[j-nsp] "monitor traffic" broken?

Richard A Steenbergen ras at e-gerbil.net
Mon Nov 1 14:51:56 EST 2004


On Mon, Nov 01, 2004 at 07:45:36PM +0100, Daniel Roesen wrote:
> On Mon, Nov 01, 2004 at 10:32:58AM -0800, Harry Reynolds wrote:
> > AFAIK protocol-based matches at the CLI have been broken for some time.
> > This is because the L2 encap is stripped at ingress. You can work around
> > by capturing to a file and then reading back the contents of the file;
> > when writing to a file pseudo L2 headers are added back (as I
> > understand). This can be done at a root shell using standard TCPDUMP, or
> > via hidden write-file and read-file CLI switches. Note these are hidden
> > due to concern about someone writing a huge file to /var causing a lack
> > of disk space.
> 
> Thanks. Using write/read-file I'm now able to match on host IP etc.
> Unfortunately I'm still seeing only incoming packets, not egress DNS
> queries done by the RE.
> 
> BTW, is there a PR open to get either "monitor traffic" fixed or
> the documentation for the matching stuff removed? :-)

Using pcap expressions to match traffic in tcpdump has been broken since 
as far back as I can remember. I'd have asked about this before, but I 
just assumed that it was so obvious that someone must have known about it 
and had a good reason for not fixing it.

I'm just taking a shot in the dark since I have no idea what is really 
going on here, but is the problem just with the bpf filter being generated 
by pcap? Clearly at some point the BSD code must know that there isn't a 
link layer header on packets coming off the PFE (i.e. you don't want to be 
calling ether_input() on junk), so shouldn't it be possible to hack up bpf 
to handle the offsets? I suppose you could also just turn off the bpf 
filter completely (or "tcpdump -w - | tcpdump -r -" as a hack on the cli 
for that matter), but it would probably be easier to just fix it right. :P

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
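To make the offset problem discussed above concrete, here is a small added example (my own illustration, not code from the thread or from Juniper): it emulates the byte offsets a BPF program compiled from the expression "host <addr>" uses on an Ethernet link type versus a raw-IP link type, and shows why the Ethernet-offset version fails on packets whose L2 encapsulation was stripped, and why prepending a pseudo Ethernet header (the effect the thread attributes to the write-file path) makes it line up again. The packet bytes, the `EN10MB`/`RAW` link-type labels and the function names are constructed for this example.

```python
"""Why a pcap 'host' filter compiled for Ethernet misses link-layer-stripped packets.

Added example, not code from the thread: it mimics the byte offsets libpcap bakes
into a BPF program for "host <addr>" on two link types, and shows the workaround
of prepending a pseudo Ethernet header so Ethernet-offset filters line up again.
"""
import struct
from ipaddress import IPv4Address

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + ethertype (2)
ETHERTYPE_IPV4 = 0x0800


def build_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed sample: a minimal IPv4 header (checksum left at 0) plus payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0x1234, 0, 64, 17, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def _load16(pkt: bytes, off: int):
    # BPF semantics: an out-of-range load makes the whole program reject the packet.
    if off + 2 > len(pkt):
        return None
    return struct.unpack_from("!H", pkt, off)[0]


def _load32(pkt: bytes, off: int):
    if off + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, off)[0]


def host_filter(pkt: bytes, host: str, linktype: str) -> bool:
    """Emulate the BPF program pcap generates for the expression 'host <host>'.

    linktype 'EN10MB': expects an Ethernet header, so IP starts at offset 14
                       and the ethertype is checked at offset 12 first.
    linktype 'RAW':    no link layer, IP starts at offset 0.
    """
    want = int.from_bytes(IPv4Address(host).packed, "big")
    if linktype == "EN10MB":
        if _load16(pkt, 12) != ETHERTYPE_IPV4:
            return False
        ip_off = ETH_HDR_LEN
    elif linktype == "RAW":
        ip_off = 0
    else:
        raise ValueError(f"unsupported linktype {linktype!r}")
    if ip_off >= len(pkt) or pkt[ip_off] >> 4 != 4:   # IP version nibble must be 4
        return False
    src = _load32(pkt, ip_off + 12)
    dst = _load32(pkt, ip_off + 16)
    return want in (src, dst)


def add_pseudo_ethernet(pkt: bytes) -> bytes:
    """Prepend a dummy Ethernet header (zero MACs, IPv4 ethertype) so that a
    filter compiled for EN10MB offsets reads the right bytes again."""
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + pkt


# Constructed sample: a raw IPv4 packet from 10.0.0.1 to 10.0.0.2 with no L2 header,
# i.e. what the thread says comes off the PFE with the encapsulation stripped.
RAW_PKT = build_ipv4("10.0.0.1", "10.0.0.2", b"x" * 8)


def demo() -> dict:
    """Run the four cases that illustrate the thread's observation."""
    with_l2 = add_pseudo_ethernet(RAW_PKT)
    return {
        # Ethernet-offset filter on a stripped packet: reads the IP source address
        # bytes where it expects the ethertype, so it never matches.
        "raw_pkt_ethernet_filter": host_filter(RAW_PKT, "10.0.0.1", "EN10MB"),
        # The same expression compiled for the raw link type matches fine.
        "raw_pkt_raw_filter": host_filter(RAW_PKT, "10.0.0.1", "RAW"),
        # With a pseudo L2 header prepended, the Ethernet-offset filter works.
        "pseudo_l2_ethernet_filter": host_filter(with_l2, "10.0.0.1", "EN10MB"),
        # And it still correctly rejects a host that is not in the packet.
        "pseudo_l2_other_host": host_filter(with_l2, "10.0.0.3", "EN10MB"),
    }


if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case}: {matched}")
```

The point the emulation makes is that a BPF program is nothing more than fixed byte offsets chosen at compile time from the link type pcap was told about; if the capture path hands it raw IP while the filter was compiled for Ethernet, every load is shifted by 14 bytes and the ethertype check fails before the addresses are ever compared. Either compiling for the real link type or restoring a pseudo header fixes it, which is what the two workarounds in the thread amount to.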