0

I'm unable to write 1514 bytes (including the L2 information) via write to /dev/bpf. I can write smaller packets (meaning I think the basic setup is correct), but I see "Message too long" with the full-length packets. This is on Solaris 11.2.

It's as though the write is treating this as the write of an IP packet.

Per the specs, there 1500 bytes for the IP portion, 14 for the L2 headers (18 if tagging), and 4 bytes for the checksum.

I've set the feature that I thought would prevent the OS from adding its own layer 2 information (yes, I also find it odd that a 1 disables it; pseudo code below):

int hdr_complete = 1;
ioctl(bpf, BIOCSHDRCMPLT, &hdr_complete);

The packets are never larger than 1514 bytes (they're captured via a port span and start with the source and destination MAC addresses; I'm effectively replaying them).

I'm sure I'm missing something basic here, but I'm hitting a dead end. Any pointers would be much appreciated!

Partial Answer: This link was very helpful.

Update 3/20/2017 Code works on Mac OS X, but on Solaris results in repeated "Interrupted system call" (EINTR). I'm starting to read scary things about having to implement signal handling, which I'd rather not do...

Sample code on GitHub based on various code I've found via Google. On most systems you have to run this with root privileges unless you've granted "net_rawaccess" to the user.

Still trying to figure out the EINTR issue. Output from truss:

27158/1:         0.0122  0.0000 write(3, 0x08081DD0, 1514)                      Err#4 EINTR
27158/1:          \0 >E1C09B92 4159E01C694\b\0 E\005DC82E1 @\0 @06F8 xC0A81C\fC0A8
27158/1:          1C eC8EF14 Q nB0BC 4 V @FBDE8010FFFF8313\0\00101\b\n ^F3 W @ C E
27158/1:           d SDD G14EDEB ~ t sCFADC6 qE3C3B7 ,D9D51D VB0DFB0\b96C4B8EC1C90
27158/1:          12F9D7 &E6C2A4 Z 6 t\bFCE5EBBF9C1798 r 4EF "139F +A9 cE3957F tA7
27158/1:           x KCD _0E qB9 DE5C1 @CAACFF gC398D9F787FB\n & &B389\n H\t ~EF81
27158/1:          C9BCE0D7 .9A1B13 [ [DE\b [ ECBF31EC3 z19CDA0 @81 ) JC9 2C8B9B491
27158/1:           u94 iA3 .84B78AE09592 ;DA ] .F8  A811EE H Q o q9B 8A4 cF1 XF5 g
27158/1:          EC ^\n1BE2C1A5C2 V 7FD 094 + (B5D3 :A31B8B128D ' J 18A <897FA3 u

EDIT 7 April 2017 The EINTR problem was the result of a bug in the sample code that I placed on GitHub. The code was not associating the bpf device with the actual interface and Solaris was throwing the EINTR as a result.

Now I'm back to the "message too long" problem that I still haven't resolved.

MattW
  • 783
  • 7
  • 11
  • 2
    Please include a complete program that exhibits your issue. Refer to the guidelines listed here [mcve] – sigjuice Mar 15 '17 at 06:23
  • How do you handle the `"Interrupted system call" (EINTR)` ? – wildplasser Apr 01 '17 at 18:49
  • I haven't yet figured that out. I'm finding references to the `SA_RESTART` flag on most OSes being disabled by default in Solaris, but I have no idea if that's even related to this... – MattW Apr 03 '17 at 16:32
  • The EINTR turned out to be the result of a flaw in the sample code. It was effectively trying to write to the BPF device that was not correctly associated with the actual interface. The code on GitHub is now fixed, but now I'm back to the "Message too long" problem... – MattW Apr 07 '17 at 21:47

0 Answers0