[Snort-devel] "any" interface lossage on linux 2.2.19 with 1-way cablemodem

James P. Anderson III anderson at ...241...
Wed Jan 31 14:40:36 EST 2001


Maybe you can help with this problem as I'd like to use your fine
program.

snort 1.7 is coughing up a hairball when I specify any as an interface.  I am
thinking it has to do with my 1-way cablemodem setup.

ioctl(SIOCGIFMTU): No such device
ERROR: Can not get MTU of an interface any!


Please include the following information with your report:

System Architecture (Sparc, x86, etc)

dual P133 128MB, 

eth0: 3c509 at 0x300 tag 1, AUI port, address  00 00 c5 38 27 51, IRQ
cm0: sb1000 at (0x100,0x120), csn 1, S/N 0x30ba122e,IRQ 11.
sb1000.c:v1.1.2 6/01/98 (fventuri at ...239...)

I have a 1-way cablemodem which uses ppp as the return datastream.

cm0       Link encap:Ethernet  HWaddr 00:00:30:BA:12:2E  
          inet addr:64.9.26.220  P-t-P:10.4.33.15  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:7703649 errors:2 dropped:0 overruns:0 frame:4
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          Interrupt:11 Base address:0x100 

eth0      Link encap:Ethernet  HWaddr 00:00:C5:38:27:51  
          inet addr:192.168.23.2  Bcast:192.168.23.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:80044 errors:0 dropped:0 overruns:0 frame:0
          TX packets:101905 errors:0 dropped:0 overruns:0 carrier:0
          collisions:45 txqueuelen:100 
          Interrupt:10 Base address:0x300 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:5581967 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5581967 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:64.9.26.220  P-t-P:10.4.33.15  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:552  Metric:1
          RX packets:1087 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10 



I am running tcpdump-3.6.1 and libpcap-0.6.1.  I can successfully
run tcpdump -i any and it will work.  If I specify tcpdump -i cm0, 
I get non-IP datadumps like this:

root at ...240... /usr/local/src/libpcap-0.6.1 25 % tcpdump -i cm0
tcpdump: listening on cm0
14:23:12.968622 0:0:36:6:20:c0 45:0:0:29:2d:67 c0a8 41: 
                         1b1b 4009 1adc 0050 1d12 2234 f2f7 bbfb
                         bbd4 5018 0000 9cc4 0000 32
14:23:13.302992 0:0:fd:1:b5:1c 45:0:0:38:0:0 9d82 56: 
                         1041 4009 1adc 0301 67cc 0000 0000 4500
                         0028 b51d 0000 fc06 d309 4009 1adc c0a8
                         1b1b 1d12 0050 bbfb bbd4
14:23:14.908823 40:0:ed:6:cf:0 45:0:0:ae:d5:52 8cb0 174: 
                         0161 4009 1adc 2b98 085f 5e3f be1c eb26
                         6cea 5018 6000 1f4e 0000 7c7d dfb6 b0c0
                         9288 0816 606f bed8 fc08 f42c b845 0573
                         31c6 51ee 4383
14:23:20.475617 40:0:ed:6:cf:85 45:0:0:28:d5:53 8cb0 40: 
                         0161 4009 1adc 2b98 085f 5e3f bea2 eb26
                         6cf4 5010 6000 bde9 0000

I can see that there is TCP embedded in the data frame; the sb1000
driver must know how to extract it and inject it into the TCP stack
since both cm0 and ppp0 have the same IP address.  tcpdump -i any
does the right thing and shows the IP level traffic coming from cm0
instead of the raw frames.

Operating System and version (Linux 2.0.22, IRIX 5.3, etc)

Linux monster-zero 2.2.19pre7 #2 SMP Tue Jan 9 21:58:32 EST 2001 i586 unknown

What rules (if any) you were using

none.  Just trying to run it in sniffer mode

What command line switches you were using

-dvi any

Any Snort error messages

I #defined DEBUG 1 and recompiled...

root at ...240... /usr/local/src/snort-1.7 144 % ./snort -d -v -i any 
Parsing command line...
Processing cmd line switch: d
Data Flag active
Processing cmd line switch: v
Verbose Flag active
Processing cmd line switch: i
Interface = any
pcap_cmd is NULL!

        --== Initializing Snort ==--
Opening interface: any

Initializing Network Interface any
snaplength info: set=1514/compiled=1514/wanted=0
ioctl(SIOCGIFMTU): No such device
ERROR: Can not get MTU of an interface any!


OK, so I think it has to do with trouble determining the mtu 
of some interface, so for fun  I edited snort.c and replaced

 /* lookup mtu */
        pv.mtus[num] = GetIfrMTU(pv.interfaces[num]);

with

 /* lookup mtu */                             
        pv.mtus[num] = 1500;

recompiled and here's what I got:

root at ...240... /usr/local/src/snort-1.7 148 % ./snort -d -v -i any
Parsing command line...
Processing cmd line switch: d
Data Flag active
Processing cmd line switch: v
Verbose Flag active
Processing cmd line switch: i
Interface = any
pcap_cmd is NULL!

        --== Initializing Snort ==--
Opening interface: any

Initializing Network Interface any
snaplength info: set=1514/compiled=1514/wanted=0
Setting Packet Processor

./snort cannot handle data link type 113
Exiting...



Hope this helps.  Please let me know if you need more information.

Thanks,

Jay Anderson
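
Data link type 113 in the final error above is libpcap's DLT_LINUX_SLL, the "Linux cooked capture" header that the "any" pseudo-device delivers in place of an Ethernet header. As an added example (not part of the original post and not Snort's code), here is a minimal C decoder for that 16-byte header; the struct and function names are hypothetical and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_LINUX_SLL_NUM 113   /* value libpcap assigns to DLT_LINUX_SLL */
#define SLL_HDR_LEN       16    /* fixed size of the cooked header */
struct sll_info {               /* hypothetical struct for this example */
    uint16_t pkttype;           /* 0 to us, 1 bcast, 2 mcast, 3 other host, 4 sent by us */
    uint16_t hatype;            /* ARPHRD_* type of the real interface */
    uint16_t halen;             /* sender address length as reported */
    uint8_t  addr[8];           /* first 8 bytes of the sender address */
    uint16_t protocol;          /* EtherType of the payload, e.g. 0x0800 */
    size_t   payload_off;       /* offset of the network-layer header */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode one cooked frame. Returns 0 on success, -1 if the link type is
 * not 113 or the capture is too short to hold the 16-byte header. */
int decode_sll(int dlt, const uint8_t *pkt, size_t caplen, struct sll_info *out)
{
    if (dlt != DLT_LINUX_SLL_NUM || pkt == NULL || out == NULL || caplen < SLL_HDR_LEN)
        return -1;
    out->pkttype  = be16(pkt);
    out->hatype   = be16(pkt + 2);
    out->halen    = be16(pkt + 4);
    memcpy(out->addr, pkt + 6, sizeof out->addr);
    out->protocol = be16(pkt + 14);
    out->payload_off = SLL_HDR_LEN;
    return 0;
}

/* Constructed sample: cooked header followed by a bare 20-byte IPv4 header. */
static const uint8_t sample[] = {
    0x00,0x00, 0x00,0x01, 0x00,0x06,                   /* to us, ARPHRD_ETHER, halen 6 */
    0x02,0x00,0x00,0x00,0x00,0x01, 0x00,0x00,          /* sender address + padding */
    0x08,0x00,                                         /* IPv4 */
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc6,0x33,0x64,0x02           /* 192.0.2.1 -> 198.51.100.2 */
};

int main(void)
{
    struct sll_info s;
    if (decode_sll(113, sample, sizeof sample, &s) != 0) return 1;
    printf("proto=0x%04x ip_version=%u\n", (unsigned)s.protocol, (unsigned)(sample[s.payload_off] >> 4));
    return 0;
}
```

The cooked header carries no destination address and no interface MTU, which is consistent with the SIOCGIFMTU failure on "any" shown earlier in the report.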




