On Fri, 2005-03-04 at 11:48 -0500, henry@shoelacecity.com wrote:
The funny part is that this version of libnet seems to expect port numbers in host byte order whereas I pass it to libnet in network byte order. I'm almost confident that this used to work when I originally did the libnet support; judging by the libnet changelog again, this was a change between 1.0 <-> 1.1
Is your syslog-ng sending messages to the correct port? Can you check that with tcpdump for example? Or maybe you are using a big-endian machine?
Balazs, spoofed UDP packets are being sent properly, as far as I can tell - the data is getting to the target properly.
This is suspicious; unless you are using a non-x86 machine, there should be some problems with the port number, as was the case for my local installation when trying to reproduce the problem.
tcpdump shows some minor strangeness - the source address is that of the spoofed syslog host, which is to be expected, and the target host is correct, as is the target port (514/UDP). What is strange is that all the spoofed packets are using UDP/514 as the source.
syslog-ng spoofs the source IP and source port as well, so it uses the same port number as the originating syslog sender.
An example of a tcpdump run on the UDP spoofer syslog machine (syslogng1.testdomain.org):
10:10:39.4092332 IP cisco2121.testdomain.org.syslog > syslogng2.testdomain.org.syslog: UDP, length 150
I don't think the endianness is coming into play here. Also, I verified that libnet was not installed prior to the 1.2.2 installation; I am certain that syslog-ng was compiled against 1.2.2.
There is no version 1.2.2, the latest version is 1.1.2.1 (or 1.1.3 which is BETA) -- Bazsi