forked from osmocom/wireshark
2ed6a9bb5d
a Linux kernel, network analysis programs such as tcpdump or Ethereal/Tethereal won't be able to capture packets. svn path=/trunk/; revision=1652
74 lines
3.5 KiB
Text
74 lines
3.5 KiB
Text
$Id: README.linux,v 1.6 2000/02/19 21:44:13 guy Exp $
|
|
|
|
In order to capture packets (with Ethereal/Tethereal, tcpdump, or any
|
|
other packet capture program) on a Linux system, the "packet" protocol
|
|
must be supported by your kernel. If it is not, you may get error
|
|
messages such as
|
|
|
|
modprobe: can't locate module net-pf-17
|
|
|
|
in "/var/adm/messages". The following note is from the Linux
|
|
"Configure.help" file:
|
|
|
|
Packet socket
|
|
CONFIG_PACKET
|
|
The Packet protocol is used by applications which communicate
|
|
directly with network devices without an intermediate network
|
|
protocol implemented in the kernel, e.g. tcpdump. If you want them
|
|
to work, choose Y.
|
|
|
|
This driver is also available as a module called af_packet.o ( =
|
|
code which can be inserted in and removed from the running kernel
|
|
whenever you want). If you want to compile it as a module, say M
|
|
here and read Documentation/modules.txt; if you use modprobe or
|
|
kmod, you may also want to add "alias net-pf-17 af_packet" to
|
|
/etc/modules.conf.
|
|
|
|
In addition, the standard libpcap compiled for Linux has a timeout
|
|
problem; it doesn't support the timeout argument to "pcap_open_live()".
|
|
|
|
The current version of Ethereal attempts to work around this, so its GUI
|
|
shouldn't freeze when capturing on a not-so-busy network. If its GUI
|
|
does freeze when that happens, please send a note about this, indicating
|
|
which version of which distribution of Linux you're using, and which
|
|
version of libpcap you're using, to ethereal-dev@zing.org.
|
|
|
|
The current version of Ethereal should work with versions of libpcap
|
|
that have been patched to fix the timeout problem, as well as working
|
|
with unpatched versions.
|
|
|
|
An additional problem, on Linux, with current versions of libpcap, is
|
|
that capture filters do not work when snooping loopback devices; if
|
|
you're capturing on a Linux loopback device, do not use a capture
|
|
filter, as it will probably reject most if not all packets, including
|
|
the packets it's intended to accept - instead, capture all packets and
|
|
use a display filter to select the packets you want to see.
|
|
|
|
In addition, current versions of libpcap on at least some Linux
|
|
distributions will not turn promiscuous mode off on a network device
|
|
until the program using promiscuous mode exits, so if you start a
|
|
capture with Ethereal on some Linux distributions, the network interface
|
|
will be put in promiscuous mode and will remain in promiscuous mode
|
|
until Ethereal exits. There might be additional libpcap bugs that cause
|
|
it not to be turned off even when Ethereal exits; if your network is
|
|
busy, this could cause the Linux networking stack to do a lot more work
|
|
discarding packets not intended for the machine, so you may want to
|
|
check, after running Ethereal, whether any network interfaces are in
|
|
promiscuous mode (the output of "ifconfig -a" will say something such as
|
|
|
|
eth0 Link encap:Ethernet HWaddr 00:00:66:66:66:66
|
|
inet addr:66.66.66.66 Bcast:66.66.66.255 Mask:255.255.255.0
|
|
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
|
|
RX packets:6493 errors:0 dropped:0 overruns:0 frame:0
|
|
TX packets:3380 errors:0 dropped:0 overruns:0 carrier:0
|
|
collisions:0 txqueuelen:100
|
|
Interrupt:18 Base address:0xfc80
|
|
|
|
with "PROMISC" indicating that the interface is in promiscuous mode),
|
|
and, if any interfaces are in promiscuous mode and no capture is being
|
|
done on that interface, turn promiscuous mode off by hand with
|
|
|
|
ifconfig <ifname> -promisc
|
|
|
|
where "<ifname>" is the name of the interface.
|