[ This is all quite OpenBSD-specific, but maybe it'll save someone a few ]
[ hours one day. Crossposted to misc@openbsd.org for extra karma ]

Hmmm,

Lots of digging later shows that:

a) ifconfig doesn't know about BPF devices, whatever the changelog says.
   e.g.
   # ifconfig bpf20 create
   ifconfig: SIOCIFCREATE: Invalid argument

b) you don't need to increase the number of BPF devices in the kernel...
   but you MUST manually create the device-files in /dev.
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Ergo: You need a bpf device in /dev for every interface on the system.
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It appears that the OpenBSD kernel can dynamically create the bpf devices
internally, but the BPF interface still needs the device-files in order to
work, and the kernel doesn't do that for you.
(or maybe trying to use BPF device-files causes the OpenBSD kernel to
dynamically create the BPF pseudo-device)

By default, "MAKEDEV all" only creates 10 BPF device-files, but when you've
more than 10 interfaces, bpf(), and consequently nmap, breaks.

Oddly enough, nmap works after doing a "ifconfig interface DELETE", not
DESTROY - why removing IP addresses from interfaces means nmap requires
fewer BPF devices isn't very clear (to me), as you can obviously still use
BPF with an interface that has no assigned IP4/6 address.

Weird.

Dom

Dom De Vitto CISSP MBCS BSc     Desk: 01962 82 3363 / 716 3363
Security Consultant             Mobile: 07855 805 271
Operational Security            <mailto:[EMAIL PROTECTED]>

-----Original Message-----
From: Michael Coulter [mailto:[EMAIL PROTECTED]
Sent: 09 January 2006 02:10
To: Dom Devitto
Cc: [EMAIL PROTECTED]
Subject: Re: Execution problem : getinterfaces: Failed to open ethernet interface (fxp9)

On Sat, Jan 07, 2006 at 11:49:48PM -0000, Dom Devitto wrote:
> really means - for 'clean' OpenBSD 3.8 at least:
>
> "You need more BPF devices, rebuild your kernel, and remake /dev, possibly
> changing MAKEDEV"

since 3.6 the kernel should not need to be rebuilt.

from http://www.openbsd.org/plus36.html
- Make bpf(4) devices clonable.
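[ Added example, not part of the original thread: a shell check for the
  condition the post describes, one bpfN node in /dev per interface. The
  function names, the fxp interface names, and the assumption that nodes are
  numbered bpf0, bpf1, ... are illustrative; the sample data is constructed. ]

```sh
#!/bin/sh
# Real use on the affected host:
#   n=$(ifconfig -a | count_interfaces); missing_bpf_nodes "$n" /dev

# Count interfaces in `ifconfig -a` output on stdin. Each interface stanza
# starts in column 0 with "name:"; address lines are indented and skipped.
count_interfaces() {
    awk '/^[A-Za-z0-9_]+:/ { n++ } END { print n + 0 }'
}

# Print every bpfN (N = 0 .. count-1) that has no node in the directory.
#   $1 = number of interfaces, $2 = device directory (normally /dev)
# Uses -e rather than -c so it can also be run against a scratch directory.
missing_bpf_nodes() {
    i=0
    while [ "$i" -lt "$1" ]; do
        [ -e "$2/bpf$i" ] || printf 'bpf%d\n' "$i"
        i=$((i + 1))
    done
}

# Constructed scenario from the post: ten bpf nodes (the number the post says
# "MAKEDEV all" creates) and twelve interfaces. Names and addresses are made up.
demo() {
    d=$(mktemp -d) || return 1
    i=0
    while [ "$i" -lt 10 ]; do
        : > "$d/bpf$i"
        i=$((i + 1))
    done
    sample=$(i=0
        while [ "$i" -lt 12 ]; do
            printf 'fxp%d: flags=8843<UP,BROADCAST,RUNNING> mtu 1500\n' "$i"
            printf '\tinet 192.0.2.%d netmask 0xffffff00\n' "$((i + 1))"
            i=$((i + 1))
        done)
    n=$(printf '%s\n' "$sample" | count_interfaces)
    missing_bpf_nodes "$n" "$d" | paste -sd ' ' -
    rm -rf "$d"
}

demo    # prints: bpf10 bpf11
```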