ulogd-pcap file format not understood by ethereal

To: debian-firewall@lists.debian.org
Subject: ulogd-pcap file format not understood by ethereal
From: Achim Löbbert <aloebbert@gmx.de>
Date: Fri, 7 May 2004 21:34:54 +0200 (CEST)
Message-id: <[🔎] c7gocu$gpc$1@cesar.loebbert.de>

Hello,

the file /var/log/ulog/pcap.log created by ulogd is not understood by
ethereal and tcpdump any more. Even 'file /var/log/ulog/pcap.*' says:

/var/log/ulog/pcap.log:   data
/var/log/ulog/pcap.log.1: tcpdump capture file (little-endian) \
                          - version 2.4 (raw IP, capture length 65536)

The strange thing is that it used to be correctly understood by
ethereal, as can be seen by the logrotated pcap.log.1 above.

The only thing which I changed is to compile the ipfilter modules
statically into the 2.6.5 kernel. However:

> zcat /proc/config.gz | egrep -i "ulog"
CONFIG_IP_NF_TARGET_ULOG=y

/var/log/ulog/pcap.log exists and keeps growing and rules are hit:

# iptables -L -v -n | grep -i ulog
24  672 ULOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 queue_threshold 1
40 2694 ULOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 queue_threshold 1
...

I am using up-to-date sid and kernel-source-2.6.5 which I configured
and compiled myself. The only change I did to /etc/ulogd.conf is to
enable the pcap plugin:

> ar p \
/pub/mirrors/ftp.debian.org/debian/pool/main/u/ulogd/ulogd_1.02-1_i386.deb \
data.tar.gz | tar xOzf - ./etc/ulogd.conf | diff /etc/ulogd.conf -
89c89
< plugin /usr/lib/ulogd/ulogd_PCAP.so
---
> #plugin /usr/lib/ulogd/ulogd_PCAP.so

I stopped ulogd, truncated /var/log/ulog/pcap.log to zero, restarted
ulogd but once it gets filled the data is not understood.

Any hints would be appreciated.

Achim

Reply to:

Prev by Date: Re: open ports with firehol
Next by Date: Re: where the people are using iptables
Previous by thread: Alert from virusscanner
Next by thread: Re: ulogd-pcap file format not understood by ethereal
Index(es):
- Date
- Thread