• Home
Name Date Size #Lines LOC

..--

ChmodBPF/03-May-2024-3916

SUNOS4/03-May-2024-

Win32/03-May-2024-3,5612,232

bpf/net/03-May-2024-687495

doc/03-May-2024-3,4262,443

lbl/03-May-2024-397211

missing/03-May-2024-633503

msdos/03-May-2024-4,3133,124

packaging/03-May-2024-7863

pcap/03-May-2024-2,421709

tests/03-May-2024-1,7001,248

.gitignoreD03-May-2024657 4544

.travis.ymlD03-May-202446 64

Android.mkD03-May-2024670 2315

CHANGESD03-May-202428.8 KiB741595

CREDITSD03-May-202410.7 KiB178172

CleanSpec.mkD03-May-20242.2 KiB500

INSTALL.txtD03-May-202417.4 KiB404334

LICENSED03-May-2024873 2016

Makefile-devel-addsD03-May-2024614 2318

Makefile.inD03-May-202423 KiB746560

READMED03-May-20244 KiB10975

README.Win32D03-May-20242.2 KiB4737

README.aixD03-May-20242.8 KiB8455

README.dagD03-May-20245.1 KiB12387

README.hpuxD03-May-20248.1 KiB255190

README.linuxD03-May-20244.9 KiB10990

README.macosxD03-May-20243.4 KiB7559

README.septelD03-May-20242 KiB5136

README.sitaD03-May-20242.4 KiB6548

README.tru64D03-May-20241.6 KiB5035

TODOD03-May-20241.5 KiB3629

VERSIOND03-May-20246 21

aclocal.m4D03-May-202437.5 KiB1,2961,232

arcnet.hD03-May-20242.5 KiB5310

atmuni31.hD03-May-20244 KiB8841

bpf_dump.cD03-May-20242 KiB6338

bpf_filter.cD03-May-202414.4 KiB687495

bpf_image.cD03-May-20245.2 KiB306232

chmod_bpfD03-May-2024760 202

config.guessD03-May-202443.9 KiB1,5031,292

config.hD03-May-20249 KiB33948

config.h.inD03-May-20248.4 KiB338226

config.subD03-May-202433.7 KiB1,7091,561

configureD03-May-2024262.9 KiB9,7247,533

configure.inD03-May-202443 KiB1,6551,504

dlpisubs.cD03-May-20249 KiB372228

dlpisubs.hD03-May-2024798 4326

etherent.cD03-May-20243.5 KiB175117

ethertype.hD03-May-20243.5 KiB12387

fad-getad.cD03-May-20248.8 KiB293134

fad-gifc.cD03-May-202412.8 KiB426219

fad-glifc.cD03-May-202410.1 KiB378221

fad-null.cD03-May-20242.7 KiB6614

fad-sita.cD03-May-20242.2 KiB6222

fad-win32.cD03-May-20248.8 KiB346174

gencode.cD03-May-2024196.9 KiB8,5405,203

gencode.hD03-May-202410 KiB359217

grammar.cD03-May-2024111.2 KiB3,9772,748

grammar.yD03-May-202419.7 KiB711620

ieee80211.hD03-May-20245.3 KiB14793

inet.cD03-May-202424.3 KiB934540

install-shD03-May-20245.5 KiB251152

llc.hD03-May-20242 KiB7042

mkdepD03-May-20242.5 KiB11668

nametoaddr.cD03-May-202410.3 KiB515377

nlpid.hD03-May-20241.8 KiB5927

optimize.cD03-May-202447.1 KiB2,2481,465

org.tcpdump.chmod_bpf.plistD03-May-2024441 1716

pcap-bpf.cD03-May-202468.6 KiB2,7281,563

pcap-bpf.hD03-May-20242.3 KiB481

pcap-bt-linux.cD03-May-202410.9 KiB416299

pcap-bt-linux.hD03-May-20241.9 KiB412

pcap-can-linux.cD03-May-20247.8 KiB320207

pcap-can-linux.hD03-May-20241.7 KiB372

pcap-canusb-linux.cD03-May-202411.8 KiB473311

pcap-canusb-linux.hD03-May-20241.7 KiB382

pcap-common.cD03-May-202438.7 KiB1,299385

pcap-common.hD03-May-2024955 268

pcap-config.1D03-May-20242.4 KiB7552

pcap-config.inD03-May-20241.6 KiB9067

pcap-dag.cD03-May-202432.1 KiB1,223821

pcap-dag.hD03-May-20242 KiB10971

pcap-dbus.cD03-May-20247.5 KiB280186

pcap-dbus.hD03-May-2024108 32

pcap-dlpi.cD03-May-202442.9 KiB1,7251,059

pcap-dos.cD03-May-202434.8 KiB1,4991,068

pcap-dos.hD03-May-20246.8 KiB228171

pcap-enet.cD03-May-20244.9 KiB236178

pcap-filter.manmisc.inD03-May-202430.3 KiB955928

pcap-int.hD03-May-202413.3 KiB430197

pcap-libdlpi.cD03-May-202410.1 KiB411253

pcap-linktype.manmisc.inD03-May-20242.4 KiB5128

pcap-linux.cD03-May-2024168.1 KiB6,0903,129

pcap-namedb.hD03-May-20242.1 KiB431

pcap-netfilter-linux.cD03-May-202417.8 KiB654471

pcap-netfilter-linux.hD03-May-20241.7 KiB362

pcap-nit.cD03-May-20249.1 KiB372232

pcap-null.cD03-May-20241.8 KiB5425

pcap-pf.cD03-May-202416.9 KiB615344

pcap-savefile.manfile.inD03-May-20245.3 KiB137114

pcap-septel.cD03-May-20247.7 KiB304154

pcap-septel.hD03-May-2024602 162

pcap-sita.cD03-May-202434.6 KiB1,022841

pcap-sita.hD03-May-2024280 112

pcap-sita.htmlD03-May-202437.4 KiB944903

pcap-snf.cD03-May-20246.7 KiB331256

pcap-snf.hD03-May-2024106 32

pcap-snit.cD03-May-202411.5 KiB451282

pcap-snoop.cD03-May-202412.2 KiB423262

pcap-stdinc.hD03-May-20242.8 KiB9041

pcap-tstamp.manmisc.inD03-May-20246.2 KiB133111

pcap-usb-linux.cD03-May-202424.3 KiB933666

pcap-usb-linux.hD03-May-20241.9 KiB412

pcap-win32.cD03-May-202420.8 KiB887587

pcap.3pcap.inD03-May-202427.3 KiB910888

pcap.cD03-May-202451.2 KiB1,9941,371

pcap.hD03-May-20242.3 KiB461

pcap1.hD03-May-20249.4 KiB307167

pcap_activate.3pcapD03-May-20243.2 KiB9876

pcap_breakloop.3pcapD03-May-20243.8 KiB10179

pcap_can_set_rfmon.3pcapD03-May-20242.3 KiB6543

pcap_close.3pcapD03-May-20241.6 KiB4220

pcap_compile.3pcap.inD03-May-20242.7 KiB7351

pcap_create.3pcapD03-May-20242.3 KiB7553

pcap_datalink.3pcap.inD03-May-20242.5 KiB7149

pcap_datalink_name_to_val.3pcapD03-May-20241.9 KiB4927

pcap_datalink_val_to_name.3pcapD03-May-20241.9 KiB4927

pcap_dump.3pcapD03-May-20241.9 KiB5432

pcap_dump_close.3pcapD03-May-20241.6 KiB4018

pcap_dump_file.3pcapD03-May-20241.6 KiB4119

pcap_dump_flush.3pcapD03-May-20241.8 KiB4624

pcap_dump_ftell.3pcapD03-May-20241.8 KiB4523

pcap_dump_open.3pcap.inD03-May-20242.8 KiB8866

pcap_file.3pcapD03-May-20242.2 KiB6038

pcap_fileno.3pcapD03-May-20242.2 KiB6947

pcap_findalldevs.3pcapD03-May-20245.1 KiB187165

pcap_freecode.3pcapD03-May-20241.8 KiB4624

pcap_get_selectable_fd.3pcapD03-May-20243.9 KiB130108

pcap_get_tstamp_precision.3pcap.inD03-May-20241.6 KiB5331

pcap_geterr.3pcapD03-May-20241.9 KiB5432

pcap_inject.3pcapD03-May-20243.4 KiB9169

pcap_is_swapped.3pcapD03-May-20242 KiB5432

pcap_lib_version.3pcapD03-May-20241.7 KiB4220

pcap_list_datalinks.3pcap.inD03-May-20242.6 KiB7654

pcap_list_tstamp_types.3pcap.inD03-May-20242.5 KiB7150

pcap_lookupdev.3pcapD03-May-20242 KiB6341

pcap_lookupnet.3pcapD03-May-20242 KiB6644

pcap_loop.3pcapD03-May-20246.3 KiB195173

pcap_major_version.3pcapD03-May-20242.1 KiB5735

pcap_next_ex.3pcapD03-May-20244.9 KiB144122

pcap_offline_filter.3pcapD03-May-20242.1 KiB5836

pcap_open_dead.3pcap.inD03-May-20242.8 KiB8260

pcap_open_live.3pcapD03-May-20242.7 KiB9068

pcap_open_offline.3pcap.inD03-May-20243.7 KiB11290

pcap_set_buffer_size.3pcapD03-May-20241.9 KiB4826

pcap_set_datalink.3pcapD03-May-20241.9 KiB5432

pcap_set_immediate_mode.3pcapD03-May-20241.9 KiB4827

pcap_set_promisc.3pcapD03-May-20241.9 KiB4927

pcap_set_rfmon.3pcapD03-May-20241.9 KiB5028

pcap_set_snaplen.3pcapD03-May-20241.8 KiB4725

pcap_set_timeout.3pcapD03-May-20242 KiB5129

pcap_set_tstamp_precision.3pcap.inD03-May-20242.2 KiB6240

pcap_set_tstamp_type.3pcap.inD03-May-20242.4 KiB6645

pcap_setdirection.3pcapD03-May-20242.5 KiB7250

pcap_setfilter.3pcapD03-May-20241.9 KiB5533

pcap_setnonblock.3pcapD03-May-20242.7 KiB7654

pcap_snapshot.3pcapD03-May-20242 KiB5533

pcap_stats.3pcapD03-May-20243.4 KiB10078

pcap_statustostr.3pcapD03-May-20241.7 KiB4422

pcap_strerror.3pcapD03-May-20241.6 KiB4321

pcap_tstamp_type_name_to_val.3pcapD03-May-20241.8 KiB4625

pcap_tstamp_type_val_to_name.3pcapD03-May-20241.9 KiB5029

ppp.hD03-May-20242.7 KiB5935

runlex.shD03-May-20244.7 KiB23691

savefile.cD03-May-20249.9 KiB417276

scanner.cD03-May-2024185.7 KiB4,8203,921

scanner.hD03-May-2024122 74

scanner.lD03-May-202410.9 KiB466369

sf-pcap-ng.cD03-May-202430.2 KiB1,277695

sf-pcap-ng.hD03-May-20241.4 KiB335

sf-pcap.cD03-May-202418 KiB733424

sf-pcap.hD03-May-20241.7 KiB385

sunatmpos.hD03-May-20242.2 KiB468

tokdefs.hD03-May-20246.3 KiB317265

version.cD03-May-202431 21

version.hD03-May-202467 21

README

1@(#) $Header: /tcpdump/master/libpcap/README,v 1.34 2008-12-14 19:44:14 guy Exp $ (LBL)
2
3LIBPCAP 1.x.y
4
5www.tcpdump.org
6
7Please send inquiries/comments/reports to:
8	tcpdump-workers@lists.tcpdump.org
9
10Anonymous Git is available via:
11	git clone git://bpf.tcpdump.org/libpcap
12
13Please submit patches by forking the branch on GitHub at
14
15	http://github.com/the-tcpdump-group/libpcap/tree/master
16
17and issuing a pull request.
18
19formerly from 	Lawrence Berkeley National Laboratory
20		Network Research Group <libpcap@ee.lbl.gov>
21		ftp://ftp.ee.lbl.gov/old/libpcap-0.4a7.tar.Z
22
23This directory contains source code for libpcap, a system-independent
24interface for user-level packet capture.  libpcap provides a portable
25framework for low-level network monitoring.  Applications include
26network statistics collection, security monitoring, network debugging,
27etc.  Since almost every system vendor provides a different interface
28for packet capture, and since we've developed several tools that
29require this functionality, we've created this system-independent API
30to ease in porting and to alleviate the need for several
31system-dependent packet capture modules in each application.
32
33For some platforms there are README.{system} files that discuss issues
34with the OS's interface for packet capture on those platforms, such as
35how to enable support for that interface in the OS, if it's not built in
36by default.
37
38The libpcap interface supports a filtering mechanism based on the
39architecture in the BSD packet filter.  BPF is described in the 1993
40Winter Usenix paper ``The BSD Packet Filter: A New Architecture for
41User-level Packet Capture''.  A compressed PostScript version can be
42found at
43
44	ftp://ftp.ee.lbl.gov/papers/bpf-usenix93.ps.Z
45
46or
47
48	http://www.tcpdump.org/papers/bpf-usenix93.ps.Z
49
50and a gzipped version can be found at
51
52	http://www.tcpdump.org/papers/bpf-usenix93.ps.gz
53
54A PDF version can be found at
55
56	http://www.tcpdump.org/papers/bpf-usenix93.pdf
57
58Although most packet capture interfaces support in-kernel filtering,
59libpcap utilizes in-kernel filtering only for the BPF interface.
60On systems that don't have BPF, all packets are read into user-space
61and the BPF filters are evaluated in the libpcap library, incurring
62added overhead (especially, for selective filters).  Ideally, libpcap
63would translate BPF filters into a filter program that is compatible
64with the underlying kernel subsystem, but this is not yet implemented.
65
66BPF is standard in 4.4BSD, BSD/OS, NetBSD, FreeBSD, OpenBSD, DragonFly
67BSD, and Mac OS X; an older, modified and undocumented version is
68standard in AIX.  {DEC OSF/1, Digital UNIX, Tru64 UNIX} uses the
69packetfilter interface but has been extended to accept BPF filters
70(which libpcap utilizes).  Also, you can add BPF filter support to
71Ultrix using the kernel source and/or object patches available in:
72
73	http://www.tcpdump.org/other/bpfext42.tar.Z
74
75Linux, in the 2.2 kernel and later kernels, has a "Socket Filter"
76mechanism that accepts BPF filters; see the README.linux file for
77information on configuring that option.
78
79Note to Linux distributions and *BSD systems that include libpcap:
80
81There's now a rule to make a shared library, which should work on Linux
82and *BSD, among other platforms.
83
84It sets the soname of the library to "libpcap.so.1"; this is what it
85should be, *NOT* libpcap.so.1.x or libpcap.so.1.x.y or something such as
86that.
87
88We've been maintaining binary compatibility between libpcap releases for
89quite a while; there's no reason to tie a binary linked with libpcap to
90a particular release of libpcap.
91
92Problems, bugs, questions, desirable enhancements, etc. should be sent
93to the address "tcpdump-workers@lists.tcpdump.org".  Bugs, support
94requests, and feature requests may also be submitted on the GitHub issue
95tracker for libpcap at
96
97	https://github.com/the-tcpdump-group/libpcap/issues
98
99Source code contributions, etc. should be sent to the email address
100above or submitted by forking the branch on GitHub at
101
102	http://github.com/the-tcpdump-group/libpcap/tree/master
103
104and issuing a pull request.
105
106Current versions can be found at www.tcpdump.org.
107
108 - The TCPdump team
109

README.Win32

1Under Win32, libpcap is integrated in the WinPcap packet capture system.
2WinPcap provides a framework that allows libpcap to capture the packets
3under Windows 95, Windows 98, Windows ME, Windows NT 4, Windows 2000
4and Windows XP.
5WinPcap binaries and source code can be found at http://winpcap.polito.it:
6they include also a developer's pack with all the necessary to compile
7libpcap-based applications under Windows.
8
9How to compile libpcap with Visual Studio
10-----------------------------------------
11
12In order to compile libpcap you will need:
13
14- version 6 (or higher) of Microsoft Visual Studio
15- The November 2001 (or later) edition of Microsoft Platform
16Software Development Kit (SDK), that contains some necessary includes
17for IPv6 support. You can download it from http://www.microsoft.com/sdk
18- the latest WinPcap sources from http://winpcap.polito.it/install
19
20The WinPcap source code already contains a recent (usually the latest
21stable) version of libpcap. If you need to compile a different one,
22simply download it from www.tcpdump.org and copy the sources in the
23winpcap\wpcap\libpcap folder of the WinPcap distribution. If you want to
24compile a libpcap source retrieved from the tcpdump.org Git, you will
25have to create the scanner and the grammar by hand (with lex and yacc)
26or with the cygnus makefile, since The Visual Studio project is not able
27to build them.
28
29Open the project file winpcap\wpcap\prj\wpcap.dsw with Visual Studio and
30build wpcap.dll. wpcap.lib, the library file to link with the applications,
31will be generated in winpcap\wpcap\lib\. wpcap.dll will be generated in
32winpcap\wpcap\prj\release or winpcap\wpcap\prj\debug depending on the type
33of binary that is being created.
34
35How to compile libpcap with Cygnus
36----------------------------------
37
38To build wpcap.dll, cd to the directory WPCAP/PRJ of the WinPcap source code
39distribution and type "make". libwpcap.a, the library file to link with the
40applications, will be generated in winpcap\wpcap\lib\. wpcap.dll will be
41generated in winpcap\wpcap\prj.
42
43Remember, you CANNOT use the MSVC-generated .lib files with gcc, use
44libwpcap.a instead.
45
46"make install" installs wpcap.dll in the Windows system folder.
47

README.aix

1Using BPF:
2
3(1) AIX 4.x's version of BPF is undocumented and somewhat unstandard; the
4    current BPF support code includes changes that should work around
5    that; it appears to compile and work on at least one AIX 4.3.3
6    machine.
7
8    Note that the BPF driver and the "/dev/bpf" devices might not exist
9    on your machine; AIX's tcpdump loads the driver and creates the
10    devices if they don't already exist.  Our libpcap should do the
11    same, and the configure script should detect that it's on an AIX
12    system and choose BPF even if the devices aren't there.
13
14(2) If libpcap doesn't compile on your machine when configured to use
15    BPF, or if the workarounds fail to make it work correctly, you
16    should send to tcpdump-workers@lists.tcpdump.org a detailed bug
17    report (if the compile fails, send us the compile error messages;
18    if it compiles but fails to work correctly, send us as detailed as
19    possible a description of the symptoms, including indications of the
20    network link-layer type being wrong or time stamps being wrong).
21
22    If you fix the problems yourself, please submit a patch by forking
23    the branch at
24
25	https://github.com/the-tcpdump-group/libpcap/issues
26
27    and issuing a pull request, so we can incorporate the fixes into the
28    next release.
29
30    If you don't fix the problems yourself, you can, as a workaround,
31    make libpcap use DLPI instead of BPF.
32
33    This can be done by specifying the flag:
34
35       --with-pcap=dlpi
36
37    to the "configure" script for libpcap.
38
39If you use DLPI:
40
41(1) It is a good idea to have the latest version of the DLPI driver on
42    your system, since certain versions may be buggy and cause your AIX
43    system to crash.  DLPI is included in the fileset bos.rte.tty.  I
44    found that the DLPI driver that came with AIX 4.3.2 was buggy, and
45    had to upgrade to bos.rte.tty 4.3.2.4:
46
47	    lslpp -l bos.rte.tty
48
49	    bos.rte.tty     4.3.2.4  COMMITTED  Base TTY Support and Commands
50
51    Updates for AIX filesets can be obtained from:
52    ftp://service.software.ibm.com/aix/fixes/
53
54    These updates can be installed with the smit program.
55
56(2) After compiling libpcap, you need to make sure that the DLPI driver
57    is loaded.  Type:
58
59	    strload -q -d dlpi
60
61    If the result is:
62
63	    dlpi: yes
64
65    then the DLPI driver is loaded correctly.
66
67    If it is:
68
69	    dlpi: no
70
71    Then you need to type:
72
73	    strload -f /etc/dlpi.conf
74
75    Check again with strload -q -d dlpi that the dlpi driver is loaded.
76
77    Alternatively, you can uncomment the lines for DLPI in
78    /etc/pse.conf and reboot the machine; this way DLPI will always
79    be loaded when you boot your system.
80
81(3) There appears to be a problem in the DLPI code in some versions of
82    AIX, causing a warning about DL_PROMISC_MULTI failing; this might
83    be responsible for DLPI not being able to capture outgoing packets.
84

README.dag

1
2The following instructions apply if you have a Linux or FreeBSD platform and
3want libpcap to support the DAG range of passive network monitoring cards from
4Endace (http://www.endace.com, see below for further contact details).
5
61) Install and build the DAG software distribution by following the
7instructions supplied with that package. Current Endace customers can download
8the DAG software distibution from https://www.endace.com
9
102) Configure libcap. To allow the 'configure' script to locate the DAG
11software distribution use the '--with-dag' option:
12
13        ./configure --with-dag=DIR
14
15Where DIR is the root of the DAG software distribution, for example
16/var/src/dag. If the DAG software is correctly detected 'configure' will
17report:
18
19        checking whether we have DAG API... yes
20
21If 'configure' reports that there is no DAG API, the directory may have been
22incorrectly specified or the DAG software was not built before configuring
23libpcap.
24
25See also the libpcap INSTALL.txt file for further libpcap configuration
26options.
27
28Building libpcap at this stage will include support for both the native packet
29capture stream (linux or bpf) and for capturing from DAG cards. To build
30libpcap with only DAG support specify the capture type as 'dag' when
31configuring libpcap:
32
33        ./configure --with-dag=DIR --with-pcap=dag
34
35Applications built with libpcap configured in this way will only detect DAG
36cards and will not capture from the native OS packet stream.
37
38----------------------------------------------------------------------
39
40Libpcap when built for DAG cards against dag-2.5.1 or later releases:
41
42Timeouts are supported. pcap_dispatch() will return after to_ms milliseconds
43regardless of how many packets are received. If to_ms is zero pcap_dispatch()
44will block waiting for data indefinitely.
45
46pcap_dispatch() will block on and process a minimum of 64kB of data (before
47filtering) for efficiency. This can introduce high latencies on quiet
48interfaces unless a timeout value is set. The timeout expiring will override
49the 64kB minimum causing pcap_dispatch() to process any available data and
50return.
51
52pcap_setnonblock is supported. When nonblock is set, pcap_dispatch() will
53check once for available data, process any data available up to count, then
54return immediately.
55
56pcap_findalldevs() is supported, e.g. dag0, dag1...
57
58Some DAG cards can provide more than one 'stream' of received data.
59This can be data from different physical ports, or separated by filtering
60or load balancing mechanisms. Receive streams have even numbers, e.g.
61dag0:0, dag0:2 etc. Specifying transmit streams for capture is not supported.
62
63pcap_setfilter() is supported, BPF programs run in userspace.
64
65pcap_setdirection() is not supported. Only received traffic is captured.
66DAG cards normally do not have IP or link layer addresses assigned as
67they are used to passively monitor links.
68
69pcap_breakloop() is supported.
70
71pcap_datalink() and pcap_list_datalinks() are supported. The DAG card does
72not attempt to set the correct datalink type automatically where more than
73one type is possible.
74
75pcap_stats() is supported. ps_drop is the number of packets dropped due to
76RX stream buffer overflow, this count is before filters are applied (it will
77include packets that would have been dropped by the filter). The RX stream
78buffer size is user configurable outside libpcap, typically 16-512MB.
79
80pcap_get_selectable_fd() is not supported, as DAG cards do not support
81poll/select methods.
82
83pcap_inject() and pcap_sendpacket() are not supported.
84
85Some DAG cards now support capturing to multiple virtual interfaces, called
86streams. Capture streams have even numbers. These are available via libpcap
87as separate interfaces, e.g. dag0:0, dag0:2, dag0:4 etc. dag0:0 is the same
88as dag0. These are visible via pcap_findalldevs().
89
90libpcap now does NOT set the card's hardware snaplen (slen). This must now be
91set using the appropriate DAG coniguration program, e.g. dagthree, dagfour,
92dagsix, dagconfig. This is because the snaplen is currently shared between
93all of the streams. In future this may change if per-stream slen is
94implemented.
95
96DAG cards by default capture entire packets including the L2
97CRC/FCS. If the card is not configured to discard the CRC/FCS, this
98can confuse applications that use libpcap if they're not prepared for
99packets to have an FCS.
100
101Libpcap now reads the environment variable ERF_FCS_BITS to determine
102how many bits of CRC/FCS to strip from the end of the captured
103frame. This defaults to 32 for use with Ethernet. If the card is
104configured to strip the CRC/FCS, then set ERF_FCS_BITS=0. If used with
105a HDLC/PoS/PPP/Frame Relay link with 16 bit CRC/FCS, then set
106ERF_FCS_BITS=16.
107
108If you wish to create a pcap file that DOES contain the Ethernet FCS,
109specify the environment variable ERF_DONT_STRIP_FCS. This will cause
110the existing FCS to be captured into the pcap file. Note some
111applications may incorrectly report capture errors or oversize packets
112when reading these files.
113
114----------------------------------------------------------------------
115
116Please submit bug reports via <support@endace.com>.
117
118Please also visit our Web site at:
119
120        http://www.endace.com/
121
122For more information about Endace DAG cards contact <sales@endace.com>.
123

README.hpux

1For HP-UX 11i (11.11) and later, there are no known issues with
2promiscuous mode under HP-UX.  If you are using a earlier version of
3HP-UX and cannot upgrade, please continue reading.
4
5HP-UX patches to fix packet capture problems
6
7Note that packet-capture programs such as tcpdump may, on HP-UX, not be
8able to see packets sent from the machine on which they're running.
9Some articles on groups.google.com discussing this are:
10
11	http://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE
12
13which says:
14
15  Newsgroups: comp.sys.hp.hpux
16  Subject:  Re: Did someone made tcpdump working on 10.20 ?
17  Date: 12/08/1999
18  From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE>
19
20  In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp>
21  wrote:
22   >Hello,
23   >
24   >I downloaded and compiled tcpdump3.4 a couple of week ago. I tried to use
25   >it, but I can only see incoming data, never outgoing.
26   >Someone (raj) explained me that a patch was missing, and that this patch
27   >must me "patched" (poked) in order to see outbound data in promiscuous mode.
28   >Many things to do .... So the question is : did someone has already this
29   >"ready to use" PHNE_**** patch ?
30
31   Two things:
32   1. You do need a late "LAN products cumulative patch" (e.g.  PHNE_18173
33  for   s700/10.20).
34   2. You must use
35echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
36     You can insert this e.g. into /sbin/init.d/lan
37
38   Best regards,
39   Lutz
40
41and
42
43	http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com
44
45which says:
46
47  Newsgroups: comp.sys.hp.hpux
48  Subject: Re: tcpdump only shows incoming packets
49  Date: 02/15/2000
50  From: Rick Jones <foo@bar.baz.invalid>
51
52  Harald Skotnes <harald@cc.uit.no> wrote:
53  > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
54  > compiled libpcap-0.4 an tcpdump-3.4 and it seems to work. But at a
55  > closer look I only get to see the incoming packets not the
56  > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
57  > same thing happens.  Could someone please give me a hint on how to
58  > get this right?
59
60  Search/Read the archives ?-)
61
62  What you are seeing is expected, un-patched, behaviour for an HP-UX
63  system.  On 11.00, you need to install the latest lancommon/DLPI
64  patches, and then the latest driver patch for the interface(s) in use.
65  At that point, a miracle happens and you should start seeing outbound
66  traffic.
67
68[That article also mentions the patch that appears below.]
69
70and
71
72	http://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no
73
74which says:
75
76  Newsgroups: comp.sys.hp.hpux
77  Subject: Re: tcpdump only shows incoming packets
78  Date: 02/16/2000
79  From: Harald Skotnes <harald@cc.uit.no>
80
81  Rick Jones wrote:
82
83	...
84
85  > What you are seeing is expected, un-patched, behaviour for an HP-UX
86  > system. On 11.00, you need to install the latest lancommon/DLPI
87  > patches, and then the latest driver patch for the interface(s) in
88  > use. At that point, a miracle happens and you should start seeing
89  > outbound traffic.
90
91  Thanks a lot.  I have this problem on several machines running HPUX
92  10.20 and 11.00.  The machines where patched up before y2k so did not
93  know what to think.  Anyway I have now installed PHNE_19766,
94  PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
95  outbound traffic too.  Thanks again.
96
97(although those patches may not be the ones to install - there may be
98later patches).
99
100And another message to tcpdump-workers@tcpdump.org, from Rick Jones:
101
102  Date: Mon, 29 Apr 2002 15:59:55 -0700
103  From: Rick Jones
104  To: tcpdump-workers@tcpdump.org
105  Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic
106
107	...
108
109  http://itrc.hp.com/ would be one place to start in a search for the most
110  up-to-date patches for DLPI and the lan driver(s) used on your system (I
111  cannot guess because 9000/800 is too generic - one hs to use the "model"
112  command these days and/or an ioscan command (see manpage) to guess what
113  the drivers (btlan[3456], gelan, etc) might be involved in addition to
114  DLPI.
115
116  Another option is to upgrade to 11i as outbound promiscuous mode support
117  is there in the base OS, no patches required.
118
119Another posting:
120
121	http://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com
122
123indicates that you need to install the optional STREAMS product to do
124captures on HP-UX 9.x:
125
126  Newsgroups: comp.sys.hp.hpux
127  Subject:  Re: tcpdump HP/UX 9.x
128  Date: 03/22/1999
129  From: Rick Jones <foo@bar.baz>
130
131  Dave Barr (barr@cis.ohio-state.edu) wrote:
132  : Has anyone ported tcpdump (or something similar) to HP/UX 9.x?
133
134  I'm reasonably confident that any port of tcpdump to 9.X would require
135  the (then optional) STREAMS product.  This would bring DLPI, which is
136  what one uses to access interfaces in promiscuous mode.
137
138  I'm not sure that HP even sells the 9.X STREAMS product any longer,
139  since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K
140  devices).
141
142  Your best bet is to be up on 10.20 or better if that is at all
143  possible.  If your hardware is supported by it, I'd go with HP-UX 11.
144  If you want to see the system's own outbound traffic, you'll never get
145  that functionality on 9.X, but it might happen at some point for 10.20
146  and 11.X.
147
148  rick jones
149
150(as per other messages cited here, the ability to see the system's own
151outbound traffic did happen).
152
153Rick Jones reports that HP-UX 11i needs no patches for outbound
154promiscuous mode support.
155
156An additional note, from Jost Martin, for HP-UX 10.20:
157
158	Q: How do I get ethereral on HPUX to capture the _outgoing_ packets
159	   of an interface
160	A: You need to get PHNE_20892,PHNE_20725 and PHCO_10947 (or
161	   newer, this is as of 4.4.00) and its dependencies.  Then you can
162	   enable the feature as descibed below:
163
164	Patch Name: PHNE_20892
165	Patch Description: s700 10.20 PCI 100Base-T cumulative patch
166		To trace the outbound packets, please do the following
167		to turn on a global promiscuous switch before running
168		the promiscuous applications like snoop or tcpdump:
169
170		adb -w /stand/vmunix /dev/mem
171		lanc_outbound_promisc_flag/W 1
172		(adb will echo the result showing that the flag has
173		been changed)
174		$quit
175	(Thanks for this part to HP-support, Ratingen)
176
177		The attached hack does this and some security-related stuff
178	(thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who
179	posted the security-part some time ago)
180
181		 <<hack_ip_stack>>
182
183		(Don't switch IP-forwarding off, if you need it !)
184		Install the hack as /sbin/init.d/hacl_ip_stack (adjust
185	permissions !) and make a sequencing-symlink
186	/sbin/rc2.d/S350hack_ip_stack pointing to this script.
187		Now all this is done on every reboot.
188
189According to Rick Jones, the global promiscuous switch also has to be
190turned on for HP-UX 11.00, but not for 11i - and, in fact, the switch
191doesn't even exist on 11i.
192
193Here's the "hack_ip_stack" script:
194
195-----------------------------------Cut Here-------------------------------------
196#!/sbin/sh
197#
198# nettune:  hack kernel parms for safety
199
200OKAY=0
201ERROR=-1
202
203# /usr/contrib/bin fuer nettune auf Pfad
204PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin
205export PATH
206
207
208##########
209#  main  #
210##########
211
212case $1 in
213   start_msg)
214      print "Tune IP-Stack for security"
215      exit $OKAY
216      ;;
217
218   stop_msg)
219      print "This action is not applicable"
220      exit $OKAY
221      ;;
222
223   stop)
224      exit $OKAY
225      ;;
226
227   start)
228      ;;  # fall through
229
230   *)
231      print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2
232      exit $ERROR
233      ;;
234   esac
235
236###########
237#  start  #
238###########
239
240#
241# tcp-Sequence-Numbers nicht mehr inkrementieren sondern random
242# Syn-Flood-Protection an
243# ip_forwarding aus
244# Source-Routing aus
245# Ausgehende Packets an ethereal/tcpdump etc.
246
247/usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR
248/usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR
249/usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR
250echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR
251echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem  || exit $ERROR
252
253exit $OKAY
254-----------------------------------Cut Here-------------------------------------
255

README.linux

1In order for libpcap to be able to capture packets on a Linux system,
2the "packet" protocol must be supported by your kernel.  If it is not,
3you may get error messages such as
4
5	modprobe: can't locate module net-pf-17
6
7in "/var/adm/messages", or may get messages such as
8
9	socket: Address family not supported by protocol
10
11from applications using libpcap.
12
13You must configure the kernel with the CONFIG_PACKET option for this
14protocol; the following note is from the Linux "Configure.help" file for
15the 2.0[.x] kernel:
16
17	Packet socket
18	CONFIG_PACKET
19	  The Packet protocol is used by applications which communicate
20	  directly with network devices without an intermediate network
21	  protocol implemented in the kernel, e.g. tcpdump. If you want them
22	  to work, choose Y.
23
24	  This driver is also available as a module called af_packet.o ( =
25	  code which can be inserted in and removed from the running kernel
26	  whenever you want). If you want to compile it as a module, say M
27	  here and read Documentation/modules.txt; if you use modprobe or
28	  kmod, you may also want to add "alias net-pf-17 af_packet" to
29	  /etc/modules.conf.
30
31and the note for the 2.2[.x] kernel says:
32
33	Packet socket
34	CONFIG_PACKET
35	  The Packet protocol is used by applications which communicate
36	  directly with network devices without an intermediate network
37	  protocol implemented in the kernel, e.g. tcpdump. If you want them
38	  to work, choose Y. This driver is also available as a module called
39	  af_packet.o ( = code which can be inserted in and removed from the
40	  running kernel whenever you want). If you want to compile it as a
41	  module, say M here and read Documentation/modules.txt.  You will
42	  need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules
43	  file for the module version to function automatically.  If unsure,
44	  say Y.
45
46In addition, there is an option that, in 2.2 and later kernels, will
47allow packet capture filters specified to programs such as tcpdump to be
48executed in the kernel, so that packets that don't pass the filter won't
49be copied from the kernel to the program, rather than having all packets
50copied to the program and libpcap doing the filtering in user mode.
51
52Copying packets from the kernel to the program consumes a significant
53amount of CPU, so filtering in the kernel can reduce the overhead of
54capturing packets if a filter has been specified that discards a
55significant number of packets.  (If no filter is specified, it makes no
56difference whether the filtering isn't performed in the kernel or isn't
57performed in user mode. :-))
58
59The option for this is the CONFIG_FILTER option; the "Configure.help"
60file says:
61
62	Socket filtering
63	CONFIG_FILTER
64	  The Linux Socket Filter is derived from the Berkeley Packet Filter.
65	  If you say Y here, user-space programs can attach a filter to any
66	  socket and thereby tell the kernel that it should allow or disallow
67	  certain types of data to get through the socket. Linux Socket
68	  Filtering works on all socket types except TCP for now. See the text
69	  file linux/Documentation/networking/filter.txt for more information.
70	  If unsure, say N.
71
72Note that, by default, libpcap will, if libnl is present, build with it;
73it uses libnl to support monitor mode on mac80211 devices.  There is a
74configuration option to disable building with libnl, but, if that option
75is chosen, the monitor-mode APIs (as used by tcpdump's "-I" flag, and as
76will probably be used by other applications in the future) won't work
77properly on mac80211 devices.
78
79Linux's run-time linker allows shared libraries to be linked with other
80shared libraries, which means that if an older version of a shared
81library doesn't require routines from some other shared library, and a
82later version of the shared library does require those routines, the
83later version of the shared library can be linked with that other shared
84library and, if it's otherwise binary-compatible with the older version,
85can replace that older version without breaking applications built with
86the older version, and without breaking configure scripts or the build
87procedure for applications whose configure script doesn't use the
88pcap-config script if they build with the shared library.  (The build
89procedure for applications whose configure scripts use the pcap-config
90script if present will not break even if they build with the static
91library.)
92
93Statistics:
94Statistics reported by pcap are platform specific.  The statistics
95reported by pcap_stats on Linux are as follows:
96
972.2.x
98=====
99ps_recv   Number of packets that were accepted by the pcap filter
100ps_drop   Always 0, this statistic is not gatherd on this platform
101
1022.4.x
103=====
104ps_recv   Number of packets that were accepted by the pcap filter
105ps_drop   Number of packets that had passed filtering but were not
106          passed on to pcap due to things like buffer shortage, etc.
107          This is useful because these are packets you are interested in
108          but won't be reported by, for example, tcpdump output.
109

README.macosx

1As with other systems using BPF, Mac OS X allows users with read access
2to the BPF devices to capture packets with libpcap and allows users with
3write access to the BPF devices to send packets with libpcap.
4
5On some systems that use BPF, the BPF devices live on the root file
6system, and the permissions and/or ownership on those devices can be
7changed to give users other than root permission to read or write those
8devices.
9
10On newer versions of FreeBSD, the BPF devices live on devfs, and devfs
11can be configured to set the permissions and/or ownership of those
12devices to give users other than root permission to read or write those
13devices.
14
15On Mac OS X, the BPF devices live on devfs, but the OS X version of
16devfs is based on an older (non-default) FreeBSD devfs, and that version
17of devfs cannot be configured to set the permissions and/or ownership of
18those devices.
19
20Therefore, we supply:
21
22	a "startup item" for older versions of Mac OS X;
23
24	a launchd daemon for Tiger and later versions of Mac OS X;
25
26Both of them will change the ownership of the BPF devices so that the
27"admin" group owns them, and will change the permission of the BPF
28devices to rw-rw----, so that all users in the "admin" group - i.e., all
29users with "Allow user to administer this computer" turned on - have
30both read and write access to them.
31
32The startup item is in the ChmodBPF directory in the source tree.  A
33/Library/StartupItems directory should be created if it doesn't already
34exist, and the ChmodBPF directory should be copied to the
35/Library/StartupItems directory (copy the entire directory, so that
36there's a /Library/StartupItems/ChmodBPF directory, containing all the
37files in the source tree's ChmodBPF directory; don't copy the individual
38items in that directory to /Library/StartupItems).  The ChmodBPF
39directory, and all files under it, must be owned by root.  Installing
40the files won't immediately cause the startup item to be executed; it
41will be executed on the next reboot.  To change the permissions before
42the reboot, run
43
44	sudo SystemStarter start ChmodBPF
45
46The launchd daemon is the chmod_bpf script, plus the
47org.tcpdump.chmod_bpf.plist launchd plist file.  chmod_bpf should be
48installed in /usr/local/bin/chmod_bpf, and org.tcpdump.chmod_bpf.plist
49should be installed in /Library/LaunchDaemons.  chmod_bpf, and
50org.tcpdump.chmod_bpf.plist, must be owned by root.  Installing the
51script and plist file won't immediately cause the script to be executed;
52it will be executed on the next reboot.  To change the permissions
53before the reboot, run
54
55	sudo /usr/local/bin/chmod_bpf
56
57or
58
59	sudo launchctl load /Library/LaunchDaemons/org.tcpdump.chmod_bpf.plist
60
61If you want to give a particular user permission to access the BPF
62devices, rather than giving all administrative users permission to
63access them, you can have the ChmodBPF/ChmodBPF script change the
64ownership of /dev/bpf* without changing the permissions.  If you want to
65give a particular user permission to read and write the BPF devices and
66give the administrative users permission to read but not write the BPF
67devices, you can have the script change the owner to that user, the
68group to "admin", and the permissions to rw-r-----.  Other possibilities
69are left as an exercise for the reader.
70
71(NOTE: due to a bug in Snow Leopard, if you change the permissions not
72to grant write permission to everybody who should be allowed to capture
73traffic, non-root users who cannot open the BPF devices for writing will
74not be able to capture outgoing packets.)
75

README.septel

1The following instructions apply if you have a Linux platform and want
2libpcap to support the Septel range of passive network monitoring cards
3from Intel (http://www.intel.com)
4
51) Install and build the Septel software distribution by following the
6instructions supplied with that package.
7
82) Configure libcap. To allow the 'configure' script to locate the Septel
9software distribution use the '--with-septel' option:
10
11        ./configure --with-septel=DIR
12
13where DIR is the root of the Septel software distribution, for example
14/var/src/septel.
15
16By default (if you write only ./configure --with-septel) it takes
17./../septel as argument for DIR.
18
19If the Septel software is correctly detected 'configure' will
20report:
21
22        checking whether we have Septel API... yes
23
24If 'configure' reports that there is no Septel API, the directory may have been
25incorrectly specified or the Septel software was not built before configuring
26libpcap.
27
28See also the libpcap INSTALL.txt file for further libpcap configuration
29options.
30
31Building libpcap at this stage will include support for both the native
32packet capture stream and for capturing from Septel cards.  To build
33libpcap with only Septel support specify the capture type as 'septel'
34when configuring libpcap:
35
36        ./configure --with-septel=DIR --with-pcap=septel
37
38Applications built with libpcap configured in this way will only detect Septel
39cards and will not capture from the native OS packet stream.
40
41Note: As mentioned in pcap-septel.c we should first edit the system.txt
42file to change the user part example (UPE) module id to 0xdd instead of
430x2d for technical reason.  So this change in system.txt is crutial and
44things will go wrong if it's not done.  System.txt along with config.txt
45are configuration files that are edited by the user before running the
46gctload program that uses these files for initialising modules and
47configuring parameters.
48
49----------------------------------------------------------------------
50for more information please contact me : gil_hoyek@hotmail.com
51

README.sita

1The following instructions apply if you have a Linux platform and want
2libpcap to support the 'ACN' WAN/LAN router product from from SITA
3(http://www.sita.aero)
4
5This might also work on non-Linux Unix-compatible platforms, but that
6has not been tested.
7
8See also the libpcap INSTALL.txt file for further libpcap configuration
9options.
10
11These additions/extensions have been made to PCAP to allow it to
12capture packets from a SITA ACN device (and potentially others).
13
14To enable its support you need to ensure that the distribution has
15a correct configure.in file; that can be created if neccessay by
16using the normal autoconf procedure of:
17
18aclocal
19autoconf
20autoheader
21automake
22
23Then run configure with the 'sita' option:
24
25./configure --with-sita
26
27Applications built with libpcap configured in this way will only detect SITA
28ACN interfaces and will not capture from the native OS packet stream.
29
30The SITA extension provides a remote datascope operation for capturing
31both WAN and LAN protocols.  It effectively splits the operation of
32PCAP into two halves.  The top layer performs the majority of the
33work, but interfaces via a TCP session to remote agents that
34provide the lower layer functionality of actual sniffing and
35filtering. More detailed information regarding the functions and
36inter-device protocol and naming conventions are described in detail
37in 'pcap-sita.html'.
38
39pcap_findalldevs() reads the local system's /etc/hosts file looking
40for host names that match the format of IOP type devices.  ie.  aaa_I_x_y
41and then queries each associated IP address for a list of its WAN and
42LAN devices.  The local system the aggregates the lists obtained from
43each IOP, sorts it, and provides it (to Wireshark et.al) as the
44list of monitorable interfaces.
45
46Once a valid interface has been selected, pcap_open() is called
47which opens a TCP session (to a well known port) on the target IOP
48and tells it to start monitoring.
49
50All captured packets are then forwarded across that TCP session
51back to the local 'top layer' for forwarding to the actual
52sniffing program (wireshark...)
53
54Note that the DLT_SITA link-layer type includes a proprietary header
55that is documented as part of the SITA dissector of Wireshark and is
56also described in 'pcap-sita.html' for posterity sake.
57
58That header provides:
59- Packet direction (in/out) (1 octet)
60- Link layer hardware signal status (1 octet)
61- Transmit/Receive error status (2 octets)
62- Encapsulated WAN protocol ID (1 octet)
63
64
65

README.tru64

1The following instructions are applicable to Tru64 UNIX
2(formerly Digital UNIX (formerly DEC OSF/1)) version 4.0, and
3probably to later versions as well; at least some options apply to
4Digital UNIX 3.2 - perhaps all do.
5
6In order to use kernel packet filtering on this system, you have
7to configure it in such a way:
8
9Kernel configuration
10--------------------
11
12The packet filtering kernel option must be enabled at kernel
13installation.  If it was not the case, you can rebuild the kernel with
14"doconfig -c" after adding the following line in the kernel
15configuration file (/sys/conf/<HOSTNAME>):
16
17	option PACKETFILTER
18
19or use "doconfig" without any arguments to add the packet filter driver
20option via the kernel option menu (see the system administration
21documentation for information on how to do this).
22
23Device configuration
24--------------------
25
26Devices used for packet filtering must be created thanks to
27the following command (executed in the /dev directory):
28
29	./MAKEDEV pfilt
30
31Interface configuration
32-----------------------
33
34In order to capture all packets on a network, you may want to allow
35applications to put the interface on that network into "local copy"
36mode, so that tcpdump can see packets sent by the host on which it's
37running as well as packets received by that host, and to put the
38interface into "promiscuous" mode, so that tcpdump can see packets on
39the network segment not sent to the host on which it's running, by using
40the pfconfig(1) command:
41
42	pfconfig +c +p <network_device>
43
44or allow application to put any interface into "local copy" or
45"promiscuous" mode by using the command:
46
47	pfconfig +c +p -a
48
49Note: all instructions given require root privileges.
50