To build libpcap, run "./configure" (a shell script). The configure
script will determine your system attributes and generate an
appropriate Makefile from Makefile.in. Next run "make". If everything
goes well you can su to root and run "make install". However, you need
not install libpcap if you just want to build tcpdump; just make sure
the tcpdump and libpcap directory trees have the same parent
directory.

If configure says:

    configure: warning: cannot determine packet capture interface
    configure: warning: (see INSTALL for more info)

then your system either does not support packet capture or your system
does support packet capture but libpcap does not support that
particular type. (If you have HP-UX, see below.) If your system uses a
packet capture not supported by libpcap, please send us patches; don't
forget to include an autoconf fragment suitable for use in
configure.ac.

It is possible to override the default packet capture type, although
the circumstances where this works are limited. For example if you have
installed bpf under SunOS 4 and wish to build a snit libpcap:

    ./configure --with-pcap=snit

Another example is to force a supported packet capture type in the case
where the configure script fails to detect it.

You will need an ANSI C compiler to build libpcap. The configure script
will abort if your compiler is not ANSI compliant. If this happens, use
the generally available GNU C compiler (GCC).

You will need either Flex 2.5.31 or later, or a version of Lex
compatible with it (if any exist), to build libpcap. The configure
script will abort if there isn't any such program. If you have an older
version of Flex, or don't have a compatible version of Lex, the current
version of flex is available at flex.sourceforge.net.

You will need either Bison, Berkeley YACC, or a version of YACC
compatible with them (if any exist), to build libpcap. The configure
script will abort if there isn't any such program. If you don't have
any such program, the current version of Bison can be found at
http://ftp.gnu.org/gnu/bison/ and the current version of Berkeley YACC
can be found at http://invisible-island.net/byacc/.

Sometimes the stock C compiler does not interact well with Flex and
Bison. The list of problems includes undefined references for alloca.
You can get around this by installing GCC.

If you use Solaris, there is a bug with bufmod(7) that is fixed in
Solaris 2.3.2 (aka SunOS 5.3.2). Setting a snapshot length with the
broken bufmod(7) results in data being truncated from the FRONT of the
packet instead of the end. The workaround is to not set a snapshot
length but this results in performance problems since the entire packet
is copied to user space. If you must run an older version of Solaris,
there is a patch available from Sun; ask for bugid 1149065. After
installing the patch, use "setenv BUFMOD_FIXED" to enable use of
bufmod(7). However, we recommend you run a more current release of
Solaris.

If you use the SPARCompiler, you must be careful to not use the
/usr/ucb/cc interface. If you do, you will get bogus warnings and
perhaps errors. Either make sure your path has /opt/SUNWspro/bin
before /usr/ucb or else:

    setenv CC /opt/SUNWspro/bin/cc

before running configure. (You might have to do a "make distclean"
if you already ran configure once).

Also note that "make depend" won't work; while all of the known
universe uses -M, the SPARCompiler uses -xM to generate makefile
dependencies.

If you are trying to do packet capture with a FORE ATM card, you may or
may not be able to. They usually only release their driver in object
code so unless their driver supports packet capture, there's not much
libpcap can do.

If you get an error like:

    tcpdump: recv_ack: bind error 0x???

when using DLPI, look for the DL_ERROR_ACK error return values, usually
in /usr/include/sys/dlpi.h, and find the corresponding value.

Under {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be
enabled before it can be used. For instructions on how to enable packet
filter support, see:

    ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX

Look for the "How do I configure the Berkeley Packet Filter and capture
tcpdump traces?" item.

Once you enable packet filter support, your OSF system will support bpf
natively.

Under Ultrix, packet capture must be enabled before it can be used. For
instructions on how to enable packet filter support, see:

    ftp://ftp.digital.com/pub/Digital/dec-faq/ultrix

If you use HP-UX, you must have at least version 9 and either the
version of cc that supports ANSI C (cc -Aa) or else use the GNU C
compiler. You must also buy the optional streams package. If you don't
have:

    /usr/include/sys/dlpi.h
    /usr/include/sys/dlpi_ext.h

then you don't have the streams package. In addition, we believe you
need to install the "9.X LAN and DLPI drivers cumulative" patch
(PHNE_6855) to make the version 9 DLPI work with libpcap.

The DLPI streams package is standard starting with HP-UX 10.

The HP implementation of DLPI is a little bit eccentric. Unlike
Solaris, you must attach /dev/dlpi instead of the specific /dev/*
network pseudo device entry in order to capture packets. The PPA is
based on the ifnet "index" number. Under HP-UX 9, it is necessary to
read /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10,
DLPI can provide information for determining the PPA. It does not seem
to be possible to trace the loopback interface. Unlike other DLPI
implementations, PHYS implies MULTI and SAP and you get an error if you
try to enable more than one promiscuous mode at a time.

It is impossible to capture outbound packets on HP-UX 9. To do so on
HP-UX 10, you will, apparently, need a late "LAN products cumulative
patch" (at one point, it was claimed that this would be PHNE_18173 for
s700/10.20; at another point, it was claimed that the required patches
were PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do
so on HP-UX 11 you will, apparently, need the latest lancommon/DLPI
patches and the latest driver patch for the interface(s) in use on HP-UX
11 (at one point, it was claimed that patches PHNE_19766, PHNE_19826,
PHNE_20008, and PHNE_20735 did the trick).

Furthermore, on HP-UX 10, you will need to turn on a kernel switch by
doing

    echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem

You would have to arrange that this happens on reboots; the right way to
do that would probably be to put it into an executable script file
"/sbin/init.d/outbound_promisc" and make
"/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script.

Finally, testing shows that there can't be more than one simultaneous
DLPI user per network interface.

If you use Linux, this version of libpcap is known to compile and run
under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X
versions but is guaranteed not to work with 1.X kernels. Running more
than one libpcap program at a time, on a system with a 2.0.X kernel, can
cause problems since promiscuous mode is implemented by twiddling the
interface flags from the libpcap application; the packet capture
mechanism in the 2.2 and later kernels doesn't have this problem. Also,
packet timestamps aren't very good. This appears to be due to haphazard
handling of the timestamp in the kernel.

Note well: there is rumoured to be a version of tcpdump floating around
called 3.0.3 that includes libpcap and is supposed to support Linux.
You should be advised that neither the Network Research Group at LBNL
nor the Tcpdump Group ever generated a release with this version number.
The LBNL Network Research Group notes with interest that a standard
cracker trick to get people to install trojans is to distribute bogus
packages that have a version number higher than the current release.
They also noted with annoyance that 90% of the Linux related bug reports
they got are due to changes made to unofficial versions of their page.
If you are having trouble but aren't using a version that came from
tcpdump.org, please try that before submitting a bug report!

On Linux, libpcap will not work if the kernel does not have the packet
socket option enabled; see the README.linux file for information about
this.

If you use AIX, you may not be able to build libpcap from this release.
We do not have an AIX system in house so it's impossible for us to test
AIX patches submitted to us. We are told that you must link against
/lib/pse.exp, that you must use AIX cc or a GNU C compiler newer than
2.7.2, and that you may need to run strload before running a libpcap
application.

Read the README.aix file for information on installing libpcap and
configuring your system to be able to support libpcap.

If you use NeXTSTEP, you will not be able to build libpcap from this
release.

If you use SINIX, you should be able to build libpcap from this
release. It is known to compile and run on SINIX-Y/N 5.42 with the C-DS
V1.0 or V1.1 compiler. But note that in some releases of SINIX, yacc
emits incorrect code; if grammar.y fails to compile, change every
occurrence of:

    #ifdef YYDEBUG

to:

    #if YYDEBUG

Another workaround is to use flex and bison.

If you use SCO, you might have trouble building libpcap from this
release. We do not have a machine running SCO and have not had reports
of anyone successfully building on it; the current release of libpcap
does not compile on SCO OpenServer 5. Although SCO apparently supports
DLPI to some extent, the DLPI in OpenServer 5 is very non-standard, and
it appears that completely new code would need to be written to capture
network traffic. SCO do not appear to provide tcpdump binaries for
OpenServer 5 or OpenServer 6 as part of SCO Skunkware:

    http://www.sco.com/skunkware/

If you use UnixWare, you might be able to build libpcap from this
release, or you might not. We do not have a machine running UnixWare,
so we have not tested it; however, SCO provide packages for libpcap
0.6.2 and tcpdump 3.7.1 in the UnixWare 7/Open UNIX 8 part of SCO
Skunkware, and the source package for libpcap 0.6.2 is not changed from
the libpcap 0.6.2 source release, so this release of libpcap might also
build without changes on UnixWare 7.

If linking tcpdump fails with "Undefined: _alloca" when using bison on
a Sun4, your version of Bison is broken. In any case version 1.16 or
higher is recommended (1.14 is known to cause problems; 1.16 is known to
work). Either pick up a current version from:

    http://ftp.gnu.org/gnu/bison/

or hack around it by inserting the lines:

    #ifdef __GNUC__
    #define alloca __builtin_alloca
    #else
    #ifdef sparc
    #include <alloca.h>
    #else
    char *alloca ();
    #endif
    #endif

right after the (100 line!) GNU license comment in bison.simple, remove
grammar.[co] and fire up make again.

If you use SunOS 4, your kernel must support streams NIT. If you run a
libpcap program and it dies with:

    /dev/nit: No such device

you must add streams NIT support to your kernel configuration, run
config and boot the new kernel.
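
The build prerequisites given near the top of this file (Flex 2.5.31 or
later, Bison or Berkeley YACC, and tcpdump and libpcap sharing a parent
directory) can be checked before running configure. The script below is
an added example, not part of the libpcap distribution; its function
names, the --check argument and the command names flex, bison, byacc and
yacc are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the libpcap distribution): preflight checks for
# the prerequisites this file names. Function names are this example's own.

# version_ge A B: succeed if dotted version A >= B, compared field by field
# as numbers, so 2.5.4 correctly sorts below 2.5.31.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*} y=${y%%[!0-9]*}   # drop suffixes such as the "a" in 4a
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# first_version TEXT: print the first dotted version number found in TEXT.
first_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# check_flex TEXT: TEXT is the output of "flex --version"; needs 2.5.31+.
check_flex() {
    v=$(first_version "$1")
    [ -n "$v" ] && version_ge "$v" 2.5.31
}

# same_parent DIR1 DIR2: succeed if both directories share one parent, the
# layout needed to build tcpdump against an uninstalled libpcap.
same_parent() {
    [ -d "$1" ] && [ -d "$2" ] &&
        [ "$(cd "$1/.." && pwd -P)" = "$(cd "$2/.." && pwd -P)" ]
}

# preflight LIBPCAP_DIR TCPDUMP_DIR: report every unmet prerequisite.
# Assumes the tools are installed under the names flex, bison, byacc or yacc.
preflight() {
    rc=0
    check_flex "$(flex --version 2>/dev/null)" || { echo "need Flex 2.5.31 or later"; rc=1; }
    command -v bison >/dev/null 2>&1 || command -v byacc >/dev/null 2>&1 ||
        command -v yacc >/dev/null 2>&1 || { echo "need Bison or Berkeley YACC"; rc=1; }
    same_parent "$1" "$2" || { echo "$1 and $2 need the same parent directory"; rc=1; }
    return $rc
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then preflight "${2:-.}" "${3:-../tcpdump}"; fi
```

Run it as "sh preflight.sh --check . ../tcpdump" from the libpcap source
directory (the file name is this example's own); a non-zero exit status
means configure is expected to abort or the tcpdump build will not find
libpcap.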

FILES
-----
CHANGES             - description of differences between releases
ChmodBPF/*          - macOS startup item to set ownership and permissions
                      on /dev/bpf*
CMakeLists.txt      - CMake file
CONTRIBUTING        - guidelines for contributing
CREDITS             - people that have helped libpcap along
INSTALL.txt         - this file
LICENSE             - the license under which tcpdump is distributed
Makefile.in         - compilation rules (input to the configure script)
README              - description of distribution
README.aix          - notes on using libpcap on AIX
README.dag          - notes on using libpcap to capture on Endace DAG devices
README.hpux         - notes on using libpcap on HP-UX
README.linux        - notes on using libpcap on Linux
README.macos        - notes on using libpcap on macOS
README.septel       - notes on using libpcap to capture on Intel/Septel devices
README.sita         - notes on using libpcap to capture on SITA devices
README.tru64        - notes on using libpcap on Digital/Tru64 UNIX
README.Win32        - notes on using libpcap on Win32 systems (with WinPcap)
VERSION             - version of this release
acconfig.h          - support for post-2.13 autoconf
aclocal.m4          - autoconf macros
arcnet.h            - ARCNET definitions
atmuni31.h          - ATM Q.2931 definitions
bpf/net             - copy of bpf_filter.c
bpf_dump.c          - BPF program printing routines
bpf_filter.c        - symlink to bpf/net/bpf_filter.c
bpf_image.c         - BPF disassembly routine
config.guess        - autoconf support
config.h.in         - autoconf input
config.sub          - autoconf support
configure           - configure script (run this first)
configure.ac        - configure script source
dlpisubs.c          - DLPI-related functions for pcap-dlpi.c and pcap-libdlpi.c
dlpisubs.h          - DLPI-related function declarations
etherent.c          - /etc/ethers support routines
ethertype.h         - Ethernet protocol types and names definitions
fad-getad.c         - pcap_findalldevs() for systems with getifaddrs()
fad-gifc.c          - pcap_findalldevs() for systems with only SIOCGIFLIST
fad-glifc.c         - pcap_findalldevs() for systems with SIOCGLIFCONF
filtertest.c        - test program for BPF compiler
findalldevstest.c   - test program for pcap_findalldevs()
gencode.c           - BPF code generation routines
gencode.h           - BPF code generation definitions
grammar.y           - filter string grammar
ieee80211.h         - 802.11 definitions
install-sh          - BSD style install script
lbl/os-*.h          - OS-dependent defines and prototypes
llc.h               - 802.2 LLC SAP definitions
missing/*           - replacements for missing library functions
mkdep               - construct Makefile dependency list
msdos/*             - drivers for MS-DOS capture support
nametoaddr.c        - hostname to address routines
nlpid.h             - OSI network layer protocol identifier definitions
net                 - symlink to bpf/net
optimize.c          - BPF optimization routines
pcap/bluetooth.h    - public definition of DLT_BLUETOOTH_HCI_H4_WITH_PHDR header
pcap/bpf.h          - BPF definitions
pcap/namedb.h       - public libpcap name database definitions
pcap/pcap.h         - public libpcap definitions
pcap/sll.h          - public definition of DLT_LINUX_SLL header
pcap/usb.h          - public definition of DLT_USB header
pcap-bpf.c          - BSD Packet Filter support
pcap-bpf.h          - header for backwards compatibility
pcap-bt-linux.c     - Bluetooth capture support for Linux
pcap-bt-linux.h     - Bluetooth capture support for Linux
pcap-dag.c          - Endace DAG device capture support
pcap-dag.h          - Endace DAG device capture support
pcap-dlpi.c         - Data Link Provider Interface support
pcap-dos.c          - MS-DOS capture support
pcap-dos.h          - headers for MS-DOS capture support
pcap-enet.c         - enet support
pcap-int.h          - internal libpcap definitions
pcap-libdlpi.c      - Data Link Provider Interface support for systems with libdlpi
pcap-linux.c        - Linux packet socket support
pcap-namedb.h       - header for backwards compatibility
pcap-nit.c          - SunOS Network Interface Tap support
pcap-nit.h          - SunOS Network Interface Tap definitions
pcap-npf.c          - WinPcap capture support
pcap-null.c         - dummy monitor support (allows offline use of libpcap)
pcap-pf.c           - Ultrix and Digital/Tru64 UNIX Packet Filter support
pcap-pf.h           - Ultrix and Digital/Tru64 UNIX Packet Filter definitions
pcap-septel.c       - Intel/Septel device capture support
pcap-septel.h       - Intel/Septel device capture support
pcap-sita.c         - SITA device capture support
pcap-sita.h         - SITA device capture support
pcap-sita.html      - SITA device capture documentation
pcap-stdinc.h       - includes and #defines for compiling on Win32 systems
pcap-snit.c         - SunOS 4.x STREAMS-based Network Interface Tap support
pcap-snoop.c        - IRIX Snoop network monitoring support
pcap-usb-linux.c    - USB capture support for Linux
pcap-usb-linux.h    - USB capture support for Linux
pcap.3pcap          - manual entry for the library
pcap.c              - pcap utility routines
pcap.h              - header for backwards compatibility
pcap_*.3pcap        - manual entries for library functions
pcap-filter.4       - manual entry for filter syntax
pcap-linktype.4     - manual entry for link-layer header types
ppp.h               - Point to Point Protocol definitions
savefile.c          - offline support
scanner.l           - filter string scanner
sunatmpos.h         - definitions for SunATM capturing
Win32               - headers and routines for building on Win32 systems