tcpdump & bpf system calls

Post by Simon Chan » Tue, 17 Sep 2002 10:08:08



Howdy y'all,

Hope y'all had a nice weekend.  This morning I was playing with my
4.5-release machine and I attempted the following:

tcpdump -r /usr/home/trial1 -w /dev/bpf0

on a machine that has three NICs, with fxp0 being set to DHCP.  But the
machine responded that the "device was busy".  I am also running ipfw on it
so that may explain why I got the error message.  I then tried to do it on
bpf1 and it just returned me to the shell with no error messages.

Now, according to the man page for bpf, when a particular system call is
made to the bpf device and then if I try to dump data to the interface
(which is what I am doing in the example above), I would get the error
message.  So the phenomenon I witnessed may be due to that.  However, at the
end of the man page, it also said something about a bug in bpf such that the
raw data dumped to a bpf* associated with one interface may also end up with
other bpf* device and possibly other interfaces.  So the questions I have
are:

1)  By dumping the raw data from that file into bpf1 instead of bpf0, did
the data get written to (and egress) the fxp0 interface?  Keep in mind that
that is the ONLY interface configured as DHCP.

2)  What else would I have to see to rule out that this "bug" was acting up
instead of a normal system function?  In other words, was the error "device
was busy" caused by ipfw locking the device or was it caused by something
else?

TIA,

Simon Chang


tcpdump & bpf system calls

Post by Lowell Gilber » Fri, 20 Sep 2002 00:04:14



> tcpdump -r /usr/home/trial1 -w /dev/bpf0

> on a machine that has three NICs, with fxp0 being set to DHCP.  But the
> machine responded that the "device was busy".  I am also running ipfw on it
> so that may explain why I got the error message.

bpf0 was probably busy with DHCP.

> I then tried to do it on
> bpf1 and it just returned me to the shell with no error messages.

Sounds like /usr/home/trial1 was empty.  

> Now, according to the man page for bpf, when a particular system call is
> made to the bpf device and then if I try to dump data to the interface
> (which is what I am doing in the example above), I would get the error
> message.  So the phenomenon I witnessed may be due to that.  However, at the
> end of the man page, it also said something about a bug in bpf such that the
> raw data dumped to a bpf* associated with one interface may also end up with
> other bpf* device and possibly other interfaces.  So the questions I have
> are:

> 1)  By dumping the raw data from that file into bpf1 instead of bpf0, did
> the data get written to (and egress) the fxp0 interface?  Keep in mind that
> that is the ONLY interface configured as DHCP.

> 2)  What else would I have to see to rule out that this "bug" was acting up
> instead of a normal system function?  In other words, was the error "device
> was busy" caused by ipfw locking the device or was it caused by something
> else?

I think you're misunderstanding tcpdump's -r flag.  It doesn't send
anything to the network; it just sets where the packet data is taken
*from*.  It is normally used to interpret the contents of a file that
was created with tcpdump's -w flag.
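tcpdump's -w writes, and -r reads, the pcap savefile layout on disk, not a network interface. The following is an added example (my own Python reimplementation of that layout, not tcpdump's or libpcap's code) that writes one constructed Ethernet frame in that format and parses it back with the magic and length checks a reader should apply, so input that was not produced by -w is rejected instead of interpreted.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # magic number that starts every classic pcap savefile
DLT_EN10MB = 1            # link type tcpdump records for an Ethernet capture

# Constructed sample frame, not a real capture: Ethernet header (broadcast dst,
# made-up src, EtherType ARP) padded to the 60-byte minimum frame size.
SAMPLE_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 46


def write_pcap(packets: List[Tuple[int, int, bytes]], linktype: int = DLT_EN10MB,
               snaplen: int = 65535, endian: str = "<") -> bytes:
    """Serialize (ts_sec, ts_usec, frame) records in the layout `tcpdump -w` produces."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, frame in packets:
        caplen = min(len(frame), snaplen)   # -w stores at most snaplen bytes per packet
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, caplen, len(frame))
        out += frame[:caplen]
    return out


def read_pcap(data: bytes) -> Tuple[int, List[Tuple[int, int, bytes]]]:
    """Parse a savefile the way `tcpdump -r` consumes it: global header, then records.
    Input without the magic is rejected rather than guessed at, and every record
    length is checked against the snaplen and the remaining file size."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:           # same magic as written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a pcap savefile (magic 0x%08x)" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if caplen > snaplen or caplen > origlen or off + caplen > len(data):
            raise ValueError("bad record length at offset %d" % (off - 16))
        records.append((ts_sec, ts_usec, data[off:off + caplen]))
        off += caplen
    return linktype, records
```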

