Center for Information Technology Integration   
Honeyd - Frequently Asked Questions
This is an old version of the FAQ. The most current FAQ can be found at http://www.honeyd.org/faq.php.

Here are some frequently encountered problems when running Honeyd:

Why do I get errors when compiling Honeyd?

Sometimes autoconf generates the following errors. If your question is answered here, please do not send email.
$ make
cd . && aclocal
cd . && automake --foreign Makefile
cd . && autoconf
autoconf: Undefined macros:
configure.in:145:AC_FUNC_FORK
configure.in:147:AC_FUNC_MALLOC
configure.in:177:AC_CONFIG_FILES([Makefile])
configure.in:3:AC_CONFIG_SRCDIR(honeyd.c)
make: *** [configure] Error 1

To fix this you need to install a newer version of autoconf. I do not know why automake causes everything to be regenerated.

Why does Honeyd not know any personalities?

When starting honeyd on the sample configuration file, you get the following error:
config.sample:2: Unknown personality "AIX 4.0 - 4.2"
config.sample:4: Unknown personality "AIX 4.0 - 4.2"
honeyd: parsing configuration file failed
That means you did not specify a fingerprint file on the command line. Start honeyd like this:
./honeyd -d -p nmap.prints -f config.sample -i fxp0

I think that I have installed the latest version of autoconf. Which version do I need?

You need at least the following version:
 
$ autoconf --version
autoconf (GNU Autoconf) 2.52
Written by David J. MacKenzie.
Future releases of honeyd will hopefully work again with the older version of autoconf.

When compiling Honeyd under Solaris, I get duplicated symbols. What do I need to do?

Sometimes, libpcap seems to be linked with exported yacc symbols:
gcc  -Wall -g  -o honeyd  honeyd.o command.o parse.o lex.o config.o
personality.o util.o ipfrag.o router.o tcp.o udp.o -L/usr/local/lib -levent
-L/usr/local/lib -lpcap -L/usr/local/lib -ldnet
parse.o: Definition of symbol `_yylhs' (multiply defined)
parse.o: Definition of symbol `_yylen' (multiply defined)
Recompiling pcap with bison instead of yacc seems to solve this problem.

Honeyd does not seem to answer to any packets. What is going wrong?

Honeyd does not divert any network traffic by itself; it only answers packets that actually arrive on its interface for the addresses it has been configured to handle. It is your responsibility to direct that traffic towards the Honeyd machine.

There are three different methods to direct traffic to Honeyd:

  • Add a route on your router that directs parts of your network to Honeyd.
  • Use proxy ARP so that your host answers ARP requests for the IP addresses that Honeyd should control.
  • Use arpd to get Honeyd to respond to all unused IP addresses on your network. This often causes DHCP to stop working, because arpd also answers ARP requests for addresses the DHCP server is trying to lease, which makes them look already in use; restrict arpd to the address range that Honeyd should own.

How do I test Honeyd without a network?

Since Honeyd 0.4, it is possible to interact with Honeyd over the software loopback network interface.

Use config.localhost, and type the following commands to start Honeyd:

$ route -n add -net 10.0.0.0/8 127.0.0.1
$ ./honeyd -d -p nmap.prints -f config.localhost -i lo0 10.0.0.0/8
Now it is possible to probe the virtual hosts with commands like
$ traceroute -n 10.3.0.10
or with nmap, etc.

Why does Honeyd terminate with "bad interface configuration: not IP"?

Honeyd analyzes the address type of its listening interface. If no IP address has been assigned to the interface, it will generate the error message: bad interface configuration: not IP.

Assign an IP address to the interface to solve this problem.

Is it possible to run Honeyd on an existing IP address?

Honeyd normally requires its own IP address space. If only one IP address is available, for example on a dial-up modem or DSL line, Honeyd can still be used for selected ports by putting it behind NAT.

Use your NAT (iptables, ipf, pf, etc.) to forward traffic to a Honeyd machine that runs behind the NAT on a private address range. The forwarding is done by port redirection: a port on the single public IP address is redirected to the virtual IP address of a Honeyd host and the corresponding port on that virtual host. Ports that are not redirected are never seen by Honeyd.
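The following is an added example of such a setup, not a configuration from the FAQ or the Honeyd distribution. It assumes a pf-based gateway whose DSL link is tun0 and a Honeyd host on the inside LAN that owns the virtual address 10.0.0.5; both values are made up for this example. The honeyd.conf part uses the template syntax of Honeyd's config.sample (create/set/add/bind) and the web.sh service script shipped in Honeyd's scripts directory.

```conf
# --- pf.conf on the NAT gateway (assumed: DSL link is tun0, Honeyd's
# --- virtual host is 10.0.0.5 on the inside network)
ext_if = "tun0"
honeyd_ip = "10.0.0.5"
# Redirect only port 80 of the single public address to the virtual host;
# every other port of the public address stays with the gateway itself.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $honeyd_ip port 80
pass in on $ext_if proto tcp from any to $honeyd_ip port 80

# --- honeyd.conf on the Honeyd machine: a template bound to the private
# --- address the rdr rule targets. The personality name must exist in the
# --- nmap.prints file passed with -p (see the "Unknown personality" question).
create web
set web personality "AIX 4.0 - 4.2"
set web default tcp action reset
add web tcp port 80 "sh scripts/web.sh"
bind 10.0.0.5 web
```

On the Honeyd machine, start Honeyd for just that address (./honeyd -d -p nmap.prints -f honeyd.conf -i <inside interface> 10.0.0.5) and make sure the inside host answers ARP for 10.0.0.5, with arpd or proxy ARP as described in the previous question; otherwise the gateway cannot deliver the redirected packets.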

How do I interpret the fields in Honeyd's packet log?

The -l option in Honeyd creates a flow log for all connections and packets seen by Honeyd. For example, entries look like this:
2004-01-07-14:36:58.7132 tcp(6) - 252.214.169.203 2064 192.168.27.180 21: 48 S [MacOS 8.0-8.6 OTTCP]
2004-01-07-15:26:40.0209 tcp(6) - 244.233.22.102 61891 172.162.8.180 21: 60 S [FreeBSD 5.0-5.1 ]
2004-01-07-16:48:30.1212 tcp(6) S 192.168.21.135 33395 172.162.8.91 80 [Linux 2.6 ]
2004-01-07-16:48:41.4929 tcp(6) S 10.173.240.67 22110 192.168.14.178 81 [Windows XP SP1]
  • The first field contains the time that the event happened in sub-second resolution.
  • The second field lists the protocol, for example tcp, udp, or icmp.
  • The third field may either be S which indicates the start of a new connection, E the end of a connection or - if a packet does not belong to any connection. For E, Honeyd logs the amount of data received and sent at the end of the line.
  • The next four fields represent the connection four tuple: <src ip, src port, dst ip, dst port>.
  • For TCP packets that are not part of a connection, Honeyd logs the packet size and TCP flags after the colon.
  • Comments like operating system identification via passive fingerprinting are appended to the end of the line.
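As an added example (not code from the Honeyd distribution), the parser below reads this log layout field by field and then runs two small triage passes over it: which sources touched how many distinct host/port pairs, and which passive fingerprints Honeyd attached. The sample input is constructed: the four lines quoted above plus an E line and two extra probe lines made up for the example. The FAQ only says that an E line carries the received and sent byte counts; the "received sent" order after the colon is an assumption of this example.

```python
"""Parse the flow log written by honeyd -l, following the field layout the FAQ
describes. Added example; not code from the Honeyd distribution."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input (see lead-in): the "received sent" layout of the E
# line is an assumption of this example, not something the FAQ states.
SAMPLE_LOG = """\
2004-01-07-14:36:58.7132 tcp(6) - 252.214.169.203 2064 192.168.27.180 21: 48 S [MacOS 8.0-8.6 OTTCP]
2004-01-07-15:26:40.0209 tcp(6) - 244.233.22.102 61891 172.162.8.180 21: 60 S [FreeBSD 5.0-5.1 ]
2004-01-07-16:48:30.1212 tcp(6) S 192.168.21.135 33395 172.162.8.91 80 [Linux 2.6 ]
2004-01-07-16:48:41.4929 tcp(6) S 10.173.240.67 22110 192.168.14.178 81 [Windows XP SP1]
2004-01-07-16:48:45.0001 tcp(6) E 192.168.21.135 33395 172.162.8.91 80: 120 340
2004-01-07-17:02:10.0100 tcp(6) - 10.173.240.67 40001 192.168.14.178 22: 60 S [Windows XP SP1]
2004-01-07-17:02:10.0150 tcp(6) - 10.173.240.67 40002 192.168.14.178 23: 60 S [Windows XP SP1]
"""

# timestamp proto(num) kind src sport dst dport[: extra] [comment]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>[a-z]+)\((?P<pnum>\d+)\)\s+"
    r"(?P<kind>[SE-])\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
    r"(?::\s*(?P<extra>[^\[]*?))?"
    r"\s*(?:\[(?P<comment>[^\]]*)\])?\s*$"
)


@dataclass
class LogEntry:
    time: datetime
    proto: str
    proto_num: int
    kind: str                       # S = start, E = end, - = packet outside any connection
    src: str
    sport: int
    dst: str
    dport: int
    size: Optional[int] = None      # '-' lines: packet size
    flags: Optional[str] = None     # '-' TCP lines: TCP flags
    received: Optional[int] = None  # 'E' lines: bytes received
    sent: Optional[int] = None      # 'E' lines: bytes sent
    comment: Optional[str] = None   # trailing [...] text, e.g. passive OS fingerprint


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    entry = LogEntry(
        time=datetime.strptime(m.group("ts"), "%Y-%m-%d-%H:%M:%S.%f"),
        proto=m.group("proto"),
        proto_num=int(m.group("pnum")),
        kind=m.group("kind"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        comment=(m.group("comment") or "").strip() or None,
    )
    extra = (m.group("extra") or "").split()
    if entry.kind == "-" and extra:
        # Packet outside a connection: size, then the TCP flags for tcp.
        entry.size = int(extra[0])
        if entry.proto == "tcp" and len(extra) > 1:
            entry.flags = extra[1]
    elif entry.kind == "E" and len(extra) >= 2:
        entry.received, entry.sent = int(extra[0]), int(extra[1])
    return entry


def parse_log(text: str) -> List[LogEntry]:
    """Parse a whole log, skipping blank lines and lines that do not parse."""
    entries = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in entries if e is not None]


def targets_by_source(entries: List[LogEntry]) -> Dict[str, Set[Tuple[str, int]]]:
    """Map each source IP to the distinct (dst ip, dst port) pairs it touched,
    counting connection starts and stray packets but not connection ends."""
    seen: Dict[str, Set[Tuple[str, int]]] = {}
    for e in entries:
        if e.kind in ("S", "-"):
            seen.setdefault(e.src, set()).add((e.dst, e.dport))
    return seen


def find_scanners(entries: List[LogEntry], min_targets: int = 3) -> List[str]:
    """Sources that touched at least min_targets distinct (host, port) pairs."""
    return sorted(src for src, targets in targets_by_source(entries).items()
                  if len(targets) >= min_targets)


def fingerprints(entries: List[LogEntry]) -> Counter:
    """Count the passive OS fingerprint comments Honeyd attached."""
    return Counter(e.comment for e in entries if e.comment)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in log:
        print(e.time.isoformat(), e.kind, e.src, e.sport, "->", e.dst, e.dport, e.comment)
    print("scanners:", find_scanners(log))
    print("fingerprints:", fingerprints(log).most_common())
```

Anything after the colon is kept as free text and only interpreted according to the third field, so an unfamiliar line (an ICMP entry, say, which has no ports) is dropped rather than mis-parsed; check parse_line's None return when feeding it a real log.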

Why do I receive warnings about 'Impossible SI range in Class fingerprint' when running Honeyd?

These warnings result from inconsistent entries in Nmap's fingerprint database: the TCP sequence number generator class named in a fingerprint and the numerical SI range given for it do not agree.

It is safe to ignore these warnings.


If your question is not answered here, please let me know.

 

 

Niels Provos
Last modified: Wed Mar 17 10:48:32 PST 2004