[gentoo-user] Packet sniffing broken recently?

[gentoo-user] Packet sniffing broken recently?

[walt]

Sometime in the last month or so (when I wasn't looking) my
~x86 and ~amd64 machines quit working when I try to run
wireshark or tcpdump, etc, but I don't know exactly when
or why.  (My amd64 machine still sniffs packets normally.)

I get this same error from any packet sniffing app:

Can't open netlink socket 93:Protocol not supported

Strace shows that this is the failing system call:

socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not supported)

That makes me think of some missing kernel config that may
have been added or modified in recent kernels, so I tried
gentoo-sources-3.0.6 (same as my working amd64 machine) with
no joy.  Same error message.

Have I missed some important gentoo bulletin about networking
recently?  Anyone have working packet sniffing on ~arch?

[gentoo-user] Re: Packet sniffing broken recently?

[Lubos Kolouch]

walt, Wed, 28 Dec 2011 17:01:59 -0800:

> Sometime in the last month or so (when I wasn't looking) my ~x86 and
> ~amd64 machines quit working when I try to run wireshark or tcpdump,
> etc, but I don't know exactly when or why.  (My amd64 machine still
> sniffs packets normally.)
> 
> I get this same error from any packet sniffing app:
> 
> Can't open netlink socket 93:Protocol not supported
> 
> Strace shows that this is the failing system call:
> 
> socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not
> supported)
> 
> That makes me think of some missing kernel config that may have been
> added or modified in recent kernels, so I tried gentoo-sources-3.0.6
> (same as my working amd64 machine) with no joy.  Same error message.
> 
> Have I missed some important gentoo bulletin about networking recently? 
> Anyone have working packet sniffing on ~arch?

Hi,

If I remember correctly, I needed to set 
Networking support -> Networking options -> Network packet filtering 
framework (Netfilter) -> Core Netfilter Configuration -> Netfilter
connection tracking support 

It has been a while though, so it may be another option in the
netfilter config - just try it :)

Lubos

Re: [gentoo-user] Re: Packet sniffing broken recently?

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 2139 bytes --]

On Thursday 29 Dec 2011 07:10:19 Lubos Kolouch wrote:
> walt, Wed, 28 Dec 2011 17:01:59 -0800:
> > Sometime in the last month or so (when I wasn't looking) my ~x86 and
> > ~amd64 machines quit working when I try to run wireshark or tcpdump,
> > etc, but I don't know exactly when or why.  (My amd64 machine still
> > sniffs packets normally.)
> > 
> > I get this same error from any packet sniffing app:
> > 
> > Can't open netlink socket 93:Protocol not supported
> > 
> > Strace shows that this is the failing system call:
> > 
> > socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not
> > supported)
> > 
> > That makes me think of some missing kernel config that may have been
> > added or modified in recent kernels, so I tried gentoo-sources-3.0.6
> > (same as my working amd64 machine) with no joy.  Same error message.
> > 
> > Have I missed some important gentoo bulletin about networking recently?
> > Anyone have working packet sniffing on ~arch?
> 
> Hi,
> 
> If I remember correctly, I needed to set
> Networking support -> Networking options -> Network packet filtering
> framework (Netfilter) -> Core Netfilter Configuration -> Netfilter
> connection tracking support
> 
> It has been a while though, so it may be another option in the
> netfilter config - just try it :)
> 
> Lubos

tcpdump-3.9.8-r1 and kernel-3.0.6-gentoo works fine here with no errors.

$ cat /usr/src/linux/.config | grep CONNTRACK
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_BROADCAST=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
CONFIG_NF_CONNTRACK_SNMP=y
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
CONFIG_NF_CONNTRACK_SIP=y
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=y

HTH.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

[gentoo-user] Re: Packet sniffing broken recently?

[walt]

On 12/29/2011 02:09 AM, Mick wrote:
> On Thursday 29 Dec 2011 07:10:19 Lubos Kolouch wrote:
>> walt, Wed, 28 Dec 2011 17:01:59 -0800:
>>> Sometime in the last month or so (when I wasn't looking) my ~x86 and
>>> ~amd64 machines quit working when I try to run wireshark or tcpdump,
>>> etc, but I don't know exactly when or why.  (My amd64 machine still
>>> sniffs packets normally.)
>>>
>>> I get this same error from any packet sniffing app:
>>>
>>> Can't open netlink socket 93:Protocol not supported
>>>
>>> Strace shows that this is the failing system call:
>>>
>>> socket(PF_NETLINK, SOCK_RAW, 12) = -1 EPROTONOSUPPORT (Protocol not
>>> supported)
>>>
>>> That makes me think of some missing kernel config that may have been
>>> added or modified in recent kernels, so I tried gentoo-sources-3.0.6
>>> (same as my working amd64 machine) with no joy.  Same error message.
>>>
>>> Have I missed some important gentoo bulletin about networking recently?
>>> Anyone have working packet sniffing on ~arch?
>>
>> Hi,
>>
>> If I remember correctly, I needed to set
>> Networking support ->  Networking options ->  Network packet filtering
>> framework (Netfilter) ->  Core Netfilter Configuration ->  Netfilter
>> connection tracking support
>>
>> It has been a while though, so it may be another option in the
>> netfilter config - just try it :)
>>
>> Lubos
>
> tcpdump-3.9.8-r1 and kernel-3.0.6-gentoo works fine here with no errors.

Thanks guys.  I enabled all of the netfilter stuff as modules, then ran
tcpdump.  Turns out that tcpdump loaded only the 'nfnetlink' module, which
makes good sense given my original 'NETLINK' error message.

This change appears to be somewhere in userland, though, not in the kernel
per se.  I copied the kernel .config file from my working amd64 machine
to the 'broken' ~amd64 machine and recompiled the kernel.

No improvement.  I had to enable the nfnetlink module to make packet sniffing
work again.  I suppose one of the networking packages changed in a recent ~arch
update.

[gentoo-user] Re: Packet sniffing broken recently?

[Holger Hoffstaette]

On Thu, 29 Dec 2011 07:29:51 -0800, walt wrote:

> This change appears to be somewhere in userland, though, not in the kernel
> per se.  I copied the kernel .config file from my working amd64 machine to
> the 'broken' ~amd64 machine and recompiled the kernel.
> 
> No improvement.  I had to enable the nfnetlink module to make packet
> sniffing work again.  I suppose one of the networking packages changed in
> a recent ~arch update.

Yup, this was libpcap moving to 1.2 recently. You can get the old
behaviour back by downgrading to 1.1.x, though for me 1.2 also worked
after building all the netfilter modules (default settings) and enabling
linbl for libpcap.

-h