1 To build libpcap, run "./configure" (a shell script). The configure 2 script will determine your system attributes and generate an 3 appropriate Makefile from Makefile.in. Next run "make". If everything 4 goes well you can su to root and run "make install". However, you need 5 not install libpcap if you just want to build tcpdump; just make sure 6 the tcpdump and libpcap directory trees have the same parent 7 directory. 8 9 If configure says: 10 11 configure: warning: cannot determine packet capture interface 12 configure: warning: (see INSTALL for more info) 13 14 then your system either does not support packet capture or your system 15 does support packet capture but libpcap does not support that 16 particular type. (If you have HP-UX, see below.) If your system uses a 17 packet capture not supported by libpcap, please send us patches; don't 18 forget to include an autoconf fragment suitable for use in 19 configure.ac. 20 21 It is possible to override the default packet capture type, although 22 the circumstance where this works are limited. For example if you have 23 installed bpf under SunOS 4 and wish to build a snit libpcap: 24 25 ./configure --with-pcap=snit 26 27 Another example is to force a supported packet capture type in the case 28 where the configure scripts fails to detect it. 29 30 You will need an ANSI C compiler to build libpcap. The configure script 31 will abort if your compiler is not ANSI compliant. If this happens, use 32 the generally available GNU C compiler (GCC). 33 34 You will need either Flex 2.5.31 or later, or a version of Lex 35 compatible with it (if any exist), to build libpcap. The configure 36 script will abort if there isn't any such program. If you have an older 37 version of Flex, or don't have a compatible version of Lex, the current 38 version of flex is available at flex.sourceforge.net. 39 40 You will need either Bison, Berkeley YACC, or a version of YACC 41 compatible with them (if any exist), to build libpcap. The configure 42 script will abort if there isn't any such program. If you don't have 43 any such program, the current version of Bison can be found at 44 http://ftp.gnu.org/gnu/bison/ and the current version of Berkeley YACC 45 can be found at http://invisible-island.net/byacc/. 46 47 Sometimes the stock C compiler does not interact well with Flex and 48 Bison. The list of problems includes undefined references for alloca. 49 You can get around this by installing GCC. 50 51 If you use Solaris, there is a bug with bufmod(7) that is fixed in 52 Solaris 2.3.2 (aka SunOS 5.3.2). Setting a snapshot length with the 53 broken bufmod(7) results in data be truncated from the FRONT of the 54 packet instead of the end. The work around is to not set a snapshot 55 length but this results in performance problems since the entire packet 56 is copied to user space. If you must run an older version of Solaris, 57 there is a patch available from Sun; ask for bugid 1149065. After 58 installing the patch, use "setenv BUFMOD_FIXED" to enable use of 59 bufmod(7). However, we recommend you run a more current release of 60 Solaris. 61 62 If you use the SPARCompiler, you must be careful to not use the 63 /usr/ucb/cc interface. If you do, you will get bogus warnings and 64 perhaps errors. Either make sure your path has /opt/SUNWspro/bin 65 before /usr/ucb or else: 66 67 setenv CC /opt/SUNWspro/bin/cc 68 69 before running configure. (You might have to do a "make distclean" 70 if you already ran configure once). 71 72 Also note that "make depend" won't work; while all of the known 73 universe uses -M, the SPARCompiler uses -xM to generate makefile 74 dependencies. 75 76 If you are trying to do packet capture with a FORE ATM card, you may or 77 may not be able to. They usually only release their driver in object 78 code so unless their driver supports packet capture, there's not much 79 libpcap can do. 80 81 If you get an error like: 82 83 tcpdump: recv_ack: bind error 0x??? 84 85 when using DLPI, look for the DL_ERROR_ACK error return values, usually 86 in /usr/include/sys/dlpi.h, and find the corresponding value. 87 88 Under {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be 89 enabled before it can be used. For instructions on how to enable packet 90 filter support, see: 91 92 ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX 93 94 Look for the "How do I configure the Berkeley Packet Filter and capture 95 tcpdump traces?" item. 96 97 Once you enable packet filter support, your OSF system will support bpf 98 natively. 99 100 Under Ultrix, packet capture must be enabled before it can be used. For 101 instructions on how to enable packet filter support, see: 102 103 ftp://ftp.digital.com/pub/Digital/dec-faq/ultrix 104 105 If you use HP-UX, you must have at least version 9 and either the 106 version of cc that supports ANSI C (cc -Aa) or else use the GNU C 107 compiler. You must also buy the optional streams package. If you don't 108 have: 109 110 /usr/include/sys/dlpi.h 111 /usr/include/sys/dlpi_ext.h 112 113 then you don't have the streams package. In addition, we believe you 114 need to install the "9.X LAN and DLPI drivers cumulative" patch 115 (PHNE_6855) to make the version 9 DLPI work with libpcap. 116 117 The DLPI streams package is standard starting with HP-UX 10. 118 119 The HP implementation of DLPI is a little bit eccentric. Unlike 120 Solaris, you must attach /dev/dlpi instead of the specific /dev/* 121 network pseudo device entry in order to capture packets. The PPA is 122 based on the ifnet "index" number. Under HP-UX 9, it is necessary to 123 read /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10, 124 DLPI can provide information for determining the PPA. It does not seem 125 to be possible to trace the loopback interface. Unlike other DLPI 126 implementations, PHYS implies MULTI and SAP and you get an error if you 127 try to enable more than one promiscuous mode at a time. 128 129 It is impossible to capture outbound packets on HP-UX 9. To do so on 130 HP-UX 10, you will, apparently, need a late "LAN products cumulative 131 patch" (at one point, it was claimed that this would be PHNE_18173 for 132 s700/10.20; at another point, it was claimed that the required patches 133 were PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do 134 so on HP-UX 11 you will, apparently, need the latest lancommon/DLPI 135 patches and the latest driver patch for the interface(s) in use on HP-UX 136 11 (at one point, it was claimed that patches PHNE_19766, PHNE_19826, 137 PHNE_20008, and PHNE_20735 did the trick). 138 139 Furthermore, on HP-UX 10, you will need to turn on a kernel switch by 140 doing 141 142 echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem 143 144 You would have to arrange that this happen on reboots; the right way to 145 do that would probably be to put it into an executable script file 146 "/sbin/init.d/outbound_promisc" and making 147 "/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script. 148 149 Finally, testing shows that there can't be more than one simultaneous 150 DLPI user per network interface. 151 152 If you use Linux, this version of libpcap is known to compile and run 153 under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X 154 versions but is guaranteed not to work with 1.X kernels. Running more 155 than one libpcap program at a time, on a system with a 2.0.X kernel, can 156 cause problems since promiscuous mode is implemented by twiddling the 157 interface flags from the libpcap application; the packet capture 158 mechanism in the 2.2 and later kernels doesn't have this problem. Also, 159 packet timestamps aren't very good. This appears to be due to haphazard 160 handling of the timestamp in the kernel. 161 162 Note well: there is rumoured to be a version of tcpdump floating around 163 called 3.0.3 that includes libpcap and is supposed to support Linux. 164 You should be advised that neither the Network Research Group at LBNL 165 nor the Tcpdump Group ever generated a release with this version number. 166 The LBNL Network Research Group notes with interest that a standard 167 cracker trick to get people to install trojans is to distribute bogus 168 packages that have a version number higher than the current release. 169 They also noted with annoyance that 90% of the Linux related bug reports 170 they got are due to changes made to unofficial versions of their page. 171 If you are having trouble but aren't using a version that came from 172 tcpdump.org, please try that before submitting a bug report! 173 174 On Linux, libpcap will not work if the kernel does not have the packet 175 socket option enabled; see the README.linux file for information about 176 this. 177 178 If you use AIX, you may not be able to build libpcap from this release. 179 We do not have an AIX system in house so it's impossible for us to test 180 AIX patches submitted to us. We are told that you must link against 181 /lib/pse.exp, that you must use AIX cc or a GNU C compiler newer than 182 2.7.2, and that you may need to run strload before running a libpcap 183 application. 184 185 Read the README.aix file for information on installing libpcap and 186 configuring your system to be able to support libpcap. 187 188 If you use NeXTSTEP, you will not be able to build libpcap from this 189 release. 190 191 If you use SINIX, you should be able to build libpcap from this 192 release. It is known to compile and run on SINIX-Y/N 5.42 with the C-DS 193 V1.0 or V1.1 compiler. But note that in some releases of SINIX, yacc 194 emits incorrect code; if grammar.y fails to compile, change every 195 occurence of: 196 197 #ifdef YYDEBUG 198 199 to: 200 #if YYDEBUG 201 202 Another workaround is to use flex and bison. 203 204 If you use SCO, you might have trouble building libpcap from this 205 release. We do not have a machine running SCO and have not had reports 206 of anyone successfully building on it; the current release of libpcap 207 does not compile on SCO OpenServer 5. Although SCO apparently supports 208 DLPI to some extent, the DLPI in OpenServer 5 is very non-standard, and 209 it appears that completely new code would need to be written to capture 210 network traffic. SCO do not appear to provide tcpdump binaries for 211 OpenServer 5 or OpenServer 6 as part of SCO Skunkware: 212 213 http://www.sco.com/skunkware/ 214 215 If you use UnixWare, you might be able to build libpcap from this 216 release, or you might not. We do not have a machine running UnixWare, 217 so we have not tested it; however, SCO provide packages for libpcap 218 0.6.2 and tcpdump 3.7.1 in the UnixWare 7/Open UNIX 8 part of SCO 219 Skunkware, and the source package for libpcap 0.6.2 is not changed from 220 the libpcap 0.6.2 source release, so this release of libpcap might also 221 build without changes on UnixWare 7. 222 223 If linking tcpdump fails with "Undefined: _alloca" when using bison on 224 a Sun4, your version of Bison is broken. In any case version 1.16 or 225 higher is recommended (1.14 is known to cause problems 1.16 is known to 226 work). Either pick up a current version from: 227 228 http://ftp.gnu.org/gnu/bison/ 229 230 or hack around it by inserting the lines: 231 232 #ifdef __GNUC__ 233 #define alloca __builtin_alloca 234 #else 235 #ifdef sparc 236 #include <alloca.h> 237 #else 238 char *alloca (); 239 #endif 240 #endif 241 242 right after the (100 line!) GNU license comment in bison.simple, remove 243 grammar.[co] and fire up make again. 244 245 If you use SunOS 4, your kernel must support streams NIT. If you run a 246 libpcap program and it dies with: 247 248 /dev/nit: No such device 249 250 You must add streams NIT support to your kernel configuration, run 251 config and boot the new kernel. 252 253 If you are running a version of SunOS earlier than 4.1, you will need 254 to replace the Sun supplied /sys/sun{3,4,4c}/OBJ/nit_if.o with the 255 appropriate version from this distribution's SUNOS4 subdirectory and 256 build a new kernel: 257 258 nit_if.o.sun3-sunos4 (any flavor of sun3) 259 nit_if.o.sun4c-sunos4.0.3c (SS1, SS1+, IPC, SLC, etc.) 260 nit_if.o.sun4-sunos4 (Sun4's not covered by 261 nit_if.o.sun4c-sunos4.0.3c) 262 263 These nit replacements fix a bug that makes nit essentially unusable in 264 pre-SunOS 4.1. In addition, our sun4c-sunos4.0.3c nit gives you 265 timestamps to the resolution of the SS-1 clock (1 us) rather than the 266 lousy 20ms timestamps Sun gives you (tcpdump will print out the full 267 timestamp resolution if it finds it's running on a SS-1). 268 269 FILES 270 ----- 271 CHANGES - description of differences between releases 272 ChmodBPF/* - Mac OS X startup item to set ownership and permissions 273 on /dev/bpf* 274 CMakeLists.txt - CMake file 275 CREDITS - people that have helped libpcap along 276 INSTALL.txt - this file 277 LICENSE - the license under which tcpdump is distributed 278 Makefile.in - compilation rules (input to the configure script) 279 README - description of distribution 280 README.aix - notes on using libpcap on AIX 281 README.dag - notes on using libpcap to capture on Endace DAG devices 282 README.hpux - notes on using libpcap on HP-UX 283 README.linux - notes on using libpcap on Linux 284 README.macosx - notes on using libpcap on Mac OS X 285 README.septel - notes on using libpcap to capture on Intel/Septel devices 286 README.sita - notes on using libpcap to capture on SITA devices 287 README.tru64 - notes on using libpcap on Digital/Tru64 UNIX 288 README.Win32 - notes on using libpcap on Win32 systems (with WinPcap) 289 SUNOS4 - pre-SunOS 4.1 replacement kernel nit modules 290 VERSION - version of this release 291 acconfig.h - support for post-2.13 autoconf 292 aclocal.m4 - autoconf macros 293 arcnet.h - ARCNET definitions 294 atmuni31.h - ATM Q.2931 definitions 295 bpf/net - copy of bpf_filter.c 296 bpf_dump.c - BPF program printing routines 297 bpf_filter.c - symlink to bpf/net/bpf_filter.c 298 bpf_image.c - BPF disassembly routine 299 config.guess - autoconf support 300 config.h.in - autoconf input 301 config.sub - autoconf support 302 configure - configure script (run this first) 303 configure.ac - configure script source 304 dlpisubs.c - DLPI-related functions for pcap-dlpi.c and pcap-libdlpi.c 305 dlpisubs.h - DLPI-related function declarations 306 etherent.c - /etc/ethers support routines 307 ethertype.h - Ethernet protocol types and names definitions 308 fad-getad.c - pcap_findalldevs() for systems with getifaddrs() 309 fad-gifc.c - pcap_findalldevs() for systems with only SIOCGIFLIST 310 fad-glifc.c - pcap_findalldevs() for systems with SIOCGLIFCONF 311 filtertest.c - test program for BPF compiler 312 findalldevstest.c - test program for pcap_findalldevs() 313 gencode.c - BPF code generation routines 314 gencode.h - BPF code generation definitions 315 grammar.y - filter string grammar 316 ieee80211.h - 802.11 definitions 317 inet.c - network routines 318 install-sh - BSD style install script 319 lbl/os-*.h - OS-dependent defines and prototypes 320 llc.h - 802.2 LLC SAP definitions 321 missing/* - replacements for missing library functions 322 mkdep - construct Makefile dependency list 323 msdos/* - drivers for MS-DOS capture support 324 nametoaddr.c - hostname to address routines 325 nlpid.h - OSI network layer protocol identifier definitions 326 net - symlink to bpf/net 327 optimize.c - BPF optimization routines 328 pcap/bluetooth.h - public definition of DLT_BLUETOOTH_HCI_H4_WITH_PHDR header 329 pcap/bpf.h - BPF definitions 330 pcap/namedb.h - public libpcap name database definitions 331 pcap/pcap.h - public libpcap definitions 332 pcap/sll.h - public definition of DLT_LINUX_SLL header 333 pcap/usb.h - public definition of DLT_USB header 334 pcap-bpf.c - BSD Packet Filter support 335 pcap-bpf.h - header for backwards compatibility 336 pcap-bt-linux.c - Bluetooth capture support for Linux 337 pcap-bt-linux.h - Bluetooth capture support for Linux 338 pcap-dag.c - Endace DAG device capture support 339 pcap-dag.h - Endace DAG device capture support 340 pcap-dlpi.c - Data Link Provider Interface support 341 pcap-dos.c - MS-DOS capture support 342 pcap-dos.h - headers for MS-DOS capture support 343 pcap-enet.c - enet support 344 pcap-int.h - internal libpcap definitions 345 pcap-libdlpi.c - Data Link Provider Interface support for systems with libdlpi 346 pcap-linux.c - Linux packet socket support 347 pcap-namedb.h - header for backwards compatibility 348 pcap-nit.c - SunOS Network Interface Tap support 349 pcap-nit.h - SunOS Network Interface Tap definitions 350 pcap-null.c - dummy monitor support (allows offline use of libpcap) 351 pcap-pf.c - Ultrix and Digital/Tru64 UNIX Packet Filter support 352 pcap-pf.h - Ultrix and Digital/Tru64 UNIX Packet Filter definitions 353 pcap-septel.c - Intel/Septel device capture support 354 pcap-septel.h - Intel/Septel device capture support 355 pcap-sita.c - SITA device capture support 356 pcap-sita.h - SITA device capture support 357 pcap-sita.html - SITA device capture documentation 358 pcap-stdinc.h - includes and #defines for compiling on Win32 systems 359 pcap-snit.c - SunOS 4.x STREAMS-based Network Interface Tap support 360 pcap-snoop.c - IRIX Snoop network monitoring support 361 pcap-usb-linux.c - USB capture support for Linux 362 pcap-usb-linux.h - USB capture support for Linux 363 pcap-win32.c - WinPcap capture support 364 pcap.3pcap - manual entry for the library 365 pcap.c - pcap utility routines 366 pcap.h - header for backwards compatibility 367 pcap_*.3pcap - manual entries for library functions 368 pcap-filter.4 - manual entry for filter syntax 369 pcap-linktype.4 - manual entry for link-layer header types 370 ppp.h - Point to Point Protocol definitions 371 savefile.c - offline support 372 scanner.l - filter string scanner 373 sunatmpos.h - definitions for SunATM capturing 374 Win32 - headers and routines for building on Win32 systems 375
