Nmap Development mailing list archives

Re: OS X 10.6 diagnosis: pcap timeout and bpf device access


From: David Fifield <david () bamsoftware com>
Date: Sun, 8 Nov 2009 22:54:54 -0700

On Sat, Nov 07, 2009 at 11:01:30AM -0700, David Fifield wrote:
I have been looking into this problem, and I think I have found the
cause, or rather causes, both of which appear to be Apple bugs. The
first is that setting timeouts for read events doesn't work unless the
timeout is at least 1000 milliseconds. The second is that opening a
/dev/bpf? device in O_WRONLY mode and binding it to an interface causes
all other listeners on the interface to see only outgoing traffic. I
don't know of a nice quick fix for these problems.

How to handle this? The O_RDWR change, while ugly, is pretty innocuous.
We use a short timeout for pcap reads on OS X because you can't select
on a pcap file descriptor. However, apparently poll works for pcap
descriptors in 10.6, where it didn't work before. So doing some kind of
configuration detection and using poll when appropriate is an option.
These tests were all with a stock installation of 10.6. I'll try
updating to whatever the latest version is and see if anything is
different.

I committed the O_RDWR change. With that, a temporary workaround for
this problem is to compile in 32-bit mode by configuring like this:

./configure CFLAGS="-m32" CXXFLAGS="-m32" LDFLAGS="-m32"

I'm going to try reinstalling MacPorts under 10.6 and see if I can make
a release like that. If not, I'll revert back to my 10.5 installation
for the next release.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

