Honeypots mailing list archives

RE: Arpd on FC3


From: "Christopher Cook" <cookc () ritacacas net>
Date: Sat, 6 Aug 2005 14:28:19 -0400

Maximillian,

You asked about the problems with arpd on Fedora Core 3.  Here's what I came
up with back in March.  

Chris

-------------------

I ran into compilation problems with arpd as well.  I'm not sure if my
problem is your problem, but if you're running Fedora Core 3, it's likely.

The problem is the "__FUNCTION__" sorta-macro.  In previous versions of gcc,
__FUNCTION__ expanded into the name of the current C function like a macro.
The code treated it like a string literal, so you used it like this (taken
from arpd.c):

        if (op == ARP_OP_REQUEST) {
                syslog(LOG_DEBUG, __FUNCTION__ ": who-has %s tell %s",
                    addr_ntoa(tpa), addr_ntoa(spa));
        }

The strings concatenated with the quote, and everything worked.

Starting with some version of gcc that I'm too lazy to look up right now,
__FUNCTION__ began to work more like a function, and in FC3, it stopped
working like a string at all.  To get it to work now, you simply have to
shift it to the argument side of the printf-like syslog():

        if (op == ARP_OP_REQUEST) {
                syslog(LOG_DEBUG, "%s: who-has %s tell %s", __FUNCTION__,
                    addr_ntoa(tpa), addr_ntoa(spa));
        }

I don't want to admit how much time this took me to figure out.

Here's a diff between the released 0.20 code and what finally compiled for
me:
--------------------

[chris@julian]$ diff arpd.c ../arpd-patched/arpd.c
268c268
<               syslog(LOG_DEBUG, __FUNCTION__ ": who-has %s tell %s",
---
              syslog(LOG_DEBUG, "%s: who-has %s tell %s",
__FUNCTION__,
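Review bot: as pasted, this hunk will not apply with patch(1): the replacement line is wrapped onto two lines ("syslog(LOG_DEBUG, "%s: who-has %s tell %s"," / "__FUNCTION__,") and the ">" markers on the new lines have been lost, so the right-hand side is no longer a valid normal-format diff. Regenerate it with "diff -u arpd.c ../arpd-patched/arpd.c" and send it as an attachment so the mailer does not reflow it.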
285c285
<               syslog(LOG_DEBUG, __FUNCTION__ ": %s at %s",
---
              syslog(LOG_DEBUG, "%s: %s at %s", __FUNCTION__,
294c294
<               syslog(LOG_DEBUG, __FUNCTION__ ": no entry for %s",
---
              syslog(LOG_DEBUG, "%s: no entry for %s", __FUNCTION__,
297c297
<               syslog(LOG_DEBUG, __FUNCTION__ ": %s at %s",
---
              syslog(LOG_DEBUG, "%s: %s at %s", __FUNCTION__,
426c426
<                       syslog(LOG_DEBUG, __FUNCTION__ ": %s at %s",
---
                      syslog(LOG_DEBUG, "%s: %s at %s", __FUNCTION__,
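Review bot: since all five call sites are being touched anyway, consider using the C99 standard spelling __func__ instead of the GCC-only __FUNCTION__ in the new argument; both are implicit identifiers rather than string literals (which is exactly why the old concatenation form broke), and __func__ also compiles on non-GCC toolchains. A one-line macro wrapping syslog() with the "%s: " prefix and __func__ would keep the five sites identical and stop the pattern from being reintroduced.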

----------------------

I hope that helps.

Chris
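
The pattern the message above describes, as an added stand-alone example rather than code from arpd or from the original post: the function name is passed through a "%s" conversion instead of being concatenated as a literal, using the C99 identifier __func__ (of which __FUNCTION__ is the GCC alias). The log_line() helper and the LOG_DEBUGF macro are assumptions made for this example, standing in for arpd's syslog() calls; the addresses are constructed sample values, and arpd's addr_ntoa() step is assumed to have already produced text.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Example helper (not from arpd): format "function: message" into buf
 * the way arpd's patched syslog() calls do, passing the function name
 * as an ordinary %s argument.  Returns the number of characters that
 * would have been written, excluding the NUL, like snprintf(). */
static int log_line(char *buf, size_t len, const char *func,
                    const char *fmt, ...)
{
    va_list ap;
    int n, m;

    n = snprintf(buf, len, "%s: ", func);
    if (n < 0 || (size_t)n >= len)
        return n;
    va_start(ap, fmt);
    m = vsnprintf(buf + n, len - n, fmt, ap);
    va_end(ap);
    return m < 0 ? m : n + m;
}

/* __func__ is the C99 standard spelling; __FUNCTION__ is GCC's alias.
 * Neither is a string literal, so neither can be glued to an adjacent
 * literal; both must be supplied as a %s argument.  __func__ expands
 * in the function that uses the macro, which is the name we want. */
#define LOG_DEBUGF(buf, len, ...) \
    log_line((buf), (len), __func__, __VA_ARGS__)

/* Mirrors the ARP_OP_REQUEST branch in arpd.c.  tpa and spa are
 * assumed to be textual addresses already (arpd gets them from
 * addr_ntoa()). */
int arp_request_line(char *buf, size_t len, const char *tpa, const char *spa)
{
    return LOG_DEBUGF(buf, len, "who-has %s tell %s", tpa, spa);
}

/* Mirrors the "%s at %s" reply message at the other patched sites. */
int arp_reply_line(char *buf, size_t len, const char *spa, const char *sha)
{
    return LOG_DEBUGF(buf, len, "%s at %s", spa, sha);
}

int main(void)
{
    char buf[128];

    /* Constructed sample addresses, not taken from a real capture. */
    arp_request_line(buf, sizeof buf, "10.0.0.2", "10.0.0.1");
    puts(buf);
    arp_reply_line(buf, sizeof buf, "10.0.0.2", "00:11:22:33:44:55");
    puts(buf);
    return 0;
}
```

Compile with "gcc -std=c99 -Wall" and run; each line starts with the name of the function that produced it, which is what the old literal-concatenation form delivered on older gcc and what the patched arpd gets back through the "%s".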


-----Original Message-----
From: news [mailto:news () sea gmane org] On Behalf Of Maximillian Dornseif
Sent: Friday, August 05, 2005 5:32 AM
To: honeypots () securityfocus com
Subject: Re: Arpd on FC3

On 2005-07-08 14:18:49 +0200, seamus blarnum <crpyt0k1d () yahoo com> said:

Has anyone come up with a fix or work-around for Arpd on Fedora Core 3? I
 keep getting syntax errors and from reading insecure.org and a few other
 sources I seem to not be the only one dealing with this issue.

You should consider avoiding arpd at all. If your network is not 
that big you should be able to use the wonderful new honeyd 1.0 
features to get your traffic to honeyd. If your network is complex you 
for sure should avoid arpd because it will break too much stuff. If your 
network is really big (e.g. /17) you shouldn't use arp at all but 
routing to get traffic to your system because most network equipment 
can't really handle tens of thousands of nodes on the same segment.

See http://blogs.23.nu/antlab/stories/4485/ and 
http://md.hudora.de/presentations/2005-bh-honeypots-03-honeyd.pdf 
(slide 7pp)

Also be aware that some morons (debian?) decided to rename arpd into 
'farpd'. There is another arpd which is meant as a userland replacement 
for the kernel's arp cache. So be sure to actually use the correct arpd 
if you insist on using arpd at all.

Regards

Maximillian Dornseif

-- 
Maximillian Dornseif
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/
