1353141SphilipTo build libpcap, run "./configure" (a shell script). The configure 2353141Sphilipscript will determine your system attributes and generate an 3353141Sphilipappropriate Makefile from Makefile.in. Next run "make". If everything 4353141Sphilipgoes well you can su to root and run "make install". However, you need 5353141Sphilipnot install libpcap if you just want to build tcpdump; just make sure 6353141Sphilipthe tcpdump and libpcap directory trees have the same parent 7353141Sphilipdirectory. 8353141Sphilip 9353141SphilipIf configure says: 10353141Sphilip 11353141Sphilip configure: warning: cannot determine packet capture interface 12353141Sphilip configure: warning: (see INSTALL for more info) 13353141Sphilip 14353141Sphilipthen your system either does not support packet capture or your system 15353141Sphilipdoes support packet capture but libpcap does not support that 16353141Sphilipparticular type. (If you have HP-UX, see below.) If your system uses a 17353141Sphilippacket capture not supported by libpcap, please send us patches; don't 18353141Sphilipforget to include an autoconf fragment suitable for use in 19353141Sphilipconfigure.ac. 20353141Sphilip 21353141SphilipIt is possible to override the default packet capture type, although 22353141Sphilipthe circumstance where this works are limited. For example if you have 23353141Sphilipinstalled bpf under SunOS 4 and wish to build a snit libpcap: 24353141Sphilip 25353141Sphilip ./configure --with-pcap=snit 26353141Sphilip 27353141SphilipAnother example is to force a supported packet capture type in the case 28353141Sphilipwhere the configure scripts fails to detect it. 29353141Sphilip 30353141SphilipYou will need an ANSI C compiler to build libpcap. The configure script 31353141Sphilipwill abort if your compiler is not ANSI compliant. If this happens, use 32353141Sphilipthe generally available GNU C compiler (GCC). 33353141Sphilip 34353141SphilipYou will need either Flex 2.5.31 or later, or a version of Lex 35353141Sphilipcompatible with it (if any exist), to build libpcap. The configure 36353141Sphilipscript will abort if there isn't any such program. If you have an older 37353141Sphilipversion of Flex, or don't have a compatible version of Lex, the current 38353141Sphilipversion of flex is available at flex.sourceforge.net. 39353141Sphilip 40353141SphilipYou will need either Bison, Berkeley YACC, or a version of YACC 41353141Sphilipcompatible with them (if any exist), to build libpcap. The configure 42353141Sphilipscript will abort if there isn't any such program. If you don't have 43353141Sphilipany such program, the current version of Bison can be found at 44353141Sphiliphttp://ftp.gnu.org/gnu/bison/ and the current version of Berkeley YACC 45353141Sphilipcan be found at http://invisible-island.net/byacc/. 46353141Sphilip 47353141SphilipSometimes the stock C compiler does not interact well with Flex and 48353141SphilipBison. The list of problems includes undefined references for alloca. 49353141SphilipYou can get around this by installing GCC. 50353141Sphilip 51353141SphilipIf you use Solaris, there is a bug with bufmod(7) that is fixed in 52353141SphilipSolaris 2.3.2 (aka SunOS 5.3.2). Setting a snapshot length with the 53353141Sphilipbroken bufmod(7) results in data be truncated from the FRONT of the 54353141Sphilippacket instead of the end. The work around is to not set a snapshot 55353141Sphiliplength but this results in performance problems since the entire packet 56353141Sphilipis copied to user space. If you must run an older version of Solaris, 57353141Sphilipthere is a patch available from Sun; ask for bugid 1149065. After 58353141Sphilipinstalling the patch, use "setenv BUFMOD_FIXED" to enable use of 59353141Sphilipbufmod(7). However, we recommend you run a more current release of 60353141SphilipSolaris. 61353141Sphilip 62353141SphilipIf you use the SPARCompiler, you must be careful to not use the 63353141Sphilip/usr/ucb/cc interface. If you do, you will get bogus warnings and 64353141Sphilipperhaps errors. Either make sure your path has /opt/SUNWspro/bin 65353141Sphilipbefore /usr/ucb or else: 66353141Sphilip 67353141Sphilip setenv CC /opt/SUNWspro/bin/cc 68353141Sphilip 69353141Sphilipbefore running configure. (You might have to do a "make distclean" 70353141Sphilipif you already ran configure once). 71353141Sphilip 72353141SphilipIf you are trying to do packet capture with a FORE ATM card, you may or 73353141Sphilipmay not be able to. They usually only release their driver in object 74353141Sphilipcode so unless their driver supports packet capture, there's not much 75353141Sphiliplibpcap can do. 76353141Sphilip 77353141SphilipIf you get an error like: 78353141Sphilip 79353141Sphilip tcpdump: recv_ack: bind error 0x??? 80353141Sphilip 81353141Sphilipwhen using DLPI, look for the DL_ERROR_ACK error return values, usually 82353141Sphilipin /usr/include/sys/dlpi.h, and find the corresponding value. 83353141Sphilip 84353141SphilipUnder {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be 85353141Sphilipenabled before it can be used. For instructions on how to enable packet 86353141Sphilipfilter support, see: 87353141Sphilip 88353141Sphilip ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX 89353141Sphilip 90353141SphilipLook for the "How do I configure the Berkeley Packet Filter and capture 91353141Sphiliptcpdump traces?" item. 92353141Sphilip 93353141SphilipOnce you enable packet filter support, your OSF system will support bpf 94353141Sphilipnatively. 95353141Sphilip 96353141SphilipUnder Ultrix, packet capture must be enabled before it can be used. For 97353141Sphilipinstructions on how to enable packet filter support, see: 98353141Sphilip 99353141Sphilip ftp://ftp.digital.com/pub/Digital/dec-faq/ultrix 100353141Sphilip 101353141SphilipIf you use HP-UX, you must have at least version 9 and either the 102353141Sphilipversion of cc that supports ANSI C (cc -Aa) or else use the GNU C 103353141Sphilipcompiler. You must also buy the optional streams package. If you don't 104353141Sphiliphave: 105353141Sphilip 106353141Sphilip /usr/include/sys/dlpi.h 107353141Sphilip /usr/include/sys/dlpi_ext.h 108353141Sphilip 109353141Sphilipthen you don't have the streams package. In addition, we believe you 110353141Sphilipneed to install the "9.X LAN and DLPI drivers cumulative" patch 111353141Sphilip(PHNE_6855) to make the version 9 DLPI work with libpcap. 112353141Sphilip 113353141SphilipThe DLPI streams package is standard starting with HP-UX 10. 114353141Sphilip 115353141SphilipThe HP implementation of DLPI is a little bit eccentric. Unlike 116353141SphilipSolaris, you must attach /dev/dlpi instead of the specific /dev/* 117353141Sphilipnetwork pseudo device entry in order to capture packets. The PPA is 118353141Sphilipbased on the ifnet "index" number. Under HP-UX 9, it is necessary to 119353141Sphilipread /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10, 120353141SphilipDLPI can provide information for determining the PPA. It does not seem 121353141Sphilipto be possible to trace the loopback interface. Unlike other DLPI 122353141Sphilipimplementations, PHYS implies MULTI and SAP and you get an error if you 123353141Sphiliptry to enable more than one promiscuous mode at a time. 124353141Sphilip 125353141SphilipIt is impossible to capture outbound packets on HP-UX 9. To do so on 126353141SphilipHP-UX 10, you will, apparently, need a late "LAN products cumulative 127353141Sphilippatch" (at one point, it was claimed that this would be PHNE_18173 for 128353141Sphilips700/10.20; at another point, it was claimed that the required patches 129353141Sphilipwere PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do 130353141Sphilipso on HP-UX 11 you will, apparently, need the latest lancommon/DLPI 131353141Sphilippatches and the latest driver patch for the interface(s) in use on HP-UX 132353141Sphilip11 (at one point, it was claimed that patches PHNE_19766, PHNE_19826, 133353141SphilipPHNE_20008, and PHNE_20735 did the trick). 134353141Sphilip 135353141SphilipFurthermore, on HP-UX 10, you will need to turn on a kernel switch by 136353141Sphilipdoing 137353141Sphilip 138353141Sphilip echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem 139353141Sphilip 140353141SphilipYou would have to arrange that this happen on reboots; the right way to 141353141Sphilipdo that would probably be to put it into an executable script file 142353141Sphilip"/sbin/init.d/outbound_promisc" and making 143353141Sphilip"/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script. 144353141Sphilip 145353141SphilipFinally, testing shows that there can't be more than one simultaneous 146353141SphilipDLPI user per network interface. 147353141Sphilip 148353141SphilipIf you use Linux, this version of libpcap is known to compile and run 149353141Sphilipunder Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X 150353141Sphilipversions but is guaranteed not to work with 1.X kernels. Running more 151353141Sphilipthan one libpcap program at a time, on a system with a 2.0.X kernel, can 152353141Sphilipcause problems since promiscuous mode is implemented by twiddling the 153353141Sphilipinterface flags from the libpcap application; the packet capture 154353141Sphilipmechanism in the 2.2 and later kernels doesn't have this problem. Also, 155353141Sphilippacket timestamps aren't very good. This appears to be due to haphazard 156353141Sphiliphandling of the timestamp in the kernel. 157353141Sphilip 158353141SphilipNote well: there is rumoured to be a version of tcpdump floating around 159353141Sphilipcalled 3.0.3 that includes libpcap and is supposed to support Linux. 160353141SphilipYou should be advised that neither the Network Research Group at LBNL 161353141Sphilipnor the Tcpdump Group ever generated a release with this version number. 162353141SphilipThe LBNL Network Research Group notes with interest that a standard 163353141Sphilipcracker trick to get people to install trojans is to distribute bogus 164353141Sphilippackages that have a version number higher than the current release. 165353141SphilipThey also noted with annoyance that 90% of the Linux related bug reports 166353141Sphilipthey got are due to changes made to unofficial versions of their page. 167353141SphilipIf you are having trouble but aren't using a version that came from 168353141Sphiliptcpdump.org, please try that before submitting a bug report! 169353141Sphilip 170353141SphilipOn Linux, libpcap will not work if the kernel does not have the packet 171353141Sphilipsocket option enabled; see the README.linux file for information about 172353141Sphilipthis. 173353141Sphilip 174353141SphilipIf you use AIX, you may not be able to build libpcap from this release. 175353141SphilipWe do not have an AIX system in house so it's impossible for us to test 176353141SphilipAIX patches submitted to us. We are told that you must link against 177353141Sphilip/lib/pse.exp, that you must use AIX cc or a GNU C compiler newer than 178353141Sphilip2.7.2, and that you may need to run strload before running a libpcap 179353141Sphilipapplication. 180353141Sphilip 181353141SphilipRead the README.aix file for information on installing libpcap and 182353141Sphilipconfiguring your system to be able to support libpcap. 183353141Sphilip 184353141SphilipIf you use NeXTSTEP, you will not be able to build libpcap from this 185353141Sphiliprelease. 186353141Sphilip 187353141SphilipIf you use SINIX, you should be able to build libpcap from this 188353141Sphiliprelease. It is known to compile and run on SINIX-Y/N 5.42 with the C-DS 189353141SphilipV1.0 or V1.1 compiler. But note that in some releases of SINIX, yacc 190353141Sphilipemits incorrect code; if grammar.y fails to compile, change every 191353141Sphilipoccurence of: 192353141Sphilip 193353141Sphilip #ifdef YYDEBUG 194353141Sphilip 195353141Sphilipto: 196353141Sphilip #if YYDEBUG 197353141Sphilip 198353141SphilipAnother workaround is to use flex and bison. 199353141Sphilip 200353141SphilipIf you use SCO, you might have trouble building libpcap from this 201353141Sphiliprelease. We do not have a machine running SCO and have not had reports 202353141Sphilipof anyone successfully building on it; the current release of libpcap 203353141Sphilipdoes not compile on SCO OpenServer 5. Although SCO apparently supports 204353141SphilipDLPI to some extent, the DLPI in OpenServer 5 is very non-standard, and 205353141Sphilipit appears that completely new code would need to be written to capture 206353141Sphilipnetwork traffic. SCO do not appear to provide tcpdump binaries for 207353141SphilipOpenServer 5 or OpenServer 6 as part of SCO Skunkware: 208353141Sphilip 209353141Sphilip http://www.sco.com/skunkware/ 210353141Sphilip 211353141SphilipIf you use UnixWare, you might be able to build libpcap from this 212353141Sphiliprelease, or you might not. We do not have a machine running UnixWare, 213353141Sphilipso we have not tested it; however, SCO provide packages for libpcap 214353141Sphilip0.6.2 and tcpdump 3.7.1 in the UnixWare 7/Open UNIX 8 part of SCO 215353141SphilipSkunkware, and the source package for libpcap 0.6.2 is not changed from 216353141Sphilipthe libpcap 0.6.2 source release, so this release of libpcap might also 217353141Sphilipbuild without changes on UnixWare 7. 218353141Sphilip 219353141SphilipIf linking tcpdump fails with "Undefined: _alloca" when using bison on 220353141Sphilipa Sun4, your version of Bison is broken. In any case version 1.16 or 221353141Sphiliphigher is recommended (1.14 is known to cause problems 1.16 is known to 222353141Sphilipwork). Either pick up a current version from: 223353141Sphilip 224353141Sphilip http://ftp.gnu.org/gnu/bison/ 225353141Sphilip 226353141Sphilipor hack around it by inserting the lines: 227353141Sphilip 228353141Sphilip #ifdef __GNUC__ 229353141Sphilip #define alloca __builtin_alloca 230353141Sphilip #else 231353141Sphilip #ifdef sparc 232353141Sphilip #include <alloca.h> 233353141Sphilip #else 234353141Sphilip char *alloca (); 235353141Sphilip #endif 236353141Sphilip #endif 237353141Sphilip 238353141Sphilipright after the (100 line!) GNU license comment in bison.simple, remove 239353141Sphilipgrammar.[co] and fire up make again. 240353141Sphilip 241353141SphilipIf you use SunOS 4, your kernel must support streams NIT. If you run a 242353141Sphiliplibpcap program and it dies with: 243353141Sphilip 244353141Sphilip /dev/nit: No such device 245353141Sphilip 246353141SphilipYou must add streams NIT support to your kernel configuration, run 247353141Sphilipconfig and boot the new kernel. 248353141Sphilip 249353141SphilipFILES 250353141Sphilip----- 251353141SphilipCHANGES - description of differences between releases 252353141SphilipChmodBPF/* - macOS startup item to set ownership and permissions 253353141Sphilip on /dev/bpf* 254353141SphilipCMakeLists.txt - CMake file 255353141SphilipCONTRIBUTING - guidelines for contributing 256353141SphilipCREDITS - people that have helped libpcap along 257353141SphilipINSTALL.md - this file 258353141SphilipLICENSE - the license under which tcpdump is distributed 259353141SphilipMakefile.in - compilation rules (input to the configure script) 260353141SphilipREADME.md - description of distribution 261353141Sphilipdoc/README.aix - notes on using libpcap on AIX 262353141Sphilipdoc/README.dag - notes on using libpcap to capture on Endace DAG devices 263353141Sphilipdoc/README.hpux - notes on using libpcap on HP-UX 264353141Sphilipdoc/README.linux.md - notes on using libpcap on Linux 265353141Sphilipdoc/README.macos - notes on using libpcap on macOS 266353141Sphilipdoc/README.septel - notes on using libpcap to capture on Intel/Septel devices 267353141Sphilipdoc/README.sita - notes on using libpcap to capture on SITA devices 268353141Sphilipdoc/README.tru64 - notes on using libpcap on Digital/Tru64 UNIX 269353141Sphilipdoc/README.Win32 - notes on using libpcap on Win32 systems (with Npcap) 270353141SphilipVERSION - version of this release 271353141Sphilipacconfig.h - support for post-2.13 autoconf 272353141Sphilipaclocal.m4 - autoconf macros 273353141Sphiliparcnet.h - ARCNET definitions 274353141Sphilipatmuni31.h - ATM Q.2931 definitions 275353141Sphilipbpf_dump.c - BPF program printing routines 276353141Sphilipbpf_filter.c - BPF filtering routines 277353141Sphilipbpf_image.c - BPF disassembly routine 278353141Sphilipconfig.guess - autoconf support 279353141Sphilipconfig.h.in - autoconf input 280353141Sphilipconfig.sub - autoconf support 281353141Sphilipconfigure - configure script (run this first) 282353141Sphilipconfigure.ac - configure script source 283353141Sphilipdlpisubs.c - DLPI-related functions for pcap-dlpi.c and pcap-libdlpi.c 284353141Sphilipdlpisubs.h - DLPI-related function declarations 285353141Sphilipetherent.c - /etc/ethers support routines 286353141Sphilipethertype.h - Ethernet protocol types and names definitions 287353141Sphilipfad-getad.c - pcap_findalldevs() for systems with getifaddrs() 288353141Sphilipfad-gifc.c - pcap_findalldevs() for systems with only SIOCGIFLIST 289353141Sphilipfad-glifc.c - pcap_findalldevs() for systems with SIOCGLIFCONF 290353141Sphilipfiltertest.c - test program for BPF compiler 291353141Sphilipfindalldevstest.c - test program for pcap_findalldevs() 292353141Sphilipgencode.c - BPF code generation routines 293353141Sphilipgencode.h - BPF code generation definitions 294353141Sphilipgrammar.y - filter string grammar 295353141Sphilipieee80211.h - 802.11 definitions 296353141Sphilipinstall-sh - BSD style install script 297353141Sphiliplbl/os-*.h - OS-dependent defines and prototypes 298353141Sphilipllc.h - 802.2 LLC SAP definitions 299353141Sphilipmissing/* - replacements for missing library functions 300353141Sphilipmkdep - construct Makefile dependency list 301353141Sphilipmsdos/* - drivers for MS-DOS capture support 302353141Sphilipnametoaddr.c - hostname to address routines 303353141Sphilipnlpid.h - OSI network layer protocol identifier definitions 304353141Sphilipnet - symlink to bpf/net 305353141Sphilipoptimize.c - BPF optimization routines 306353141Sphilippcap/bluetooth.h - public definition of DLT_BLUETOOTH_HCI_H4_WITH_PHDR header 307353141Sphilippcap/bpf.h - BPF definitions 308353141Sphilippcap/namedb.h - public libpcap name database definitions 309353141Sphilippcap/pcap.h - public libpcap definitions 310353141Sphilippcap/sll.h - public definition of DLT_LINUX_SLL header 311353141Sphilippcap/usb.h - public definition of DLT_USB header 312353141Sphilippcap-bpf.c - BSD Packet Filter support 313353141Sphilippcap-bpf.h - header for backwards compatibility 314353141Sphilippcap-bt-linux.c - Bluetooth capture support for Linux 315353141Sphilippcap-bt-linux.h - Bluetooth capture support for Linux 316353141Sphilippcap-dag.c - Endace DAG device capture support 317353141Sphilippcap-dag.h - Endace DAG device capture support 318353141Sphilippcap-dlpi.c - Data Link Provider Interface support 319353141Sphilippcap-dos.c - MS-DOS capture support 320353141Sphilippcap-dos.h - headers for MS-DOS capture support 321353141Sphilippcap-enet.c - enet support 322353141Sphilippcap-int.h - internal libpcap definitions 323353141Sphilippcap-libdlpi.c - Data Link Provider Interface support for systems with libdlpi 324353141Sphilippcap-linux.c - Linux packet socket support 325353141Sphilippcap-namedb.h - header for backwards compatibility 326353141Sphilippcap-nit.c - SunOS Network Interface Tap support 327353141Sphilippcap-nit.h - SunOS Network Interface Tap definitions 328353141Sphilippcap-npf.c - WinPcap capture support 329353141Sphilippcap-null.c - dummy monitor support (allows offline use of libpcap) 330353141Sphilippcap-pf.c - Ultrix and Digital/Tru64 UNIX Packet Filter support 331353141Sphilippcap-pf.h - Ultrix and Digital/Tru64 UNIX Packet Filter definitions 332353141Sphilippcap-septel.c - Intel/Septel device capture support 333353141Sphilippcap-septel.h - Intel/Septel device capture support 334353141Sphilippcap-sita.c - SITA device capture support 335353141Sphilippcap-sita.h - SITA device capture support 336353141Sphilippcap-sita.html - SITA device capture documentation 337353141Sphilippcap-stdinc.h - includes and #defines for compiling on Win32 systems 338353141Sphilippcap-snit.c - SunOS 4.x STREAMS-based Network Interface Tap support 339353141Sphilippcap-snoop.c - IRIX Snoop network monitoring support 340353141Sphilippcap-usb-linux.c - USB capture support for Linux 341353141Sphilippcap-usb-linux.h - USB capture support for Linux 342353141Sphilippcap.3pcap - manual entry for the library 343353141Sphilippcap.c - pcap utility routines 344353141Sphilippcap.h - header for backwards compatibility 345353141Sphilippcap_*.3pcap - manual entries for library functions 346353141Sphilippcap-filter.4 - manual entry for filter syntax 347353141Sphilippcap-linktype.4 - manual entry for link-layer header types 348353141Sphilipppp.h - Point to Point Protocol definitions 349353141Sphilipsavefile.c - offline support 350353141Sphilipscanner.l - filter string scanner 351353141Sphilipsunatmpos.h - definitions for SunATM capturing 352353141SphilipWin32 - headers and routines for building on Win32 systems 353