So, we have...

eth1 - DLT_ is 1 - matches table (mtu 1514/header 14)

sit1 - DLT_ is 12 -
tun# - DLT_ is 12 -

The dlt table in Linux is in /usr/include/net/bpf.h

/*
 * These are values from the traditional libpcap "bpf.h".
 * Ports of this to particular platforms should replace these definitions
 * with the ones appropriate to that platform, if the values are
 * different on that platform.
 */
#define DLT_ATM_RFC1483 11      /* LLC/SNAP encapsulated atm */
#define DLT_RAW         12      /* raw IP */

Interestingly, in globals-core.c, we have a partial definition:

  /* _mtuSize[DLT_RAW] = ?                                        raw IP */
  _headerSize[DLT_RAW] = 0;


Here's the issue.  We use the MTU value to tag suspicious packets (longer
than they're 'supposed' to be) in pbuf.c.

That 1500 value everyone is fond of from ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:03:47:B1:62:26
          inet addr:192.168.42.36  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2950659 errors:0 dropped:0 overruns:0 frame:39
          TX packets:1996494 errors:0 dropped:0 overruns:5 carrier:2
          collisions:65950 txqueuelen:100
          RX bytes:669533955 (638.5 Mb)  TX bytes:359496893 (342.8 Mb)
          Interrupt:5 Base address:0xf000

is the Ethernet frame limit MTU.

BUT DLT_RAW means just that - a raw tcp/ip packet with no DLT header.  It
could be (e.g. tun/tap) a fake Ethernet device, so limited to 1500.  But it
could be ANYTHING, so that the packet length could be ANY length, up to the
theoretical limit of 64K-1-40 or 65495 (see RFC 879,
http://www.faqs.org/rfcs/rfc879.html) (oh, and don't forget the JumboGrams -
http://www.faqs.org/rfcs/rfc2147.html).

Plus we use the other derived value, headerSize, in the nfs plugin and we
use them both in pbuf without checking if the values are valid.

I can clean up the logic a bit, but I still can't do more than issue the
warning and ignore the MTU/Header size where we don't know them
(incidentally disabling that part of the suspicious packet dump).


As to why ntop is failing, it's something else - that ERROR message isn't
fatal.  Usual answer is to fix your file permissions.

-----Burton
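
An added example, not part of the original message and not ntop's own code: a per-DLT table that records whether the MTU and header size are known separately from their values, so that DLT_RAW's legitimate header size of 0 is usable while its unknown MTU disables the oversize check. The EX_ names, the table size and both function names are assumptions made for this sketch; the numbers come from the log and bpf.h excerpt above.

```c
#include <stddef.h>
#include <stdio.h>

#define EX_DLT_EN10MB 1    /* eth1 in the log: mtu 1514, header 14 */
#define EX_DLT_RAW    12   /* sit1/tun#: raw IP, no link-layer header */
#define EX_MAX_DLT    32   /* hypothetical table size for this sketch */

enum len_verdict { LEN_OK, LEN_SUSPICIOUS, LEN_UNCHECKED };

struct dlt_info {
    unsigned mtu;                /* valid only when mtu_known is set */
    unsigned header;             /* valid only when header_known is set */
    unsigned char mtu_known, header_known;
};

/* Entries not listed stay zeroed, i.e. nothing is known about them. */
static const struct dlt_info dlt_table[EX_MAX_DLT] = {
    [EX_DLT_EN10MB] = { 1514, 14, 1, 1 },
    [EX_DLT_RAW]    = { 0, 0, 0, 1 },   /* header 0 is real, MTU unknown */
};

static const struct dlt_info *dlt_lookup(int dlt)
{
    if (dlt < 0 || dlt >= EX_MAX_DLT)
        return NULL;             /* never index the table out of range */
    return &dlt_table[dlt];
}

/* Oversize check: only tags a packet when the MTU for this DLT is known. */
enum len_verdict check_packet_len(int dlt, size_t wire_len)
{
    const struct dlt_info *d = dlt_lookup(dlt);
    if (d == NULL || !d->mtu_known)
        return LEN_UNCHECKED;
    return wire_len > d->mtu ? LEN_SUSPICIOUS : LEN_OK;
}

/* Offset of the network-layer data, or -1 if it cannot be trusted. */
long payload_offset(int dlt, size_t cap_len)
{
    const struct dlt_info *d = dlt_lookup(dlt);
    if (d == NULL || !d->header_known || cap_len < d->header)
        return -1;               /* unknown DLT or frame shorter than header */
    return (long)d->header;
}

int main(void)
{
    printf("eth 1515 bytes -> %d\n", check_packet_len(EX_DLT_EN10MB, 1515));
    printf("raw 65495 bytes -> %d\n", check_packet_len(EX_DLT_RAW, 65495));
    printf("raw payload offset -> %ld\n", payload_offset(EX_DLT_RAW, 40));
    return 0;
}
```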

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Julien TOUCHE
Sent: Friday, November 07, 2003 8:03 AM
To: [EMAIL PROTECTED]
Subject: Re: [Ntop] Unknown DLT types


Burton Strauss wrote:

> You've gotta run it with -t 4 or -t 5, so we can see the DLT code # being
> returned from libpcap. (I suppose I should add that to the error message
> too).
>
> All the error is saying is that the values for the DLT_ code aren't in the
> table, so the header length is zero, which is bad.

(gdb) run  -u ntop -w 192.168.2.1:3000 -p /etc/ntop/protocol.list -P
/var/lib/ntop -a /var/lib/ntop/access.log -i
eth1,sit1,tun3,tun4,tun7,tun9 -t 5 -O /var/log/ntop/ -M -m
192.168.2.0/24
Starting program: /export/opt/bin/ntop -u ntop -w 192.168.2.1:3000 -p
/etc/ntop/protocol.list -P /var/lib/ntop -a /var/lib/ntop/access.log -i
eth1,sit1,tun3,tun4,tun7,tun9 -t 5 -O /var/log/ntop/ -M -m 192.168.2.0/24
[New Thread 16384 (LWP 8498)]
07/Nov/2003 14:53:59 [util:2305] **WARNING** Trailing slash removed from
argument '/var/log/ntop/'
07/Nov/2003 14:53:59 [main:1099] ntop v.2.2.96 MT (SSL)
[i586-pc-linux-gnu (debian Linux 3.0)] (11/07/03 09:28:11 AM build)
07/Nov/2003 14:53:59 [main:1101] Copyright 1998-2003 by Luca Deri
<[EMAIL PROTECTED]>
07/Nov/2003 14:53:59 [main:1102] Get the freshest ntop from
http://www.ntop.org/
07/Nov/2003 14:53:59 [main:1106] Initializing ntop
07/Nov/2003 14:53:59 [initialize:117] Initializing IP services
07/Nov/2003 14:53:59 [ntop:432] PROTO_INIT: Processing protocol file:
'/etc/ntop/protocol.list', size: 424
07/Nov/2003 14:53:59 [initialize:1352] Initializing network devices
07/Nov/2003 14:53:59 [initialize:1070] Adding network device eth1
07/Nov/2003 14:53:59 [initialize:1231] Interface 'eth1' (netmask
255.255.255.0) computed network size is 606 hosts
07/Nov/2003 14:53:59 [initialize:1246] MEMORY: ipTrafficMatrix base (no
TrafficEntry) for interface 'eth1' is  1.45MB
07/Nov/2003 14:53:59 [initialize:1294] Checking eth1 for additional devices
07/Nov/2003 14:53:59 [initialize:1300] Checking eth1:0
07/Nov/2003 14:53:59 [initialize:739] Resetting traffic statistics for
device eth1
07/Nov/2003 14:53:59 [initialize:1552] DLT: Device 0 [eth1] DLT_ is 1,
assuming mtu 1514, header 14
07/Nov/2003 14:53:59 [initialize:1070] Adding network device sit1
07/Nov/2003 14:53:59 [initialize:1231] Interface 'sit1' (netmask
255.255.255.255) computed network size is 1024 hosts
07/Nov/2003 14:53:59 [initialize:1246] MEMORY: ipTrafficMatrix base (no
TrafficEntry) for interface 'sit1' is  4.05MB
07/Nov/2003 14:53:59 [initialize:1294] Checking sit1 for additional devices
07/Nov/2003 14:53:59 [initialize:1300] Checking sit1:0
07/Nov/2003 14:53:59 [initialize:739] Resetting traffic statistics for
device sit1
07/Nov/2003 14:53:59 [initialize:1552] DLT: Device 1 [sit1] DLT_ is 12,
assuming mtu 1500, header 0
07/Nov/2003 14:53:59 [initialize:1561] **WARNING** DLT: Device 1 [sit1]
MTU value is unknown
07/Nov/2003 14:53:59 [initialize:1566] DLT: Processing continues OK
07/Nov/2003 14:53:59 [initialize:1567] DLT: Please report your MTU
values (e.g. ifconfig) to the ntop-dev list
07/Nov/2003 14:53:59 [initialize:1571] **ERROR** DLT: Device 1 [sit1]
Header value for DLT_  is zero
07/Nov/2003 14:53:59 [initialize:1574] DLT: Processing continues OK -
don't use the nfs plugin
07/Nov/2003 14:53:59 [initialize:1575] DLT: Please report this to the
ntop-dev list
07/Nov/2003 14:53:59 [initialize:1070] Adding network device tun3
07/Nov/2003 14:54:00 [initialize:1231] Interface 'tun3' (netmask
255.255.255.255) computed network size is 51 hosts
07/Nov/2003 14:54:00 [initialize:1246] MEMORY: ipTrafficMatrix base (no
TrafficEntry) for interface 'tun3' is  0.06MB
07/Nov/2003 14:54:00 [initialize:1294] Checking tun3 for additional devices
07/Nov/2003 14:54:00 [initialize:1300] Checking tun3:0
07/Nov/2003 14:54:00 [initialize:739] Resetting traffic statistics for
device tun3
07/Nov/2003 14:54:00 [initialize:1552] DLT: Device 2 [tun3] DLT_ is 12,
assuming mtu 1500, header 0
07/Nov/2003 14:54:00 [initialize:1561] **WARNING** DLT: Device 2 [tun3]
MTU value is unknown
07/Nov/2003 14:54:00 [initialize:1566] DLT: Processing continues OK
07/Nov/2003 14:54:00 [initialize:1567] DLT: Please report your MTU
values (e.g. ifconfig) to the ntop-dev list
07/Nov/2003 14:54:00 [initialize:1571] **ERROR** DLT: Device 2 [tun3]
Header value for DLT_  is zero
07/Nov/2003 14:54:00 [initialize:1574] DLT: Processing continues OK -
don't use the nfs plugin
07/Nov/2003 14:54:00 [initialize:1575] DLT: Please report this to the
ntop-dev list
07/Nov/2003 14:54:00 [initialize:1070] Adding network device tun4
07/Nov/2003 14:54:00 [initialize:1231] Interface 'tun4' (netmask
255.255.255.255) computed network size is 51 hosts
07/Nov/2003 14:54:00 [initialize:1246] MEMORY: ipTrafficMatrix base (no
TrafficEntry) for interface 'tun4' is  0.06MB
07/Nov/2003 14:54:00 [initialize:1294] Checking tun4 for additional devices
07/Nov/2003 14:54:00 [initialize:1300] Checking tun4:0
07/Nov/2003 14:54:00 [initialize:739] Resetting traffic statistics for
device tun4
07/Nov/2003 14:54:00 [initialize:1552] DLT: Device 3 [tun4] DLT_ is 12,
assuming mtu 1500, header 0
07/Nov/2003 14:54:00 [initialize:1561] **WARNING** DLT: Device 3 [tun4]
MTU value is unknown
07/Nov/2003 14:54:00 [initialize:1566] DLT: Processing continues OK
07/Nov/2003 14:54:00 [initialize:1567] DLT: Please report your MTU
values (e.g. ifconfig) to the ntop-dev list
07/Nov/2003 14:54:00 [initialize:1571] **ERROR** DLT: Device 3 [tun4]
Header value for DLT_  is zero
07/Nov/2003 14:54:00 [initialize:1574] DLT: Processing continues OK -
don't use the nfs plugin
07/Nov/2003 14:54:00 [initialize:1575] DLT: Please report this to the
ntop-dev list
07/Nov/2003 14:54:00 [initialize:1070] Adding network device tun7
07/Nov/2003 14:54:00 [initialize:1231] Interface 'tun7' (netmask
255.255.255.255) computed network size is 51 hosts
07/Nov/2003 14:54:00 [initialize:1246] MEMORY: ipTrafficMatrix base (no
TrafficEntry) for interface 'tun7' is  0.06MB
07/Nov/2003 14:54:00 [initialize:1294] Checking tun7 for additional devices
07/Nov/2003 14:54:00 [initialize:1300] Checking tun7:0
07/Nov/2003 14:54:00 [initialize:739] Resetting traffic statistics for
device tun7
07/Nov/2003 14:54:00 [initialize:1552] DLT: Device 4 [tun7] DLT_ is 12,
assuming mtu 1500, header 0
07/Nov/2003 14:54:00 [initialize:1561] **WARNING** DLT: Device 4 [tun7]
MTU value is unknown
07/Nov/2003 14:54:00 [initialize:1566] DLT: Processing continues OK
07/Nov/2003 14:54:00 [initialize:1567] DLT: Please report your MTU
values (e.g. ifconfig) to the ntop-dev list
07/Nov/2003 14:54:00 [initialize:1571] **ERROR** DLT: Device 4 [tun7]
Header value for DLT_  is zero
07/Nov/2003 14:54:00 [initialize:1574] DLT: Processing continues OK -
don't use the nfs plugin
07/Nov/2003 14:54:00 [initialize:1575] DLT: Please report this to the
ntop-dev list
07/Nov/2003 14:54:00 [initialize:1070] Adding network device tun9
07/Nov/2003 14:54:00 [initialize:1231] Interface 'tun9' (netmask
255.255.255.255) computed network size is 51 hosts
07/Nov/2003 14:54:00 [initialize:1246] MEMORY: ipTrafficMatrix base (no
TrafficEntry) for interface 'tun9' is  0.06MB
07/Nov/2003 14:54:00 [initialize:1294] Checking tun9 for additional devices
07/Nov/2003 14:54:00 [initialize:1300] Checking tun9:0
07/Nov/2003 14:54:00 [initialize:739] Resetting traffic statistics for
device tun9
07/Nov/2003 14:54:00 [initialize:1552] DLT: Device 5 [tun9] DLT_ is 12,
assuming mtu 1500, header 0
07/Nov/2003 14:54:00 [initialize:1561] **WARNING** DLT: Device 5 [tun9]
MTU value is unknown
07/Nov/2003 14:54:00 [initialize:1566] DLT: Processing continues OK
07/Nov/2003 14:54:00 [initialize:1567] DLT: Please report your MTU
values (e.g. ifconfig) to the ntop-dev list
07/Nov/2003 14:54:00 [initialize:1571] **ERROR** DLT: Device 5 [tun9]
Header value for DLT_  is zero
07/Nov/2003 14:54:00 [initialize:1574] DLT: Processing continues OK -
don't use the nfs plugin
07/Nov/2003 14:54:00 [initialize:1575] DLT: Please report this to the
ntop-dev list
07/Nov/2003 14:54:00 [globals-core:96] Initializing gdbm databases
07/Nov/2003 14:54:00 [util:3612] Now running as requested user 'ntop'
(105:105)
07/Nov/2003 14:54:00 [initialize:866] Opening database
'/var/lib/ntop/prefsCache.db'
07/Nov/2003 14:54:00 [initialize:866] Opening database
'/var/lib/ntop/ntop_pw.db'
07/Nov/2003 14:54:00 [initialize:866] Creating database
'/var/lib/ntop/addressQueue.db'
07/Nov/2003 14:54:00 [initialize:872] **FATAL_ERROR** ....open of
/var/lib/ntop/addressQueue.db failed: File write error
07/Nov/2003 14:54:00 [initialize:884] 1. Is another instance of ntop
running?
07/Nov/2003 14:54:00 [initialize:885] 2. Make sure that the use you
specified can write in the target directory

Program exited with code 0377.
(gdb)

Regards

                Julien

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
