Snort mailing list archives

OT-ish: libpcap apps on x86_64


From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Tue, 26 Jul 2005 12:11:50 +0100

Hi -

I'm having some problems with Phil Wood's libpcap on CentOS 4.1/x86_64 (a Free RHEL 4U1 clone for those not in the loop!). I've built i386 and x86_64 RPMs of libpcap, and installed them:

# rpm -qil libpcap.i386 libpcap.x86_64
Name        : libpcap                      Relocations: /usr
Version     : 1.0.20050129                      Vendor: (none)
Release     : 9.RHEL4.uobnids1              Build Date: Mon 25 Jul 2005 16:49:46 BST
Install Date: Tue 26 Jul 2005 11:06:11 BST      Build Host: xxx.bristol.ac.uk
Group       : Development/Libraries         Source RPM: tcpdump-3.8.2-9.RHEL4.uobnids1.src.rpm
Size        : 424623                           License: BSD
Signature   : DSA/SHA1, Mon 25 Jul 2005 16:49:46 BST, Key ID 2a598db7552ee4e4
URL         : http://www.tcpdump.org
Summary     : A system-independent interface for user-level packet capture.
Description :
Libpcap provides a portable framework for low-level network
monitoring. Libpcap can provide network statistics collection,
security monitoring and network debugging. Since almost every system
vendor provides a different interface for packet capture, the libpcap
authors created this system-independent API to ease in porting and to
alleviate the need for several system-dependent packet capture modules
in each application.

Install libpcap if you need to do low-level network traffic monitoring
on your network.
/usr/include/net
/usr/include/pcap-bpf.h
/usr/include/pcap-namedb.h
/usr/include/pcap.h
/usr/lib/libpcap-0.8.3.so
/usr/lib/libpcap.a
/usr/lib/libpcap.so
/usr/lib/libpcap.so.0
/usr/lib/libpcap.so.0.7
/usr/lib/libpcap.so.0.8
/usr/lib/libpcap.so.0.8.3
/usr/share/doc/libpcap-1.0.20050129
/usr/share/doc/libpcap-1.0.20050129/CHANGES
/usr/share/doc/libpcap-1.0.20050129/LICENSE
/usr/share/doc/libpcap-1.0.20050129/README
/usr/share/man/man3/pcap.3.gz
Name        : libpcap                      Relocations: /usr
Version     : 1.0.20050129                      Vendor: (none)
Release     : 9.RHEL4.uobnids1              Build Date: Mon 25 Jul 2005 16:50:53 BST
Install Date: Tue 26 Jul 2005 11:06:12 BST      Build Host: xxx.bristol.ac.uk
Group       : Development/Libraries         Source RPM: tcpdump-3.8.2-9.RHEL4.uobnids1.src.rpm
Size        : 520887                           License: BSD
Signature   : DSA/SHA1, Mon 25 Jul 2005 16:50:54 BST, Key ID 2a598db7552ee4e4
URL         : http://www.tcpdump.org
Summary     : A system-independent interface for user-level packet capture.
Description :
Libpcap provides a portable framework for low-level network
monitoring. Libpcap can provide network statistics collection,
security monitoring and network debugging. Since almost every system
vendor provides a different interface for packet capture, the libpcap
authors created this system-independent API to ease in porting and to
alleviate the need for several system-dependent packet capture modules
in each application.

Install libpcap if you need to do low-level network traffic monitoring
on your network.
/usr/include/net
/usr/include/pcap-bpf.h
/usr/include/pcap-namedb.h
/usr/include/pcap.h
/usr/lib64/libpcap-0.8.3.so
/usr/lib64/libpcap.a
/usr/lib64/libpcap.so
/usr/lib64/libpcap.so.0
/usr/lib64/libpcap.so.0.7
/usr/lib64/libpcap.so.0.8
/usr/lib64/libpcap.so.0.8.3
/usr/share/doc/libpcap-1.0.20050129
/usr/share/doc/libpcap-1.0.20050129/CHANGES
/usr/share/doc/libpcap-1.0.20050129/LICENSE
/usr/share/doc/libpcap-1.0.20050129/README
/usr/share/man/man3/pcap.3.gz

Applications appear to be linking OK:

# ldd /usr/sbin/tcpdump
       libc.so.6 => /lib64/tls/libc.so.6 (0x00000037d7600000)
       /lib64/ld-linux-x86-64.so.2 (0x00000037d7200000)
# ldd /usr/sbin/tethereal
       libwiretap.so.0 => /usr/lib64/libwiretap.so.0 (0x0000002a95583000)
       libethereal.so.0 => /usr/lib64/libethereal.so.0 (0x0000002a956a9000)
       libnetsnmp.so.5 => /usr/lib64/libnetsnmp.so.5 (0x00000037dad00000)
       libelf.so.1 => /usr/lib64/libelf.so.1 (0x00000037d9b00000)
       libcrypto.so.4 => /lib64/libcrypto.so.4 (0x00000037daf00000)
       libgmodule-2.0.so.0 => /usr/lib64/libgmodule-2.0.so.0 (0x00000037da300000)
       libdl.so.2 => /lib64/libdl.so.2 (0x00000037d7400000)
       libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00000037d9900000)
       libm.so.6 => /lib64/tls/libm.so.6 (0x00000037d7900000)
       libpcap-0.8.3.so => /usr/lib64/libpcap-0.8.3.so (0x0000002a96692000)
       libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00000037da900000)
       libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00000037da700000)
       libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00000037da500000)
       libresolv.so.2 => /lib64/libresolv.so.2 (0x00000037d8700000)
       libz.so.1 => /usr/lib64/libz.so.1 (0x00000037d7b00000)
       libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x00000037d8100000)
       libc.so.6 => /lib64/tls/libc.so.6 (0x00000037d7600000)
       libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00000037dab00000)
       /lib64/ld-linux-x86-64.so.2 (0x00000037d7200000)

(that's a version of tethereal that's been rebuilt against the new libpcap, but subsequent behaviour is identical even if I use the CentOS-supplied tethereal).

But when I try to use it:

# tcpdump -s 1514 -w foo.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes


11 packets captured
11 packets received by filter
0 packets dropped by kernel
# tcpdump -r foo.pcap
reading from file foo.pcap, link-type EN10MB (Ethernet)
11:58:02.000182 [|ether]
11:58:02.000060 [|ether]
11:58:02.000060 [|ether]
11:58:02.000060 [|ether]
11:58:03.000062 [|ether]
11:58:03.000134 [|ether]
11:58:03.000102 [|ether]
11:58:03.000134 [|ether]
11:58:03.000102 [|ether]
11:58:03.000060 [|ether]
11:58:03.000134 [|ether]
# tethereal -r foo.pcap
tethereal: "foo.pcap" appears to be damaged or corrupt.
(pcap: File has 262152-byte packet, bigger than maximum of 65535)

If I uninstall my local packages and revert to CentOS' own:

# rpm -e --nodeps arpwatch tcpdump.i386 tcpdump.x86_64 libpcap.i386 libpcap.x86_64 ethereal ethereal-gnome
[root@vauxhallx ~]# yum install arpwatch tcpdump libpcap ethereal-gnome

[...]

Dependencies Resolved
Transaction Listing:
 Install: arpwatch.x86_64 14:2.1a13-10.RHEL4 - update
 Install: ethereal-gnome.x86_64 0:0.10.11-1.EL4.1 - base
 Install: libpcap.i386 14:0.8.3-9.RHEL4 - base
 Install: libpcap.x86_64 14:0.8.3-10.RHEL4 - update
 Install: tcpdump.i386 14:3.8.2-10.RHEL4 - update
 Install: tcpdump.x86_64 14:3.8.2-10.RHEL4 - update

Performing the following to resolve dependencies:
 Install: ethereal.x86_64 0:0.10.11-1.EL4.1 - base
Total download size: 7.6 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: libpcap 100 % done 1/7
Installing: ethereal 100 % done 2/7
Installing: libpcap 100 % done 3/7
Installing: tcpdump 100 % done 4/7
Installing: arpwatch 100 % done 5/7
Installing: ethereal-gnome 100 % done 6/7
Installing: tcpdump 100 % done 7/7

Installed: arpwatch.x86_64 14:2.1a13-10.RHEL4 ethereal-gnome.x86_64 0:0.10.11-1.EL4.1 libpcap.i386 14:0.8.3-9.RHEL4 libpcap.x86_64 14:0.8.3-10.RHEL4 tcpdump.i386 14:3.8.2-10.RHEL4 tcpdump.x86_64 14:3.8.2-10.RHEL4
Dependency Installed: ethereal.x86_64 0:0.10.11-1.EL4.1
Complete!
[root@vauxhallx ~]# tcpdump -s 1514 -w foo.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes

10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@vauxhallx ~]# tcpdump -r foo.pcap
reading from file foo.pcap, link-type EN10MB (Ethernet)
12:03:12.069506 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 438264354:438264402(48) ack 562433326 win 13056
12:03:12.069938 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 48 win 16608
12:03:12.069965 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 48:160(112) ack 1 win 13056
12:03:12.088801 IP zzz.bris.ac.uk.hsrp > ALL-ROUTERS.MCAST.NET.hsrp: HSRPv0-hello 20: state=active group=0 addr=zzz.bris.ac.uk
12:03:12.188619 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 160 win 16496
12:03:13.076233 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: P 1:81(80) ack 160 win 16496
12:03:13.076328 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 160:208(48) ack 81 win 13056
12:03:13.194539 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 208 win 16448
12:03:13.337582 802.1d config 800a.00:14:69:ZZ:ZZ:ZZ.8004 root 600a.00:12:01:XX:XX:XX pathcost 4 age 1 max 14 hello 2 fdelay 10
12:03:13.564950 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: P 81:161(80) ack 208 win 16448
[root@vauxhallx ~]# tethereal -r foo.pcap
  1   0.000000 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=48
  2   0.000432 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=0 Ack=48 Win=16608 Len=0
  3   0.000459 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=112
  4   0.019295 xxx.xxx.xxx.251 -> 224.0.0.2    HSRP Hello (state Active)
  5   0.119113 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=0 Ack=160 Win=16496 Len=0
  6   1.006727 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa SSH Encrypted request packet len=80
  7   1.006822 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=48
  8   1.125033 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=80 Ack=208 Win=16448 Len=0
  9   1.268076 00:14:69:YY:YY:YY -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 24586/00:12:01:XX:XX:XX Cost = 4 Port = 0x8004
 10   1.495444 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa SSH Encrypted request packet len=80

Anyone got any tips or patches?

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
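Added example, not code from the post above nor from libpcap, tcpdump or tethereal: a small pcap savefile reader that applies the same record-header sanity check tethereal reports ("File has N-byte packet, bigger than maximum of 65535", plus a check against the file's own snaplen) and says at which record and file offset a capture stops making sense. The on-disk record header libpcap defines is 16 bytes of 32-bit fields (ts_sec, ts_usec, incl_len, orig_len); libpcap keeps a separate pcap_sf_pkthdr for exactly this reason, so that a savefile never depends on the host's struct timeval size. As an assumption for the diagnosis (not something the post establishes about Phil Wood's build), the reader also tries a 24-byte layout in which the timestamp is a native x86_64 struct timeval (two 8-byte fields), since a writer that emits its in-memory pcap_pkthdr on an LP64 host produces a file a conforming reader misparses in just this way. The sample captures, frames, timestamps and the helper build_pcap() are constructed for the example.

```python
"""Validate a pcap savefile and diagnose a wrong record-header layout.

Added example for the symptom in the post (tethereal: "File has 262152-byte
packet, bigger than maximum of 65535"); not libpcap/tcpdump/tethereal code.
Assumption (labelled): the 24-byte "lp64_24" layout models a writer that
dumped its native `struct pcap_pkthdr` (LP64 timeval = 2 x 8 bytes) instead
of the 16-byte on-disk `pcap_sf_pkthdr`. Checking whether a file parses under
that layout does not prove it is what the poster's build did.
"""
import struct

MAGIC = 0xA1B2C3D4     # pcap magic, as a host-order value
MAX_PKT = 65535        # largest incl_len tethereal/wiretap accepts

# record-header layouts to try: struct format (endianness prefixed later)
LAYOUTS = {
    "sf16": "IIII",     # ts_sec, ts_usec, incl_len, orig_len: the real format
    "lp64_24": "QQII",  # tv_sec(8), tv_usec(8), caplen, len: assumed broken writer
}


class PcapError(ValueError):
    pass


def parse_global_header(data):
    """Return (endian_prefix, snaplen, linktype) from the 24-byte file header."""
    if len(data) < 24:
        raise PcapError("file shorter than the 24-byte global header")
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", data[:4])
        if magic == MAGIC:
            _, _vmaj, _vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(
                endian + "IHHiIII", data[:24])
            return endian, snaplen, linktype
    raise PcapError("bad magic 0x%08x" % struct.unpack("<I", data[:4])[0])


def read_records(data, layout="sf16"):
    """Parse every record under `layout`; raise PcapError naming the record
    index and file offset at which the file stops being self-consistent."""
    endian, snaplen, _ = parse_global_header(data)
    fmt = endian + LAYOUTS[layout]
    hdr_len = struct.calcsize(fmt)
    off, records = 24, []
    while off < len(data):
        if off + hdr_len > len(data):
            raise PcapError("record %d at offset %d: truncated header" % (len(records), off))
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(fmt, data[off:off + hdr_len])
        if incl_len > MAX_PKT or incl_len > snaplen:   # the check tethereal reports
            raise PcapError("record %d at offset %d: %d-byte packet exceeds maximum %d"
                            % (len(records), off, incl_len, min(snaplen, MAX_PKT)))
        if ts_usec >= 1000000:                          # microseconds must be < 1e6
            raise PcapError("record %d at offset %d: ts_usec %d out of range"
                            % (len(records), off, ts_usec))
        start = off + hdr_len
        if start + incl_len > len(data):
            raise PcapError("record %d at offset %d: truncated packet data" % (len(records), off))
        records.append((ts_sec, ts_usec, incl_len, orig_len, data[start:start + incl_len]))
        off = start + incl_len
    return records


def diagnose(data):
    """Try each layout; map layout -> ("ok", count) or ("error", message)."""
    result = {}
    for layout in LAYOUTS:
        try:
            result[layout] = ("ok", len(read_records(data, layout)))
        except PcapError as exc:
            result[layout] = ("error", str(exc))
    return result


def build_pcap(frames, layout="sf16", snaplen=1514):
    """Constructed writer: little-endian pcap, link-type 1 (EN10MB), records
    emitted with the chosen header layout so both good and broken files exist."""
    out = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, snaplen, 1)
    fmt = "<" + LAYOUTS[layout]
    for i, frame in enumerate(frames):
        # constructed timestamps: epoch seconds in July 2005, usec 69506/69938
        out += struct.pack(fmt, 1122334455 + i, 69506 + 432 * i, len(frame), len(frame))
        out += frame
    return out


# constructed frames: a 60-byte minimum Ethernet frame and a 102-byte one
SAMPLE_FRAMES = [bytes(range(60)), bytes(range(102))]
GOOD = build_pcap(SAMPLE_FRAMES, "sf16")
BROKEN = build_pcap(SAMPLE_FRAMES, "lp64_24")

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("broken", BROKEN)):
        print(name, diagnose(blob))
```

Run stand-alone it reports the good file as parsing only under the 16-byte layout and the broken one as failing that layout at record 0 with an oversized packet (the low half of the 8-byte tv_usec is read as incl_len) while parsing cleanly under the 24-byte layout. On a real capture from a suspect build, replacing BROKEN with the bytes of foo.pcap and seeing the same pattern would support the LP64-timeval explanation; a different failure offset would point elsewhere.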




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
