Ethereal-users: [Ethereal-users] Problems with libpcap and AIX

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Jon Leichter" <jonleichter@xxxxxxxxx>
Date: Sat, 27 Apr 2002 12:15:43 -0700

Hello all.

I'm trying to get a better handle on a set of problems that I am having with
libpcap on AIX. These problems have been mentioned a few times on the
Ethereal-Users mailing list. I have read through the archives, but there do
not seem to be any final solutions.

The most recent posting to the mailing list that addressed my problems was:

  http://www.ethereal.com/lists/ethereal-users/200204/msg00119.html

Then, Guy Harris responded with:

  http://www.ethereal.com/lists/ethereal-users/200204/msg00131.html

To recap, I have the following problems with libpcap on AIX:

1) A call to pcap_open_live with 'device' set to "en0" and 'promisc' set to
a non-zero value (i.e. TRUE) generates 2 warning messages:

  WARNING: DL_PROMISC_MULTI failed (recv_ack: promisc_multi error 0x3)
  WARNING: DL_PROMISC_SAP failed (recv_ack: promisc_sap error 0x3)

2) libpcap is unable to capture its own outgoing packets.

I view problem #2 as more serious than problem #1.

Now, for a bunch of details:

Originally, I was using a binary distribution of libpcap 0.6.2 for AIX. I am
running AIX 4.3.3. The binary distribution of libpcap that I downloaded
(from where I can't remember right now) had debug symbols in it. So, I
downloaded the source code for libpcap 0.6.2. The rcsid strings in the
source and library matched exactly. (As it turns out, the person who
compiled the binary distribution had to edit the source code a bit. One
noticeable change is the fact that pcap-dlpi.c (rcsid 1.63) unconditionally
defines PCAP_DEV_PREFIX as "/dev". Yet in the distributed library, the
string has been compiled in as "/dev/dlpi", as it should be and as it is in
libpcap 0.7.1 source.)

In any event, the library operates exactly as the source code suggests: A
call to pcap_open_live attaches with PPA 0, binds to SAP 1537 (AIX's
bastardized SAP value for Ethernet), and makes three DL_PROMISCON_REQ
requests. The first request, for DL_PROMISC_PHYS mode, succeeds without
issue. The second two requests, for DL_PROMISC_MULTI and DL_PROMISC_SAP,
fail with DL_OUTSTATE (0x3) as the error. Libpcap notifies of this situation
with warnings but continues on.

According to AIX's DLPI documentation, a DL_OUTSTATE error for
DL_PROMISCON_REQ suggests that the request was done when the DLPI driver was
in an "invalid" state. The documentation has this to say about issuing this
request:

  The primitive is valid in any state in which an acknowledgement is
  not pending, with the exception of DL_UNATTACH.

When I debugged the library, I verified the state. It was DL_IDLE.

Aside from these failed DLPI requests, the driver seems unable to capture
its own outbound traffic.

It would be irresponsible of me to post this email without trying Guy's
suggestion: download the latest version of libpcap, 0.7.1. So I did this and
got identical results. There really isn't a significant difference between
0.6.2 and 0.7.1, where AIX is concerned. The library does just about all the
same things. 0.7.1 is a little more informative about error messages, e.g.
translating 0x3 into a "meaningful" string. Overall, however, there are no
significant differences.

Believe it or not, I suspect that the promiscuous mode warnings are
unrelated to the lack of ability to capture outbound traffic. I think that
DLPI just might be broken.

So, then, I turned my attention to AIX's implementation of DLPI. In this
area, I am a little lost. Through the mailing list archives, I've learned
that I need to take a look at the bos.rte.tty fileset. However, I'm somewhat
unclear on the meanings of AIX's version and fileset numbers.

$ oslevel
4.3.3.0

$ lslpp -l bos.rte.tty
4.3.2.0 bos.rte.tty COMMITTED

$ lslpp -la bos.rte.tty
4.3.2.0 bos.rte.tty COMMITTED
4.3.3.0 bos.rte.tty COMMITTED

- How do all of these numbers relate to each other?

- How do I unambiguously determine which version of DLPI I've got?

- Which patches, if any, should I download from:
ftp://ftp.software.ibm.com/aix/fixes/v4/os/ ?

- Has ANYBODY used libpcap/tcpdump/ethereal on any version of AIX without
these problems?

I would appreciate any insight that anybody can offer. I may also be able to
work on this problem in more depth and contribute patches back to libpcap,
if applicable.

Regards,
Jon