[Snort-devel] "any" interface lossage on linux 2.2.19 with 1-way cablemodem

Eugene Tsyrklevich eugene at ...223...
Thu Feb 1 01:05:32 EST 2001


Your snort binary was probably linked with an older version of libpcap which
doesn't understand device "any"

run 

ldd /usr/local/src/snort-1.7/snort

and

ldd /usr/local/src/tcpdump-3.6.1

and compare the version numbers on -lpcap
try relinking snort with libpcap installed in /usr/local/src/libpcap-0.6.1
and then try again


cheers


On Wed, Jan 31, 2001 at 02:40:36PM -0500, James P. Anderson III wrote:
> Maybe you can help with this problem as I'd like to use your fine
> program.
> 
> snort 1.7 is coughing up a hairball when I specify any as an interface.  I am
> thinking it has to do with my 1-way cablemodem setup.
> 
> ioctl(SIOCGIFMTU): No such device
> ERROR: Can not get MTU of an interface any!
> 
> 
> Please include the following information with your report:
> 
> System Architecture (Sparc, x86, etc)
> 
> dual P133 128MB, 
> 
> eth0: 3c509 at 0x300 tag 1, AUI port, address  00 00 c5 38 27 51, IRQ
> cm0: sb1000 at (0x100,0x120), csn 1, S/N 0x30ba122e,IRQ 11.
> sb1000.c:v1.1.2 6/01/98 (fventuri at ...239...)
> 
> I have a 1-way cablemodem which uses ppp as the return datastream.
> 
> cm0       Link encap:Ethernet  HWaddr 00:00:30:BA:12:2E  
>           inet addr:64.9.26.220  P-t-P:10.4.33.15  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
>           RX packets:7703649 errors:2 dropped:0 overruns:0 frame:4
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
>           Interrupt:11 Base address:0x100 
> 
> eth0      Link encap:Ethernet  HWaddr 00:00:C5:38:27:51  
>           inet addr:192.168.23.2  Bcast:192.168.23.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:80044 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:101905 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:45 txqueuelen:100 
>           Interrupt:10 Base address:0x300 
> 
> lo        Link encap:Local Loopback  
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:3924  Metric:1
>           RX packets:5581967 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:5581967 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
> 
> ppp0      Link encap:Point-to-Point Protocol  
>           inet addr:64.9.26.220  P-t-P:10.4.33.15  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:552  Metric:1
>           RX packets:1087 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:25899 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:10 
> 
> 
> 
> I am running tcpdump-3.6.1 and libpcap-0.6.1.  I can successfully
> run tcpdump -i any and it will work.  If I specify tcpdump -i cm0, 
> I get non-IP data dumps like this:
> 
> root at ...240... /usr/local/src/libpcap-0.6.1 25 % tcpdump -i cm0
> tcpdump: listening on cm0
> 14:23:12.968622 0:0:36:6:20:c0 45:0:0:29:2d:67 c0a8 41: 
>                          1b1b 4009 1adc 0050 1d12 2234 f2f7 bbfb
>                          bbd4 5018 0000 9cc4 0000 32
> 14:23:13.302992 0:0:fd:1:b5:1c 45:0:0:38:0:0 9d82 56: 
>                          1041 4009 1adc 0301 67cc 0000 0000 4500
>                          0028 b51d 0000 fc06 d309 4009 1adc c0a8
>                          1b1b 1d12 0050 bbfb bbd4
> 14:23:14.908823 40:0:ed:6:cf:0 45:0:0:ae:d5:52 8cb0 174: 
>                          0161 4009 1adc 2b98 085f 5e3f be1c eb26
>                          6cea 5018 6000 1f4e 0000 7c7d dfb6 b0c0
>                          9288 0816 606f bed8 fc08 f42c b845 0573
>                          31c6 51ee 4383
> 14:23:20.475617 40:0:ed:6:cf:85 45:0:0:28:d5:53 8cb0 40: 
>                          0161 4009 1adc 2b98 085f 5e3f bea2 eb26
>                          6cf4 5010 6000 bde9 0000
> 
> I can see that there is TCP embedded in the data frame; the sb1000
> driver must know how to extract it and inject it into the TCP stack
> since both cm0 and ppp0 have the same IP address.  tcpdump -i any
> does the right thing and shows the IP level traffic coming from cm0
> instead of the raw frames.
> 
> Operating System and version (Linux 2.0.22, IRIX 5.3, etc)
> 
> Linux monster-zero 2.2.19pre7 #2 SMP Tue Jan 9 21:58:32 EST 2001 i586 unknown
> 
> What rules (if any) you were using
> 
> none.  Just trying to run it in sniffer mode
> 
> What command line switches you were using
> 
> -dvi any
> 
> Any Snort error messages
> 
> I #defined DEBUG 1 and recompiled...
> 
> root at ...240... /usr/local/src/snort-1.7 144 % ./snort -d -v -i any 
> Parsing command line...
> Processing cmd line switch: d
> Data Flag active
> Processing cmd line switch: v
> Verbose Flag active
> Processing cmd line switch: i
> Interface = any
> pcap_cmd is NULL!
> 
>         --== Initializing Snort ==--
> Opening interface: any
> 
> Initializing Network Interface any
> snaplength info: set=1514/compiled=1514/wanted=0
> ioctl(SIOCGIFMTU): No such device
> ERROR: Can not get MTU of an interface any!
> 
> 
> OK, so I think it has to do with trouble determining the mtu 
> of some interface, so for fun I edited snort.c and replaced
> 
>  /* lookup mtu */
>         pv.mtus[num] = GetIfrMTU(pv.interfaces[num]);
> 
> with
> 
>  /* lookup mtu */                             
>         pv.mtus[num] = 1500;
> 
> recompiled and here's what I got:
> 
> root at ...240... /usr/local/src/snort-1.7 148 % ./snort -d -v -i any
> Parsing command line...
> Processing cmd line switch: d
> Data Flag active
> Processing cmd line switch: v
> Verbose Flag active
> Processing cmd line switch: i
> Interface = any
> pcap_cmd is NULL!
> 
>         --== Initializing Snort ==--
> Opening interface: any
> 
> Initializing Network Interface any
> snaplength info: set=1514/compiled=1514/wanted=0
> Setting Packet Processor
> 
> ./snort cannot handle data link type 113
> Exiting...
> 
> 
> 
> Hope this helps.  Please let me know if you need more information.
> 
> Thanks,
> 
> Jay Anderson
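Both symptoms in the thread trace back to one fact: on the Linux "any" pseudo-device libpcap returns DLT_LINUX_SLL (113) "cooked" frames with a 16-byte link header rather than the 14-byte Ethernet header (DLT_EN10MB) that Snort 1.7's packet processors knew, so once the MTU lookup was bypassed it bailed on the data link type. The following is an added illustration, not Snort's or libpcap's code; the DLT values are the standard libpcap ones, the sample frame is constructed, and `demo_offset` / `demo_src_octet` are helper names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DLT_EN10MB     1    /* standard libpcap value: Ethernet */
#define DLT_LINUX_SLL  113  /* standard libpcap value: Linux "cooked" capture ("any" device) */

/* Link-layer header length for the two DLTs in play; -1 otherwise (Snort 1.7's "cannot handle" branch). */
int link_hdr_len(int dlt)
{
    switch (dlt) {
    case DLT_EN10MB:    return 14; /* dst MAC(6) src MAC(6) EtherType(2) */
    case DLT_LINUX_SLL: return 16; /* pkttype(2) ARPHRD(2) halen(2) addr(8) proto(2) */
    default:            return -1;
    }
}

/* Copy the IPv4 source/destination octets out of a captured frame. Returns the IPv4 header
 * offset, or -1 if the DLT is unsupported, the frame is short, or the protocol field
 * (the last two big-endian bytes of either link header) is not 0x0800. */
int ipv4_addrs(int dlt, const uint8_t *frame, size_t len, uint8_t src[4], uint8_t dst[4])
{
    int hl = link_hdr_len(dlt);
    if (hl < 0 || len < (size_t)hl + 20) return -1;
    if ((((unsigned)frame[hl - 2] << 8) | frame[hl - 1]) != 0x0800) return -1;
    if ((frame[hl] >> 4) != 4) return -1;           /* IP version nibble */
    memcpy(src, frame + hl + 12, 4);
    memcpy(dst, frame + hl + 16, 4);
    return hl;
}

/* Constructed sample (not a real capture): one DLT_LINUX_SLL frame with a made-up
 * MAC 02:00:00:00:00:01 carrying a minimal IPv4 header 192.168.23.2 -> 10.4.33.15. */
static const uint8_t sample_sll[] = {
    0x00,0x00, 0x00,0x01, 0x00,0x06, 0x02,0x00,0x00,0x00,0x00,0x01,0x00,0x00, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00, 192,168,23,2, 10,4,33,15
};

/* Parse the sample under a given DLT: 16 as SLL, -1 when misread as Ethernet (the 14-byte
 * assumption puts the "EtherType" inside the SLL address field). */
int demo_offset(int dlt)
{
    uint8_t s[4], d[4];
    return ipv4_addrs(dlt, sample_sll, sizeof sample_sll, s, d);
}

/* i-th octet of the sample's IPv4 source address when parsed as SLL; -1 on failure. */
int demo_src_octet(int i)
{
    uint8_t s[4], d[4];
    if (i < 0 || i > 3) return -1;
    return ipv4_addrs(DLT_LINUX_SLL, sample_sll, sizeof sample_sll, s, d) < 0 ? -1 : s[i];
}
```

A capture tool that dispatches on `pcap_datalink()` this way handles "any" and a plain Ethernet interface alike; one that hardcodes the 14-byte offset silently misparses every cooked frame.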
