Snort mailing list archives
OT-ish: libpcap apps on x86_64
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Tue, 26 Jul 2005 12:11:50 +0100
Hi - I'm having some problems with Phil Wood's libpcap on CentOS 4.1/x86_64 (a Free RHEL 4U1 clone for those not in the loop!). I've built i386 and x86_64 RPMs of libpcap, and installed them:

    # rpm -qil libpcap.i386 libpcap.x86_64
    Name        : libpcap                      Relocations: /usr
    Version     : 1.0.20050129                      Vendor: (none)
    Release     : 9.RHEL4.uobnids1              Build Date: Mon 25 Jul 2005 16:49:46 BST
    Install Date: Tue 26 Jul 2005 11:06:11 BST      Build Host: xxx.bristol.ac.uk
    Group       : Development/Libraries         Source RPM: tcpdump-3.8.2-9.RHEL4.uobnids1.src.rpm
    Size        : 424623                           License: BSD
    Signature   : DSA/SHA1, Mon 25 Jul 2005 16:49:46 BST, Key ID 2a598db7552ee4e4
    URL         : http://www.tcpdump.org
    Summary     : A system-independent interface for user-level packet capture.
    Description :
    Libpcap provides a portable framework for low-level network monitoring.
    Libpcap can provide network statistics collection, security monitoring and
    network debugging. Since almost every system vendor provides a different
    interface for packet capture, the libpcap authors created this
    system-independent API to ease in porting and to alleviate the need for
    several system-dependent packet capture modules in each application.

    Install libpcap if you need to do low-level network traffic monitoring on
    your network.
    /usr/include/net
    /usr/include/pcap-bpf.h
    /usr/include/pcap-namedb.h
    /usr/include/pcap.h
    /usr/lib/libpcap-0.8.3.so
    /usr/lib/libpcap.a
    /usr/lib/libpcap.so
    /usr/lib/libpcap.so.0
    /usr/lib/libpcap.so.0.7
    /usr/lib/libpcap.so.0.8
    /usr/lib/libpcap.so.0.8.3
    /usr/share/doc/libpcap-1.0.20050129
    /usr/share/doc/libpcap-1.0.20050129/CHANGES
    /usr/share/doc/libpcap-1.0.20050129/LICENSE
    /usr/share/doc/libpcap-1.0.20050129/README
    /usr/share/man/man3/pcap.3.gz
    Name        : libpcap                      Relocations: /usr
    Version     : 1.0.20050129                      Vendor: (none)
    Release     : 9.RHEL4.uobnids1              Build Date: Mon 25 Jul 2005 16:50:53 BST
    Install Date: Tue 26 Jul 2005 11:06:12 BST      Build Host: xxx.bristol.ac.uk
    Group       : Development/Libraries         Source RPM: tcpdump-3.8.2-9.RHEL4.uobnids1.src.rpm
    Size        : 520887                           License: BSD
    Signature   : DSA/SHA1, Mon 25 Jul 2005 16:50:54 BST, Key ID 2a598db7552ee4e4
    URL         : http://www.tcpdump.org
    Summary     : A system-independent interface for user-level packet capture.
    Description :
    Libpcap provides a portable framework for low-level network monitoring.
    Libpcap can provide network statistics collection, security monitoring and
    network debugging. Since almost every system vendor provides a different
    interface for packet capture, the libpcap authors created this
    system-independent API to ease in porting and to alleviate the need for
    several system-dependent packet capture modules in each application.

    Install libpcap if you need to do low-level network traffic monitoring on
    your network.
    /usr/include/net
    /usr/include/pcap-bpf.h
    /usr/include/pcap-namedb.h
    /usr/include/pcap.h
    /usr/lib64/libpcap-0.8.3.so
    /usr/lib64/libpcap.a
    /usr/lib64/libpcap.so
    /usr/lib64/libpcap.so.0
    /usr/lib64/libpcap.so.0.7
    /usr/lib64/libpcap.so.0.8
    /usr/lib64/libpcap.so.0.8.3
    /usr/share/doc/libpcap-1.0.20050129
    /usr/share/doc/libpcap-1.0.20050129/CHANGES
    /usr/share/doc/libpcap-1.0.20050129/LICENSE
    /usr/share/doc/libpcap-1.0.20050129/README
    /usr/share/man/man3/pcap.3.gz

Applications appear to be linking OK:

    # ldd /usr/sbin/tcpdump
            libc.so.6 => /lib64/tls/libc.so.6 (0x00000037d7600000)
            /lib64/ld-linux-x86-64.so.2 (0x00000037d7200000)

    # ldd /usr/sbin/tethereal
            libwiretap.so.0 => /usr/lib64/libwiretap.so.0 (0x0000002a95583000)
            libethereal.so.0 => /usr/lib64/libethereal.so.0 (0x0000002a956a9000)
            libnetsnmp.so.5 => /usr/lib64/libnetsnmp.so.5 (0x00000037dad00000)
            libelf.so.1 => /usr/lib64/libelf.so.1 (0x00000037d9b00000)
            libcrypto.so.4 => /lib64/libcrypto.so.4 (0x00000037daf00000)
            libgmodule-2.0.so.0 => /usr/lib64/libgmodule-2.0.so.0 (0x00000037da300000)
            libdl.so.2 => /lib64/libdl.so.2 (0x00000037d7400000)
            libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00000037d9900000)
            libm.so.6 => /lib64/tls/libm.so.6 (0x00000037d7900000)
            libpcap-0.8.3.so => /usr/lib64/libpcap-0.8.3.so (0x0000002a96692000)
            libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00000037da900000)
            libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00000037da700000)
            libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00000037da500000)
            libresolv.so.2 => /lib64/libresolv.so.2 (0x00000037d8700000)
            libz.so.1 => /usr/lib64/libz.so.1 (0x00000037d7b00000)
            libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x00000037d8100000)
            libc.so.6 => /lib64/tls/libc.so.6 (0x00000037d7600000)
            libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00000037dab00000)
            /lib64/ld-linux-x86-64.so.2 (0x00000037d7200000)

(that's a version of tethereal that's been rebuilt against the new libpcap, but subsequent behaviour is identical even if I use the CentOS-supplied tethereal).

But when I try to use it:

    # tcpdump -s 1514 -w foo.pcap
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes

    11 packets captured
    11 packets received by filter
    0 packets dropped by kernel

    # tcpdump -r foo.pcap
    reading from file foo.pcap, link-type EN10MB (Ethernet)
    11:58:02.000182 [|ether]
    11:58:02.000060 [|ether]
    11:58:02.000060 [|ether]
    11:58:02.000060 [|ether]
    11:58:03.000062 [|ether]
    11:58:03.000134 [|ether]
    11:58:03.000102 [|ether]
    11:58:03.000134 [|ether]
    11:58:03.000102 [|ether]
    11:58:03.000060 [|ether]
    11:58:03.000134 [|ether]

    # tethereal -r foo.pcap
    tethereal: "foo.pcap" appears to be damaged or corrupt.
    (pcap: File has 262152-byte packet, bigger than maximum of 65535)

If I uninstall my local packages and revert to CentOS' own:

    # rpm -e --nodeps arpwatch tcpdump.i386 tcpdump.x86_64 libpcap.i386 libpcap.x86_64 ethereal ethereal-gnome

    [root@vauxhallx ~]# yum install arpwatch tcpdump libpcap ethereal-gnome
    [...]
    Dependencies Resolved
    Transaction Listing:
      Install: arpwatch.x86_64 14:2.1a13-10.RHEL4 - update
      Install: ethereal-gnome.x86_64 0:0.10.11-1.EL4.1 - base
      Install: libpcap.i386 14:0.8.3-9.RHEL4 - base
      Install: libpcap.x86_64 14:0.8.3-10.RHEL4 - update
      Install: tcpdump.i386 14:3.8.2-10.RHEL4 - update
      Install: tcpdump.x86_64 14:3.8.2-10.RHEL4 - update
    Performing the following to resolve dependencies:
      Install: ethereal.x86_64 0:0.10.11-1.EL4.1 - base
    Total download size: 7.6 M
    Is this ok [y/N]: y
    Downloading Packages:
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing: libpcap 100 % done 1/7
      Installing: ethereal 100 % done 2/7
      Installing: libpcap 100 % done 3/7
      Installing: tcpdump 100 % done 4/7
      Installing: arpwatch 100 % done 5/7
      Installing: ethereal-gnome 100 % done 6/7
      Installing: tcpdump 100 % done 7/7
    Installed: arpwatch.x86_64 14:2.1a13-10.RHEL4 ethereal-gnome.x86_64 0:0.10.11-1.EL4.1 libpcap.i386 14:0.8.3-9.RHEL4 libpcap.x86_64 14:0.8.3-10.RHEL4 tcpdump.i386 14:3.8.2-10.RHEL4 tcpdump.x86_64 14:3.8.2-10.RHEL4
    Dependency Installed: ethereal.x86_64 0:0.10.11-1.EL4.1
    Complete!

    [root@vauxhallx ~]# tcpdump -s 1514 -w foo.pcap
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes

    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel

    [root@vauxhallx ~]# tcpdump -r foo.pcap
    reading from file foo.pcap, link-type EN10MB (Ethernet)
    12:03:12.069506 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 438264354:438264402(48) ack 562433326 win 13056
    12:03:12.069938 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 48 win 16608
    12:03:12.069965 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 48:160(112) ack 1 win 13056
    12:03:12.088801 IP zzz.bris.ac.uk.hsrp > ALL-ROUTERS.MCAST.NET.hsrp: HSRPv0-hello 20: state=active group=0 addr=zzz.bris.ac.uk
    12:03:12.188619 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 160 win 16496
    12:03:13.076233 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: P 1:81(80) ack 160 win 16496
    12:03:13.076328 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 160:208(48) ack 81 win 13056
    12:03:13.194539 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 208 win 16448
    12:03:13.337582 802.1d config 800a.00:14:69:ZZ:ZZ:ZZ.8004 root 600a.00:12:01:XX:XX:XX pathcost 4 age 1 max 14 hello 2 fdelay 10
    12:03:13.564950 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: P 81:161(80) ack 208 win 16448

    [root@vauxhallx ~]# tethereal -r foo.pcap
      1   0.000000 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=48
      2   0.000432 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=0 Ack=48 Win=16608 Len=0
      3   0.000459 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=112
      4   0.019295 xxx.xxx.xxx.251 -> 224.0.0.2 HSRP Hello (state Active)
      5   0.119113 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=0 Ack=160 Win=16496 Len=0
      6   1.006727 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa SSH Encrypted request packet len=80
      7   1.006822 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=48
      8   1.125033 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=80 Ack=208 Win=16448 Len=0
      9   1.268076 00:14:69:YY:YY:YY -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 24586/00:12:01:XX:XX:XX Cost = 4 Port = 0x8004
     10   1.495444 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa SSH Encrypted request packet len=80

Anyone got any tips or patches?

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
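The tethereal error in the message above ("File has 262152-byte packet, bigger than maximum of 65535") is the reader refusing a per-record header whose length field cannot be right. As an added example, not part of Alex's message or of Phil Wood's libpcap, here is a small Python checker that walks a classic pcap file's global header and record headers and reports the first record that breaks the format, the same class of check tethereal performs. The sample capture bytes are constructed inline. The `wide_timeval` option of the constructed writer imitates one way a 64-bit build can emit such a file (writing a native 16-byte `struct timeval` where the format specifies two 32-bit fields, so every record header is 24 bytes and the reader goes out of alignment); that is an assumption offered for illustration, not a diagnosis of the build in the message.

```python
import struct

# Layout of the classic libpcap capture file (not pcapng).
MAGIC_NATIVE = 0xA1B2C3D4   # magic in the capturing host's byte order, microsecond timestamps
MAX_SNAPLEN = 65535         # largest incl_len wiretap-era readers accept
GLOBAL_HDR_FMT = "IHHiIII"  # magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_FMT = "IIII"     # ts_sec, ts_usec, incl_len, orig_len: four 32-bit fields on every host
LINKTYPE_ETHERNET = 1
BASE_TS = 1122375482        # constructed timestamp for the sample records


def validate_pcap(data: bytes):
    """Walk a pcap byte string. Returns (records_ok, error): error is None for a
    clean file, otherwise a message naming the first record that breaks the format."""
    if len(data) < struct.calcsize("<" + GLOBAL_HDR_FMT):
        return 0, "truncated global header"
    # Byte order comes from the magic number, never from the reading host.
    if struct.unpack_from("<I", data, 0)[0] == MAGIC_NATIVE:
        endian = "<"
    elif struct.unpack_from(">I", data, 0)[0] == MAGIC_NATIVE:
        endian = ">"
    else:
        return 0, "bad magic number 0x%08x" % struct.unpack_from("<I", data, 0)[0]
    ghdr = struct.Struct(endian + GLOBAL_HDR_FMT)
    rhdr = struct.Struct(endian + RECORD_HDR_FMT)
    _, major, minor, _, _, snaplen, _ = ghdr.unpack_from(data, 0)
    if (major, minor) != (2, 4):
        return 0, f"unexpected pcap version {major}.{minor}"
    off, count = ghdr.size, 0
    while off < len(data):
        n = count + 1
        if len(data) - off < rhdr.size:
            return count, f"record {n}: truncated record header at offset {off}"
        ts_sec, ts_usec, incl_len, orig_len = rhdr.unpack_from(data, off)
        # The condition tethereal reports; a misaligned or garbage header usually trips it first.
        if incl_len > MAX_SNAPLEN:
            return count, f"record {n}: file has {incl_len}-byte packet, bigger than maximum of {MAX_SNAPLEN}"
        if incl_len > snaplen:
            return count, f"record {n}: incl_len {incl_len} exceeds snaplen {snaplen}"
        if incl_len > orig_len:
            return count, f"record {n}: incl_len {incl_len} exceeds orig_len {orig_len}"
        if ts_usec >= 1_000_000:
            return count, f"record {n}: ts_usec {ts_usec} out of range"
        if len(data) - off - rhdr.size < incl_len:
            return count, f"record {n}: packet data truncated"
        off += rhdr.size + incl_len
        count += 1
    return count, None


# Constructed 60-byte Ethernet frame used as sample packet data (broadcast dst, dummy src, IPv4 type).
FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + bytes(46)


def build_pcap(packets, snaplen=1514, wide_timeval=False, override_incl_len=None):
    """Constructed little-endian pcap writer for the samples.
    wide_timeval=True writes a native 64-bit struct timeval (24-byte record header) instead
    of the two 32-bit fields the format specifies: an assumed failure mode, for illustration.
    override_incl_len=(index, value) plants a bogus incl_len in one record header."""
    out = struct.pack("<" + GLOBAL_HDR_FMT, MAGIC_NATIVE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        incl = len(pkt)
        if override_incl_len is not None and override_incl_len[0] == i:
            incl = override_incl_len[1]
        if wide_timeval:
            out += struct.pack("<QQII", BASE_TS + i, 182, incl, len(pkt))
        else:
            out += struct.pack("<IIII", BASE_TS + i, 182, incl, len(pkt))
        out += pkt
    return out


if __name__ == "__main__":
    samples = [
        ("clean file", build_pcap([FRAME, FRAME])),
        ("oversized incl_len", build_pcap([FRAME, FRAME], override_incl_len=(1, 262152))),
        ("24-byte record headers", build_pcap([FRAME], wide_timeval=True)),
    ]
    for label, blob in samples:
        print(f"{label}: {validate_pcap(blob)}")
```

Run against a real capture, read the file with `open(path, "rb").read()` and pass the bytes in; the `records_ok` count tells you how far into the file the first bad header sits, which is useful when deciding whether a capture is salvageable or whether the writer itself is at fault.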
Current thread:
- OT-ish: libpcap apps on x86_64 Alex Butcher, ISC/ISYS (Jul 26)
- Re: [Snort-devel] OT-ish: libpcap apps on x86_64 Phil Wood (Jul 26)
- Re: [Snort-devel] OT-ish: libpcap apps on x86_64 Alex Butcher, ISC/ISYS (Jul 27)
- Re: [Snort-devel] OT-ish: libpcap apps on x86_64 Phil Wood (Jul 26)