Re: tcpdump problem with DAG card

["lei wei" <weilei1983 () gmail com>]

Hi Guy and Stephen,
Thanks for this info. I've been trying to get argus working with DAG for a
while. Based on your suggestions I guess I should quit doing that. What I'm
really doing is to monitor border traffic with an inbound link and an
outbound link. I'm trying to use DAG card to merge the traffic and feed it
to Argus. But if argus is not possible to work with DAG, I guess I have no
other options now....


On 1/9/08, Stephen Donnelly <stephen () endace com> wrote:
> On Wed, 2008-01-09 at 17:25 -0800, Guy Harris wrote:
> > On Jan 9, 2008, at 3:37 PM, lei wei wrote:
> >
> > > I'm actually trying to get Argus working with DAG but argus still
> > > can't read
> > > anything from it.
> >
> >  From a quick look at the source to Argus 2.0.6, it appears to be
> > assuming that you can do a select() on the result of pcap_fileno(),
> > which, as far as I know, is *NOT* the case for DAG devices; I don't
> > think the DAG driver supports select() or poll().  That might cause it
> > (and other applications using select() or poll() on pcap streams)
> > never to see any incoming packets, or to fail in other ways.
> >
> > Newer versions of libpcap (including 0.9.x) have
> > pcap_get_selectable_fd(), which returns a file descriptor on which you
> > can do select(), if such a descriptor exists, or -1, if no such file
> > descriptor exists.
>
> I agree. From ArgusGetPackets() in ArgusOutput.c it appears that Argus
> is intended to operate over multiple pcap interfaces, but incorrectly
> assumes that pcap descriptors are always selectable.
>
> Because Argus does not check for selectable descriptors and work around
> any non-selectable descriptors it is not possible to use Argus with DAG
> cards without further modification.
>
> Curiously under CYGWIN it does not assume selectable descriptors, but
> apparently works with only one interface in this case. It may be
> possible to use this as the basis for non-selectable descriptors in
> general.
>
> Stephen.
> --
> -----------------------------------------------------------------------
>    Stephen Donnelly BCMS PhD           email: sfd () endace com
>    Endace Technology Ltd               phone: +64 7 839 0540
>    Hamilton, New Zealand               cell:  +64 21 1104378
> -----------------------------------------------------------------------
>
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.



-- 
Wei, Lei
Department of Computer Science
University of North Carolina at Chapel Hill,
NC 27599-3175
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.