Post by Joseph Freemaker
Using libpcap 1.3.0.
libpcap had a patch applied in October of 2011 for the Solaris Zone.
However when libpcap is used with a C program (that is very similar to tcpdump - makes the same calls) that is run in a Solaris Zone (Solaris 10) the
A network mask lookup for ce0 could not be completed due to a 'SIOCGIFADDR: ce0: No such device or address' error condition.
Is anyone familiar with what the procedure is to use libpcap for a Solaris Zone?
The same as anywhere else - if you need to call pcap_lookupnet(), and it returns -1, print a message, make the message clearly a *warning* rather than an *error*, and just use 0 as the network address and:
if PCAP_NETMASK_UNKNOWN is #defined, use it as the netmask;
otherwise, use 0 as the netmask.
If you do that, then you will receive a message such as
WARNING: A network mask lookup for ce0 could not be completed due to a 'SIOCGIFADDR: ce0: No such device or address' error condition.
(that condition is *NOT* unique to sniffing in a Solaris zone:
$ tcpdump -i en0
tcpdump: WARNING: en0: no IPv4 address assigned
and that isn't even being done on Solaris, much less in a Solaris zone), and, as long as nothing else goes wrong, the capture will continue. The warning lets the user know that any capture filter expression that requires the network address or netmask, such as "ip broadcast", will not work on that interface (and, if you set the netmask to PCAP_NETMASK_UNKNOWN, filter expressions of that sort will fail to compile, so a capture attempt using that filter will fail, as it should).
Note, however, that:
1) The patch in question applies only to BPF, not DLPI, so it only applies, as far as I know, on Solaris 11, and will only work if you've configured and built libpcap on Solaris 11 (if you configure and build it on Solaris 10, which lacks BPF, it won't use BPF).
2) What it did was provide a *syntax* by which a libpcap-based program running in a global zone can capture on network interfaces in non-global zones - you do that by prefixing the interface name with the zone name, with a slash separating the zone name and the interface name. It did *NOT* affect any other situations, e.g. capturing, on a program running in a zone, on an interface that belongs to that zone.
3) It did not affect the code used to fetch the network address and mask, so that might not work if you've specified something such as "foo/xx0" as the interface when running the program in a global zone and telling it to capture on the interface "xx0" in the non-global zone "foo".
So is ce0 an interface in the zone in which you're running the program?
If not, you presumably have to run the program in a global zone and specify {zonename}/ce0 as the interface on which to capture.
If so, then what does "ifconfig -a" print when run in the zone in question? Does it list ce0?
(See also
http://ask.wireshark.org/questions/13371/can-wireshark-sniff-a-network-interface-in-a-solaris-zone
for some additional information on Solaris zones and traffic capture; it applies to any program capturing traffic, not just Wireshark.)
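The fallback described in the reply, as an added sketch that is not code from libpcap, tcpdump, or either poster. The names `resolve_net`, `unknown_netmask`, `lookupnet_fn` and `failing_lookup` are hypothetical, and the stub's error text is constructed from the message quoted in the thread; a real program would pass `pcap_lookupnet` itself as the first argument.

```c
#include <stdio.h>
#if defined(__has_include)
#  if __has_include(<pcap/pcap.h>)
#    include <pcap/pcap.h>   /* real types and PCAP_NETMASK_UNKNOWN */
#  endif
#endif
#ifndef PCAP_ERRBUF_SIZE     /* stand-ins so this builds without libpcap headers */
typedef unsigned int bpf_u_int32;
#define PCAP_ERRBUF_SIZE 256
#endif

/* Same signature as pcap_lookupnet(), so a constructed stub can replace it. */
typedef int (*lookupnet_fn)(const char *, bpf_u_int32 *, bpf_u_int32 *, char *);

/* Netmask to use when the lookup fails, per the rule in the reply. */
bpf_u_int32 unknown_netmask(void)
{
#ifdef PCAP_NETMASK_UNKNOWN
    return PCAP_NETMASK_UNKNOWN;
#else
    return 0;
#endif
}

/* Returns 0 on success, 1 if the lookup failed and fallbacks were applied. */
int resolve_net(lookupnet_fn lookup, const char *dev, bpf_u_int32 *net,
                bpf_u_int32 *mask, char *warn, size_t warnlen)
{
    char errbuf[PCAP_ERRBUF_SIZE] = "";
    warn[0] = '\0';
    if (lookup(dev, net, mask, errbuf) == 0)
        return 0;
    *net = 0;
    *mask = unknown_netmask();
    snprintf(warn, warnlen, "WARNING: %s", errbuf); /* warn, do not abort */
    return 1;
}

/* Constructed stub reproducing the failure quoted in the thread. */
int failing_lookup(const char *dev, bpf_u_int32 *n, bpf_u_int32 *m, char *eb)
{
    (void)n; (void)m;
    snprintf(eb, PCAP_ERRBUF_SIZE, "SIOCGIFADDR: %s: No such device or address", dev);
    return -1;
}

int main(void)
{
    bpf_u_int32 net, mask;
    char warn[PCAP_ERRBUF_SIZE + 16];
    if (resolve_net(failing_lookup, "ce0", &net, &mask, warn, sizeof warn))
        fprintf(stderr, "%s\n", warn);
    return 0; /* mask is the value the program would hand to pcap_compile() */
}
```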