#6 Kernel 2.6.13 - libnet problem?

[Anonymous]

I need a TCP traceroute (traceroute using TCP/SYN packets).

I have four such programmes.

1: Hping in traceroute mode.
Poor. If it hits a router which does not respond, it just sits
and waits.
2: LFT
OK.
a: Does not work in Fedora Core2 - without patching.
The source code expects a header of zero bytes in the
pcap output of zero bytes (hard coded in the source).
My captures have a "linux cooked capture" header of sixteen bytes.
Changing an offset from zero to sixteen gets it to work.
b: Requires traffic on the interface.
It seems it gets into a loop and awaits some traffic.
It examines it - if it is data it expects it uses it.
If it is other data from other programmes accessing the 'net
it does nothing with it.
In both those cases it moves on and starts over.
What if there is no traffic? Unless there is something for it
either to use or ignore, it seems to hang. To get it to work
I have to, say, read the NY Times online while running it.
Output is OK - but I don't really like it.
3: Tcptraceroute
I have used this since kernel 2.2, through 2.4 and
2.6.5, 2.6.7, 2.6.9, 2.6.10, 2.6.11, 2.6.12
It was my favourite until I got traceproto.
4: Traceproto
I have used this in kernels 2.4,
2.6.5, 2.6.7, 2.6.9, 2.6.10, 2.6.11, 2.6.12
Good.

In kernel 2.6.13: [patching 2.1.12 with the patch file]

Standard "traceroute" works.
LFT works.
HPING works (also in traceroute mode).
tcptraceroute fails.
traceproto (tcp or udp mode) fails.

How do they fail?

A TCPDUMP shows that they do send out the packets.
I do get back ICMP "time exceeded" error messages.
They no longer recognize them.

Something that had never changed before has now changed
and has broken traceproto and tcptraceroute.

LIBNET?
-------
Do both tcptraceroute and traceproto rely on libnet?
Does kernel 2.6.13 break libnet? What other programmes use libnet?

I tried getting the latest libnet (Stable Version: 1.1.2.1),
recompiling and then recompiling traceproto - this did not help.

TRISKAIDEKAPHOBIA
-----------------
Ah well ... this *is* 2.6.*THIRTEEN*, after all.

[Nobody/Anonymous]

Logged In: NO

It may be that kernel 2.6.13 broke libpcap.

It may be libpcap that is broken.

tcpdump -w 1.cap
tcpdump -f "ip proto \icmp" -r 1.cap

(write a file first)

shows ICMP messages.

tcpdump -f "ip proto \icmp"

(just capture ICMP error messages)

does NOT show ICMP messages

[Nobody/Anonymous]

Logged In: NO

From the changelog for kernel 2.6.13.1

[PATCH] 2.6.13 breaks libpcap (and tcpdump)

[NET]: 2.6.13 breaks libpcap (and tcpdump)

Patrick McHardy says:

Never mind, I got it, we never fall through to the second switch
statement anymore. I think we could simply break when load_pointer
returns NULL. The switch statement will fall through to the default
case and return 0 for all cases but 0 > k >= SKF_AD_OFF.

Here's a patch to do just that.

So it looks like it is fixed in the latest (2.6.13.1) kernel.