aug 19)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Hannes Gredler (Aug 17)