ngrep and linux 3.x kernels
I'm not sure if this project is still being maintained. If not, that's too bad.
The issue is that with the 3.x versions of the Linux kernel, vlan handling has changed dramatically. ngrep no longer can grok vlan tagged packets. Would it be possible to get this functionality repaired?
Thanks for the report.
Can you confirm which distribution, version of libpcap and ngrep you're using? Are you passing any special options on the cmdline?
I have compiled against libpcap-1.0.0 through libpcap-1.5.0. No difference.
I've been testing on Debian and Ubuntu, most recently Debian 6 and Ubuntu 12.04.
I created a statically linked binary, and tested it on both current Debian and Ubuntu, with the 'broken' behaviour. I moved the binary to an older Debian box still running a 2.6.x kernel, and it worked perfectly.
Oh... I'm using ngrep 1.46 CSV as that has the support for vlans.
Thanks for the helpful info! I really appreciate the effort.
I had hoped this might just be a pcap issue, but it looks like I added some manual VLAN support back in commit 24600b6b: https://github.com/jpr5/ngrep/commit/24600b6b. So that's a good starting point for me.
What cmdline options are you passing to ngrep? Any BPF filter? etc.
Also, can you clarify "can't grok"? Do you mean ngrep sees the packets (dot emitted) but doesn't detect, or doesn't see the packets at all, or?
ngrep -i -t -q -l -d eth1 'get|post|put|delete' 'dst port 80'
If I change the BPF to 'vlan and (dst port 80)' I get nothing. Without the vlan checking, the first few bytes of the packet are mostly non-printable characters. I can send you a small (few k) sample of the output from 'good' and 'bad' sessions... I don't want to have to sanitize them to post them up here.
Last edit: Tim Sailer 2014-02-11