Guy Harris wrote:
>
> > I have a question regarding the ethereal. I am using a pseudo network
> > device driver for Solaris 2.6 developed at Ericsson and is not the DLPI
> > compliant yet. The original author is gone unfortunately and it is my
> > task to make it compliant.
> > Sending packets through this device works fine, but when I try to
> > capture packets on this device, the ethereal shows the error " recv_ack:
> > bind error 0x0 " which means BAD LSAP selector.
> >
> > When I look in the debugging message of this device driver, it shows that
> > ethereal tries to bind with the DLSAP address=0 which is not valid.
> >
> > Until now this device driver can only be established with a stream at
> > the DLSAP = 2048 where the IP packets can be sent through. In the source
> > code, when the PPA is equal to NULL, this device driver will bind the
> > stream only with dl_bind_req.dl_sap = ETHERTYPE_IP ( or 2048). If I
> > forced the device driver to bind with the DLSAP = 0, then ethereal
> > continues to request DL_PROMISC_SAP mode.
> >
> > My question is why ethereal binds with the DLSAP=0 when it starts
> > capturing. Where should I look in this device driver so that it can be
> > used to send and receive IP packets and the packets can be captured by
> > Ethereal.
>
> Ethereal doesn't do that.
>
> libpcap, which is the library Ethereal uses to capture packets, does
> that; I'm moving the discussion to the [EMAIL PROTECTED]
> mailing list, which is the mailing list for tcpdump (which also uses
> libpcap) and for libpcap itself.
>
> Libpcap requests DL_PROMISC_SAP mode because the purpose of libpcap is
> to capture *all* packets, *regardless* of the SAP; libpcap is a library
> for use in programs such as packet sniffers (tcpdump, Ethereal,
> Ksnuffle, Analyzer, etc.), intrusion detection systems (Snort, etc.),
> traffic monitors (Etherape, etc.), and those programs either want to see
> all packets, or are specifying their own filter to libpcap, a filter
> which doesn't necessarily have anything whatsoever to do with the SAP
> for the packet.
>
> It binds with a SAP of 0 because it has to bind to *something*, and it
> doesn't want a particular SAP, so it picks a SAP of 0.
>
> So I'd suggest that you modify the driver to support DL_PROMISC_SAP mode
> and, if possible, to support binding to a DLSAP of 0, *even though it's
> not valid*; you can have it supply packets on a stream bound to a DLSAP
> of 0 only if DL_PROMISC_SAP mode is enabled, and ignore packets sent to
> it on a stream bound to a DLSAP of 0.

Hi Guy Harris,

thanks for the answer. If I understand correctly, I should let ethereal
enable the promiscuous mode for this stream although it binds with
DLSAP=0. After promiscuous mode is enabled, all packets which are sent
through the device driver will be captured by the ethereal through this
stream, won't they? How about the existing stream which is already bound
with DLSAP=2048?

thanks
Nisapol
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
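
The driver behaviour suggested in the quoted reply, modelled as an added example that is not part of the thread and is not the Ericsson driver's code: a bind to SAP 0 is accepted, a SAP-0 stream receives packets only once DL_PROMISC_SAP mode is on, data written on it is ignored, and a stream bound to 2048 keeps receiving only IP. The struct, function and macro names are hypothetical, and 0x0806 is a constructed sample SAP.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical model of per-stream driver state; not the real driver's structures. */
#define SAP_ANY 0u       /* the SAP libpcap binds with */
#define SAP_IP  0x0800u  /* ETHERTYPE_IP (2048) */

struct stream {
    bool     bound;        /* a bind request was accepted */
    uint32_t sap;          /* value taken from dl_bind_req.dl_sap */
    bool     promisc_sap;  /* DL_PROMISC_SAP mode enabled on this stream */
};

/* Accept a bind to SAP 0 as well as to IP instead of rejecting it. */
bool stream_bind(struct stream *s, uint32_t sap)
{
    if (sap != SAP_ANY && sap != SAP_IP)
        return false;
    s->bound = true;
    s->sap = sap;
    return true;
}

void stream_promisc_sap_on(struct stream *s) { s->promisc_sap = true; }

/* Upstream: should this stream get a copy of a received packet? */
bool deliver_upstream(const struct stream *s, uint32_t pkt_sap)
{
    if (!s->bound)
        return false;
    if (s->promisc_sap)
        return true;                               /* capture stream: every SAP */
    return s->sap != SAP_ANY && s->sap == pkt_sap; /* normal stream: its own SAP */
}

/* Downstream: data written on a stream bound to SAP 0 is ignored. */
bool accept_downstream(const struct stream *s)
{
    return s->bound && s->sap != SAP_ANY;
}

int main(void)
{
    struct stream cap = {0};
    stream_bind(&cap, SAP_ANY);
    stream_promisc_sap_on(&cap);
    printf("capture stream sees SAP 0x0806: %d\n", deliver_upstream(&cap, 0x0806u));
    return 0;
}
```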
