From 21e33731db56cda0aa01d62b498f60e6f0cff629 Mon Sep 17 00:00:00 2001 From: guy Date: Fri, 1 Dec 2000 07:47:07 +0000 Subject: [PATCH] Update the platform-specific information for various platforms. Add a "README.linux" file discussing the packet socket and socket filtering kernel options. --- FILES | 1 + INSTALL | 91 ++++++++++++++++++++++++++++++++++------------------ README.linux | 70 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 130 insertions(+), 32 deletions(-) create mode 100644 README.linux diff --git a/FILES b/FILES index d558b29..b6f8ea8 100644 --- a/FILES +++ b/FILES @@ -6,6 +6,7 @@ LICENSE Makefile.in README README.aix +README.linux SUNOS4/nit_if.o.sparc SUNOS4/nit_if.o.sun3 SUNOS4/nit_if.o.sun4c.4.0.3c diff --git a/INSTALL b/INSTALL index 2dd37ec..b17ea8a 100644 --- a/INSTALL +++ b/INSTALL @@ -1,4 +1,4 @@ -@(#) $Header: /tcpdump/master/libpcap/Attic/INSTALL,v 1.44 2000-07-30 06:01:22 assar Exp $ (LBL) +@(#) $Header: /tcpdump/master/libpcap/Attic/INSTALL,v 1.45 2000-12-01 07:47:07 guy Exp $ (LBL) To build libpcap, run "./configure" (a shell script). The configure script will determine your system attributes and generate an @@ -110,11 +110,15 @@ If you get an error like: when using DLPI, look for the DL_ERROR_ACK error return values, usually in /usr/include/sys/dlpi.h, and find the corresponding value. -Under OSF, packet capture must be enabled before it can be used. For -instructions on how to enable packet filter support, see: +Under {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be +enabled before it can be used. For instructions on how to enable packet +filter support, see: ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX +Look for the "How do I configure the Berkeley Packet Filter and capture +tcpdump traces?" item. + Once you enable packet filter support, your OSF system will support bpf natively. @@ -135,53 +139,76 @@ then you don't have the streams package. In addition, we believe you need to install the "9.X LAN and DLPI drivers cumulative" patch (PHNE_6855) to make the version 9 DLPI work with libpcap. -It's been reported that the DLPI streams package is standard starting -with HP-UX 10. +The DLPI streams package is standard starting with HP-UX 10. The HP implementation of DLPI is a little bit eccentric. Unlike Solaris, you must attach /dev/dlpi instead of the specific /dev/* -network pseudo device entry in order to capture packets. The ppa is +network pseudo device entry in order to capture packets. The PPA is based on the ifnet "index" number. Under HP-UX 9, it is necessary to read /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10, -dlpi can provide information for determining the ppa. It does not seem +DLPI can provide information for determining the PPA. It does not seem to be possible to trace the loopback interface. Unlike other DLPI implementations, PHYS implies MULTI and SAP and you get an error if you -try to enable more than one promiscous more than one promiscuous mode -at a time. Finally, testing shows that there can't be more than one -simultaneous dlpi user per network interface and you cannot capture -outbound packets. +try to enable more than one promiscuous mode at a time. + +It is impossible to capture outbound packets on HP-UX 9. To do so on +HP-UX 10, you will, apparently, need a late "LAN products cumulative +patch" (at one point, it was claimed that this would be PHNE_18173 for +s700/10.20; at another point, it was claimed that the required patches +were PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do +so on HP-UX 11 you will, apparently, need the latest lancommon/DLPI +patches and the latest driver patch for the interface(s) in use on HP-UX +11 (at one point, it was claimed that patches PHNE_19766, PHNE_19826, +PHNE_20008, and PHNE_20735 did the trick). + +Furthermore, on HP-UX 10, you will need to turn on a kernel switch by +doing + + echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem + +You would have to arrange that this happen on reboots; the right way to +do that would probably be to put it into an executable script file +"/sbin/init.d/outbound_promisc" and making +"/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script. + +Finally, testing shows that there can't be more than one simultaneous +DLPI user per network interface. If you use Linux, this version of libpcap is known to compile and run -under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X -versions but is guaranteed not to work with 1.X kernels. Running more -than one libpcap program at a time can cause problems since promiscuous -mode is implemented by twiddlin the interface flags from the libpcap -application. Also, packet timestamps aren't very good. This appears to -be due to haphazard handling of the timestamp in the kernel. +under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X +versions but is guaranteed not to work with 1.X kernels. Running more +than one libpcap program at a time, on a system with a 2.0.X kernel, can +cause problems since promiscuous mode is implemented by twiddling the +interface flags from the libpcap application; the packet capture +mechanism in the 2.2 and later kernels doesn't have this problem. Also, +packet timestamps aren't very good. This appears to be due to haphazard +handling of the timestamp in the kernel. Note well: there is rumoured to be a version of tcpdump floating around called 3.0.3 that includes libpcap and is supposed to support Linux. -You should be advised that the Network Research Group at LBNL never -generated a release with this version number. The LBNL Network Research -Group notes with interest that a standard cracker trick to get people to -install trojans is to distribute bogus packages that have a version -number higher than the current release. They also noted with annoyance -that 90% of the Linux related bug reports they got are due to changes -made to unofficial versions of their page. If you are having trouble -but aren't using a version that came from tcpdump.org, please try that -before submitting a bug report! +You should be advised that neither the Network Research Group at LBNL +nor the Tcpdump Group ever generated a release with this version number. +The LBNL Network Research Group notes with interest that a standard +cracker trick to get people to install trojans is to distribute bogus +packages that have a version number higher than the current release. +They also noted with annoyance that 90% of the Linux related bug reports +they got are due to changes made to unofficial versions of their page. +If you are having trouble but aren't using a version that came from +tcpdump.org, please try that before submitting a bug report! + +On Linux, libpcap will not work if the kernel does not have the packet +socket option enabled; see the README.linux file for information about +this. If you use AIX, you may not be able to build libpcap from this release. -Although AIX 4 ships with tcpdump, it is an old version that predates libpcap. We do not have an AIX system in house so it's impossible for us to test AIX patches submitted to us. We are told that you must link against /lib/pse.exp, that you must use AIX cc or a GNU C compiler newer than 2.7.2 and that you may need to run strload before running a -libpcap application. Also, it may be necessary to run the configure -script as root in order for it to detect that bpf is available. Another -workaround is to use: +libpcap application. - ./configure --with-pcap=bpf +Read the README.aix file for information on installing libpcap and +configuring your system to be able to support libpcap. If you use NeXTSTEP, you will not be able to build libpcap from this release. We hope to support this operating system in some future @@ -203,7 +230,7 @@ Another workaround is to use flex and bison. If you use SCO, you might have trouble building libpcap from this release. We do not have a machine running SCO and have not had reports of anyone successfully building on it. Since SCO apparently supports -dlpi, it's possible the current version works. Meanwhile, sco provides +DLPI, it's possible the current version works. Meanwhile, SCO provides a tcpdump binary as part of their "Network/Security Tools" package: http://www.sco.com/technology/internet/goodies/#SECURITY diff --git a/README.linux b/README.linux new file mode 100644 index 0000000..ecd00e8 --- /dev/null +++ b/README.linux @@ -0,0 +1,70 @@ +In order for libpcap to be able to capture packets on a Linux system, +the "packet" protocol must be supported by your kernel. If it is not, +you may get error messages such as + + modprobe: can't locate module net-pf-17 + +in "/var/adm/messages", or may get messages such as + + socket: Address family not supported by protocol + +from applications using libpcap. + +You must configure the kernel with the CONFIG_PACKET option for this +protocol; the following note is from the Linux "Configure.help" file for +the 2.0[.x] kernel: + + Packet socket + CONFIG_PACKET + The Packet protocol is used by applications which communicate + directly with network devices without an intermediate network + protocol implemented in the kernel, e.g. tcpdump. If you want them + to work, choose Y. + + This driver is also available as a module called af_packet.o ( = + code which can be inserted in and removed from the running kernel + whenever you want). If you want to compile it as a module, say M + here and read Documentation/modules.txt; if you use modprobe or + kmod, you may also want to add "alias net-pf-17 af_packet" to + /etc/modules.conf. + +and the note for the 2.2[.x] kernel says: + + Packet socket + CONFIG_PACKET + The Packet protocol is used by applications which communicate + directly with network devices without an intermediate network + protocol implemented in the kernel, e.g. tcpdump. If you want them + to work, choose Y. This driver is also available as a module called + af_packet.o ( = code which can be inserted in and removed from the + running kernel whenever you want). If you want to compile it as a + module, say M here and read Documentation/modules.txt. You will + need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules + file for the module version to function automatically. If unsure, + say Y. + +In addition, there is an option that, in 2.2 and later kernels, will +allow packet capture filters specified to programs such as tcpdump to be +executed in the kernel, so that packets that don't pass the filter won't +be copied from the kernel to the program, rather than having all packets +copied to the program and libpcap doing the filtering in user mode. + +Copying packets from the kernel to the program consumes a significant +amount of CPU, so filtering in the kernel can reduce the overhead of +capturing packets if a filter has been specified that discards a +significant number of packets. (If no filter is specified, it makes no +difference whether the filtering isn't performed in the kernel or isn't +performed in user mode. :-)) + +The option for this is the CONFIG_FILTER option; the "Configure.help" +file says: + + Socket filtering + CONFIG_FILTER + The Linux Socket Filter is derived from the Berkeley Packet Filter. + If you say Y here, user-space programs can attach a filter to any + socket and thereby tell the kernel that it should allow or disallow + certain types of data to get through the socket. Linux Socket + Filtering works on all socket types except TCP for now. See the text + file linux/Documentation/networking/filter.txt for more information. + If unsure, say N.