tcpdump mailing list archives
Re: New DLT needed for PPP active/passive filtering
From: Karsten Keil <kkeil () suse de>
Date: Tue, 17 Aug 2004 14:52:20 +0200
On Tue, Aug 17, 2004 at 01:55:11PM +0200, Hannes Gredler wrote:
karsten, could you elaborate a bit more on "it creates binary incompatible filters";
The filter needed for PPP active/passive filtering works on the raw PPP packet with the modified 4 byte PPP header; all prior kernels use this format. If I compile a filter with LINUX_SLL the filter offsets are for a 16 byte header, so the routine which passes the packet through the filter must add this 16 byte header, which makes the kernel incompatible (you need a new kernel and a new pppd). Unfortunately the kernel filter API has no field to determine for which DLT a filter was compiled, so it is not possible to detect a mismatch and work around it. So if you just try a new kernel, PPP active/passive filtering is no longer working, without any notice (if you have a time based internet tariff you will see that on your bill, if you use dial on demand).
in my testbed the linux machine creates 100% correct BPF filters;
Yes, for capturing PPP data it's OK, since that was implemented for LINUX_SLL. The active/passive PPP filtering was implemented for DLT_PPP.
e.g.

---> encaps is LINUX_SLL

# tcpdump -i ppp0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

---> let's try the filter code for icmp ....

# tcpdump -i ppp0 -d icmp
(000) ldh [14]
(001) jeq #0x800 jt 2 jf 5
(002) ldb [25]
(003) jeq #0x1 jt 4 jf 5
(004) ret #96
(005) ret #0

---> let's match on inbound direction

# tcpdump -d -i ppp0 inbound
(000) ldh [0]
(001) jeq #0x0 jt 2 jf 3
(002) ret #96
(003) ret #0

---> and outbound

# tcpdump -d -i ppp0 outbound
(000) ldh [0]
(001) jeq #0x4 jt 2 jf 3
(002) ret #96
(003) ret #0

/hannes

On Tue, Aug 17, 2004 at 12:53:54PM +0200, Karsten Keil wrote:
| Hi,
|
| between libpcap version 0.7 and 0.8 the DLT_PPP was cleaned up to no longer
| support the faked IN/OUT flag which was needed to compile filter rules
| for the PPP active/passive filtering.
| The cleanup is OK, since the native PPP frame does not have any IN/OUT flag,
| so for traffic analysers it is confusing to have a faked first byte.
|
| But for active/passive filtering, which is needed to determine for dial on
| demand which packets are allowed to create a new connection or which packets
| hold the current connection open, it is a strong demand to distinguish between
| own (OUT) and incoming traffic (which may contain unwanted packets, like
| port scans or packets from old lost connections (dynamic IPs maybe
| reassigned).
|
| So I was told some months ago to use cooked mode with DLT_LINUX_SLL, which
| uses a faked 16 byte ethernet header instead of the 4 byte PPP header.
| I implemented a solution based on this, but it has big disadvantages:
|
| - it creates binary incompatible filters, it needs new core routines for
| active/passive filter (which replace the 4 byte header with a 16 byte
| header)
| - waste of resources, the packet handler must extend the headspace from 4 to
| 16 byte only for executing the filter
|
| Because of the incompatibility this solution was rejected by the PPP
| maintainers and I think they are right.
|
| A solution may be to create a new DLT_PPP_INOUT (better names welcome),
| which takes the first PPP byte, which is not needed for filtering, as IN/OUT
| flag (same behavior as libpcap 0.7 DLT_PPP had).
| This solution is backward compatible and needs no changes in the PPP core
| routines. Old ppp binaries (libpcap 0.7 based) will still work.
| The main DLT_PPP for traffic analyser stuff will remain clean and not
| get confused by this extra stuff.
|
| So I need a DLT number assigned for this new DLT_PPP_INOUT.
|
| --
| Karsten Keil
| ISDN development
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
--
Karsten Keil
ISDN development
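To make the offset mismatch Karsten describes concrete, here is an added example (not from the thread, libpcap or pppd): a minimal interpreter for the four BPF opcodes in Hannes's `tcpdump -d` listings, run over one constructed ICMP echo packet framed first with the 16-byte LINUX_SLL header and then with the 4-byte PPP header. The ICMP_PPP program, the ff 03 00 21 framing and ARPHRD_PPP = 512 are my assumptions, not values taken from the page.

```python
import struct

def run_bpf(prog, pkt):
    """Classic BPF; jt/jf are absolute targets as `tcpdump -d` prints them. Returns 96 (accept) or 0."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op in ("ldh", "ldb"):                # 16- or 8-bit big-endian load
            width = 2 if op == "ldh" else 1
            if k + width > len(pkt):            # load past the end rejects, as in the kernel
                return 0
            acc = int.from_bytes(pkt[k:k + width], "big")
        elif op == "jeq":                       # branch on acc == k
            pc = jt if acc == k else jf
            continue
        elif op == "ret":
            return k
        pc += 1

# The three programs quoted from `tcpdump -d -i ppp0` (LINUX_SLL offsets).
ICMP_SLL = [("ldh", 14, 0, 0), ("jeq", 0x800, 2, 5), ("ldb", 25, 0, 0),
            ("jeq", 0x1, 4, 5), ("ret", 96, 0, 0), ("ret", 0, 0, 0)]
INBOUND_SLL = [("ldh", 0, 0, 0), ("jeq", 0x0, 2, 3), ("ret", 96, 0, 0), ("ret", 0, 0, 0)]
OUTBOUND_SLL = [("ldh", 0, 0, 0), ("jeq", 0x4, 2, 3), ("ret", 96, 0, 0), ("ret", 0, 0, 0)]
# Assumed DLT_PPP-style equivalent for the 4-byte ff 03 00 21 header: proto half-word at 2, IP proto byte at 13.
ICMP_PPP = [("ldh", 2, 0, 0), ("jeq", 0x21, 2, 5), ("ldb", 13, 0, 0),
            ("jeq", 0x1, 4, 5), ("ret", 96, 0, 0), ("ret", 0, 0, 0)]

def ipv4_icmp_echo():
    """Constructed IPv4 header + ICMP echo request (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1)

def sll_frame(pkt_type, payload):
    """16-byte Linux cooked header: pkttype (0 = to us, 4 = outgoing), ARPHRD_PPP, addr len, addr, proto."""
    return struct.pack("!HHH8sH", pkt_type, 512, 0, b"\0" * 8, 0x0800) + payload

def ppp_frame(payload):
    """4-byte PPP header as older kernels hand the packet to the filter (assumed framing)."""
    return b"\xff\x03\x00\x21" + payload

def compare_framings():
    """Same ICMP packet under both framings: 96 = accepted, 0 = rejected."""
    icmp = ipv4_icmp_echo()
    return {"sll_icmp": run_bpf(ICMP_SLL, sll_frame(0, icmp)),
            "sll_inbound": run_bpf(INBOUND_SLL, sll_frame(0, icmp)),
            "sll_outbound": run_bpf(OUTBOUND_SLL, sll_frame(4, icmp)),
            "ppp_icmp_sll_filter": run_bpf(ICMP_SLL, ppp_frame(icmp)),
            "ppp_inbound_sll_filter": run_bpf(INBOUND_SLL, ppp_frame(icmp)),
            "ppp_icmp_ppp_filter": run_bpf(ICMP_PPP, ppp_frame(icmp))}
```

With the 4-byte framing, the LINUX_SLL-compiled programs silently reject every packet (neither the ICMP match nor either direction fires), which is the failure mode the thread warns about: nothing in the filter tells the kernel which header layout it was compiled for.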