[Snort-users] Problem with snort and AIX

Martin Roesch roesch at ...1...
Wed Sep 6 12:51:42 EDT 2000


Here's a message from the tcpdump-workers mailing list that discusses a
solution for this problem.  Try it out!  

If anyone has an AIX box they'd like to send me, I'd love to improve Snort's
AIX support. :)

   -Marty

==================================================================

Hi,

I have managed to successfully compile and use the latest
snapshot of libpcap under AIX using DLPI.  bpf is majorly
brain-dead under AIX, and very unsupported.  Rather than
find all the bugs in AIX's bpf, I decided to try using
dlpi, which is officially supported.

The first step is to get the setup right.  To determine if
you have the dlpi driver loaded correctly, type:
strload -q -d dlpi

If the result is:
dlpi: yes

then you are ready to use dlpi.

If you get:
dlpi: no

Then you need to type:
strload -f /etc/dlpi.conf

Check again with strload -q -d dlpi that the dlpi driver is loaded.

I had to make one minor code change to pcap-dlpi.c.  Maybe someone
can explain it to me, because I am not familiar with dlpi or
streams programming.  It took me hours to figure this out, because
I'm not familiar with dlpi.

In pcap-dlpi.c, lines 316-320:
#if !defined(HAVE_HPUX9) && !defined(HAVE_HPUX10_20) && !defined(sinix)
	if (dlbindreq(p->fd, 0, ebuf) < 0 ||
	    dlbindack(p->fd, (char *)buf, ebuf) < 0)
		goto bad;
#endif

I changed it to:
#if !defined(HAVE_HPUX9) && !defined(HAVE_HPUX10_20) && !defined(sinix)
	if (dlbindreq(p->fd, 1620, ebuf) < 0 ||
	    dlbindack(p->fd, (char *)buf, ebuf) < 0)
		goto bad;
#endif

I picked the number 1620 out of thin air.  The second parameter
to dlbindreq() sets the value of dl_sap.  This dl_sap
value is then passed along to the DLPI driver through
the DL_BIND_REQ primitive.  I guess that it cannot be 0 under
AIX, but I'm not sure.

If someone knows anything about DLPI, I'd appreciate a clarification.
Basically, I am just using the DLPI specification at:
http://www.opengroup.org/onlinepubs/009638599/ which is pretty good.
The AIX documentation is not so well written.

But basically, after I fixed up pcap-dlpi.c, I managed to get libpcap
working under AIX.  This enabled me to successfully run Ethereal,
i.e., all the packets on my Ethernet network correctly showed up
as Ethernet and not Token Ring in the Ethereal screen.

YAY!
-- 
Craig Rodrigues        
http://www.gis.net/~craigr    
rodrigc at ...422...    
==================================================================

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
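Editor's added example, not libpcap's code and not Craig's: the DLPI bind exchange that dlbindreq()/dlbindack() in pcap-dlpi.c perform, reduced to building the DL_BIND_REQ control message and interpreting the provider's reply, so you can see exactly where the dl_sap value discussed above (0 versus 1620) ends up and what a refusal looks like. The typedefs and numeric constants are reproduced from the DLPI specification so the file compiles on any system without <sys/dlpi.h>; on AIX you would include that header instead of redefining them. The two make_* functions construct replies standing in for a real DLPI provider.

```c
/* Added example, not libpcap's or the poster's code: the DLPI bind exchange behind
 * dlbindreq()/dlbindack() in pcap-dlpi.c, reduced to building the DL_BIND_REQ and
 * interpreting the reply, so the dl_sap value the post changes from 0 to 1620 is
 * visible where it goes.  Typedefs and constants are reproduced from the DLPI spec
 * to compile without <sys/dlpi.h>; on AIX include that header instead. */
#include <stdint.h>
#include <string.h>

typedef uint32_t t_uscalar_t;   /* DLPI scalar type; assumed 32 bits here */
#define DL_BIND_REQ   0x01      /* primitive numbers per the DLPI spec */
#define DL_BIND_ACK   0x04
#define DL_ERROR_ACK  0x05
#define DL_CLDLS      0x02      /* connectionless service, what libpcap requests */
#define DL_BADSAP     0x00      /* dl_errno value: "bad LSAP selector" */

typedef struct {                /* DL_BIND_REQ (dl_bind_req_t) */
    t_uscalar_t dl_primitive;
    t_uscalar_t dl_sap;         /* the field the post sets to 1620 instead of 0 */
    t_uscalar_t dl_max_conind;
    t_uscalar_t dl_service_mode;
    t_uscalar_t dl_conn_mgmt;
    t_uscalar_t dl_xidtest_flg;
} dl_bind_req_t;

typedef struct {                /* DL_BIND_ACK: provider echoes the SAP it bound */
    t_uscalar_t dl_primitive;
    t_uscalar_t dl_sap;
    t_uscalar_t dl_addr_length;
    t_uscalar_t dl_addr_offset;
    t_uscalar_t dl_max_conind;
    t_uscalar_t dl_xidtest_flg;
} dl_bind_ack_t;

typedef struct {                /* DL_ERROR_ACK: why a request was refused */
    t_uscalar_t dl_primitive;
    t_uscalar_t dl_error_primitive;
    t_uscalar_t dl_errno;
    t_uscalar_t dl_unix_errno;
} dl_error_ack_t;

/* Control part of a DL_BIND_REQ for 'sap' (what putmsg() would send).
 * Returns bytes written, or 0 if the buffer is too small. */
size_t build_bind_req(unsigned char *buf, size_t buflen, t_uscalar_t sap)
{
    dl_bind_req_t req;
    if (buflen < sizeof req) return 0;
    memset(&req, 0, sizeof req);
    req.dl_primitive = DL_BIND_REQ;
    req.dl_sap = sap;
    req.dl_service_mode = DL_CLDLS;
    memcpy(buf, &req, sizeof req);
    return sizeof req;
}

/* Interpret the reply getmsg() would return.  1: DL_BIND_ACK for the SAP asked
 * for; 0: DL_BIND_ACK but the provider bound a different SAP; -1: DL_ERROR_ACK
 * (dl_errno copied to *dl_errno_out); -2: short or unexpected message. */
int check_bind_reply(const unsigned char *buf, size_t len,
                     t_uscalar_t expected_sap, t_uscalar_t *dl_errno_out)
{
    t_uscalar_t prim;
    if (len < sizeof prim) return -2;
    memcpy(&prim, buf, sizeof prim);
    if (prim == DL_BIND_ACK && len >= sizeof(dl_bind_ack_t)) {
        dl_bind_ack_t ack;
        memcpy(&ack, buf, sizeof ack);
        return ack.dl_sap == expected_sap ? 1 : 0;
    }
    if (prim == DL_ERROR_ACK && len >= sizeof(dl_error_ack_t)) {
        dl_error_ack_t err;
        memcpy(&err, buf, sizeof err);
        if (dl_errno_out) *dl_errno_out = err.dl_errno;
        return -1;
    }
    return -2;
}

/* Constructed replies standing in for a real DLPI provider. */
size_t make_bind_ack(unsigned char *buf, t_uscalar_t sap)
{
    dl_bind_ack_t ack = { DL_BIND_ACK, sap, 6, sizeof(dl_bind_ack_t), 0, 0 };
    memcpy(buf, &ack, sizeof ack);
    return sizeof ack;
}

size_t make_error_ack(unsigned char *buf, t_uscalar_t dl_errno)
{
    dl_error_ack_t err = { DL_ERROR_ACK, DL_BIND_REQ, dl_errno, 0 };
    memcpy(buf, &err, sizeof err);
    return sizeof err;
}
```

To drive it, build_bind_req() fills the buffer libpcap would hand to putmsg(), and check_bind_reply() is applied to whatever comes back from getmsg(): the -1 path, with dl_errno set, is the case where libpcap's dlbindack() fails and pcap_open_live() bails out, which is the "goto bad" in the quoted code. Two points worth knowing when reading Craig's change: the DL_BIND_ACK carries the SAP the provider actually bound, so it is worth comparing against what was requested rather than assuming, and 1620 (0x654) happens to sit in the Ethernet type range at or above 0x600 (1536). As far as I recall, later releases of pcap-dlpi.c carry an AIX-specific bind using a SAP of 1537 with a comment that IBM support recommended values of at least 0x600 for standard Ethernet, which would explain why 0 is rejected there and an arbitrary value above 0x600 works.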


