README.Win32.md
1Building libpcap on Windows with Visual Studio
2==============================================
3
4Unlike the UN*Xes on which libpcap can capture network traffic, Windows
5has no network traffic capture mechanism that libpcap can use.
6Therefore, libpcap requires a driver, and a library to access the
7driver, provided by the Npcap or WinPcap projects.
8
9Those projects include versions of libpcap built to use that driver and
10library; these instructions are for people who want to build libpcap
11source releases, or libpcap from the Git repository, as a replacement
12for the version provided with Npcap or WinPcap.
13
14Npcap and WinPcap SDK
15---------------------
16
17In order to build libpcap, you will need to download Npcap and its
18software development kit (SDK) or WinPcap and its software development
19kit.
20
21Npcap is currently being developed and maintained, and offers many
22additional capabilities that WinPcap does not.
23
24WinPcap is no longer being developed or maintained; it should be used
25only if there is some other requirement to use it rather than Npcap,
26such as a requirement to support versions of Windows earlier than
27Windows Vista, which is the earliest version supported by Npcap.
28
29Npcap and its SDK can be downloaded from its home page:
30
31 https://npcap.org
32
33The SDK is a ZIP archive; create a folder on your C: drive, e.g.
34C:\npcap-sdk, and put the contents of the ZIP archive into that folder.
35
36The WinPcap installer can be downloaded from
37
38 https://www.winpcap.org/install/default.htm
39
40and the WinPcap Developer's Kit can be downloaded from
41
42 https://www.winpcap.org/devel.htm
43
44Required build tools
45--------------------
46
47The Developer's Kit is a ZIP archive; it contains a folder named
48WpdPack, which you should place on your C: drive, e.g. C:\WpdPack.
49
50Building libpcap on Windows requires Visual Studio 2015 or later. The
51Community Edition of Visual Studio can be downloaded at no cost from
52
53 https://visualstudio.microsoft.com
54
55Additional tools are also required. Chocolatey is a package manager for
56Windows with which those tools, and other tools, can be installed; it
57can be downloaded from
58
59 https://chocolatey.org
60
61It is a command-line tool; a GUI tool, Chocolatey GUI, is provided as a
62Chocolatey package, which can be installed from the command line:
63
64 choco install chocolateygui
65
66For convenience, the "choco install" command can be run with the "-y"
67flag, forcing it to automatically answer all questions asked of the user
68with "yes":
69
70 choco install -y chocolateygui
71
72The required tools are:
73
74### CMake ###
75
76libpcap does not provide supported project files for Visual Studio
77(there are currently unsupported project files provided, but we do not
78guarantee that they will work or that we will continue to provide them).
79It does provide files for CMake, which is a cross-platform tool that
80runs on UN*Xes and on Windows and that can generate project files for
81UN*X Make, the Ninja build system, and Visual Studio, among other build
82systems.
83
84Visual Studio 2015 does not provide CMake; an installer can be
85downloaded from
86
87 https://cmake.org/download/
88
89When you run the installer, you should choose to add CMake to the system
90PATH for all users and to create the desktop icon.
91
92CMake can also be installed as the Chocolatey package "cmake":
93
94 choco install -y cmake
95
96Visual Studio 2017 and later provide CMake, so you will not need to
97install CMake if you have installed Visual Studio 2017 or later. They
98include built-in support for CMake-based projects:
99
100 https://devblogs.microsoft.com/cppblog/cmake-support-in-visual-studio/
101
102For Visual Studio 2017, make sure "Visual C++ tools for CMake" is
103installed; for Visual Studio 2019, make sure "C++ CMake tools for
104Windows" is intalled.
105
106### winflexbison ###
107
108libpcap uses the Flex lexical-analyzer generator and the Bison or
109Berkeley YACC parser generators to generate the parser for filter
110expressions. Windows versions of Flex and Bison can be downloaded from
111
112 https://sourceforge.net/projects/winflexbison/
113
114The downloaded file is a ZIP archive; create a folder on your C: drive,
115e.g. C:\Program Files\winflexbison, and put the contents of the ZIP
116archive into that folder. Then add that folder to the system PATH
117environment variable.
118
119Git
120---
121
122An optional tool, required only if you will be building from a Git
123repository rather than from a release source tarball, is Git. Git is
124provided as an optional installation component, "Git for Windows", with
125Visual Studio 2017 and later.
126
127Building from the Visual Studio GUI
128-----------------------------------
129
130### Visual Studio 2017 ###
131
132Open the folder containing the libpcap source with Open > Folder.
133Visual Studio will run CMake; however, you will need to indicate where
134the Npcap or WinPcap SDK is installed.
135
136To do this, go to Project > "Change CMake Settings" > pcap and:
137
138Choose which configuration type to build, if you don't want the default
139Debug build.
140
141In the CMakeSettings.json tab, change cmakeCommandArgs to include
142
143 -DPacket_ROOT={path-to-sdk}
144
145where {path-to-sdk} is the path of the directory containing the Npcap or
146WinPcap SDK. Note that backslashes in the path must be specified as two
147backslashes.
148
149Save the configuration changes with File > "Save CMakeSettings.json" or
150with control-S.
151
152Visual Studio will then re-run CMake. If that completes without errors,
153you can build with CMake > "Build All".
154
155### Visual Studio 2019 ###
156
157Open the folder containing the libpcap source with Open > Folder.
158Visual Studio will run CMake; however, you will need to indicate where
159the Npcap or WinPcap SDK is installed.
160
161To do this, go to Project > "CMake Settings for pcap" and:
162
163Choose which configuration type to build, if you don't want the default
164Debug build.
165
166Scroll down to "Cmake variables and cache", scroll through the list
167looking for the entry for Packet_ROOT, and either type in the path of
168the directory containing the Npcap or WinPcap SDK or use the "Browse..."
169button to browse for that directory.
170
171Save the configuration changes with File > "Save CMakeSettings.json" or
172with control-S.
173
174Visual Studio will then re-run CMake. If that completes without errors,
175you can build with Build > "Build All".
176
177Building from the command line
178------------------------------
179
180Start the appropriate Native Tools command line prompt.
181
182Change to the directory into which you want to build libpcap, possibly
183after creating it first. One choice is to create it as a subdirectory
184of the libpcap source directory.
185
186Run the command
187
188 cmake "-DPacket_ROOT={path-to-sdk}" {path-to-libpcap-source}
189
190where {path-to-sdk} is the path of the directory containing the Npcap or
191WinPcap SDK and {path-to-libpcap-source} is the pathname of the
192top-level source directory for libpcap.
193
194Run the command
195
196 msbuild/m pcap.sln
197
198to compile libpcap.
199
README.aix
1Using BPF:
2
3(1) AIX 4.x's version of BPF is undocumented and somewhat unstandard; the
4 current BPF support code includes changes that should work around
5 that; it appears to compile and work on at least one AIX 4.3.3
6 machine.
7
8 Note that the BPF driver and the "/dev/bpf" devices might not exist
9 on your machine; AIX's tcpdump loads the driver and creates the
10 devices if they don't already exist. Our libpcap should do the
11 same, and the configure script should detect that it's on an AIX
12 system and choose BPF even if the devices aren't there.
13
14 Also note that tcpdump _binary_ compiled on AIX 4 may have a problem
15 doing the initial loading of the BPF driver if copied to AIX 5 and
16 run there (GH #52). tcpdump binary natively compiled on AIX 5 should
17 not have this issue.
18
19(2) If libpcap doesn't compile on your machine when configured to use
20 BPF, or if the workarounds fail to make it work correctly, you
21 should send to tcpdump-workers@lists.tcpdump.org a detailed bug
22 report (if the compile fails, send us the compile error messages;
23 if it compiles but fails to work correctly, send us as detailed as
24 possible a description of the symptoms, including indications of the
25 network link-layer type being wrong or time stamps being wrong).
26
27 If you fix the problems yourself, please submit a patch by forking
28 the branch at
29
30 https://github.com/the-tcpdump-group/libpcap/tree/master
31
32 and issuing a pull request, so we can incorporate the fixes into the
33 next release.
34
35 If you don't fix the problems yourself, you can, as a workaround,
36 make libpcap use DLPI instead of BPF.
37
38 This can be done by specifying the flag:
39
40 --with-pcap=dlpi
41
42 to the "configure" script for libpcap.
43
44If you use DLPI:
45
46(1) It is a good idea to have the latest version of the DLPI driver on
47 your system, since certain versions may be buggy and cause your AIX
48 system to crash. DLPI is included in the fileset bos.rte.tty. I
49 found that the DLPI driver that came with AIX 4.3.2 was buggy, and
50 had to upgrade to bos.rte.tty 4.3.2.4:
51
52 lslpp -l bos.rte.tty
53
54 bos.rte.tty 4.3.2.4 COMMITTED Base TTY Support and Commands
55
56 Updates for AIX filesets can be obtained from:
57 ftp://service.software.ibm.com/aix/fixes/
58
59 These updates can be installed with the smit program.
60
61(2) After compiling libpcap, you need to make sure that the DLPI driver
62 is loaded. Type:
63
64 strload -q -d dlpi
65
66 If the result is:
67
68 dlpi: yes
69
70 then the DLPI driver is loaded correctly.
71
72 If it is:
73
74 dlpi: no
75
76 Then you need to type:
77
78 strload -f /etc/dlpi.conf
79
80 Check again with strload -q -d dlpi that the dlpi driver is loaded.
81
82 Alternatively, you can uncomment the lines for DLPI in
83 /etc/pse.conf and reboot the machine; this way DLPI will always
84 be loaded when you boot your system.
85
86(3) There appears to be a problem in the DLPI code in some versions of
87 AIX, causing a warning about DL_PROMISC_MULTI failing; this might
88 be responsible for DLPI not being able to capture outgoing packets.
89
README.capture-module
1 How to write a libpcap module
2
3WARNING: this document describes an unstable interface; future releases
4of libpcap may, and some probably will, change the interface in an
5incompatible fashion. If you submit your module to the libpcap
6developers for inclusion in libpcap, not only does that make it more
7likely that it will be available in the libpcap provided by operating
8system vendors (such as Linux distributions), but it also means that we
9will attempt to update it to handle future changes to this interface.
10If we add new capabilities, we may have to ask you how to provide those
11additional capabilities if you're using an underlying mechanism for
12which we have neither the source code nor the documentation.
13
14NOTE: this document assumes familiarity with the entire libpcap API.
15
16TODO: more routines, more stuff that the activate routine has to do
17(such as setting the list of DLT_s), convert to Markdown?
18
19On Linux, *BSD, macOS, Solaris, AIX, HP-UX, IRIX, and Tru64 UNIX,
20Libpcap supports capturing on network interfaces as supported by the
21operating system networking stack, using the native packet capture
22mechanism provided by the OS. On Windows, it supports it with the help
23of the driver and library supplied by WinPcap and Npcap.
24
25In addition, it also supports capturing on other types of devices, such
26as:
27
28 specialized capture cards, such as Endace DAG cards;
29
30 network adapters that provide special high-performance code
31 paths, such as CSPI Myricom adapters;
32
33 buses such as USB;
34
35 software communication channels such as D-Bus and Linux netlink;
36
37 etc..
38
39Support for those devices is provided by modules compiled into libpcap.
40
41If you want to add such a module, you would first have to check the list
42of link-layer header types supported by libpcap, to see if one of those
43would be sufficient for your device. The current version of the list
44can be found at
45
46 https://www.tcpdump.org/linktypes.html
47
48If none of those would work for your device, please read
49doc/DLT_ALLOCATE_HOWTO.md and the introductory paragraphs on the Web
50page mentioned above, and then send a request for the new link-layer
51header type to tcpdump-workers@lists.tcpdump.org.
52
53Once you have a link-layer header type value or values that you can use,
54you can add new module.
55
56The module should be a C source file, with a name of the form
57pcap-{MOD}.c, where {MOD} is a name appropriate for your device; for
58example, the support for DAG cards is in pcap-dag.c, and the support for
59capturing USB traffic on Linux is pcap-usb-linux.c.
60
61Your module is assumed to support one or more named devices. The names
62should be relatively short names, containing only lower-case
63alphanumeric characters, consisting of a prefix that ends with an
64alphabetic character and, if there can be more than one device instance,
65possibly followed by a numerical device ID, such as "mydevice" or
66"mydevice0"/"mydevice1"/.... If you have more than one type of device
67that you can support, you can have more than one prefix, each of which
68can be followed by a numerical device ID.
69
70The two exported functions that your module must provide are routines to
71provide a list of device instances and a program to initialize a
72created-but-not-activated pcap_t for an instance of one of your devices.
73
74The "list of device instances" routine takes, as arguments:
75
76 a pointer to a pcap_if_list_t;
77
78 a pointer to an error message buffer.
79
80The error message buffer may be assumed to be PCAP_ERRBUF_SIZE bytes
81large, but must not be assumed to be larger. By convention, the routine
82typically has a name containing "findalldevs".
83
84The routine should attempt to determine what device instances are
85available and add them to the list pointed to by the first argument;
86this may be impossible for some modules, but, for those modules, it may
87be difficult to capture on the devices using Wirehshark (although it
88should be possible to capture on them using tcpdump, TShark, or other
89programs that take a device name on the command line), so we recommend
90that your routine provide the list of devices if possible. If it
91cannot, it should just immediately return 0.
92
93The routine should add devices to the list by calling the add_dev()
94routine in libpcap, declared in the pcap-int.h header. It takes, as
95arguments:
96
97 the pointer to the pcap_if_list_t passed as an argument to the
98 routine;
99
100 the device name, as described above;
101
102 a 32-bit word of flags, as provided by pcap_findalldevs();
103
104 a text description of the device, or NULL if there is no
105 description;
106
107 the error message buffer pointer provided to the routine.
108
109add_dev() will, if it succeeds, return a pointer to a pcap_if_t that was
110added to the list of devices. If it fails, it will return NULL; in this
111case, the error message buffer has been filled in with an error string,
112and your routine must return -1 to indicate the error.
113
114If your routine succeeds, it must return 0. If it fails, it must fill
115in the error message buffer with an error string and return -1.
116
117The "initialize the pcap_t" routine takes, as arguments:
118
119 a pointer to a device name;
120
121 a pointer to an error message buffer;
122
123 a pointer to an int.
124
125It returns a pointer to a pcap_t.
126
127Your module will probably need, for each pcap_t for an opened device, a
128private data structure to maintain its own information about the opened
129device. These should be allocated per opened instance, not per device;
130if, for example, mydevice0 can be captured on by more than one program
131at the same time, there will be more than one pcap_t opened for
132mydevice0, and so there will be separate private data structures for
133each pcap_t. If you need to maintain per-device, rather than per-opened
134instance information, you will have to maintain that yourself.
135
136The routine should first check the device to see whether it looks like a
137device that this module would handle; for example, it should begin with
138one of the device name prefixes for your module and, if your devices
139have instance numbers, be followed by a number. If it is not one of
140those devices, you must set the integer pointed to by the third
141argument to 0, to indicate that this is *not* one of the devices for
142your module, and return NULL.
143
144If it *is* one of those devices, it should call pcap_create_common,
145passing to it the error message buffer as the first argument and the
146size of the per-opened instance data structure as the second argument.
147If it fails, it will return NULL; you must return NULL in this case.
148
149If it succeeds, the pcap_t pointed to by the return value has been
150partially initialized, but you will need to complete the process. It
151has a "priv" member, which is a void * that points to the private data
152structure attached to it; that structure has been initialized to zeroes.
153
154What you need to set are some function pointers to your routines to
155handle certain operations:
156
157 activate_op
158 the routine called when pcap_activate() is done on the
159 pcap_t
160
161 can_set_rfmon_op
162 the routine called when pcap_can_set_rfmon() is done on
163 the pcap_t - if your device doesn't support 802.11
164 monitor mode, you can leave this as initialized by
165 pcap_create_common(), as that routine will return "no,
166 monitor mode isn't supported".
167
168Once you've set the activate_op and, if necessary, the can_set_rfmon_op,
169you must return the pcap_t * that was returned to you.
170
171Your activate routine takes, as an argument, a pointer to the pcap_t
172being activated, and returns an int.
173
174The perameters set for the device in the pcap_create() call, and after
175that call(), are mostly in the opt member of the pcap_t:
176
177 device
178 the name of the device
179
180 timeout
181 the buffering timeout, in milliseconds
182
183 buffer_size
184 the buffer size to use
185
186 promisc
187 1 if promiscuous mode is to be used, 0 otherwise
188
189 rfmon
190 1 if monitor mode is to be used, 0 otherwise
191
192 immediate
193 1 if the device should be in immediate mode, 0 otherwise
194
195 nonblock
196 1 if the device should be in non-blocking mode, 0
197 otherwise
198
199 tstamp_type
200 the type of time stamp to supply
201
202 tstamp_precision
203 the time stamp precision to supply
204
205The snapshot member of the pcap_t structure will contain the snapshot
206length to be used.
207
208Your routine should attempt to set up the device for capturing. If it
209fails, it must return an error indication which is one of the PCAP_ERROR
210values. For PCAP_ERROR, it must also set the errbuf member of the
211pcap_t to an error string. For PCAP_ERROR_NO_SUCH_DEVICE and
212PCAP_ERROR_PERM_DENIED, it may set it to an error string providing
213additional information that may be useful for debugging, or may just
214leave it as a null string.
215
216If it succeeds, it must set certain function pointers in the pcap_t
217structure:
218
219 read_op
220 called whenever packets are to be read
221
222 inject_op
223 called whenever packets are to be injected
224
225 setfilter_op
226 called whenever pcap_setfilter() is called
227
228 setdirection_op
229 called whenever pcap_setdirection() is called
230
231 set_datalink_op
232 called whnever pcap_set_datalink() is called
233
234 getnonblock_op
235 called whenever pcap_getnonblock() is called
236
237 setnonblock_op
238 called whenever pcap_setnonblock() is called
239
240 stats_op
241 called whenever pcap_stats() is called
242
243 cleanup_op
244 called if the activate routine fails or pcap_close() is
245 called
246
247and must also set the linktype member to the DLT_ value for the device.
248
249On UN*Xes, if the device supports waiting for packets to arrive with
250select()/poll()/epoll()/kqueues etc., it should set the selectable_fd
251member of the structure to the descriptor you would use with those
252calls. If it does not, then, if that's because the device polls for
253packets rather than receiving interrupts or other signals when packets
254arrive, it should have a struct timeval in the private data structure,
255set the value of that struct timeval to the poll timeout, and set the
256required_select_timeout member of the pcap_t to point to the struct
257timeval.
258
259The read_op routine is called when pcap_dispatch(), pcap_loop(),
260pcap_next(), or pcap_next_ex() is called. It is passed the same
261arguments as pcap_dispatch() is called.
262
263The routine should first check if the break_loop member of the pcap_t is
264non-zero and, if so, set that member to zero and return
265PCAP_ERROR_BREAK.
266
267Then, if the pcap_t is in blocking mode (as opposed to non-blocking
268mode), and there are no packets immediately available to be passed to
269the callback, it should block waiting for packets to arrive, using the
270buffering timeout, first, and read packets from the device if necessary.
271
272Then it should loop through the available packets, calling the callback
273routine for each packet:
274
275 If the PACKET_COUNT_IS_UNLIMITED() macro evaluates to true when
276 passed the packet count argument, the loop should continue until
277 there are no more packets immediately available or the
278 break_loop member of the pcap_t is non-zero. If the break_loop
279 member is fount to be non-zero, it should set that member to
280 zero and return PCAP_ERROR_BREAK.
281
282 If it doesn't evaluat to true, then the loop should also
283 terminate if the specified number of packets have been delivered
284 to the callback.
285
286Note that there is *NO* requirement that the packet header or data
287provided to the callback remain available, or valid, after the callback
288routine returns; if the callback needs to save the data for other code
289to use, it must make a copy of that data. This means that the module is
290free to, for example, overwrite the buffer into which it read the
291packet, or release back to the kernel a packet in a memory-mapped
292buffer shared between the kernel and userland, after the callback
293returns.
294
295If an error occurs when reading packets from the device, it must set the
296errbuf member of the pcap_t to an error string and return PCAP_ERROR.
297
298If no error occurs, it must return the number of packets that were
299supplied to the callback routine.
300
301The inject routine is passed a pointer to the pcap_t, a buffer
302containing the contents of the packet to inject, and the number of bytes
303in the packet. If the device doesn't support packet injection, the
304routine must set the errbuf member of the pcap_t to a message indicating
305that packet injection isn't supported and return PCAP_ERROR. Otherwise,
306it should attempt to inject the packet; if the attempt fails, it must
307set the errbuf member of the pcap_t to an error message and return
308PCAP_ERROR. Otherwise, it should return the number of bytes injected.
309
310The setfilter routine is passed a pointer to the pcap_t and a pointer
311to a struct bpf_program containing a BPF program to be used as a filter.
312If the mechanism used by your module can perform filtering with a BPF
313program, it would attempt to set that filter to the specified program.
314
315If that failed because the program was too large, or used BPF features
316not supported by that mechanism, the module should fall back on
317filtering in userland by saving a copy of the filter with a call to
318install_bpf_program(), setting a flag in the private data instructure
319indicating that filtering is being done by the module and, in the read
320routine's main loop, checking the flag and, if it's set, calling
321pcap_filter(), passing it the fcode.bf_insns member of the pcap_t, the
322raw packet data, the on-the-wire length of the packet, and the captured
323length of the packet, and only passing the packet to the callback
324routine, and counting it, if pcap_filter() returns a non-zero value.
325(If the flag is not set, all packets should be passed to the callback
326routine and counted, as the filtering is being done by the mechanism
327used by the module.) If install_bpf_program() returns a negative value,
328the routine should return PCAP_ERROR.
329
330If the attempt to set the filter failed for any other reason, the
331routine must set the errbuf member of the pcap_t to an error message and
332return PCAP_ERROR.
333
334If the attempt to set the filter succeeded, or it failed because the
335mechanism used by the module rejected it and the call to
336install_bpf_program() succeeded, the routine should return 0.
337
338If the mechanism the module uses doesn't support filtering, the pointer
339to the setfilter routine can just be set to point to
340install_bpf_program; the module does not need a routine of its own to
341handle that.
342
343The setdirection routine is passed a pointer to the pcap_t and a
344pcap_direction_t indicating which packet directions should be accepted.
345If the module can't arrange to handle only incoming packets or only
346outgoing packets, it can set the pointer to the setdirection routine to
347NULL, and calls to pcap_setdirection() will fail with an error message
348indicating that setting the direction isn't supported.
349
350XXX describe set_datalink, including what the activate routine has to do
351XXX
352
353XXX describe the rest of the routines XXX
354
README.dag
1
2The following instructions apply if you have a Linux or FreeBSD platform and
3want libpcap to support the DAG range of passive network monitoring cards from
4Endace (https://www.endace.com, see below for further contact details).
5
61) Install and build the DAG software distribution by following the
7instructions supplied with that package. Current Endace customers can download
8the DAG software distribution from https://www.endace.com
9
102) Configure libcap. To allow the 'configure' script to locate the DAG
11software distribution use the '--with-dag' option:
12
13 ./configure --with-dag=DIR
14
15Where DIR is the root of the DAG software distribution, for example
16/var/src/dag. If the DAG software is correctly detected 'configure' will
17report:
18
19 checking whether we have DAG API... yes
20
21If 'configure' reports that there is no DAG API, the directory may have been
22incorrectly specified or the DAG software was not built before configuring
23libpcap.
24
25See also the libpcap INSTALL.txt file for further libpcap configuration
26options.
27
28Building libpcap at this stage will include support for both the native packet
29capture stream (linux or bpf) and for capturing from DAG cards. To build
30libpcap with only DAG support specify the capture type as 'dag' when
31configuring libpcap:
32
33 ./configure --with-dag=DIR --with-pcap=dag
34
35Applications built with libpcap configured in this way will only detect DAG
36cards and will not capture from the native OS packet stream.
37
38----------------------------------------------------------------------
39
40Libpcap when built for DAG cards against dag-2.5.1 or later releases:
41
42Timeouts are supported. pcap_dispatch() will return after to_ms milliseconds
43regardless of how many packets are received. If to_ms is zero pcap_dispatch()
44will block waiting for data indefinitely.
45
46pcap_dispatch() will block on and process a minimum of 64kB of data (before
47filtering) for efficiency. This can introduce high latencies on quiet
48interfaces unless a timeout value is set. The timeout expiring will override
49the 64kB minimum causing pcap_dispatch() to process any available data and
50return.
51
52pcap_setnonblock is supported. When nonblock is set, pcap_dispatch() will
53check once for available data, process any data available up to count, then
54return immediately.
55
56pcap_findalldevs() is supported, e.g. dag0, dag1...
57
58Some DAG cards can provide more than one 'stream' of received data.
59This can be data from different physical ports, or separated by filtering
60or load balancing mechanisms. Receive streams have even numbers, e.g.
61dag0:0, dag0:2 etc. Specifying transmit streams for capture is not supported.
62
63pcap_setfilter() is supported, BPF programs run in userspace.
64
65pcap_setdirection() is not supported. Only received traffic is captured.
66DAG cards normally do not have IP or link layer addresses assigned as
67they are used to passively monitor links.
68
69pcap_breakloop() is supported.
70
71pcap_datalink() and pcap_list_datalinks() are supported. The DAG card does
72not attempt to set the correct datalink type automatically where more than
73one type is possible.
74
75pcap_stats() is supported. ps_drop is the number of packets dropped due to
76RX stream buffer overflow, this count is before filters are applied (it will
77include packets that would have been dropped by the filter). The RX stream
78buffer size is user configurable outside libpcap, typically 16-512MB.
79
80pcap_get_selectable_fd() is not supported, as DAG cards do not support
81poll/select methods.
82
83pcap_inject() and pcap_sendpacket() are not supported.
84
85Some DAG cards now support capturing to multiple virtual interfaces, called
86streams. Capture streams have even numbers. These are available via libpcap
87as separate interfaces, e.g. dag0:0, dag0:2, dag0:4 etc. dag0:0 is the same
88as dag0. These are visible via pcap_findalldevs().
89
90libpcap now does NOT set the card's hardware snaplen (slen). This must now be
91set using the appropriate DAG configuration program, e.g. dagthree, dagfour,
92dagsix, dagconfig. This is because the snaplen is currently shared between
93all of the streams. In future this may change if per-stream slen is
94implemented.
95
96DAG cards by default capture entire packets including the L2
97CRC/FCS. If the card is not configured to discard the CRC/FCS, this
98can confuse applications that use libpcap if they're not prepared for
99packets to have an FCS.
100
101Libpcap now reads the environment variable ERF_FCS_BITS to determine
102how many bits of CRC/FCS to strip from the end of the captured
103frame. This defaults to 32 for use with Ethernet. If the card is
104configured to strip the CRC/FCS, then set ERF_FCS_BITS=0. If used with
105a HDLC/PoS/PPP/Frame Relay link with 16 bit CRC/FCS, then set
106ERF_FCS_BITS=16.
107
108If you wish to create a pcap file that DOES contain the Ethernet FCS,
109specify the environment variable ERF_DONT_STRIP_FCS. This will cause
110the existing FCS to be captured into the pcap file. Note some
111applications may incorrectly report capture errors or oversize packets
112when reading these files.
113
114----------------------------------------------------------------------
115
116Please submit bug reports via <support@endace.com>.
117
118Please also visit our Web site at:
119
120 https://www.endace.com/
121
122For more information about Endace DAG cards contact <sales@endace.com>.
123
README.hpux
1For HP-UX 11i (11.11) and later, there are no known issues with
2promiscuous mode under HP-UX. If you are using a earlier version of
3HP-UX and cannot upgrade, please continue reading.
4
5HP-UX patches to fix packet capture problems
6
7Note that packet-capture programs such as tcpdump may, on HP-UX, not be
8able to see packets sent from the machine on which they're running.
9Some articles on groups.google.com discussing this are:
10
11 https://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE
12
13which says:
14
15 Newsgroups: comp.sys.hp.hpux
16 Subject: Re: Did someone made tcpdump working on 10.20 ?
17 Date: 12/08/1999
18 From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE>
19
20 In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp>
21 wrote:
22 >Hello,
23 >
24 >I downloaded and compiled tcpdump3.4 a couple of week ago. I tried to use
25 >it, but I can only see incoming data, never outgoing.
26 >Someone (raj) explained me that a patch was missing, and that this patch
27 >must me "patched" (poked) in order to see outbound data in promiscuous mode.
28 >Many things to do .... So the question is : did someone has already this
29 >"ready to use" PHNE_**** patch ?
30
31 Two things:
32 1. You do need a late "LAN products cumulative patch" (e.g. PHNE_18173
33 for s700/10.20).
34 2. You must use
35echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
36 You can insert this e.g. into /sbin/init.d/lan
37
38 Best regards,
39 Lutz
40
41and
42
43 http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com
44
45which says:
46
47 Newsgroups: comp.sys.hp.hpux
48 Subject: Re: tcpdump only shows incoming packets
49 Date: 02/15/2000
50 From: Rick Jones <foo@bar.baz.invalid>
51
52 Harald Skotnes <harald@cc.uit.no> wrote:
53 > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
54 > compiled libpcap-0.4 an tcpdump-3.4 and it seems to work. But at a
55 > closer look I only get to see the incoming packets not the
56 > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
57 > same thing happens. Could someone please give me a hint on how to
58 > get this right?
59
60 Search/Read the archives ?-)
61
62 What you are seeing is expected, un-patched, behaviour for an HP-UX
63 system. On 11.00, you need to install the latest lancommon/DLPI
64 patches, and then the latest driver patch for the interface(s) in use.
65 At that point, a miracle happens and you should start seeing outbound
66 traffic.
67
68[That article also mentions the patch that appears below.]
69
70and
71
72 https://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no
73
74which says:
75
76 Newsgroups: comp.sys.hp.hpux
77 Subject: Re: tcpdump only shows incoming packets
78 Date: 02/16/2000
79 From: Harald Skotnes <harald@cc.uit.no>
80
81 Rick Jones wrote:
82
83 ...
84
85 > What you are seeing is expected, un-patched, behaviour for an HP-UX
86 > system. On 11.00, you need to install the latest lancommon/DLPI
87 > patches, and then the latest driver patch for the interface(s) in
88 > use. At that point, a miracle happens and you should start seeing
89 > outbound traffic.
90
91 Thanks a lot. I have this problem on several machines running HPUX
92 10.20 and 11.00. The machines where patched up before y2k so did not
93 know what to think. Anyway I have now installed PHNE_19766,
94 PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
95 outbound traffic too. Thanks again.
96
97(although those patches may not be the ones to install - there may be
98later patches).
99
100And another message to tcpdump-workers@tcpdump.org, from Rick Jones:
101
102 Date: Mon, 29 Apr 2002 15:59:55 -0700
103 From: Rick Jones
104 To: tcpdump-workers@tcpdump.org
105 Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic
106
107 ...
108
109 http://itrc.hp.com/ would be one place to start in a search for the most
110 up-to-date patches for DLPI and the lan driver(s) used on your system (I
111 cannot guess because 9000/800 is too generic - one hs to use the "model"
112 command these days and/or an ioscan command (see manpage) to guess what
113 the drivers (btlan[3456], gelan, etc) might be involved in addition to
114 DLPI.
115
116 Another option is to upgrade to 11i as outbound promiscuous mode support
117 is there in the base OS, no patches required.
118
119Another posting:
120
121 https://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com
122
123indicates that you need to install the optional STREAMS product to do
124captures on HP-UX 9.x:
125
126 Newsgroups: comp.sys.hp.hpux
127 Subject: Re: tcpdump HP/UX 9.x
128 Date: 03/22/1999
129 From: Rick Jones <foo@bar.baz>
130
131 Dave Barr (barr@cis.ohio-state.edu) wrote:
132 : Has anyone ported tcpdump (or something similar) to HP/UX 9.x?
133
134 I'm reasonably confident that any port of tcpdump to 9.X would require
135 the (then optional) STREAMS product. This would bring DLPI, which is
136 what one uses to access interfaces in promiscuous mode.
137
138 I'm not sure that HP even sells the 9.X STREAMS product any longer,
139 since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K
140 devices).
141
142 Your best bet is to be up on 10.20 or better if that is at all
143 possible. If your hardware is supported by it, I'd go with HP-UX 11.
144 If you want to see the system's own outbound traffic, you'll never get
145 that functionality on 9.X, but it might happen at some point for 10.20
146 and 11.X.
147
148 rick jones
149
150(as per other messages cited here, the ability to see the system's own
151outbound traffic did happen).
152
153Rick Jones reports that HP-UX 11i needs no patches for outbound
154promiscuous mode support.
155
156An additional note, from Jost Martin, for HP-UX 10.20:
157
158 Q: How do I get ethereral on HPUX to capture the _outgoing_ packets
159 of an interface
160 A: You need to get PHNE_20892,PHNE_20725 and PHCO_10947 (or
161 newer, this is as of 4.4.00) and its dependencies. Then you can
162 enable the feature as described below:
163
164 Patch Name: PHNE_20892
165 Patch Description: s700 10.20 PCI 100Base-T cumulative patch
166 To trace the outbound packets, please do the following
167 to turn on a global promiscuous switch before running
168 the promiscuous applications like snoop or tcpdump:
169
170 adb -w /stand/vmunix /dev/mem
171 lanc_outbound_promisc_flag/W 1
172 (adb will echo the result showing that the flag has
173 been changed)
174 $quit
175 (Thanks for this part to HP-support, Ratingen)
176
177 The attached hack does this and some security-related stuff
178 (thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who
179 posted the security-part some time ago)
180
181 <<hack_ip_stack>>
182
183 (Don't switch IP-forwarding off, if you need it !)
184 Install the hack as /sbin/init.d/hacl_ip_stack (adjust
185 permissions !) and make a sequencing-symlink
186 /sbin/rc2.d/S350hack_ip_stack pointing to this script.
187 Now all this is done on every reboot.
188
189According to Rick Jones, the global promiscuous switch also has to be
190turned on for HP-UX 11.00, but not for 11i - and, in fact, the switch
191doesn't even exist on 11i.
192
193Here's the "hack_ip_stack" script:
194
195-----------------------------------Cut Here-------------------------------------
196#!/sbin/sh
197#
198# nettune: hack kernel parms for safety
199
200OKAY=0
201ERROR=-1
202
203# /usr/contrib/bin fuer nettune auf Pfad
204PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin
205export PATH
206
207
208##########
209# main #
210##########
211
212case $1 in
213 start_msg)
214 print "Tune IP-Stack for security"
215 exit $OKAY
216 ;;
217
218 stop_msg)
219 print "This action is not applicable"
220 exit $OKAY
221 ;;
222
223 stop)
224 exit $OKAY
225 ;;
226
227 start)
228 ;; # fall through
229
230 *)
231 print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2
232 exit $ERROR
233 ;;
234 esac
235
236###########
237# start #
238###########
239
240#
241# tcp-Sequence-Numbers nicht mehr inkrementieren sondern random
242# Syn-Flood-Protection an
243# ip_forwarding aus
244# Source-Routing aus
245# Ausgehende Packets an ethereal/tcpdump etc.
246
247/usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR
248/usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR
249/usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR
250echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR
251echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem || exit $ERROR
252
253exit $OKAY
254-----------------------------------Cut Here-------------------------------------
255
README.linux.md
1Currently, libpcap supports packet capturing on Linux 2.6.27 and later;
2earlier versions are not supported.
3
4You must configure 2.26.x kernels with the CONFIG_PACKET_MMAP option for
5this protocol. 3.x and later kernels do not require that.
6
7Note that, by default, libpcap will, if libnl is present, build with it;
8it uses libnl to support monitor mode on mac80211 devices. There is a
9configuration option to disable building with libnl, but, if that option
10is chosen, the monitor-mode APIs (as used by tcpdump's "-I" flag, and as
11will probably be used by other applications in the future) won't work
12properly on mac80211 devices.
13
14Linux's run-time linker allows shared libraries to be linked with other
15shared libraries, which means that if an older version of a shared
16library doesn't require routines from some other shared library, and a
17later version of the shared library does require those routines, the
18later version of the shared library can be linked with that other shared
19library and, if it's otherwise binary-compatible with the older version,
20can replace that older version without breaking applications built with
21the older version, and without breaking configure scripts or the build
22procedure for applications whose configure script doesn't use the
23pcap-config script if they build with the shared library. (The build
24procedure for applications whose configure scripts use the pcap-config
25script if present will not break even if they build with the static
26library.)
27
28Statistics:
29Statistics reported by pcap are platform specific. The statistics
30reported by pcap_stats on Linux are as follows:
31
32ps_recv Number of packets that were accepted by the pcap filter
33ps_drop Number of packets that had passed filtering but were not
34 passed on to pcap due to things like buffer shortage, etc.
35 This is useful because these are packets you are interested in
36 but won't be reported by, for example, tcpdump output.
37
README.macos
1As with other systems using BPF, macOS allows users with read access to
2the BPF devices to capture packets with libpcap and allows users with
3write access to the BPF devices to send packets with libpcap.
4
5On some systems that use BPF, the BPF devices live on the root file
6system, and the permissions and/or ownership on those devices can be
7changed to give users other than root permission to read or write those
8devices.
9
10On newer versions of FreeBSD, the BPF devices live on devfs, and devfs
11can be configured to set the permissions and/or ownership of those
12devices to give users other than root permission to read or write those
13devices.
14
15On macOS, the BPF devices live on devfs, but the macOS version of devfs
16is based on an older (non-default) FreeBSD devfs, and that version of
17devfs cannot be configured to set the permissions and/or ownership of
18those devices.
19
20Therefore, we supply:
21
22 a "startup item" for older versions of macOS;
23
24 a launchd daemon for Tiger and later versions of macOS;
25
26Both of them will change the ownership of the BPF devices so that the
27"admin" group owns them, and will change the permission of the BPF
28devices to rw-rw----, so that all users in the "admin" group - i.e., all
29users with "Allow user to administer this computer" turned on - have
30both read and write access to them.
31
32The startup item is in the ChmodBPF directory in the source tree. A
33/Library/StartupItems directory should be created if it doesn't already
34exist, and the ChmodBPF directory should be copied to the
35/Library/StartupItems directory (copy the entire directory, so that
36there's a /Library/StartupItems/ChmodBPF directory, containing all the
37files in the source tree's ChmodBPF directory; don't copy the individual
38items in that directory to /Library/StartupItems). The ChmodBPF
39directory, and all files under it, must be owned by root. Installing
40the files won't immediately cause the startup item to be executed; it
41will be executed on the next reboot. To change the permissions before
42the reboot, run
43
44 sudo SystemStarter start ChmodBPF
45
46The launchd daemon is the chmod_bpf script, plus the
47org.tcpdump.chmod_bpf.plist launchd plist file. chmod_bpf should be
48installed in /usr/local/bin/chmod_bpf, and org.tcpdump.chmod_bpf.plist
49should be installed in /Library/LaunchDaemons. chmod_bpf, and
50org.tcpdump.chmod_bpf.plist, must be owned by root. Installing the
51script and plist file won't immediately cause the script to be executed;
52it will be executed on the next reboot. To change the permissions
53before the reboot, run
54
55 sudo /usr/local/bin/chmod_bpf
56
57or
58
59 sudo launchctl load /Library/LaunchDaemons/org.tcpdump.chmod_bpf.plist
60
61If you want to give a particular user permission to access the BPF
62devices, rather than giving all administrative users permission to
63access them, you can have the ChmodBPF/ChmodBPF script change the
64ownership of /dev/bpf* without changing the permissions. If you want to
65give a particular user permission to read and write the BPF devices and
66give the administrative users permission to read but not write the BPF
67devices, you can have the script change the owner to that user, the
68group to "admin", and the permissions to rw-r-----. Other possibilities
69are left as an exercise for the reader.
70
71(NOTE: due to a bug in Snow Leopard, if you change the permissions not
72to grant write permission to everybody who should be allowed to capture
73traffic, non-root users who cannot open the BPF devices for writing will
74not be able to capture outgoing packets.)
75
README.septel
1The following instructions apply if you have a Linux platform and want
2libpcap to support the Septel range of passive network monitoring cards
3from Intel (https://www.intel.com)
4
51) Install and build the Septel software distribution by following the
6instructions supplied with that package.
7
82) Configure libcap. To allow the 'configure' script to locate the Septel
9software distribution use the '--with-septel' option:
10
11 ./configure --with-septel=DIR
12
13where DIR is the root of the Septel software distribution, for example
14/var/src/septel.
15
16By default (if you write only ./configure --with-septel) it takes
17./../septel as argument for DIR.
18
19If the Septel software is correctly detected 'configure' will
20report:
21
22 checking whether we have Septel API... yes
23
24If 'configure' reports that there is no Septel API, the directory may have been
25incorrectly specified or the Septel software was not built before configuring
26libpcap.
27
28See also the libpcap INSTALL.txt file for further libpcap configuration
29options.
30
31Building libpcap at this stage will include support for both the native
32packet capture stream and for capturing from Septel cards. To build
33libpcap with only Septel support specify the capture type as 'septel'
34when configuring libpcap:
35
36 ./configure --with-septel=DIR --with-pcap=septel
37
38Applications built with libpcap configured in this way will only detect Septel
39cards and will not capture from the native OS packet stream.
40
41Note: As mentioned in pcap-septel.c we should first edit the system.txt
42file to change the user part example (UPE) module id to 0xdd instead of
430x2d for technical reason. So this change in system.txt is crucial and
44things will go wrong if it's not done. System.txt along with config.txt
45are configuration files that are edited by the user before running the
46gctload program that uses these files for initialising modules and
47configuring parameters.
48
49----------------------------------------------------------------------
50for more information please contact me : gil_hoyek@hotmail.com
51
README.sita
1NOTE: this is not currently supported; the configure script doesn't
2support --with-sita, and CMake doesn't support enabling SITA ACN
3support. The code currently does not compile; it should really be
4implemented as an additional remote capture mechanism, using a URL,
5rather than as a separate version of libpcap that supports only the ACN
6product, but the infrastructure for that isn't yet available.
7
8The following instructions apply if you have a Linux platform and want
9libpcap to support the 'ACN' WAN/LAN router product from SITA
10(https://www.sita.aero)
11
12This might also work on non-Linux Unix-compatible platforms, but that
13has not been tested.
14
15See also the libpcap INSTALL.txt file for further libpcap configuration
16options.
17
18These additions/extensions have been made to PCAP to allow it to
19capture packets from a SITA ACN device (and potentially others).
20
21To enable its support you need to ensure that the distribution has
22a correct configure.ac file; that can be created if necessary by
23using the normal autoconf procedure of:
24
25aclocal
26autoconf
27autoheader
28automake
29
30Then run configure with the 'sita' option:
31
32./configure --with-sita
33
34Applications built with libpcap configured in this way will only detect SITA
35ACN interfaces and will not capture from the native OS packet stream.
36
37The SITA extension provides a remote datascope operation for capturing
38both WAN and LAN protocols. It effectively splits the operation of
39PCAP into two halves. The top layer performs the majority of the
40work, but interfaces via a TCP session to remote agents that
41provide the lower layer functionality of actual sniffing and
42filtering. More detailed information regarding the functions and
43inter-device protocol and naming conventions are described in detail
44in 'pcap-sita.html'.
45
46pcap_findalldevs() reads the local system's /etc/hosts file looking
47for host names that match the format of IOP type devices. ie. aaa_I_x_y
48and then queries each associated IP address for a list of its WAN and
49LAN devices. The local system the aggregates the lists obtained from
50each IOP, sorts it, and provides it (to Wireshark et.al) as the
51list of monitorable interfaces.
52
53Once a valid interface has been selected, pcap_open() is called
54which opens a TCP session (to a well known port) on the target IOP
55and tells it to start monitoring.
56
57All captured packets are then forwarded across that TCP session
58back to the local 'top layer' for forwarding to the actual
59sniffing program (wireshark...)
60
61Note that the DLT_SITA link-layer type includes a proprietary header
62that is documented as part of the SITA dissector of Wireshark and is
63also described in 'pcap-sita.html' for posterity sake.
64
65That header provides:
66- Packet direction (in/out) (1 octet)
67- Link layer hardware signal status (1 octet)
68- Transmit/Receive error status (2 octets)
69- Encapsulated WAN protocol ID (1 octet)
70
71
72
README.tru64
1The following instructions are applicable to Tru64 UNIX
2(formerly Digital UNIX (formerly DEC OSF/1)) version 4.0, and
3probably to later versions as well; at least some options apply to
4Digital UNIX 3.2 - perhaps all do.
5
6In order to use kernel packet filtering on this system, you have
7to configure it in such a way:
8
9Kernel configuration
10--------------------
11
12The packet filtering kernel option must be enabled at kernel
13installation. If it was not the case, you can rebuild the kernel with
14"doconfig -c" after adding the following line in the kernel
15configuration file (/sys/conf/<HOSTNAME>):
16
17 option PACKETFILTER
18
19or use "doconfig" without any arguments to add the packet filter driver
20option via the kernel option menu (see the system administration
21documentation for information on how to do this).
22
23Device configuration
24--------------------
25
26Devices used for packet filtering must be created thanks to
27the following command (executed in the /dev directory):
28
29 ./MAKEDEV pfilt
30
31Interface configuration
32-----------------------
33
34In order to capture all packets on a network, you may want to allow
35applications to put the interface on that network into "local copy"
36mode, so that tcpdump can see packets sent by the host on which it's
37running as well as packets received by that host, and to put the
38interface into "promiscuous" mode, so that tcpdump can see packets on
39the network segment not sent to the host on which it's running, by using
40the pfconfig(1) command:
41
42 pfconfig +c +p <network_device>
43
44or allow application to put any interface into "local copy" or
45"promiscuous" mode by using the command:
46
47 pfconfig +c +p -a
48
49Note: all instructions given require root privileges.
50