Message-ID: <B97B134FACB2024DB45F524AB0A7B7F2058B03E5@XMB-BGL-419.cisco.com>
Date:	Thu, 19 Jan 2012 11:23:39 +0530
From:	"Prashant Batra (prbatra)" <prbatra@...co.com>
To:	"Bill Fink" <billfink@...dspring.com>,
	"Eric Dumazet" <eric.dumazet@...il.com>
Cc:	<netdev@...r.kernel.org>
Subject: RE: route problem



-----Original Message-----
From: Bill Fink [mailto:billfink@...dspring.com] 
Sent: Thursday, January 19, 2012 6:59 AM
To: Eric Dumazet
Cc: Prashant Batra (prbatra); netdev@...r.kernel.org
Subject: Re: route problem

On Wed, 18 Jan 2012, Eric Dumazet wrote:

> On Wednesday 18 January 2012 at 15:38 +0530, Prashant Batra (prbatra)
> wrote:
> > 2.6.18 kernel.
> > 
> 
> Please don't top post on netdev mailing list
> 
> > -----Original Message-----
> > From: Eric Dumazet [mailto:eric.dumazet@...il.com] 
> > Sent: Wednesday, January 18, 2012 2:58 PM
> > To: Prashant Batra (prbatra)
> > Cc: netdev@...r.kernel.org
> > Subject: Re: route problem
> > 
> > On Wednesday 18 January 2012 at 14:47 +0530, Prashant Batra (prbatra)
> > wrote:
> > > Hi,
> > > 
> > > I have added a route for an external ip via a gateway which is available
> > > on the same machine.
> > > I want to capture the packets going to this external IP using PF_PACKET
> > > socket.
> > > 
> > > #route 
> > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > 192.168.101.0   *               255.255.255.0   U     0      0        0 eth1
> > > 172.16.60.0     192.168.101.10  255.255.255.0   UG    0      0        0 eth1
> > > 
> > > So, when a packet is sent to 172.16.60.*, kernel should send arp request
> > > for this gw IP 192.168.101.10. As gw IP is locally reachable, 
> > > It should send its mac address in arp-response and kernel should send
> > > the packet via that interface.
> > > 
> > > But what I am seeing is that instead of asking the gateway IP, kernel
> > > sends an ARP request for destination IP (172.16.60.*)
> > > 
> > > #tcpdump -I eth1
> > > 04:12:45.334966 arp who-has 172.16.60.2 tell 192.168.101.20
> > > 04:12:46.334839 arp who-has 172.16.60.2 tell 192.168.101.20
> > > 04:12:48.334584 arp who-has 172.16.60.2 tell 192.168.101.20
> > > 04:12:49.334457 arp who-has 172.16.60.2 tell 192.168.101.20
> > > 04:12:50.335329 arp who-has 172.16.60.2 tell 192.168.101.20
> > > 04:12:52.335075 arp who-has 172.16.60.2 tell 192.168.101.20
> > > 04:12:53.334947 arp who-has 172.16.60.2 tell 192.168.101.20
> > > 04:12:54.334821 arp who-has 172.16.60.2 tell 192.168.101.20
> > > 
> 
> This comes from another machine, since your eth1 addr is 192.168.101.10

Actually, if I'm interpreting the "ip route list cache" output
correctly, it appears it has local IP addresses of both 192.168.101.10
and 192.168.101.20.
[Prashant] Yes, both IPs are present on the same machine but on different interfaces.
> local 192.168.101.10 from 192.168.101.101 dev lo  src 192.168.101.10 
>     cache <local,src-direct>  iif eth1

> local 192.168.101.20 from 192.168.101.101 dev lo  src 192.168.101.20 
>     cache <local,src-direct>  iif eth1

And since his gateway is 192.168.101.10, an apparently local
IP address, that would probably explain the direct ARPS for
172.16.60.*.

[Prashant] So is this the correct behavior? My original intention was to capture the packets from the
interface acting as gateway. So with this behavior I will not be able to capture the packets, as 172.16.60.* are not
present on the local machine, and it will not get any ARP response.
Consider the gateway on a different machine, in which case the ARP request will go for the gateway IP, and the local machine will
get the ARP response and send the packets to the gateway.

Regards,
Prashant
						-Bill