tcpdump mailing list archives
Re: New DLT needed for PPP active/passiv filtering
From: Hannes Gredler <hannes () juniper net>
Date: Tue, 17 Aug 2004 13:55:11 +0200
karsten,

could you elaborate a bit more on "it creates binary incompatible filters";
in my testbed the linux machine creates 100% correct BPF filters; e.g.

---> encaps is LINUX_SLL

# tcpdump -i ppp0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

---> lets try the filter code for icmp ....

# tcpdump -i ppp0 -d icmp
(000) ldh [14]
(001) jeq #0x800 jt 2 jf 5
(002) ldb [25]
(003) jeq #0x1 jt 4 jf 5
(004) ret #96
(005) ret #0

---> lets match on inbound direction

# tcpdump -d -i ppp0 inbound
(000) ldh [0]
(001) jeq #0x0 jt 2 jf 3
(002) ret #96
(003) ret #0

---> and outbound

# tcpdump -d -i ppp0 outbound
(000) ldh [0]
(001) jeq #0x4 jt 2 jf 3
(002) ret #96
(003) ret #0

/hannes

On Tue, Aug 17, 2004 at 12:53:54PM +0200, Karsten Keil wrote:
| Hi,
|
| between libpcap version 0.7 and 0.8 the DLT_PPP was cleaned up to no longer
| support the faked IN/OUT flag which was needed to compile filter rules
| for the PPP active/passive filtering.
| The cleanup is OK, since the native PPP frame does not have any IN/OUT flag,
| so for traffic analysers it is confusing to have a faked first byte.
|
| But for active/passive filtering, which is needed to determine for dial on
| demand which packets are allowed to create a new connection or which packets
| hold the current connection open, it is a strong demand to differ between
| own (OUT) and incoming traffic (which may contain unwanted packets, like
| port scans or packets from old lost connections (dynamic IPs maybe
| reassigned)).
|
| So I was told some months ago to use cooked mode with DLT_LINUX_SLL, which
| uses a faked 16 byte ethernet header instead of the 4 byte PPP header.
| I implemented a solution based on this, but it has big disadvantages:
|
| - it creates binary incompatible filters, it needs new core routines for
|   active/passive filter (which replace the 4 byte header with a 16 byte
|   header)
| - waste of resources, the packet handler must extend the headspace from 4 to
|   16 byte only for executing the filter
|
| Because of the incompatibility this solution was rejected by the PPP
| maintainers and I think they are right.
|
| A solution may be to create a new DLT_PPP_INOUT (better names welcome),
| which takes the first PPP byte, which is not needed for filtering, as IN/OUT
| flag (same behavior as libpcap 0.7 DLT_PPP had).
| This solution is backward compatible and needs no changes in the PPP core
| routines. Old ppp binaries (libpcap 0.7 based) will still work.
| The main DLT_PPP for traffic analyser stuff will remain clean and not
| get confused by this extra stuff.
|
| So I need a DLT number assigned for this new DLT_PPP_INOUT.
|
| --
| Karsten Keil
| ISDN development
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
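The three filter programs quoted above, run as an added example that is not part of the thread: a small Python interpreter for just the opcodes tcpdump -d printed (ldh, ldb, jeq, ret) executes them over constructed LINUX_SLL frames, showing how the 16-byte cooked header answers the direction question (offset 0 is the packet type, 0 for a frame received by the host and 4 for one it sent) while offsets 14 and 25 reach the Ethernet-type and IP-protocol fields that the icmp filter reads. The frame builder, the ARPHRD_PPP value 512 and the minimal IPv4 header are my construction, not anything from the list message.

```python
import re

# The three programs exactly as tcpdump -d printed them in the message above.
ICMP_FILTER = """(000) ldh [14]
(001) jeq #0x800 jt 2 jf 5
(002) ldb [25]
(003) jeq #0x1 jt 4 jf 5
(004) ret #96
(005) ret #0"""
INBOUND_FILTER = """(000) ldh [0]
(001) jeq #0x0 jt 2 jf 3
(002) ret #96
(003) ret #0"""
OUTBOUND_FILTER = INBOUND_FILTER.replace("#0x0", "#0x4")  # only the packet-type constant differs

def parse_program(text):
    """tcpdump -d listing -> list of (op, args); models only the opcodes used above."""
    prog = []
    for line in text.splitlines():
        op, rest = re.match(r"\(\d+\)\s+(\w+)\s+(.*)", line).groups()
        if op in ("ldh", "ldb"):      # load 16-bit / 8-bit value at absolute packet offset
            prog.append((op, int(rest.strip("[]"))))
        elif op == "jeq":             # compare accumulator; jt/jf are absolute targets
            m = re.match(r"#(\w+)\s+jt\s+(\d+)\s+jf\s+(\d+)", rest)
            prog.append((op, int(m[1], 0), int(m[2]), int(m[3])))
        else:                         # ret: accept this many bytes (0 = drop)
            prog.append((op, int(rest.lstrip("#"))))
    return prog

def run_bpf(prog, pkt):
    """Execute a parsed program; returns the accepted length (0 = packet rejected)."""
    acc, pc = 0, 0
    while True:
        op, *args = prog[pc]
        if op == "ldh":
            acc = int.from_bytes(pkt[args[0]:args[0] + 2], "big")
        elif op == "ldb":
            acc = pkt[args[0]]
        elif op == "jeq":
            pc = args[1] if acc == args[0] else args[2]
            continue
        else:
            return args[0]
        pc += 1

def cooked_frame(pkt_type, ip_proto):
    """Constructed LINUX_SLL frame: type(2) ARPHRD(2) addrlen(2) addr(8) proto(2), then minimal IPv4."""
    sll = pkt_type.to_bytes(2, "big") + (512).to_bytes(2, "big") + bytes(10) + b"\x08\x00"  # 512 = ARPHRD_PPP
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, ip_proto]) + bytes(10)  # byte 9 is the IP protocol
    return sll + ip
```

Packet type 0 (received) passes only the inbound program and type 4 (sent by this host) only the outbound one, which is the distinction a dial-on-demand policy needs; the icmp program ignores the direction field entirely.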
Current thread:
- New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 17)
- Re: New DLT needed for PPP active/passiv filtering Hannes Gredler (Aug 17)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 17)
- Re: New DLT needed for PPP active/passiv filtering Guy Harris (Aug 17)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Hannes Gredler (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Guy Harris (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Hannes Gredler (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Hannes Gredler (Aug 19)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 19)
- Re: New DLT needed for PPP active/passiv filtering Karsten Keil (Aug 18)
- Re: New DLT needed for PPP active/passiv filtering Hannes Gredler (Aug 17)