I'm using the pcap plugin of app-admin/ulogd-1.02-r1 on an AMD Athlon(tm) 64 Processor 3000+ AuthenticAMD running sys-kernel/gentoo-dev-sources-2.6.10-gentoo-r6 (machine 1). The produced pcap files are unreadable with tcpdump. Here is the error message:

# tcpdump -n -r /var/log/ulogd.pcap
reading from file /var/log/ulogd.pcap, link-type RAW (Raw IP)
tcpdump: pcap_loop: bogus savefile header
#

I'm also using app-admin/ulogd-1.02-r1 on an i686 VIA Samuel 2 CentaurHauls running sys-kernel/gentoo-dev-sources-2.6.9-gentoo-r13 (machine 2). tcpdump is net-analyzer/tcpdump-3.8.3-r1 and libpcap is net-libs/libpcap-0.8.3-r1 on machines 1 and 2.

In order to check what is wrong, I captured a single UDP packet on both machines. The command I used to send the packet is:

nc -u 127.0.0.1 1234

followed by a single return as payload. The netfilter rule used to match the packet is:

iptables -I INPUT 1 -i lo -p udp --dport 1234 -j ULOG

Here are the results:

Machine 1:

Syslog line:
Mar 1 16:54:49 zorglub IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=29 TOS=00 PREC=0x00 TTL=64 ID=62357 CE DF PROTO=UDP SPT=32810 DPT=1234 LEN=9

Pcap file dump:
0000000 c3d4 a1b2 0002 0004 f1f0 ffff 0000 0000
0000020 0000 0001 0065 0000 9049 4224 0000 0000
0000040 62be 0006 0000 0000 001d 0000 001d 0000
0000060 0045 1d00 95f3 0040 1140 3849 007f 0100
0000100 007f 0100 2a80 d204 0900 dd72 000a
0000115

*** PCAP FILE HEADER *** (see struct pcap_file_header in pcap.h from libpcap)
c3d4 a1b2 -> magic number
0002 -> major version
0004 -> minor version
f1f0 ffff -> gmt to local correction
0000 0000 -> accuracy of timestamps
0000 0001 -> max length saved portion of each pkt
0065 0000 -> data link type
*** END OF PCAP FILE HEADER ***

*** PCAP PACKET HEADER *** (see struct pcap_pkthdr in pcap.h from libpcap)
9049 4224 0000 0000 62be 0006 0000 0000 -> timestamp
001d 0000 -> caplen
001d 0000 -> len
*** END OF PCAP PACKET HEADER ***

*** PACKET *** (see http://www.sans.org/resources/tcpip.pdf)
0045 -> TOS/IP version/IHL
1d00 -> LEN=29
95f3 -> ID=62357
0040 -> Flags/Fragment Offset
1140 -> PROTO=17(UDP)/TTL=64
3849 -> Header cksum
007f 0100 -> src ip: 127.0.0.1
007f 0100 -> dst ip: 127.0.0.1
2a80 -> src port: 32810
d204 -> dst port: 1234
0900 -> Length
dd72 -> UDP cksum
000a -> payload
*** END OF PACKET ***

Machine 2:

Syslog line:
Mar 1 16:56:40 crockdur IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=29 TOS=00 PREC=0x00 TTL=64 ID=22758 DF PROTO=UDP SPT=33303 DPT=1234 LEN=9

Pcap file dump:
0000000 c3d4 a1b2 0002 0004 f1f0 ffff 0000 0000
0000020 0000 0001 0065 0000 90b8 4224 3e74 000e
0000040 001d 0000 001d 0000 0045 1d00 e658 0040
0000060 1140 e7e3 007f 0100 007f 0100 1782 d204
0000100 0900 f070 000a
0000105

*** PCAP FILE HEADER *** (see struct pcap_file_header in pcap.h from libpcap)
c3d4 a1b2 -> magic number
0002 -> major version
0004 -> minor version
f1f0 ffff -> gmt to local correction
0000 0000 -> accuracy of timestamps
0000 0001 -> max length saved portion of each pkt
0065 0000 -> data link type
*** END OF PCAP FILE HEADER ***

*** PCAP PACKET HEADER *** (see struct pcap_pkthdr in pcap.h from libpcap)
90b8 4224 3e74 000e -> timestamp
001d 0000 -> caplen
001d 0000 -> len
*** END OF PCAP PACKET HEADER ***

*** PACKET *** (see http://www.sans.org/resources/tcpip.pdf)
0045 -> TOS/IP version/IHL
1d00 -> LEN=29
e658 -> ID=22758
0040 -> Flags/Fragment Offset
1140 -> PROTO=17(UDP)/TTL=64
e7e3 -> Header cksum
007f 0100 -> src ip: 127.0.0.1
007f 0100 -> dst ip: 127.0.0.1
1782 -> src port: 33303
d204 -> dst port: 1234
0900 -> Length
f070 -> UDP cksum
000a -> payload
*** END OF PACKET ***

The problem seems to come from the timestamp in the pcap packet header. It should match the members of a timeval struct from <sys/time.h> (man gettimeofday):

struct timeval {
    time_t      tv_sec;     /* seconds */
    suseconds_t tv_usec;    /* microseconds */
};

The size of the timeval struct is different on machine 1 and machine 2:

Machine 1: sizeof(struct timeval) == 16
Machine 2: sizeof(struct timeval) == 8

The problem is that tcpdump uses an 8-byte timeval struct on both architectures, but ulogd does not. Is it a Gentoo-specific problem or should it be reported to the ulogd developers?

Reproducible: Always

Steps to Reproduce:
Created attachment 63824 [details, diff] patch for systems whose sizeof(struct timeval) != 8 Attached is a patch for ulogd to use libpcap's struct pcap_pkthdr format as defined in "pcap-int.h". This fixes the "bogus savefile header" bug on systems whose sizeof(struct timeval) != 8. The patch is against ulogd-1.23 but also patches ulogd-1.02. A ulogd-1.23 ebuild will follow. As this isn't gentoo-specific, I am sending this patch upstream to the ulogd developers. A better log_PCAP implementation would use libpcap instead of writing directly to a file.
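The diagnosis in the report (a 16-byte struct timeval inside the packet header on amd64, so tcpdump reads the low half of tv_usec as caplen) and the approach of the attached patch (write libpcap's fixed-width on-disk header instead of the in-memory struct), as an added worked example. This is not code from the bug report, from ulogd or from libpcap; it embeds the two od dumps from the report as constructed byte arrays, re-implements the caplen > snaplen check behind tcpdump's "bogus savefile header" message, shows the serializer a writer should use, and converts a file already written with the LP64 layout into the 16-byte layout. It assumes little-endian files (the magic as written on both machines) and the function names check_first_record, write_sf_pkthdr and repair_lp64_file are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

#define PCAP_MAGIC 0xa1b2c3d4u

/* On-disk packet header: four fixed-width 32-bit fields, the layout of
 * struct pcap_sf_pkthdr in libpcap's pcap-int.h. Always 16 bytes. */
struct pcap_sf_pkthdr {
    uint32_t ts_sec;
    uint32_t ts_usec;
    uint32_t caplen;
    uint32_t len;
};

/* What ulogd-1.02 fwrite()d instead: libpcap's in-memory struct pcap_pkthdr,
 * whose struct timeval is 8 bytes on i386 but 16 bytes on amd64 (LP64). */
struct pcap_mem_pkthdr {
    struct timeval ts;
    uint32_t caplen;
    uint32_t len;
};

/* Constructed sample files, byte for byte from the od -x dumps in the report
 * (od prints little-endian 16-bit words, so each word is byte-swapped here). */
const uint8_t machine1_file[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0xf0,0xf1,0xff,0xff,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x01,0x00, 0x65,0x00,0x00,0x00,
    /* 24-byte packet header: 8-byte tv_sec, 8-byte tv_usec, caplen, len */
    0x90,0x49,0x24,0x42, 0x00,0x00,0x00,0x00, 0x62,0xbe,0x06,0x00, 0x00,0x00,0x00,0x00,
    0x1d,0x00,0x00,0x00, 0x1d,0x00,0x00,0x00,
    /* 29-byte raw IP packet: 127.0.0.1:32810 -> 127.0.0.1:1234, UDP, payload "\n" */
    0x45,0x00,0x00,0x1d,0xf3,0x95,0x40,0x00,0x40,0x11,0x49,0x38,0x7f,0x00,0x00,0x01,
    0x7f,0x00,0x00,0x01,0x80,0x2a,0x04,0xd2,0x00,0x09,0x72,0xdd,0x0a
};
const size_t machine1_len = sizeof machine1_file;

const uint8_t machine2_file[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0xf0,0xf1,0xff,0xff,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x01,0x00, 0x65,0x00,0x00,0x00,
    /* 16-byte packet header: 4-byte tv_sec, 4-byte tv_usec, caplen, len */
    0x90,0xb8,0x24,0x42, 0x3e,0x74,0x0e,0x00, 0x1d,0x00,0x00,0x00, 0x1d,0x00,0x00,0x00,
    0x45,0x00,0x00,0x1d,0x58,0xe6,0x40,0x00,0x40,0x11,0xe3,0xe7,0x7f,0x00,0x00,0x01,
    0x7f,0x00,0x00,0x01,0x82,0x17,0x04,0xd2,0x00,0x09,0x70,0xf0,0x0a
};
const size_t machine2_len = sizeof machine2_file;

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the file header and the first packet header the way a pcap reader
 * does. Returns 0 when the record is sane, -1 when caplen exceeds snaplen
 * (the condition tcpdump reports as "bogus savefile header"), -2 on bad
 * magic or a truncated file. */
int check_first_record(const uint8_t *buf, size_t n, struct pcap_sf_pkthdr *hdr)
{
    if (n < 24 + 16 || get_le32(buf) != PCAP_MAGIC)
        return -2;
    uint32_t snaplen = get_le32(buf + 16);
    hdr->ts_sec  = get_le32(buf + 24);
    hdr->ts_usec = get_le32(buf + 28);
    hdr->caplen  = get_le32(buf + 32);   /* on the amd64 file this lands on tv_usec */
    hdr->len     = get_le32(buf + 36);
    return hdr->caplen > snaplen ? -1 : 0;
}

/* What the writer should do: copy the timeval into fixed-width fields
 * rather than fwrite()ing a struct whose size depends on the host ABI. */
void write_sf_pkthdr(uint8_t out[16], const struct timeval *tv, uint32_t caplen, uint32_t len)
{
    put_le32(out,      (uint32_t)tv->tv_sec);
    put_le32(out + 4,  (uint32_t)tv->tv_usec);
    put_le32(out + 8,  caplen);
    put_le32(out + 12, len);
}

/* Rewrite a file produced with the 24-byte LP64 layout into the 16-byte
 * layout, keeping the low 32 bits of each timeval field. Returns the output
 * length, or 0 if the input does not parse as a sequence of such records. */
size_t repair_lp64_file(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    if (n < 24 || cap < 24 || get_le32(in) != PCAP_MAGIC)
        return 0;
    memcpy(out, in, 24);                       /* file header is already correct */
    size_t i = 24, o = 24;
    while (i + 24 <= n) {
        uint32_t caplen = get_le32(in + i + 16);
        if (i + 24 + caplen > n || o + 16 + caplen > cap)
            return 0;
        put_le32(out + o,      get_le32(in + i));        /* low half of 8-byte tv_sec  */
        put_le32(out + o + 4,  get_le32(in + i + 8));    /* low half of 8-byte tv_usec */
        put_le32(out + o + 8,  caplen);
        put_le32(out + o + 12, get_le32(in + i + 20));
        memcpy(out + o + 16, in + i + 24, caplen);
        i += 24 + caplen;
        o += 16 + caplen;
    }
    return i == n ? o : 0;
}

int main(void)
{
    struct pcap_sf_pkthdr h;
    uint8_t fixed[128];
    printf("sizeof(struct timeval)=%zu, in-memory pkthdr=%zu, on-disk pkthdr=%zu\n",
           sizeof(struct timeval), sizeof(struct pcap_mem_pkthdr), sizeof(struct pcap_sf_pkthdr));
    printf("machine1: %d (caplen read as %u)\n", check_first_record(machine1_file, machine1_len, &h), h.caplen);
    printf("machine2: %d (caplen %u)\n", check_first_record(machine2_file, machine2_len, &h), h.caplen);
    size_t m = repair_lp64_file(machine1_file, machine1_len, fixed, sizeof fixed);
    printf("repaired machine1: %d (caplen %u, usec %u)\n", check_first_record(fixed, m, &h), h.caplen, h.ts_usec);
    return 0;
}
```

On the machine 1 file the reader takes the zero upper half of tv_sec as tv_usec and the low half of tv_usec (0x0006be62 = 441954) as caplen, which exceeds the 65536 snaplen and triggers the error; the repaired file yields caplen 29 and the original microsecond value. The repair assumes every record was written by the same LP64 writer, so do not run it over files a correct writer appended to.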
Created attachment 63825 [details] ebuild for new ulogd-1.23 with patch for amd64 bug ebuild changes since ulogd-1.02-r1: * added virtual/libpcap dependency * apply patch for "bogus savefile header" bug on systems whose sizeof(struct timeval) != 8 The virtual/libpcap dependency may not be necessary, but the log_PCAP logging target is not created without it, and I am unaware of any libpcap USE flag.
Re-assign.
This bug has been sitting around for ages; can someone on the amd64 team confirm the patch works?
The patch was applied upstream and released in ulogd-1.24. An updated ebuild would solve this, as the latest ebuild is for ulogd-1.23.
Bumped ebuild (which will be attached shortly) *compiles* fine for me on amd64. I don't have a ulogd installation in which to test that it is generating appropriate files, as this is a test chroot on an otherwise active box. While revbumping, I removed the gcc41 patch (as it didn't apply) and changed the HOMEPAGE, since the old one led to a 404.

Dustin

Gentoo Base System version 1.12.5
Portage 2.1.1-r1 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r3, 2.6.15-gentoo-r72006040301 x86_64)
=================================================================
System uname: 2.6.15-gentoo-r72006040301 x86_64 AMD Athlon(tm) 64 Processor 3700+
Last Sync: Mon, 11 Dec 2006 21:50:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:      2.4.3-r4
dev-python/pycrypto:  2.0.1-r5
dev-util/ccache:      [Not Present]
dev-util/confcache:   [Not Present]
sys-apps/sandbox:     1.2.17
sys-devel/autoconf:   2.13, 2.60
sys-devel/automake:   1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:   2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:    1.5.22
virtual/os-headers:   2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect confcache digest distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://209.59.138.21/gentoo-portage"
USE="amd64 berkdb bitmap-fonts cli cracklib crypt cups dlloader dri elibc_glibc fortran gdbm gpm iconv input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 isdnlog kernel_linux libg++ ncurses nls nptl nptlonly pam pcre perl ppds pppd python readline reflection session spl ssl tcpd truetype-fonts type1-fonts udev unicode userland_GNU video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i810 video_cards_mga video_cards_neomagic video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo xorg zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Created attachment 105977 [details] ulogd-1.24.ebuild revbump with slight modifications
1.24 is in cvs