tcpdump mailing list archives

Re: New DLT needed for PPP active/passive filtering


From: Hannes Gredler <hannes () juniper net>
Date: Tue, 17 Aug 2004 13:55:11 +0200

karsten,

could you elaborate a bit more on "it creates binary incompatible filters";

in my testbed the linux machine creates 100% correct BPF filters;

e.g.

---> encaps is LINUX_SLL
# tcpdump -i ppp0 icmp   
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

---> let's try the filter code for icmp ....
# tcpdump -i ppp0 -d icmp   
(000) ldh      [14]
(001) jeq      #0x800           jt 2    jf 5
(002) ldb      [25]
(003) jeq      #0x1             jt 4    jf 5
(004) ret      #96
(005) ret      #0

---> let's match on inbound direction
# tcpdump -d -i ppp0 inbound 
(000) ldh      [0]
(001) jeq      #0x0             jt 2    jf 3
(002) ret      #96
(003) ret      #0

---> and outbound
# tcpdump -d -i ppp0 outbound   
(000) ldh      [0]
(001) jeq      #0x4             jt 2    jf 3
(002) ret      #96
(003) ret      #0


/hannes


On Tue, Aug 17, 2004 at 12:53:54PM +0200, Karsten Keil wrote:
| Hi,
| 
| between libpcap version 0.7 and 0.8 the DLT_PPP was cleaned up to no longer
| support the faked IN/OUT flag which was needed to compile filter rules
| for the PPP active/passive filtering.
| The cleanup is OK, since the native PPP frame does not have any IN/OUT flag,
| so for traffic analysers it is confusing to have a faked first byte.
| 
| But for active/passive filtering, which is needed to determine for dial on
| demand which packets are allowed to create a new connection or which packets
| hold the current connection open, it is a strong demand to distinguish between
| own (OUT) and incoming traffic (which may contain unwanted packets, like
| port scans or packets from old lost connections (dynamic IPs may be
| reassigned).
| 
| So I was told some months ago to use cooked mode with DLT_LINUX_SLL, which
| uses a faked 16 byte ethernet header instead of the 4 byte PPP header.
| I implemented a solution based on this, but it has big disadvantages:
| 
| - it creates binary incompatible filters, it needs new core routines for
|   active/passive filter (which replace the 4 byte header with a 16 byte
|   header)
| - waste of resources, the packet handler must extend the headspace from 4 to
|   16 byte only for executing the filter
| 
| Because of the incompatibility this solution was rejected by the PPP
| maintainers and I think they are right.
| 
| A solution may be to create a new DLT_PPP_INOUT (better names welcome),
| which takes the first PPP byte, which is not needed for filtering, as IN/OUT
| flag (same behavior as libpcap 0.7 DLT_PPP had).
| This solution is backward compatible and needs no changes in the PPP core
| routines. Old ppp binaries (libpcap 0.7 based) will still work.
| The main DLT_PPP for traffic analyser stuff will remain clean and not
| get confused by this extra stuff.
| 
| So I need a DLT number assigned for this new DLT_PPP_INOUT.
| 
| -- 
| Karsten Keil
| ISDN development
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
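The three `tcpdump -d` listings above, and the LINUX_SLL layout they read from, as an added example that is not part of this thread: a small interpreter for the ldh/ldb/jeq/ret subset runs the compiled programs over constructed cooked frames (pkttype 0 = inbound, 4 = outgoing; protocol at offset 14, IP protocol byte at 16+9 = 25), and also shows why the same bytecode rejects a native 4-byte PPP frame, which is Karsten's "binary incompatible filters" point. The frame builders, the hatype value ARPHRD_PPP = 512 and the helper names are assumptions of this example.

```python
import struct

# The three filter programs exactly as `tcpdump -d` printed them above for the
# LINUX_SLL encapsulation: (op, k) for loads, (op, k, jt, jf) for jumps.
ICMP = [("ldh", 14), ("jeq", 0x800, 2, 5), ("ldb", 25), ("jeq", 0x1, 4, 5),
        ("ret", 96), ("ret", 0)]
INBOUND = [("ldh", 0), ("jeq", 0x0, 2, 3), ("ret", 96), ("ret", 0)]
OUTBOUND = [("ldh", 0), ("jeq", 0x4, 2, 3), ("ret", 96), ("ret", 0)]

def run_bpf(prog, pkt):
    """Interpret the ldh/ldb/jeq/ret subset; an out-of-bounds load rejects (returns 0)."""
    pc, acc = 0, 0
    while True:
        insn = prog[pc]
        if insn[0] == "ldh":                      # load 16-bit big-endian at offset k
            if insn[1] + 2 > len(pkt):
                return 0
            acc = struct.unpack_from("!H", pkt, insn[1])[0]
        elif insn[0] == "ldb":                    # load one byte at offset k
            if insn[1] >= len(pkt):
                return 0
            acc = pkt[insn[1]]
        elif insn[0] == "jeq":                    # jump to jt if acc == k else jf
            pc = insn[2] if acc == insn[1] else insn[3]
            continue
        else:                                     # ret: accept k bytes (0 = drop)
            return insn[1]
        pc += 1

def ipv4_header(proto):
    """Constructed minimal 20-byte IPv4 header; only the protocol byte (offset 9) matters."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, bytes(4), bytes(4))

def sll_frame(pkttype, proto):
    """Constructed Linux cooked frame: 16-byte SLL header (pkttype, hatype, halen,
    8-byte address, protocol) with hatype ARPHRD_PPP = 512 (assumed) and ETH_P_IP."""
    return struct.pack("!HHH8sH", pkttype, 512, 0, bytes(8), 0x0800) + ipv4_header(proto)

def ppp_frame(proto):
    """Constructed native PPP frame: 4-byte header FF 03 00 21 (IP), then IPv4."""
    return b"\xff\x03\x00\x21" + ipv4_header(proto)

def classify(pkt):
    """Return which of the three SLL-compiled filters accept the packet."""
    return {name: run_bpf(prog, pkt) > 0
            for name, prog in (("icmp", ICMP), ("inbound", INBOUND), ("outbound", OUTBOUND))}
```

Running the SLL-compiled `icmp` program over a native PPP frame reads the IPv4 checksum field at offset 14 instead of the SLL protocol field, so it never matches; the same offsets only make sense with the 16-byte cooked header in front.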