Packet sniffing broken recently?
Sometime in the last month or so (when I wasn't looking) my ~x86 and ~amd64 machines quit working when I try to run wireshark or tcpdump, etc, but I don't know exactly when or why. (My amd64 machine still sniffs packets normally.)

I get this same error from any packet sniffing app:

Can't open netlink socket 93:Protocol not supported

Strace shows that this is the failing system call:

socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not supported)

That makes me think of some missing kernel config that may have been added or modified in recent kernels, so I tried gentoo-sources-3.0.6 (same as my working amd64 machine) with no joy. Same error message.

Have I missed some important gentoo bulletin about networking recently? Anyone have working packet sniffing on ~arch?

Packet sniffing broken recently?
walt, Wed, 28 Dec 2011 17:01:59 -0800:
> Sometime in the last month or so (when I wasn't looking) my ~x86 and
> ~amd64 machines quit working when I try to run wireshark or tcpdump,
> etc, but I don't know exactly when or why. (My amd64 machine still
> sniffs packets normally.)
>
> I get this same error from any packet sniffing app:
>
> Can't open netlink socket 93:Protocol not supported
>
> Strace shows that this is the failing system call:
>
> socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not
> supported)
>
> That makes me think of some missing kernel config that may have been
> added or modified in recent kernels, so I tried gentoo-sources-3.0.6
> (same as my working amd64 machine) with no joy. Same error message.
>
> Have I missed some important gentoo bulletin about networking recently?
> Anyone have working packet sniffing on ~arch?

Hi,

If I remember correctly, I needed to set
Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration -> Netfilter connection tracking support

It has been a while though, so it may be another option in the netfilter config - just try it :)

Lubos

Packet sniffing broken recently?
On Thursday 29 Dec 2011 07:10:19 Lubos Kolouch wrote:
> walt, Wed, 28 Dec 2011 17:01:59 -0800:
> > Sometime in the last month or so (when I wasn't looking) my ~x86 and
> > ~amd64 machines quit working when I try to run wireshark or tcpdump,
> > etc, but I don't know exactly when or why. (My amd64 machine still
> > sniffs packets normally.)
> >
> > I get this same error from any packet sniffing app:
> >
> > Can't open netlink socket 93:Protocol not supported
> >
> > Strace shows that this is the failing system call:
> >
> > socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not
> > supported)
> >
> > That makes me think of some missing kernel config that may have been
> > added or modified in recent kernels, so I tried gentoo-sources-3.0.6
> > (same as my working amd64 machine) with no joy. Same error message.
> >
> > Have I missed some important gentoo bulletin about networking recently?
> > Anyone have working packet sniffing on ~arch?
>
> Hi,
>
> If I remember correctly, I needed to set
> Networking support -> Networking options -> Network packet filtering
> framework (Netfilter) -> Core Netfilter Configuration -> Netfilter
> connection tracking support
>
> It has been a while though, so it may be another option in the
> netfilter config - just try it :)
>
> Lubos

tcpdump-3.9.8-r1 and kernel-3.0.6-gentoo works fine here with no errors.

$ cat /usr/src/linux/.config | grep CONNTRACK
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_BROADCAST=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
CONFIG_NF_CONNTRACK_SNMP=y
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
CONFIG_NF_CONNTRACK_SIP=y
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=y

HTH.
--
Regards,
Mick

Packet sniffing broken recently?
On 12/29/2011 02:09 AM, Mick wrote:
> On Thursday 29 Dec 2011 07:10:19 Lubos Kolouch wrote:
> > walt, Wed, 28 Dec 2011 17:01:59 -0800:
> > > Sometime in the last month or so (when I wasn't looking) my ~x86 and
> > > ~amd64 machines quit working when I try to run wireshark or tcpdump,
> > > etc, but I don't know exactly when or why. (My amd64 machine still
> > > sniffs packets normally.)
> > >
> > > I get this same error from any packet sniffing app:
> > >
> > > Can't open netlink socket 93:Protocol not supported
> > >
> > > Strace shows that this is the failing system call:
> > >
> > > socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not
> > > supported)
> > >
> > > That makes me think of some missing kernel config that may have been
> > > added or modified in recent kernels, so I tried gentoo-sources-3.0.6
> > > (same as my working amd64 machine) with no joy. Same error message.
> > >
> > > Have I missed some important gentoo bulletin about networking recently?
> > > Anyone have working packet sniffing on ~arch?
> >
> > Hi,
> >
> > If I remember correctly, I needed to set
> > Networking support -> Networking options -> Network packet filtering
> > framework (Netfilter) -> Core Netfilter Configuration -> Netfilter
> > connection tracking support
> >
> > It has been a while though, so it may be another option in the
> > netfilter config - just try it :)
> >
> > Lubos
>
> tcpdump-3.9.8-r1 and kernel-3.0.6-gentoo works fine here with no errors.

Thanks guys. I enabled all of the netfilter stuff as modules, then ran tcpdump. Turns out that tcpdump loaded only the 'nfnetlink' module, which makes good sense given my original 'NETLINK' error message.

This change appears to be somewhere in userland, though, not in the kernel per se. I copied the kernel .config file from my working amd64 machine to the 'broken' ~amd64 machine and recompiled the kernel.

No improvement. I had to enable the nfnetlink module to make packet sniffing work again. I suppose one of the networking packages changed in a recent ~arch update.

Packet sniffing broken recently?
On Thu, 29 Dec 2011 07:29:51 -0800, walt wrote:
> This change appears to be somewhere in userland, though, not in the kernel
> per se. I copied the kernel .config file from my working amd64 machine to
> the 'broken' ~amd64 machine and recompiled the kernel.
>
> No improvement. I had to enable the nfnetlink module to make packet
> sniffing work again. I suppose one of the networking packages changed in
> a recent ~arch update.

Yup, this was libpcap moving to 1.2 recently. You can get the old behaviour back by downgrading to 1.1.x, though for me 1.2 also worked after building all the netfilter modules (default settings) and enabling libnl for libpcap.

-h

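Added example, not part of any post in the thread: a small diagnostic that repeats the failing call from the strace line, socket(PF_NETLINK, SOCK_RAW, 12), and checks a kernel .config for the symbol that builds the nfnetlink module. The symbol name CONFIG_NETFILTER_NETLINK is not mentioned in the thread and is supplied here as the Kconfig option behind nfnetlink; the sample config text is constructed.

```python
import errno
import re
import socket

NETLINK_NETFILTER = 12  # protocol number seen in the strace output above

# Constructed .config fragments, not taken from any poster's machine.
SAMPLE_BROKEN = (
    "CONFIG_NETFILTER=y\n"
    "# CONFIG_NETFILTER_NETLINK is not set\n"
    "CONFIG_NF_CONNTRACK=y\n"
)
SAMPLE_MODULE = "CONFIG_NETFILTER=y\nCONFIG_NETFILTER_NETLINK=m\n"


def config_state(config_text, symbol="CONFIG_NETFILTER_NETLINK"):
    """Return 'y', 'm' or 'n' (unset or absent) for a kernel config symbol."""
    m = re.search(rf"^{re.escape(symbol)}=([ym])\s*$", config_text, re.M)
    return m.group(1) if m else "n"


def classify(err):
    """Map the errno of the netlink socket() call to a diagnosis."""
    if err == 0:
        return "ok"
    if err == errno.EPROTONOSUPPORT:
        return "nfnetlink missing"  # the failure reported in the thread
    if err in (errno.EPERM, errno.EACCES):
        return "blocked by policy"
    return "other: " + errno.errorcode.get(err, str(err))


def probe():
    """Repeat the failing system call; return its errno, 0 on success."""
    family = getattr(socket, "AF_NETLINK", None)  # absent on non-Linux hosts
    if family is None:
        return errno.EAFNOSUPPORT
    try:
        socket.socket(family, socket.SOCK_RAW, NETLINK_NETFILTER).close()
        return 0
    except OSError as exc:
        return exc.errno or errno.EIO


if __name__ == "__main__":
    print("netlink protocol 12 probe:", classify(probe()))
    print("constructed broken config:", config_state(SAMPLE_BROKEN))
    print("constructed module config:", config_state(SAMPLE_MODULE))
```

To check a real kernel tree, pass the contents of /usr/src/linux/.config to config_state() instead of the constructed samples.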