To build libpcap, run "./configure" (a shell script). The configure
script will determine your system attributes and generate an
appropriate Makefile from Makefile.in. Next run "make". If everything
goes well you can su to root and run "make install". However, you need
not install libpcap if you just want to build tcpdump; just make sure
the tcpdump and libpcap directory trees have the same parent
directory.

If configure says:

    configure: warning: cannot determine packet capture interface
    configure: warning: (see INSTALL for more info)

then your system either does not support packet capture or your system
does support packet capture but libpcap does not support that
particular type. (If you have HP-UX, see below.) If your system uses a
packet capture not supported by libpcap, please send us patches; don't
forget to include an autoconf fragment suitable for use in
configure.ac.

It is possible to override the default packet capture type, although
the circumstances where this works are limited. For example, if you have
installed bpf under SunOS 4 and wish to build a snit libpcap:

    ./configure --with-pcap=snit

Another example is to force a supported packet capture type in the case
where the configure script fails to detect it.

You will need an ANSI C compiler to build libpcap. The configure script
will abort if your compiler is not ANSI compliant. If this happens, use
the generally available GNU C compiler (GCC).

You will need either Flex 2.5.31 or later, or a version of Lex
compatible with it (if any exist), to build libpcap. The configure
script will abort if there isn't any such program. If you have an older
version of Flex, or don't have a compatible version of Lex, the current
version of flex is available at flex.sourceforge.net.

You will need either Bison, Berkeley YACC, or a version of YACC
compatible with them (if any exist), to build libpcap. The configure
script will abort if there isn't any such program. If you don't have
any such program, the current version of Bison can be found at
http://ftp.gnu.org/gnu/bison/ and the current version of Berkeley YACC
can be found at http://invisible-island.net/byacc/.

Sometimes the stock C compiler does not interact well with Flex and
Bison. The list of problems includes undefined references for alloca.
You can get around this by installing GCC.

If you use Solaris, there is a bug with bufmod(7) that is fixed in
Solaris 2.3.2 (aka SunOS 5.3.2). Setting a snapshot length with the
broken bufmod(7) results in data being truncated from the FRONT of the
packet instead of the end. The workaround is to not set a snapshot
length, but this results in performance problems since the entire packet
is copied to user space. If you must run an older version of Solaris,
there is a patch available from Sun; ask for bugid 1149065. After
installing the patch, use "setenv BUFMOD_FIXED" to enable use of
bufmod(7). However, we recommend you run a more current release of
Solaris.

If you use the SPARCompiler, you must be careful to not use the
/usr/ucb/cc interface. If you do, you will get bogus warnings and
perhaps errors. Either make sure your path has /opt/SUNWspro/bin
before /usr/ucb or else:

    setenv CC /opt/SUNWspro/bin/cc

before running configure. (You might have to do a "make distclean"
if you already ran configure once).

Also note that "make depend" won't work; while all of the known
universe uses -M, the SPARCompiler uses -xM to generate makefile
dependencies.

If you are trying to do packet capture with a FORE ATM card, you may or
may not be able to. They usually only release their driver in object
code so unless their driver supports packet capture, there's not much
libpcap can do.

If you get an error like:

    tcpdump: recv_ack: bind error 0x???

when using DLPI, look for the DL_ERROR_ACK error return values, usually
in /usr/include/sys/dlpi.h, and find the corresponding value.

Under {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be
enabled before it can be used. For instructions on how to enable packet
filter support, see:

    ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX

Look for the "How do I configure the Berkeley Packet Filter and capture
tcpdump traces?" item.

Once you enable packet filter support, your OSF system will support bpf
natively.
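
The DLPI bind-error lookup described above can be scripted. The following is an added example, not part of the libpcap distribution: the function names and the embedded header excerpt are constructed for illustration, and it assumes your dlpi.h marks the section with a "DL_ERROR_ACK error return values" comment. A plain grep for the value is not enough, because other sections of the header reuse the same numbers.

```shell
#!/bin/sh
# Resolve the hex code from "tcpdump: recv_ack: bind error 0x.." to its DL_*
# name, reading only the "DL_ERROR_ACK error return values" section of dlpi.h.

# Constructed header excerpt for offline use (hypothetical helper). A real
# header is usually /usr/include/sys/dlpi.h; its values may differ.
sample_dlpi_h() {
    cat <<'EOF'
/*
 * Primitives for Local Management Services
 */
#define DL_INFO_REQ     0x00    /* Information Req */
#define DL_BIND_REQ     0x01    /* Bind dlsap address */
#define DL_ERROR_ACK    0x05    /* Error acknowledgment */

/*
 * DL_ERROR_ACK error return values
 */
#define DL_ACCESS       0x02    /* Improper permissions for request */
#define DL_BADADDR      0x01    /* DLSAP addr in improper format */
#define DL_BADPPA       0x08    /* Specified PPA was invalid */
#define DL_BOUND        0x0d    /* Attempted second bind */
#define DL_NOTINIT      0x10    /* Physical link not initialized */

/*
 * DLPI media types supported
 */
#define DL_CSMACD       0x0     /* IEEE 802.3 CSMA/CD network */
EOF
}

# Print "NAME VALUE" for each numeric #define inside the error section only.
# The section ends at the next comment block that starts in column one.
dlpi_error_table() {
    awk '
        /DL_ERROR_ACK error return values/ { insec = 1; next }
        insec && /^#define[ \t]+DL_/ && $3 ~ /^(0[xX][0-9a-fA-F]+|[0-9]+)$/ {
            seen = 1; print $2, $3; next
        }
        insec && seen && /^\/\*/ { exit }
    ' "$1"
}

# dlpi_errname <code-or-full-message> [header]
# Prints the matching DL_* name; returns 1 if unknown, 2 on bad input.
dlpi_errname() {
    hdr=${2:-/usr/include/sys/dlpi.h}
    hex=$(printf '%s\n' "$1" |
          sed -n 's/.*\(0[xX][0-9a-fA-F][0-9a-fA-F]*\).*/\1/p')
    [ -n "$hex" ] || { echo "no hex code in: $1" >&2; return 2; }
    [ -r "$hdr" ] || { echo "cannot read $hdr" >&2; return 2; }
    want=$(printf '%d' "$hex")
    # Compare numerically so 0x0D, 0x0d and 0xd all match the same entry.
    found=$(dlpi_error_table "$hdr" | while read -r name val; do
        if [ "$(printf '%d' "$val")" -eq "$want" ]; then echo "$name"; fi
    done)
    [ -n "$found" ] || { echo "code $hex not in error section" >&2; return 1; }
    echo "$found"
}
```

Source the file and call `dlpi_errname 'tcpdump: recv_ack: bind error 0x08'`; pass a second argument to point it at a header in a non-default location.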

Under Ultrix, packet capture must be enabled before it can be used. For
instructions on how to enable packet filter support, see:

    ftp://ftp.digital.com/pub/Digital/dec-faq/ultrix

If you use HP-UX, you must have at least version 9 and either the
version of cc that supports ANSI C (cc -Aa) or else use the GNU C
compiler. You must also buy the optional streams package. If you don't
have:

    /usr/include/sys/dlpi.h
    /usr/include/sys/dlpi_ext.h

then you don't have the streams package. In addition, we believe you
need to install the "9.X LAN and DLPI drivers cumulative" patch
(PHNE_6855) to make the version 9 DLPI work with libpcap.

The DLPI streams package is standard starting with HP-UX 10.

The HP implementation of DLPI is a little bit eccentric. Unlike
Solaris, you must attach /dev/dlpi instead of the specific /dev/*
network pseudo device entry in order to capture packets. The PPA is
based on the ifnet "index" number. Under HP-UX 9, it is necessary to
read /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10,
DLPI can provide information for determining the PPA. It does not seem
to be possible to trace the loopback interface. Unlike other DLPI
implementations, PHYS implies MULTI and SAP and you get an error if you
try to enable more than one promiscuous mode at a time.

It is impossible to capture outbound packets on HP-UX 9. To do so on
HP-UX 10, you will, apparently, need a late "LAN products cumulative
patch" (at one point, it was claimed that this would be PHNE_18173 for
s700/10.20; at another point, it was claimed that the required patches
were PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do
so on HP-UX 11 you will, apparently, need the latest lancommon/DLPI
patches and the latest driver patch for the interface(s) in use on HP-UX
11 (at one point, it was claimed that patches PHNE_19766, PHNE_19826,
PHNE_20008, and PHNE_20735 did the trick).

Furthermore, on HP-UX 10, you will need to turn on a kernel switch by
doing

    echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem

You would have to arrange that this happens on reboots; the right way to
do that would probably be to put it into an executable script file
"/sbin/init.d/outbound_promisc" and make
"/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script.

Finally, testing shows that there can't be more than one simultaneous
DLPI user per network interface.

If you use Linux, this version of libpcap is known to compile and run
under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X
versions but is guaranteed not to work with 1.X kernels. Running more
than one libpcap program at a time, on a system with a 2.0.X kernel, can
cause problems since promiscuous mode is implemented by twiddling the
interface flags from the libpcap application; the packet capture
mechanism in the 2.2 and later kernels doesn't have this problem. Also,
packet timestamps aren't very good. This appears to be due to haphazard
handling of the timestamp in the kernel.

Note well: there is rumoured to be a version of tcpdump floating around
called 3.0.3 that includes libpcap and is supposed to support Linux.
You should be advised that neither the Network Research Group at LBNL
nor the Tcpdump Group ever generated a release with this version number.
The LBNL Network Research Group notes with interest that a standard
cracker trick to get people to install trojans is to distribute bogus
packages that have a version number higher than the current release.
They also noted with annoyance that 90% of the Linux related bug reports
they got are due to changes made to unofficial versions of their page.
If you are having trouble but aren't using a version that came from
tcpdump.org, please try that before submitting a bug report!

On Linux, libpcap will not work if the kernel does not have the packet
socket option enabled; see the README.linux file for information about
this.

If you use AIX, you may not be able to build libpcap from this release.
We do not have an AIX system in house so it's impossible for us to test
AIX patches submitted to us. We are told that you must link against
/lib/pse.exp, that you must use AIX cc or a GNU C compiler newer than
2.7.2, and that you may need to run strload before running a libpcap
application.

Read the README.aix file for information on installing libpcap and
configuring your system to be able to support libpcap.

If you use NeXTSTEP, you will not be able to build libpcap from this
release.

If you use SINIX, you should be able to build libpcap from this
release. It is known to compile and run on SINIX-Y/N 5.42 with the C-DS
V1.0 or V1.1 compiler. But note that in some releases of SINIX, yacc
emits incorrect code; if grammar.y fails to compile, change every
occurrence of:

    #ifdef YYDEBUG

to:

    #if YYDEBUG

Another workaround is to use flex and bison.

If you use SCO, you might have trouble building libpcap from this
release. We do not have a machine running SCO and have not had reports
of anyone successfully building on it; the current release of libpcap
does not compile on SCO OpenServer 5. Although SCO apparently supports
DLPI to some extent, the DLPI in OpenServer 5 is very non-standard, and
it appears that completely new code would need to be written to capture
network traffic. SCO do not appear to provide tcpdump binaries for
OpenServer 5 or OpenServer 6 as part of SCO Skunkware:

    http://www.sco.com/skunkware/

If you use UnixWare, you might be able to build libpcap from this
release, or you might not. We do not have a machine running UnixWare,
so we have not tested it; however, SCO provide packages for libpcap
0.6.2 and tcpdump 3.7.1 in the UnixWare 7/Open UNIX 8 part of SCO
Skunkware, and the source package for libpcap 0.6.2 is not changed from
the libpcap 0.6.2 source release, so this release of libpcap might also
build without changes on UnixWare 7.

If linking tcpdump fails with "Undefined: _alloca" when using bison on
a Sun4, your version of Bison is broken. In any case version 1.16 or
higher is recommended (1.14 is known to cause problems; 1.16 is known to
work). Either pick up a current version from:

    http://ftp.gnu.org/gnu/bison/

or hack around it by inserting the lines:

    #ifdef __GNUC__
    #define alloca __builtin_alloca
    #else
    #ifdef sparc
    #include <alloca.h>
    #else
    char *alloca ();
    #endif
    #endif

right after the (100 line!) GNU license comment in bison.simple, remove
grammar.[co] and fire up make again.

If you use SunOS 4, your kernel must support streams NIT. If you run a
libpcap program and it dies with:

    /dev/nit: No such device

You must add streams NIT support to your kernel configuration, run
config and boot the new kernel.

FILES
-----
CHANGES             - description of differences between releases
ChmodBPF/*          - macOS startup item to set ownership and permissions
                      on /dev/bpf*
CMakeLists.txt      - CMake file
CONTRIBUTING        - guidelines for contributing
CREDITS             - people that have helped libpcap along
INSTALL.txt         - this file
LICENSE             - the license under which tcpdump is distributed
Makefile.in         - compilation rules (input to the configure script)
README              - description of distribution
README.aix          - notes on using libpcap on AIX
README.dag          - notes on using libpcap to capture on Endace DAG devices
README.hpux         - notes on using libpcap on HP-UX
README.linux        - notes on using libpcap on Linux
README.macos        - notes on using libpcap on macOS
README.septel       - notes on using libpcap to capture on Intel/Septel devices
README.sita         - notes on using libpcap to capture on SITA devices
README.tru64        - notes on using libpcap on Digital/Tru64 UNIX
README.Win32        - notes on using libpcap on Win32 systems (with WinPcap)
VERSION             - version of this release
acconfig.h          - support for post-2.13 autoconf
aclocal.m4          - autoconf macros
arcnet.h            - ARCNET definitions
atmuni31.h          - ATM Q.2931 definitions
bpf/net             - copy of bpf_filter.c
bpf_dump.c          - BPF program printing routines
bpf_filter.c        - symlink to bpf/net/bpf_filter.c
bpf_image.c         - BPF disassembly routine
config.guess        - autoconf support
config.h.in         - autoconf input
config.sub          - autoconf support
configure           - configure script (run this first)
configure.ac        - configure script source
dlpisubs.c          - DLPI-related functions for pcap-dlpi.c and pcap-libdlpi.c
dlpisubs.h          - DLPI-related function declarations
etherent.c          - /etc/ethers support routines
ethertype.h         - Ethernet protocol types and names definitions
fad-getad.c         - pcap_findalldevs() for systems with getifaddrs()
fad-gifc.c          - pcap_findalldevs() for systems with only SIOCGIFLIST
fad-glifc.c         - pcap_findalldevs() for systems with SIOCGLIFCONF
filtertest.c        - test program for BPF compiler
findalldevstest.c   - test program for pcap_findalldevs()
gencode.c           - BPF code generation routines
gencode.h           - BPF code generation definitions
grammar.y           - filter string grammar
ieee80211.h         - 802.11 definitions
install-sh          - BSD style install script
lbl/os-*.h          - OS-dependent defines and prototypes
llc.h               - 802.2 LLC SAP definitions
missing/*           - replacements for missing library functions
mkdep               - construct Makefile dependency list
msdos/*             - drivers for MS-DOS capture support
nametoaddr.c        - hostname to address routines
nlpid.h             - OSI network layer protocol identifier definitions
net                 - symlink to bpf/net
optimize.c          - BPF optimization routines
pcap/bluetooth.h    - public definition of DLT_BLUETOOTH_HCI_H4_WITH_PHDR header
pcap/bpf.h          - BPF definitions
pcap/namedb.h       - public libpcap name database definitions
pcap/pcap.h         - public libpcap definitions
pcap/sll.h          - public definition of DLT_LINUX_SLL header
pcap/usb.h          - public definition of DLT_USB header
pcap-bpf.c          - BSD Packet Filter support
pcap-bpf.h          - header for backwards compatibility
pcap-bt-linux.c     - Bluetooth capture support for Linux
pcap-bt-linux.h     - Bluetooth capture support for Linux
pcap-dag.c          - Endace DAG device capture support
pcap-dag.h          - Endace DAG device capture support
pcap-dlpi.c         - Data Link Provider Interface support
pcap-dos.c          - MS-DOS capture support
pcap-dos.h          - headers for MS-DOS capture support
pcap-enet.c         - enet support
pcap-int.h          - internal libpcap definitions
pcap-libdlpi.c      - Data Link Provider Interface support for systems with libdlpi
pcap-linux.c        - Linux packet socket support
pcap-namedb.h       - header for backwards compatibility
pcap-nit.c          - SunOS Network Interface Tap support
pcap-nit.h          - SunOS Network Interface Tap definitions
pcap-npf.c          - WinPcap capture support
pcap-null.c         - dummy monitor support (allows offline use of libpcap)
pcap-pf.c           - Ultrix and Digital/Tru64 UNIX Packet Filter support
pcap-pf.h           - Ultrix and Digital/Tru64 UNIX Packet Filter definitions
pcap-septel.c       - Intel/Septel device capture support
pcap-septel.h       - Intel/Septel device capture support
pcap-sita.c         - SITA device capture support
pcap-sita.h         - SITA device capture support
pcap-sita.html      - SITA device capture documentation
pcap-stdinc.h       - includes and #defines for compiling on Win32 systems
pcap-snit.c         - SunOS 4.x STREAMS-based Network Interface Tap support
pcap-snoop.c        - IRIX Snoop network monitoring support
pcap-usb-linux.c    - USB capture support for Linux
pcap-usb-linux.h    - USB capture support for Linux
pcap.3pcap          - manual entry for the library
pcap.c              - pcap utility routines
pcap.h              - header for backwards compatibility
pcap_*.3pcap        - manual entries for library functions
pcap-filter.4       - manual entry for filter syntax
pcap-linktype.4     - manual entry for link-layer header types
ppp.h               - Point to Point Protocol definitions
savefile.c          - offline support
scanner.l           - filter string scanner
sunatmpos.h         - definitions for SunATM capturing
Win32               - headers and routines for building on Win32 systems