tcpdump mailing list archives

Re: Sniffing a network interface with libpcap in a Solaris Zone


From: Guy Harris <guy () alum mit edu>
Date: Tue, 7 Aug 2012 11:33:57 -0700


On Aug 7, 2012, at 7:53 AM, Joseph Freemaker wrote:

Using libpcap 1.3.0.

libpcap had a patch applied in October of 2011 for the Solaris Zone.

However when libpcap is used with a C program (that is very similar to tcpdump - makes the same calls) that is run in 
a Solaris Zone (Solaris 10) the following message is received:

A network mask lookup for ce0 could not be completed due to a 'SIOCGIFADDR: ce0: No such device or address' error condition.

Is anyone familiar with what the procedure is to use libpcap for a Solaris Zone?

The same as anywhere else - if you need to call pcap_lookupnet(), and it returns -1, print a message, make the message 
clearly a *warning* rather than an *error*, and just use 0 as the network address and:

        if PCAP_NETMASK_UNKNOWN is #defined, use it as the netmask;

        otherwise, use 0 as the netmask.

If you do that, then you will receive a message such as

        WARNING: A network mask lookup for ce0 could not be completed due to a 'SIOCGIFADDR: ce0: No such device or address' error condition.

(that condition is *NOT* unique to sniffing in a Solaris zone:

        $ tcpdump -i en0
        tcpdump: WARNING: en0: no IPv4 address assigned

and that isn't even being done on Solaris, much less in a Solaris zone), and, as long as nothing else goes wrong, the 
capture will continue.  The warning lets the user know that any capture filter expression that requires the network 
address or netmask, such as "ip broadcast", will not work on that interface (and, if you set the netmask to 
PCAP_NETMASK_UNKNOWN, filter expressions of that sort will fail to compile, so a capture attempt using that filter will 
fail, as it should).

Note, however, that:

        1) The patch in question applies only to BPF, not DLPI, so it only applies, as far as I know, on Solaris 11, 
and will only work if you've configured and built libpcap on Solaris 11 (if you configure and build it on Solaris 10, 
which lacks BPF, it won't use BPF).

        2) What it did was provide a *syntax* by which a libpcap-based program running in a global zone can capture on 
network interfaces in non-global zones - you do that by prefixing the interface name with the zone name, with a slash 
separating the zone name and the interface name.  It did *NOT* affect any other situations, e.g. capturing, on a 
program running in a zone, on an interface that belongs to that zone.

        3) It did not affect the code used to fetch the network address and mask, so that might not work if you've 
specified something such as "foo/xx0" as the interface when running the program in a global zone and telling it to 
capture on the interface "xx0" in the non-global zone "foo".

So is ce0 an interface in the zone in which you're running the program?

If not, you presumably have to run the program in a global zone and specify {zonename}/ce0 as the interface on which to 
capture.

If so, then what does "ifconfig -a" print when run in the zone in question?  Does it list ce0?

(See also

        http://ask.wireshark.org/questions/13371/can-wireshark-sniff-a-network-interface-in-a-solaris-zone

for some additional information on Solaris zones and traffic capture; it applies to any program capturing traffic, not 
just Wireshark.)
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
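
The fallback described in the reply above, sketched in C as an added example (not code from the message, tcpdump or libpcap). `resolve_net`, `lookupnet_fn` and the two stubs are hypothetical names; the lookup is injected as a function pointer with `pcap_lookupnet()`'s signature and the three libpcap definitions are stand-ins, so the block builds without libpcap or a live interface.

```c
#include <stdio.h>

/* Stand-ins so this builds without libpcap installed (assumption of this
 * example). In a real program include <pcap/pcap.h> and delete these three. */
typedef unsigned int bpf_u_int32;
#define PCAP_ERRBUF_SIZE 256
#define PCAP_NETMASK_UNKNOWN 0xffffffff

/* Same signature as pcap_lookupnet(); pass pcap_lookupnet itself in real use. */
typedef int (*lookupnet_fn)(const char *, bpf_u_int32 *, bpf_u_int32 *, char *);

/* Hypothetical helper: returns 1 if the lookup worked, 0 if the fallback
 * values were used. A failed lookup is a warning, never a reason to stop. */
int resolve_net(const char *dev, lookupnet_fn lookup,
                bpf_u_int32 *net, bpf_u_int32 *mask)
{
    char errbuf[PCAP_ERRBUF_SIZE] = "";
    if (lookup(dev, net, mask, errbuf) != -1)
        return 1;
    fprintf(stderr, "WARNING: A network mask lookup for %s could not be "
            "completed due to a '%s' error condition.\n", dev, errbuf);
    *net = 0;
#ifdef PCAP_NETMASK_UNKNOWN
    *mask = PCAP_NETMASK_UNKNOWN; /* "ip broadcast" etc. will fail to compile */
#else
    *mask = 0;                    /* libpcap without PCAP_NETMASK_UNKNOWN */
#endif
    return 0;   /* caller still passes *mask to pcap_compile() and captures */
}

/* Constructed stub: fails like the SIOCGIFADDR lookup quoted in the thread. */
int stub_no_addr(const char *dev, bpf_u_int32 *n, bpf_u_int32 *m, char *err)
{
    snprintf(err, PCAP_ERRBUF_SIZE, "SIOCGIFADDR: %s: No such device or address", dev);
    return -1;
}

/* Constructed stub: succeeds with sample values (192.0.2.0/24). */
int stub_ok(const char *dev, bpf_u_int32 *n, bpf_u_int32 *m, char *err)
{
    *n = 0xC0000200u; *m = 0xFFFFFF00u;
    return 0;
}

int main(void)
{
    bpf_u_int32 net, mask;
    int found = resolve_net("ce0", stub_no_addr, &net, &mask);
    return printf("found=%d net=%#x mask=%#x\n", found, net, mask) < 0;
}
```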

