To build libpcap, run "./configure" (a shell script). The configure
script will determine your system attributes and generate an
appropriate Makefile from Makefile.in. Next run "make". If everything
goes well you can su to root and run "make install". However, you need
not install libpcap if you just want to build tcpdump; just make sure
the tcpdump and libpcap directory trees have the same parent
directory.

If configure says:

    configure: warning: cannot determine packet capture interface
    configure: warning: (see INSTALL for more info)

then your system either does not support packet capture or your system
does support packet capture but libpcap does not support that
particular type. (If you have HP-UX, see below.) If your system uses a
packet capture not supported by libpcap, please send us patches; don't
forget to include an autoconf fragment suitable for use in
configure.ac.

It is possible to override the default packet capture type, although
the circumstances where this works are limited. For example if you have
installed bpf under SunOS 4 and wish to build a snit libpcap:

    ./configure --with-pcap=snit

Another example is to force a supported packet capture type in the case
where the configure script fails to detect it.

You will need an ANSI C compiler to build libpcap. The configure script
will abort if your compiler is not ANSI compliant. If this happens, use
the generally available GNU C compiler (GCC).

You will need either Flex 2.5.31 or later, or a version of Lex
compatible with it (if any exist), to build libpcap. The configure
script will abort if there isn't any such program. If you have an older
version of Flex, or don't have a compatible version of Lex, the current
version of flex is available at flex.sourceforge.net.

You will need either Bison, Berkeley YACC, or a version of YACC
compatible with them (if any exist), to build libpcap. The configure
script will abort if there isn't any such program. If you don't have
any such program, the current version of Bison can be found at
http://ftp.gnu.org/gnu/bison/ and the current version of Berkeley YACC
can be found at http://invisible-island.net/byacc/.

Sometimes the stock C compiler does not interact well with Flex and
Bison. The list of problems includes undefined references for alloca.
You can get around this by installing GCC.

If you use Solaris, there is a bug with bufmod(7) that is fixed in
Solaris 2.3.2 (aka SunOS 5.3.2). Setting a snapshot length with the
broken bufmod(7) results in data being truncated from the FRONT of the
packet instead of the end. The workaround is to not set a snapshot
length but this results in performance problems since the entire packet
is copied to user space. If you must run an older version of Solaris,
there is a patch available from Sun; ask for bugid 1149065. After
installing the patch, use "setenv BUFMOD_FIXED" to enable use of
bufmod(7). However, we recommend you run a more current release of
Solaris.

If you use the SPARCompiler, you must be careful to not use the
/usr/ucb/cc interface. If you do, you will get bogus warnings and
perhaps errors. Either make sure your path has /opt/SUNWspro/bin
before /usr/ucb or else:

    setenv CC /opt/SUNWspro/bin/cc

before running configure. (You might have to do a "make distclean"
if you already ran configure once).

If you are trying to do packet capture with a FORE ATM card, you may or
may not be able to. They usually only release their driver in object
code so unless their driver supports packet capture, there's not much
libpcap can do.

If you get an error like:

    tcpdump: recv_ack: bind error 0x???

when using DLPI, look for the DL_ERROR_ACK error return values, usually
in /usr/include/sys/dlpi.h, and find the corresponding value.

Under {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be
enabled before it can be used. For instructions on how to enable packet
filter support, see:

    ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX

Look for the "How do I configure the Berkeley Packet Filter and capture
tcpdump traces?" item.

Once you enable packet filter support, your OSF system will support bpf
natively.

Under Ultrix, packet capture must be enabled before it can be used. For
instructions on how to enable packet filter support, see:

    ftp://ftp.digital.com/pub/Digital/dec-faq/ultrix

If you use HP-UX, you must have at least version 9 and either the
version of cc that supports ANSI C (cc -Aa) or else use the GNU C
compiler. You must also buy the optional streams package. If you don't
have:

    /usr/include/sys/dlpi.h
    /usr/include/sys/dlpi_ext.h

then you don't have the streams package. In addition, we believe you
need to install the "9.X LAN and DLPI drivers cumulative" patch
(PHNE_6855) to make the version 9 DLPI work with libpcap.

The DLPI streams package is standard starting with HP-UX 10.

The HP implementation of DLPI is a little bit eccentric. Unlike
Solaris, you must attach /dev/dlpi instead of the specific /dev/*
network pseudo device entry in order to capture packets. The PPA is
based on the ifnet "index" number. Under HP-UX 9, it is necessary to
read /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10,
DLPI can provide information for determining the PPA. It does not seem
to be possible to trace the loopback interface. Unlike other DLPI
implementations, PHYS implies MULTI and SAP and you get an error if you
try to enable more than one promiscuous mode at a time.

It is impossible to capture outbound packets on HP-UX 9. To do so on
HP-UX 10, you will, apparently, need a late "LAN products cumulative
patch" (at one point, it was claimed that this would be PHNE_18173 for
s700/10.20; at another point, it was claimed that the required patches
were PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do
so on HP-UX 11 you will, apparently, need the latest lancommon/DLPI
patches and the latest driver patch for the interface(s) in use on HP-UX
11 (at one point, it was claimed that patches PHNE_19766, PHNE_19826,
PHNE_20008, and PHNE_20735 did the trick).

Furthermore, on HP-UX 10, you will need to turn on a kernel switch by
doing

    echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem

You would have to arrange that this happens on reboots; the right way to
do that would probably be to put it into an executable script file
"/sbin/init.d/outbound_promisc" and make
"/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script.

Finally, testing shows that there can't be more than one simultaneous
DLPI user per network interface.

If you use Linux, this version of libpcap is known to compile and run
under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X
versions but is guaranteed not to work with 1.X kernels. Running more
than one libpcap program at a time, on a system with a 2.0.X kernel, can
cause problems since promiscuous mode is implemented by twiddling the
interface flags from the libpcap application; the packet capture
mechanism in the 2.2 and later kernels doesn't have this problem. Also,
packet timestamps aren't very good. This appears to be due to haphazard
handling of the timestamp in the kernel.

Note well: there is rumoured to be a version of tcpdump floating around
called 3.0.3 that includes libpcap and is supposed to support Linux.
You should be advised that neither the Network Research Group at LBNL
nor the Tcpdump Group ever generated a release with this version number.
The LBNL Network Research Group notes with interest that a standard
cracker trick to get people to install trojans is to distribute bogus
packages that have a version number higher than the current release.
They also noted with annoyance that 90% of the Linux related bug reports
they got are due to changes made to unofficial versions of their page.
If you are having trouble but aren't using a version that came from
tcpdump.org, please try that before submitting a bug report!

On Linux, libpcap will not work if the kernel does not have the packet
socket option enabled; see the README.linux file for information about
this.

If you use AIX, you may not be able to build libpcap from this release.
We do not have an AIX system in house so it's impossible for us to test
AIX patches submitted to us. We are told that you must link against
/lib/pse.exp, that you must use AIX cc or a GNU C compiler newer than
2.7.2, and that you may need to run strload before running a libpcap
application.

Read the README.aix file for information on installing libpcap and
configuring your system to be able to support libpcap.

If you use NeXTSTEP, you will not be able to build libpcap from this
release.

If you use SINIX, you should be able to build libpcap from this
release. It is known to compile and run on SINIX-Y/N 5.42 with the C-DS
V1.0 or V1.1 compiler. But note that in some releases of SINIX, yacc
emits incorrect code; if grammar.y fails to compile, change every
occurrence of:

    #ifdef YYDEBUG

to:

    #if YYDEBUG

Another workaround is to use flex and bison.

If you use SCO, you might have trouble building libpcap from this
release. We do not have a machine running SCO and have not had reports
of anyone successfully building on it; the current release of libpcap
does not compile on SCO OpenServer 5. Although SCO apparently supports
DLPI to some extent, the DLPI in OpenServer 5 is very non-standard, and
it appears that completely new code would need to be written to capture
network traffic. SCO do not appear to provide tcpdump binaries for
OpenServer 5 or OpenServer 6 as part of SCO Skunkware:

    http://www.sco.com/skunkware/

If you use UnixWare, you might be able to build libpcap from this
release, or you might not. We do not have a machine running UnixWare,
so we have not tested it; however, SCO provide packages for libpcap
0.6.2 and tcpdump 3.7.1 in the UnixWare 7/Open UNIX 8 part of SCO
Skunkware, and the source package for libpcap 0.6.2 is not changed from
the libpcap 0.6.2 source release, so this release of libpcap might also
build without changes on UnixWare 7.

If linking tcpdump fails with "Undefined: _alloca" when using bison on
a Sun4, your version of Bison is broken. In any case version 1.16 or
higher is recommended (1.14 is known to cause problems; 1.16 is known to
work). Either pick up a current version from:

    http://ftp.gnu.org/gnu/bison/

or hack around it by inserting the lines:

    #ifdef __GNUC__
    #define alloca __builtin_alloca
    #else
    #ifdef sparc
    #include <alloca.h>
    #else
    char *alloca ();
    #endif
    #endif

right after the (100 line!) GNU license comment in bison.simple, remove
grammar.[co] and fire up make again.

If you use SunOS 4, your kernel must support streams NIT. If you run a
libpcap program and it dies with:

    /dev/nit: No such device

You must add streams NIT support to your kernel configuration, run
config and boot the new kernel.

FILES
-----
CHANGES             - description of differences between releases
ChmodBPF/*          - macOS startup item to set ownership and permissions
                      on /dev/bpf*
CMakeLists.txt      - CMake file
CONTRIBUTING        - guidelines for contributing
CREDITS             - people that have helped libpcap along
INSTALL.md          - this file
LICENSE             - the license under which tcpdump is distributed
Makefile.in         - compilation rules (input to the configure script)
README.md           - description of distribution
doc/README.aix      - notes on using libpcap on AIX
doc/README.dag      - notes on using libpcap to capture on Endace DAG devices
doc/README.hpux     - notes on using libpcap on HP-UX
doc/README.linux.md - notes on using libpcap on Linux
doc/README.macos    - notes on using libpcap on macOS
doc/README.septel   - notes on using libpcap to capture on Intel/Septel devices
doc/README.sita     - notes on using libpcap to capture on SITA devices
doc/README.tru64    - notes on using libpcap on Digital/Tru64 UNIX
doc/README.Win32    - notes on using libpcap on Win32 systems (with WinPcap)
VERSION             - version of this release
acconfig.h          - support for post-2.13 autoconf
aclocal.m4          - autoconf macros
arcnet.h            - ARCNET definitions
atmuni31.h          - ATM Q.2931 definitions
bpf/net             - copy of bpf_filter.c
bpf_dump.c          - BPF program printing routines
bpf_filter.c        - symlink to bpf/net/bpf_filter.c
bpf_image.c         - BPF disassembly routine
config.guess        - autoconf support
config.h.in         - autoconf input
config.sub          - autoconf support
configure           - configure script (run this first)
configure.ac        - configure script source
dlpisubs.c          - DLPI-related functions for pcap-dlpi.c and pcap-libdlpi.c
dlpisubs.h          - DLPI-related function declarations
etherent.c          - /etc/ethers support routines
ethertype.h         - Ethernet protocol types and names definitions
fad-getad.c         - pcap_findalldevs() for systems with getifaddrs()
fad-gifc.c          - pcap_findalldevs() for systems with only SIOCGIFLIST
fad-glifc.c         - pcap_findalldevs() for systems with SIOCGLIFCONF
filtertest.c        - test program for BPF compiler
findalldevstest.c   - test program for pcap_findalldevs()
gencode.c           - BPF code generation routines
gencode.h           - BPF code generation definitions
grammar.y           - filter string grammar
ieee80211.h         - 802.11 definitions
install-sh          - BSD style install script
lbl/os-*.h          - OS-dependent defines and prototypes
llc.h               - 802.2 LLC SAP definitions
missing/*           - replacements for missing library functions
mkdep               - construct Makefile dependency list
msdos/*             - drivers for MS-DOS capture support
nametoaddr.c        - hostname to address routines
nlpid.h             - OSI network layer protocol identifier definitions
net                 - symlink to bpf/net
optimize.c          - BPF optimization routines
pcap/bluetooth.h    - public definition of DLT_BLUETOOTH_HCI_H4_WITH_PHDR header
pcap/bpf.h          - BPF definitions
pcap/namedb.h       - public libpcap name database definitions
pcap/pcap.h         - public libpcap definitions
pcap/sll.h          - public definition of DLT_LINUX_SLL header
pcap/usb.h          - public definition of DLT_USB header
pcap-bpf.c          - BSD Packet Filter support
pcap-bpf.h          - header for backwards compatibility
pcap-bt-linux.c     - Bluetooth capture support for Linux
pcap-bt-linux.h     - Bluetooth capture support for Linux
pcap-dag.c          - Endace DAG device capture support
pcap-dag.h          - Endace DAG device capture support
pcap-dlpi.c         - Data Link Provider Interface support
pcap-dos.c          - MS-DOS capture support
pcap-dos.h          - headers for MS-DOS capture support
pcap-enet.c         - enet support
pcap-int.h          - internal libpcap definitions
pcap-libdlpi.c      - Data Link Provider Interface support for systems with libdlpi
pcap-linux.c        - Linux packet socket support
pcap-namedb.h       - header for backwards compatibility
pcap-nit.c          - SunOS Network Interface Tap support
pcap-nit.h          - SunOS Network Interface Tap definitions
pcap-npf.c          - WinPcap capture support
pcap-null.c         - dummy monitor support (allows offline use of libpcap)
pcap-pf.c           - Ultrix and Digital/Tru64 UNIX Packet Filter support
pcap-pf.h           - Ultrix and Digital/Tru64 UNIX Packet Filter definitions
pcap-septel.c       - Intel/Septel device capture support
pcap-septel.h       - Intel/Septel device capture support
pcap-sita.c         - SITA device capture support
pcap-sita.h         - SITA device capture support
pcap-sita.html      - SITA device capture documentation
pcap-stdinc.h       - includes and #defines for compiling on Win32 systems
pcap-snit.c         - SunOS 4.x STREAMS-based Network Interface Tap support
pcap-snoop.c        - IRIX Snoop network monitoring support
pcap-usb-linux.c    - USB capture support for Linux
pcap-usb-linux.h    - USB capture support for Linux
pcap.3pcap          - manual entry for the library
pcap.c              - pcap utility routines
pcap.h              - header for backwards compatibility
pcap_*.3pcap        - manual entries for library functions
pcap-filter.4       - manual entry for filter syntax
pcap-linktype.4     - manual entry for link-layer header types
ppp.h               - Point to Point Protocol definitions
savefile.c          - offline support
scanner.l           - filter string scanner
sunatmpos.h         - definitions for SunATM capturing
Win32               - headers and routines for building on Win32 systems