
walt 12-29-2011 12:01 AM

Packet sniffing broken recently?
 
Sometime in the last month or so (when I wasn't looking) my
~x86 and ~amd64 machines quit working when I try to run
wireshark or tcpdump, etc, but I don't know exactly when
or why. (My amd64 machine still sniffs packets normally.)

I get this same error from any packet sniffing app:

Can't open netlink socket 93:Protocol not supported

Strace shows that this is the failing system call:

socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not supported)

That makes me think of some missing kernel config that may
have been added or modified in recent kernels, so I tried
gentoo-sources-3.0.6 (same as my working amd64 machine) with
no joy. Same error message.

Have I missed some important gentoo bulletin about networking
recently? Anyone have working packet sniffing on ~arch?

Lubos Kolouch 12-29-2011 06:10 AM

walt, Wed, 28 Dec 2011 17:01:59 -0800:

> Sometime in the last month or so (when I wasn't looking) my ~x86 and
> ~amd64 machines quit working when I try to run wireshark or tcpdump,
> etc, but I don't know exactly when or why. (My amd64 machine still
> sniffs packets normally.)
>
> I get this same error from any packet sniffing app:
>
> Can't open netlink socket 93:Protocol not supported
>
> Strace shows that this is the failing system call:
>
> socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not
> supported)
>
> That makes me think of some missing kernel config that may have been
> added or modified in recent kernels, so I tried gentoo-sources-3.0.6
> (same as my working amd64 machine) with no joy. Same error message.
>
> Have I missed some important gentoo bulletin about networking recently?
> Anyone have working packet sniffing on ~arch?

Hi,

If I remember correctly, I needed to set
Networking support -> Networking options -> Network packet filtering
framework (Netfilter) -> Core Netfilter Configuration -> Netfilter
connection tracking support

It has been a while though, so it may be another option in the
netfilter config - just try it :)

Lubos

Mick 12-29-2011 09:09 AM

On Thursday 29 Dec 2011 07:10:19 Lubos Kolouch wrote:
> walt, Wed, 28 Dec 2011 17:01:59 -0800:
> > Sometime in the last month or so (when I wasn't looking) my ~x86 and
> > ~amd64 machines quit working when I try to run wireshark or tcpdump,
> > etc, but I don't know exactly when or why. (My amd64 machine still
> > sniffs packets normally.)
> >
> > I get this same error from any packet sniffing app:
> >
> > Can't open netlink socket 93:Protocol not supported
> >
> > Strace shows that this is the failing system call:
> >
> > socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not
> > supported)
> >
> > That makes me think of some missing kernel config that may have been
> > added or modified in recent kernels, so I tried gentoo-sources-3.0.6
> > (same as my working amd64 machine) with no joy. Same error message.
> >
> > Have I missed some important gentoo bulletin about networking recently?
> > Anyone have working packet sniffing on ~arch?
>
> Hi,
>
> If I remember correctly, I needed to set
> Networking support -> Networking options -> Network packet filtering
> framework (Netfilter) -> Core Netfilter Configuration -> Netfilter
> connection tracking support
>
> It has been a while though, so it may be another option in the
> netfilter config - just try it :)
>
> Lubos

tcpdump-3.9.8-r1 and kernel-3.0.6-gentoo work fine here with no errors.

$ cat /usr/src/linux/.config | grep CONNTRACK
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_BROADCAST=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
CONFIG_NF_CONNTRACK_SNMP=y
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
CONFIG_NF_CONNTRACK_SIP=y
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=y

HTH.
--
Regards,
Mick

walt 12-29-2011 02:29 PM

On 12/29/2011 02:09 AM, Mick wrote:
> On Thursday 29 Dec 2011 07:10:19 Lubos Kolouch wrote:
> > walt, Wed, 28 Dec 2011 17:01:59 -0800:
> > > Sometime in the last month or so (when I wasn't looking) my ~x86 and
> > > ~amd64 machines quit working when I try to run wireshark or tcpdump,
> > > etc, but I don't know exactly when or why. (My amd64 machine still
> > > sniffs packets normally.)
> > >
> > > I get this same error from any packet sniffing app:
> > >
> > > Can't open netlink socket 93:Protocol not supported
> > >
> > > Strace shows that this is the failing system call:
> > >
> > > socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not
> > > supported)
> > >
> > > That makes me think of some missing kernel config that may have been
> > > added or modified in recent kernels, so I tried gentoo-sources-3.0.6
> > > (same as my working amd64 machine) with no joy. Same error message.
> > >
> > > Have I missed some important gentoo bulletin about networking recently?
> > > Anyone have working packet sniffing on ~arch?
> >
> > Hi,
> >
> > If I remember correctly, I needed to set
> > Networking support -> Networking options -> Network packet filtering
> > framework (Netfilter) -> Core Netfilter Configuration -> Netfilter
> > connection tracking support
> >
> > It has been a while though, so it may be another option in the
> > netfilter config - just try it :)
> >
> > Lubos
>
> tcpdump-3.9.8-r1 and kernel-3.0.6-gentoo works fine here with no errors.


Thanks guys. I enabled all of the netfilter stuff as modules, then ran
tcpdump. Turns out that tcpdump loaded only the 'nfnetlink' module, which
makes good sense given my original 'NETLINK' error message.

This change appears to be somewhere in userland, though, not in the kernel
per se. I copied the kernel .config file from my working amd64 machine
to the 'broken' ~amd64 machine and recompiled the kernel.

No improvement. I had to enable the nfnetlink module to make packet sniffing
work again. I suppose one of the networking packages changed in a recent ~arch
update.

"Holger Hoffstaette" 12-29-2011 03:09 PM

On Thu, 29 Dec 2011 07:29:51 -0800, walt wrote:

> This change appears to be somewhere in userland, though, not in the kernel
> per se. I copied the kernel .config file from my working amd64 machine to
> the 'broken' ~amd64 machine and recompiled the kernel.
>
> No improvement. I had to enable the nfnetlink module to make packet
> sniffing work again. I suppose one of the networking packages changed in
> a recent ~arch update.

Yup, this was libpcap moving to 1.2 recently. You can get the old
behaviour back by downgrading to 1.1.x, though for me 1.2 also worked
after building all the netfilter modules (default settings) and enabling
libnl for libpcap.

-h
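
Added example, not part of any post in this thread: a small C probe that repeats the socket() call from the strace output (protocol 12 is NETLINK_NETFILTER, served by the nfnetlink module) and maps the errno to a likely cause, so the condition can be checked without a sniffer or strace. The function names classify_errno, probe_netlink and advice are hypothetical; CONFIG_NETFILTER_NETLINK is the kernel option that builds nfnetlink.

```c
/* Added example: probe for the netlink protocol the sniffers tried to open. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/netlink.h>   /* NETLINK_NETFILTER == 12, the "12" seen in strace */

enum nl_status { NL_OK, NL_NO_PROTOCOL, NL_NO_FAMILY, NL_OTHER };

/* Map the errno from socket(PF_NETLINK, SOCK_RAW, proto) to a cause. */
enum nl_status classify_errno(int err)
{
    switch (err) {
    case 0:               return NL_OK;
    case EPROTONOSUPPORT: return NL_NO_PROTOCOL; /* the error in this thread */
    case EAFNOSUPPORT:    return NL_NO_FAMILY;   /* no netlink family at all */
    default:              return NL_OTHER;
    }
}

/* Repeat the failing call; returns 0 on success, otherwise the errno. */
int probe_netlink(int proto)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, proto);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Human-readable hint for each outcome (hypothetical helper). */
const char *advice(enum nl_status st)
{
    switch (st) {
    case NL_OK:          return "NETLINK_NETFILTER is available";
    case NL_NO_PROTOCOL: return "nfnetlink missing: enable CONFIG_NETFILTER_NETLINK (y or m)";
    case NL_NO_FAMILY:   return "kernel has no netlink support";
    default:             return "unexpected error, check errno";
    }
}

int main(void)
{
    int err = probe_netlink(NETLINK_NETFILTER);
    enum nl_status st = classify_errno(err);
    printf("socket(PF_NETLINK, SOCK_RAW, %d): %s (%s)\n", NETLINK_NETFILTER,
           err ? strerror(err) : "ok", advice(st));
    return st == NL_OK ? 0 : 1;
}
```

Creating the socket needs no special privileges, so the probe can be run as an ordinary user before and after loading nfnetlink.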

