To build libpcap, run "./configure" (a shell script). The configure
script will determine your system attributes and generate an
appropriate Makefile from Makefile.in. Next run "make". If everything
goes well you can su to root and run "make install". However, you need
not install libpcap if you just want to build tcpdump; just make sure
the tcpdump and libpcap directory trees have the same parent
directory.

If configure says:

    configure: warning: cannot determine packet capture interface
    configure: warning: (see INSTALL for more info)

then your system either does not support packet capture or your system
does support packet capture but libpcap does not support that
particular type. (If you have HP-UX, see below.) If your system uses a
packet capture not supported by libpcap, please send us patches; don't
forget to include an autoconf fragment suitable for use in
configure.ac.

It is possible to override the default packet capture type, although
the circumstances in which this works are limited. For example, if you
have installed bpf under SunOS 4 and wish to build a snit libpcap:

    ./configure --with-pcap=snit

Another example is to force a supported packet capture type in the case
where the configure script fails to detect it.

You will need an ANSI C compiler to build libpcap. The configure script
will abort if your compiler is not ANSI compliant. If this happens, use
the generally available GNU C compiler (GCC).

You will need either Flex 2.5.31 or later, or a version of Lex
compatible with it (if any exist), to build libpcap. The configure
script will abort if there isn't any such program. If you have an older
version of Flex, or don't have a compatible version of Lex, the current
version of flex is available at flex.sourceforge.net.

You will need either Bison, Berkeley YACC, or a version of YACC
compatible with them (if any exist), to build libpcap. The configure
script will abort if there isn't any such program. If you don't have
any such program, the current version of Bison can be found at
https://ftp.gnu.org/gnu/bison/ and the current version of Berkeley YACC
can be found at https://invisible-island.net/byacc/.

Sometimes the stock C compiler does not interact well with Flex and
Bison. The list of problems includes undefined references for alloca.
You can get around this by installing GCC.

If you use Solaris, there is a bug with bufmod(7) that is fixed in
Solaris 2.3.2 (aka SunOS 5.3.2). Setting a snapshot length with the
broken bufmod(7) results in data being truncated from the FRONT of the
packet instead of the end. The workaround is to not set a snapshot
length, but this results in performance problems since the entire packet
is copied to user space. If you must run an older version of Solaris,
there is a patch available from Sun; ask for bugid 1149065. After
installing the patch, use "setenv BUFMOD_FIXED" to enable use of
bufmod(7). However, we recommend you run a more current release of
Solaris.

If you use the SPARCompiler, you must be careful to not use the
/usr/ucb/cc interface. If you do, you will get bogus warnings and
perhaps errors. Either make sure your path has /opt/SUNWspro/bin
before /usr/ucb or else:

    setenv CC /opt/SUNWspro/bin/cc

before running configure. (You might have to do a "make distclean"
if you already ran configure once).

If you are trying to do packet capture with a FORE ATM card, you may or
may not be able to. They usually only release their driver in object
code so unless their driver supports packet capture, there's not much
libpcap can do.

If you get an error like:

    tcpdump: recv_ack: bind error 0x???

when using DLPI, look for the DL_ERROR_ACK error return values, usually
in /usr/include/sys/dlpi.h, and find the corresponding value.
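The DL_ERROR_ACK lookup described above can be scripted; the sketch below reads only the error-value section of the header, because primitives and media types elsewhere in dlpi.h reuse the same small numbers. It is an added example, not part of libpcap: the function names `dlpi_errname` and `sample_header` are hypothetical, and the header excerpt is constructed in the layout of <sys/dlpi.h>.

```shell
#!/bin/sh
# Added example (not libpcap code): resolve the code in a message such as
# "tcpdump: recv_ack: bind error 0x8" to its DL_* name. Reads dlpi.h on stdin.
# dlpi_errname and sample_header are hypothetical helper names.

dlpi_errname() {
    code=${1##* }                    # last word of the message, e.g. 0x8
    case $code in
        0[xX]|0[xX]*[!0-9a-fA-F]*) return 2 ;;   # "0x" alone or non-hex digits
        0[xX]*) ;;
        *) return 2 ;;                           # no 0x prefix
    esac
    want=$(printf '%x' "$code")      # normalise: 0x08 -> 8
    awk -v want="$want" '
        # Only the error section counts: primitives and media types elsewhere
        # in the header reuse the same small numbers.
        /DL_ERROR_ACK error return values/ { insec = 1; next }
        insec && seen && /^\/\*/ { exit }        # next section comment: stop
        insec && $1 == "#define" && $2 ~ /^DL_/ {
            seen = 1
            v = tolower($3); sub(/^0x0*/, "", v); if (v == "") v = "0"
            if (v == want) { print $2; found = 1 }
        }
        END { exit !found }                      # status 1: code not listed
    '
}

# Constructed excerpt laid out like <sys/dlpi.h>; values on your system may differ.
sample_header() {
    cat <<'EOF'
#define DL_BIND_REQ     0x01    /* primitive */
#define DL_ERROR_ACK    0x05    /* primitive */
/*
 * DL_ERROR_ACK error return values
 */
#define DL_ACCESS       0x02    /* Improper permissions for request */
#define DL_SYSERR       0x04    /* UNIX system error occurred */
#define DL_BADCORR      0x05    /* Sequence number not from outstanding DL_CONN_IND */
#define DL_BADPPA       0x08    /* Specified PPA was invalid */
/*
 * DLPI media types supported
 */
#define DL_ETHER        0x4     /* Ethernet Bus */
EOF
}

sample_header | dlpi_errname "tcpdump: recv_ack: bind error 0x8"
```

On a real system, feed it the installed header instead of the sample, for example `dlpi_errname 0x8 < /usr/include/sys/dlpi.h`.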

Under {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be
enabled before it can be used. For instructions on how to enable packet
filter support, see:

    ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX

Look for the "How do I configure the Berkeley Packet Filter and capture
tcpdump traces?" item.

Once you enable packet filter support, your OSF system will support bpf
natively.

Under Ultrix, packet capture must be enabled before it can be used. For
instructions on how to enable packet filter support, see:

    ftp://ftp.digital.com/pub/Digital/dec-faq/ultrix

If you use HP-UX, you must have at least version 9 and either the
version of cc that supports ANSI C (cc -Aa) or else use the GNU C
compiler. You must also buy the optional streams package. If you don't
have:

    /usr/include/sys/dlpi.h
    /usr/include/sys/dlpi_ext.h

then you don't have the streams package. In addition, we believe you
need to install the "9.X LAN and DLPI drivers cumulative" patch
(PHNE_6855) to make the version 9 DLPI work with libpcap.

The DLPI streams package is standard starting with HP-UX 10.

The HP implementation of DLPI is a little bit eccentric. Unlike
Solaris, you must attach /dev/dlpi instead of the specific /dev/*
network pseudo device entry in order to capture packets. The PPA is
based on the ifnet "index" number. Under HP-UX 9, it is necessary to
read /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10,
DLPI can provide information for determining the PPA. It does not seem
to be possible to trace the loopback interface. Unlike other DLPI
implementations, PHYS implies MULTI and SAP and you get an error if you
try to enable more than one promiscuous mode at a time.

It is impossible to capture outbound packets on HP-UX 9. To do so on
HP-UX 10, you will, apparently, need a late "LAN products cumulative
patch" (at one point, it was claimed that this would be PHNE_18173 for
s700/10.20; at another point, it was claimed that the required patches
were PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do
so on HP-UX 11 you will, apparently, need the latest lancommon/DLPI
patches and the latest driver patch for the interface(s) in use on HP-UX
11 (at one point, it was claimed that patches PHNE_19766, PHNE_19826,
PHNE_20008, and PHNE_20735 did the trick).

Furthermore, on HP-UX 10, you will need to turn on a kernel switch by
doing

    echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem

You would have to arrange that this happen on reboots; the right way to
do that would probably be to put it into an executable script file
"/sbin/init.d/outbound_promisc" and make
"/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script.

Finally, testing shows that there can't be more than one simultaneous
DLPI user per network interface.

If you use Linux, this version of libpcap is known to compile and run
under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X
versions but is guaranteed not to work with 1.X kernels. Running more
than one libpcap program at a time, on a system with a 2.0.X kernel, can
cause problems since promiscuous mode is implemented by twiddling the
interface flags from the libpcap application; the packet capture
mechanism in the 2.2 and later kernels doesn't have this problem. Also,
packet timestamps aren't very good. This appears to be due to haphazard
handling of the timestamp in the kernel.

Note well: there is rumoured to be a version of tcpdump floating around
called 3.0.3 that includes libpcap and is supposed to support Linux.
You should be advised that neither the Network Research Group at LBNL
nor the Tcpdump Group ever generated a release with this version number.
The LBNL Network Research Group notes with interest that a standard
cracker trick to get people to install trojans is to distribute bogus
packages that have a version number higher than the current release.
They also noted with annoyance that 90% of the Linux-related bug reports
they got are due to changes made to unofficial versions of their page.
If you are having trouble but aren't using a version that came from
tcpdump.org, please try that before submitting a bug report!

On Linux, libpcap will not work if the kernel does not have the packet
socket option enabled; see the README.linux file for information about
this.

If you use AIX, you may not be able to build libpcap from this release.
We do not have an AIX system in house so it's impossible for us to test
AIX patches submitted to us. We are told that you must link against
/lib/pse.exp, that you must use AIX cc or a GNU C compiler newer than
2.7.2, and that you may need to run strload before running a libpcap
application.

Read the README.aix file for information on installing libpcap and
configuring your system to be able to support libpcap.

If you use NeXTSTEP, you will not be able to build libpcap from this
release.

If you use SINIX, you should be able to build libpcap from this
release. It is known to compile and run on SINIX-Y/N 5.42 with the C-DS
V1.0 or V1.1 compiler. But note that in some releases of SINIX, yacc
emits incorrect code; if grammar.y fails to compile, change every
occurrence of:

    #ifdef YYDEBUG

to:

    #if YYDEBUG

Another workaround is to use flex and bison.

If you use SCO, you might have trouble building libpcap from this
release. We do not have a machine running SCO and have not had reports
of anyone successfully building on it; the current release of libpcap
does not compile on SCO OpenServer 5. Although SCO apparently supports
DLPI to some extent, the DLPI in OpenServer 5 is very non-standard, and
it appears that completely new code would need to be written to capture
network traffic. SCO do not appear to provide tcpdump binaries for
OpenServer 5 or OpenServer 6 as part of SCO Skunkware:

    http://www.sco.com/skunkware/

If you use UnixWare, you might be able to build libpcap from this
release, or you might not. We do not have a machine running UnixWare,
so we have not tested it; however, SCO provide packages for libpcap
0.6.2 and tcpdump 3.7.1 in the UnixWare 7/Open UNIX 8 part of SCO
Skunkware, and the source package for libpcap 0.6.2 is not changed from
the libpcap 0.6.2 source release, so this release of libpcap might also
build without changes on UnixWare 7.

If linking tcpdump fails with "Undefined: _alloca" when using bison on
a Sun4, your version of Bison is broken. In any case version 1.16 or
higher is recommended (1.14 is known to cause problems; 1.16 is known to
work). Either pick up a current version from:

    https://ftp.gnu.org/gnu/bison/

or hack around it by inserting the lines:

    #ifdef __GNUC__
    #define alloca __builtin_alloca
    #else
    #ifdef sparc
    #include <alloca.h>
    #else
    char *alloca ();
    #endif
    #endif

right after the (100 line!) GNU license comment in bison.simple, remove
grammar.[co] and fire up make again.

If you use SunOS 4, your kernel must support streams NIT. If you run a
libpcap program and it dies with:

    /dev/nit: No such device

you must add streams NIT support to your kernel configuration, run
config and boot the new kernel.

FILES
-----
    CHANGES             - description of differences between releases
    ChmodBPF/*          - macOS startup item to set ownership and permissions on /dev/bpf*
    CMakeLists.txt      - CMake file
    CONTRIBUTING.md     - guidelines for contributing
    CREDITS             - people that have helped libpcap along
    INSTALL.md          - this file
    LICENSE             - the license under which tcpdump is distributed
    Makefile.in         - compilation rules (input to the configure script)
    README.md           - description of distribution
    doc/README.aix      - notes on using libpcap on AIX
    doc/README.dag      - notes on using libpcap to capture on Endace DAG devices
    doc/README.hpux     - notes on using libpcap on HP-UX
    doc/README.linux    - notes on using libpcap on Linux
    doc/README.macos    - notes on using libpcap on macOS
    doc/README.septel   - notes on using libpcap to capture on Intel/Septel devices
    doc/README.sita     - notes on using libpcap to capture on SITA devices
    doc/README.tru64    - notes on using libpcap on Digital/Tru64 UNIX
    doc/README.Win32.md - notes on using libpcap on Win32 systems (with Npcap)
    VERSION             - version of this release
    acconfig.h          - support for post-2.13 autoconf
    aclocal.m4          - autoconf macros
    arcnet.h            - ARCNET definitions
    atmuni31.h          - ATM Q.2931 definitions
    bpf_dump.c          - BPF program printing routines
    bpf_filter.c        - BPF filtering routines
    bpf_image.c         - BPF disassembly routine
    config.guess        - autoconf support
    config.h.in         - autoconf input
    config.sub          - autoconf support
    configure           - configure script (run this first)
    configure.ac        - configure script source
    dlpisubs.c          - DLPI-related functions for pcap-dlpi.c and pcap-libdlpi.c
    dlpisubs.h          - DLPI-related function declarations
    etherent.c          - /etc/ethers support routines
    ethertype.h         - Ethernet protocol types and names definitions
    fad-getad.c         - pcap_findalldevs() for systems with getifaddrs()
    fad-gifc.c          - pcap_findalldevs() for systems with only SIOCGIFLIST
    fad-glifc.c         - pcap_findalldevs() for systems with SIOCGLIFCONF
    filtertest.c        - test program for BPF compiler
    findalldevstest.c   - test program for pcap_findalldevs()
    gencode.c           - BPF code generation routines
    gencode.h           - BPF code generation definitions
    grammar.y           - filter string grammar
    ieee80211.h         - 802.11 definitions
    install-sh          - BSD style install script
    lbl/os-*.h          - OS-dependent defines and prototypes
    llc.h               - 802.2 LLC SAP definitions
    missing/*           - replacements for missing library functions
    mkdep               - construct Makefile dependency list
    msdos/*             - drivers for MS-DOS capture support
    nametoaddr.c        - hostname to address routines
    nlpid.h             - OSI network layer protocol identifier definitions
    net                 - symlink to bpf/net
    optimize.c          - BPF optimization routines
    pcap/bluetooth.h    - public definition of DLT_BLUETOOTH_HCI_H4_WITH_PHDR header
    pcap/bpf.h          - BPF definitions
    pcap/namedb.h       - public libpcap name database definitions
    pcap/pcap.h         - public libpcap definitions
    pcap/sll.h          - public definitions of DLT_LINUX_SLL and DLT_LINUX_SLL2 headers
    pcap/usb.h          - public definition of DLT_USB header
    pcap-bpf.c          - BSD Packet Filter support
    pcap-bpf.h          - header for backwards compatibility
    pcap-bt-linux.c     - Bluetooth capture support for Linux
    pcap-bt-linux.h     - Bluetooth capture support for Linux
    pcap-dag.c          - Endace DAG device capture support
    pcap-dag.h          - Endace DAG device capture support
    pcap-dlpi.c         - Data Link Provider Interface support
    pcap-dos.c          - MS-DOS capture support
    pcap-dos.h          - headers for MS-DOS capture support
    pcap-enet.c         - enet support
    pcap-int.h          - internal libpcap definitions
    pcap-libdlpi.c      - Data Link Provider Interface support for systems with libdlpi
    pcap-linux.c        - Linux packet socket support
    pcap-namedb.h       - header for backwards compatibility
    pcap-nit.c          - SunOS Network Interface Tap support
    pcap-nit.h          - SunOS Network Interface Tap definitions
    pcap-npf.c          - Npcap capture support
    pcap-null.c         - dummy monitor support (allows offline use of libpcap)
    pcap-pf.c           - Ultrix and Digital/Tru64 UNIX Packet Filter support
    pcap-pf.h           - Ultrix and Digital/Tru64 UNIX Packet Filter definitions
    pcap-septel.c       - Intel/Septel device capture support
    pcap-septel.h       - Intel/Septel device capture support
    pcap-sita.c         - SITA device capture support
    pcap-sita.h         - SITA device capture support
    pcap-sita.html      - SITA device capture documentation
    pcap-stdinc.h       - includes and #defines for compiling on Win32 systems
    pcap-snit.c         - SunOS 4.x STREAMS-based Network Interface Tap support
    pcap-snoop.c        - IRIX Snoop network monitoring support
    pcap-usb-linux.c    - USB capture support for Linux
    pcap-usb-linux.h    - USB capture support for Linux
    pcap.3pcap          - manual entry for the library
    pcap.c              - pcap utility routines
    pcap.h              - header for backwards compatibility
    pcap_*.3pcap        - manual entries for library functions
    pcap-filter.4       - manual entry for filter syntax
    pcap-linktype.4     - manual entry for link-layer header types
    ppp.h               - Point to Point Protocol definitions
    savefile.c          - offline support
    scanner.l           - filter string scanner
    sunatmpos.h         - definitions for SunATM capturing
    Win32               - headers and routines for building on Win32 systems