Update the platform-specific information for various platforms.
Add a "README.linux" file discussing the packet socket and socket filtering kernel options.
This commit is contained in:
parent
dc543edc9a
commit
21e33731db
1
FILES
1
FILES
|
@ -6,6 +6,7 @@ LICENSE
|
|||
Makefile.in
|
||||
README
|
||||
README.aix
|
||||
README.linux
|
||||
SUNOS4/nit_if.o.sparc
|
||||
SUNOS4/nit_if.o.sun3
|
||||
SUNOS4/nit_if.o.sun4c.4.0.3c
|
||||
|
|
91
INSTALL
91
INSTALL
|
@ -1,4 +1,4 @@
|
|||
@(#) $Header: /tcpdump/master/libpcap/Attic/INSTALL,v 1.44 2000-07-30 06:01:22 assar Exp $ (LBL)
|
||||
@(#) $Header: /tcpdump/master/libpcap/Attic/INSTALL,v 1.45 2000-12-01 07:47:07 guy Exp $ (LBL)
|
||||
|
||||
To build libpcap, run "./configure" (a shell script). The configure
|
||||
script will determine your system attributes and generate an
|
||||
|
@ -110,11 +110,15 @@ If you get an error like:
|
|||
when using DLPI, look for the DL_ERROR_ACK error return values, usually
|
||||
in /usr/include/sys/dlpi.h, and find the corresponding value.
|
||||
|
||||
Under OSF, packet capture must be enabled before it can be used. For
|
||||
instructions on how to enable packet filter support, see:
|
||||
Under {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be
|
||||
enabled before it can be used. For instructions on how to enable packet
|
||||
filter support, see:
|
||||
|
||||
ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX
|
||||
|
||||
Look for the "How do I configure the Berkeley Packet Filter and capture
|
||||
tcpdump traces?" item.
|
||||
|
||||
Once you enable packet filter support, your OSF system will support bpf
|
||||
natively.
|
||||
|
||||
|
@ -135,53 +139,76 @@ then you don't have the streams package. In addition, we believe you
|
|||
need to install the "9.X LAN and DLPI drivers cumulative" patch
|
||||
(PHNE_6855) to make the version 9 DLPI work with libpcap.
|
||||
|
||||
It's been reported that the DLPI streams package is standard starting
|
||||
with HP-UX 10.
|
||||
The DLPI streams package is standard starting with HP-UX 10.
|
||||
|
||||
The HP implementation of DLPI is a little bit eccentric. Unlike
|
||||
Solaris, you must attach /dev/dlpi instead of the specific /dev/*
|
||||
network pseudo device entry in order to capture packets. The ppa is
|
||||
network pseudo device entry in order to capture packets. The PPA is
|
||||
based on the ifnet "index" number. Under HP-UX 9, it is necessary to
|
||||
read /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10,
|
||||
dlpi can provide information for determining the ppa. It does not seem
|
||||
DLPI can provide information for determining the PPA. It does not seem
|
||||
to be possible to trace the loopback interface. Unlike other DLPI
|
||||
implementations, PHYS implies MULTI and SAP and you get an error if you
|
||||
try to enable more than one promiscous more than one promiscuous mode
|
||||
at a time. Finally, testing shows that there can't be more than one
|
||||
simultaneous dlpi user per network interface and you cannot capture
|
||||
outbound packets.
|
||||
try to enable more than one promiscuous mode at a time.
|
||||
|
||||
It is impossible to capture outbound packets on HP-UX 9. To do so on
|
||||
HP-UX 10, you will, apparently, need a late "LAN products cumulative
|
||||
patch" (at one point, it was claimed that this would be PHNE_18173 for
|
||||
s700/10.20; at another point, it was claimed that the required patches
|
||||
were PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do
|
||||
so on HP-UX 11 you will, apparently, need the latest lancommon/DLPI
|
||||
patches and the latest driver patch for the interface(s) in use on HP-UX
|
||||
11 (at one point, it was claimed that patches PHNE_19766, PHNE_19826,
|
||||
PHNE_20008, and PHNE_20735 did the trick).
|
||||
|
||||
Furthermore, on HP-UX 10, you will need to turn on a kernel switch by
|
||||
doing
|
||||
|
||||
echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem
|
||||
|
||||
You would have to arrange that this happen on reboots; the right way to
|
||||
do that would probably be to put it into an executable script file
|
||||
"/sbin/init.d/outbound_promisc" and making
|
||||
"/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script.
|
||||
|
||||
Finally, testing shows that there can't be more than one simultaneous
|
||||
DLPI user per network interface.
|
||||
|
||||
If you use Linux, this version of libpcap is known to compile and run
|
||||
under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X
|
||||
versions but is guaranteed not to work with 1.X kernels. Running more
|
||||
than one libpcap program at a time can cause problems since promiscuous
|
||||
mode is implemented by twiddlin the interface flags from the libpcap
|
||||
application. Also, packet timestamps aren't very good. This appears to
|
||||
be due to haphazard handling of the timestamp in the kernel.
|
||||
under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X
|
||||
versions but is guaranteed not to work with 1.X kernels. Running more
|
||||
than one libpcap program at a time, on a system with a 2.0.X kernel, can
|
||||
cause problems since promiscuous mode is implemented by twiddling the
|
||||
interface flags from the libpcap application; the packet capture
|
||||
mechanism in the 2.2 and later kernels doesn't have this problem. Also,
|
||||
packet timestamps aren't very good. This appears to be due to haphazard
|
||||
handling of the timestamp in the kernel.
|
||||
|
||||
Note well: there is rumoured to be a version of tcpdump floating around
|
||||
called 3.0.3 that includes libpcap and is supposed to support Linux.
|
||||
You should be advised that the Network Research Group at LBNL never
|
||||
generated a release with this version number. The LBNL Network Research
|
||||
Group notes with interest that a standard cracker trick to get people to
|
||||
install trojans is to distribute bogus packages that have a version
|
||||
number higher than the current release. They also noted with annoyance
|
||||
that 90% of the Linux related bug reports they got are due to changes
|
||||
made to unofficial versions of their page. If you are having trouble
|
||||
but aren't using a version that came from tcpdump.org, please try that
|
||||
before submitting a bug report!
|
||||
You should be advised that neither the Network Research Group at LBNL
|
||||
nor the Tcpdump Group ever generated a release with this version number.
|
||||
The LBNL Network Research Group notes with interest that a standard
|
||||
cracker trick to get people to install trojans is to distribute bogus
|
||||
packages that have a version number higher than the current release.
|
||||
They also noted with annoyance that 90% of the Linux related bug reports
|
||||
they got are due to changes made to unofficial versions of their page.
|
||||
If you are having trouble but aren't using a version that came from
|
||||
tcpdump.org, please try that before submitting a bug report!
|
||||
|
||||
On Linux, libpcap will not work if the kernel does not have the packet
|
||||
socket option enabled; see the README.linux file for information about
|
||||
this.
|
||||
|
||||
If you use AIX, you may not be able to build libpcap from this release.
|
||||
Although AIX 4 ships with tcpdump, it is an old version that predates
|
||||
libpcap. We do not have an AIX system in house so it's impossible for
|
||||
us to test AIX patches submitted to us. We are told that you must link
|
||||
against /lib/pse.exp, that you must use AIX cc or a GNU C compiler
|
||||
newer than 2.7.2 and that you may need to run strload before running a
|
||||
libpcap application. Also, it may be necessary to run the configure
|
||||
script as root in order for it to detect that bpf is available. Another
|
||||
workaround is to use:
|
||||
libpcap application.
|
||||
|
||||
./configure --with-pcap=bpf
|
||||
Read the README.aix file for information on installing libpcap and
|
||||
configuring your system to be able to support libpcap.
|
||||
|
||||
If you use NeXTSTEP, you will not be able to build libpcap from this
|
||||
release. We hope to support this operating system in some future
|
||||
|
@ -203,7 +230,7 @@ Another workaround is to use flex and bison.
|
|||
If you use SCO, you might have trouble building libpcap from this
|
||||
release. We do not have a machine running SCO and have not had reports
|
||||
of anyone successfully building on it. Since SCO apparently supports
|
||||
dlpi, it's possible the current version works. Meanwhile, sco provides
|
||||
DLPI, it's possible the current version works. Meanwhile, SCO provides
|
||||
a tcpdump binary as part of their "Network/Security Tools" package:
|
||||
|
||||
http://www.sco.com/technology/internet/goodies/#SECURITY
|
||||
|
|
|
@ -0,0 +1,70 @@
|
|||
In order for libpcap to be able to capture packets on a Linux system,
|
||||
the "packet" protocol must be supported by your kernel. If it is not,
|
||||
you may get error messages such as
|
||||
|
||||
modprobe: can't locate module net-pf-17
|
||||
|
||||
in "/var/adm/messages", or may get messages such as
|
||||
|
||||
socket: Address family not supported by protocol
|
||||
|
||||
from applications using libpcap.
|
||||
|
||||
You must configure the kernel with the CONFIG_PACKET option for this
|
||||
protocol; the following note is from the Linux "Configure.help" file for
|
||||
the 2.0[.x] kernel:
|
||||
|
||||
Packet socket
|
||||
CONFIG_PACKET
|
||||
The Packet protocol is used by applications which communicate
|
||||
directly with network devices without an intermediate network
|
||||
protocol implemented in the kernel, e.g. tcpdump. If you want them
|
||||
to work, choose Y.
|
||||
|
||||
This driver is also available as a module called af_packet.o ( =
|
||||
code which can be inserted in and removed from the running kernel
|
||||
whenever you want). If you want to compile it as a module, say M
|
||||
here and read Documentation/modules.txt; if you use modprobe or
|
||||
kmod, you may also want to add "alias net-pf-17 af_packet" to
|
||||
/etc/modules.conf.
|
||||
|
||||
and the note for the 2.2[.x] kernel says:
|
||||
|
||||
Packet socket
|
||||
CONFIG_PACKET
|
||||
The Packet protocol is used by applications which communicate
|
||||
directly with network devices without an intermediate network
|
||||
protocol implemented in the kernel, e.g. tcpdump. If you want them
|
||||
to work, choose Y. This driver is also available as a module called
|
||||
af_packet.o ( = code which can be inserted in and removed from the
|
||||
running kernel whenever you want). If you want to compile it as a
|
||||
module, say M here and read Documentation/modules.txt. You will
|
||||
need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules
|
||||
file for the module version to function automatically. If unsure,
|
||||
say Y.
|
||||
|
||||
In addition, there is an option that, in 2.2 and later kernels, will
|
||||
allow packet capture filters specified to programs such as tcpdump to be
|
||||
executed in the kernel, so that packets that don't pass the filter won't
|
||||
be copied from the kernel to the program, rather than having all packets
|
||||
copied to the program and libpcap doing the filtering in user mode.
|
||||
|
||||
Copying packets from the kernel to the program consumes a significant
|
||||
amount of CPU, so filtering in the kernel can reduce the overhead of
|
||||
capturing packets if a filter has been specified that discards a
|
||||
significant number of packets. (If no filter is specified, it makes no
|
||||
difference whether the filtering isn't performed in the kernel or isn't
|
||||
performed in user mode. :-))
|
||||
|
||||
The option for this is the CONFIG_FILTER option; the "Configure.help"
|
||||
file says:
|
||||
|
||||
Socket filtering
|
||||
CONFIG_FILTER
|
||||
The Linux Socket Filter is derived from the Berkeley Packet Filter.
|
||||
If you say Y here, user-space programs can attach a filter to any
|
||||
socket and thereby tell the kernel that it should allow or disallow
|
||||
certain types of data to get through the socket. Linux Socket
|
||||
Filtering works on all socket types except TCP for now. See the text
|
||||
file linux/Documentation/networking/filter.txt for more information.
|
||||
If unsure, say N.
|
Reference in New Issue