To build libpcap, run "./configure" (a shell script). The configure
script will determine your system attributes and generate an
appropriate Makefile from Makefile.in. Next run "make". If everything
goes well you can su to root and run "make install". However, you need
not install libpcap if you just want to build tcpdump; just make sure
the tcpdump and libpcap directory trees have the same parent
directory.

If configure says:

    configure: warning: cannot determine packet capture interface
    configure: warning: (see INSTALL for more info)

then your system either does not support packet capture or your system
does support packet capture but libpcap does not support that
particular type. (If you have HP-UX, see below.) If your system uses a
packet capture not supported by libpcap, please send us patches; don't
forget to include an autoconf fragment suitable for use in
configure.in.

It is possible to override the default packet capture type, although
the circumstances where this works are limited. For example if you have
installed bpf under SunOS 4 and wish to build a snit libpcap:

    ./configure --with-pcap=snit

Another example is to force a supported packet capture type in the case
where the configure script fails to detect it.

You will need an ANSI C compiler to build libpcap. The configure script
will abort if your compiler is not ANSI compliant. If this happens, use
the generally available GNU C compiler (GCC).

If you use flex, you must use version 2.4.6 or higher. The configure
script automatically detects the version of flex and will not use it
unless it is new enough. You can use "flex -V" to see what version you
have (unless it's really old). The current version of flex is available
at flex.sourceforge.net and often comes packaged by means of the OS.
As of this writing, the current version is 2.5.37.

If you use bison, you must use flex (and vice versa). The configure
script automatically falls back to lex and yacc if both flex and bison
are not found.

Sometimes the stock C compiler does not interact well with flex and
bison. The list of problems includes undefined references for alloca.
You can get around this by installing gcc or manually disabling flex
and bison with:

    ./configure --without-flex --without-bison

If your system only has AT&T lex, this is okay unless your libpcap
program uses other lex/yacc generated code. (Although it's possible to
map the yy* identifiers with a script, we use flex and bison so we
don't feel this is necessary.)

Some systems support the Berkeley Packet Filter natively; for example
out of the box OSF and BSD/OS have bpf. If your system does not support
bpf, you will need to pick up:

    ftp://ftp.ee.lbl.gov/bpf-*.tar.Z

Note well: you MUST have kernel source for your operating system in
order to install bpf. An exception is SunOS 4; the bpf distribution
includes replacement kernel objects for some of the standard SunOS 4
network device drivers. See the bpf INSTALL document for more
information.

If you use Solaris, there is a bug with bufmod(7) that is fixed in
Solaris 2.3.2 (aka SunOS 5.3.2). Setting a snapshot length with the
broken bufmod(7) results in data being truncated from the FRONT of the
packet instead of the end. The workaround is to not set a snapshot
length but this results in performance problems since the entire packet
is copied to user space. If you must run an older version of Solaris,
there is a patch available from Sun; ask for bugid 1149065. After
installing the patch, use "setenv BUFMOD_FIXED" to enable use of
bufmod(7). However, we recommend you run a more current release of
Solaris.

If you use the SPARCompiler, you must be careful to not use the
/usr/ucb/cc interface. If you do, you will get bogus warnings and
perhaps errors. Either make sure your path has /opt/SUNWspro/bin
before /usr/ucb or else:

    setenv CC /opt/SUNWspro/bin/cc

before running configure. (You might have to do a "make distclean"
if you already ran configure once).

Also note that "make depend" won't work; while all of the known
universe uses -M, the SPARCompiler uses -xM to generate makefile
dependencies.

If you are trying to do packet capture with a FORE ATM card, you may or
may not be able to. They usually only release their driver in object
code so unless their driver supports packet capture, there's not much
libpcap can do.

If you get an error like:

    tcpdump: recv_ack: bind error 0x???

when using DLPI, look for the DL_ERROR_ACK error return values, usually
in /usr/include/sys/dlpi.h, and find the corresponding value.

Under {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be
enabled before it can be used. For instructions on how to enable packet
filter support, see:

    ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX

Look for the "How do I configure the Berkeley Packet Filter and capture
tcpdump traces?" item.

Once you enable packet filter support, your OSF system will support bpf
natively.

Under Ultrix, packet capture must be enabled before it can be used. For
instructions on how to enable packet filter support, see:

    ftp://ftp.digital.com/pub/Digital/dec-faq/ultrix

If you use HP-UX, you must have at least version 9 and either the
version of cc that supports ANSI C (cc -Aa) or else use the GNU C
compiler. You must also buy the optional streams package. If you don't
have:

    /usr/include/sys/dlpi.h
    /usr/include/sys/dlpi_ext.h

then you don't have the streams package. In addition, we believe you
need to install the "9.X LAN and DLPI drivers cumulative" patch
(PHNE_6855) to make the version 9 DLPI work with libpcap.

The DLPI streams package is standard starting with HP-UX 10.

The HP implementation of DLPI is a little bit eccentric. Unlike
Solaris, you must attach /dev/dlpi instead of the specific /dev/*
network pseudo device entry in order to capture packets. The PPA is
based on the ifnet "index" number. Under HP-UX 9, it is necessary to
read /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10,
DLPI can provide information for determining the PPA. It does not seem
to be possible to trace the loopback interface. Unlike other DLPI
implementations, PHYS implies MULTI and SAP and you get an error if you
try to enable more than one promiscuous mode at a time.

It is impossible to capture outbound packets on HP-UX 9. To do so on
HP-UX 10, you will, apparently, need a late "LAN products cumulative
patch" (at one point, it was claimed that this would be PHNE_18173 for
s700/10.20; at another point, it was claimed that the required patches
were PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do
so on HP-UX 11 you will, apparently, need the latest lancommon/DLPI
patches and the latest driver patch for the interface(s) in use on HP-UX
11 (at one point, it was claimed that patches PHNE_19766, PHNE_19826,
PHNE_20008, and PHNE_20735 did the trick).

Furthermore, on HP-UX 10, you will need to turn on a kernel switch by
doing

    echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem

You would have to arrange that this happen on reboots; the right way to
do that would probably be to put it into an executable script file
"/sbin/init.d/outbound_promisc" and to make
"/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script.

Finally, testing shows that there can't be more than one simultaneous
DLPI user per network interface.
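
One way to write the "/sbin/init.d/outbound_promisc" script described
above for HP-UX 10. This is an added example, not a file from the
libpcap distribution. It assumes the HP-UX rc argument convention
(start_msg, stop_msg, start, stop, with exit status 2 meaning
"skipped") and that "uname -r" reports HP-UX 10 as ?.10.*; the ADB,
KERNEL and KMEM variables and the function names are hypothetical.

```shell
#!/bin/sh
# /sbin/init.d/outbound_promisc (added example, not shipped with libpcap)
# Re-applies the lanc_outbound_promisc_flag kernel switch at boot on HP-UX 10.
# Link it into the run-level 2 start sequence with:
#   ln -s /sbin/init.d/outbound_promisc /sbin/rc2.d/S350outbound_promisc

# Overridable so the script can be exercised without touching a real kernel.
ADB=${ADB:-adb}
KERNEL=${KERNEL:-/stand/vmunix}
KMEM=${KMEM:-/dev/mem}

# True only for HP-UX 10.x (assumed: uname -r there looks like "B.10.20").
is_hpux10() {
    [ "$1" = "HP-UX" ] || return 1
    case "$2" in
        ?.10.*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Write 1 into the switch, using the same adb command as the text above.
set_outbound_promisc() {
    echo 'lanc_outbound_promisc_flag/W 1' | "$ADB" -w "$KERNEL" "$KMEM"
}

# rc entry point. Return codes follow the rc convention assumed here:
# 0 = done, 1 = failed, 2 = skipped.
rc_main() {
    case "$1" in
        start_msg) echo "Enabling outbound promiscuous capture" ;;
        stop_msg)  echo "Outbound promiscuous capture left unchanged" ;;
        start)
            # Only HP-UX 10 needs the switch; skip everywhere else.
            is_hpux10 "$(uname -s)" "$(uname -r)" || return 2
            [ -r "$KERNEL" ] || { echo "cannot read $KERNEL" >&2; return 1; }
            set_outbound_promisc >/dev/null || return 1
            ;;
        stop)      return 2 ;;   # nothing to undo at shutdown
        *)         echo "usage: $0 {start|stop|start_msg|stop_msg}" >&2
                   return 1 ;;
    esac
    return 0
}

# Dispatch only when invoked with an argument, as rc does.
if [ $# -gt 0 ]; then
    rc_main "$@"
    exit $?
fi
```

The script must be owned by root and not writable by anyone else, since
it runs adb in write mode against the kernel at every boot.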

If you use Linux, this version of libpcap is known to compile and run
under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X
versions but is guaranteed not to work with 1.X kernels. Running more
than one libpcap program at a time, on a system with a 2.0.X kernel, can
cause problems since promiscuous mode is implemented by twiddling the
interface flags from the libpcap application; the packet capture
mechanism in the 2.2 and later kernels doesn't have this problem. Also,
packet timestamps aren't very good. This appears to be due to haphazard
handling of the timestamp in the kernel.

Note well: there is rumoured to be a version of tcpdump floating around
called 3.0.3 that includes libpcap and is supposed to support Linux.
You should be advised that neither the Network Research Group at LBNL
nor the Tcpdump Group ever generated a release with this version number.
The LBNL Network Research Group notes with interest that a standard
cracker trick to get people to install trojans is to distribute bogus
packages that have a version number higher than the current release.
They also noted with annoyance that 90% of the Linux related bug reports
they got are due to changes made to unofficial versions of their page.
If you are having trouble but aren't using a version that came from
tcpdump.org, please try that before submitting a bug report!

On Linux, libpcap will not work if the kernel does not have the packet
socket option enabled; see the README.linux file for information about
this.

If you use AIX, you may not be able to build libpcap from this release.
We do not have an AIX system in house so it's impossible for us to test
AIX patches submitted to us. We are told that you must link against
/lib/pse.exp, that you must use AIX cc or a GNU C compiler newer than
2.7.2, and that you may need to run strload before running a libpcap
application.

Read the README.aix file for information on installing libpcap and
configuring your system to be able to support libpcap.

If you use NeXTSTEP, you will not be able to build libpcap from this
release.

If you use SINIX, you should be able to build libpcap from this
release. It is known to compile and run on SINIX-Y/N 5.42 with the C-DS
V1.0 or V1.1 compiler. But note that in some releases of SINIX, yacc
emits incorrect code; if grammar.y fails to compile, change every
occurrence of:

    #ifdef YYDEBUG

to:

    #if YYDEBUG

Another workaround is to use flex and bison.

If you use SCO, you might have trouble building libpcap from this
release. We do not have a machine running SCO and have not had reports
of anyone successfully building on it; the current release of libpcap
does not compile on SCO OpenServer 5. Although SCO apparently supports
DLPI to some extent, the DLPI in OpenServer 5 is very non-standard, and
it appears that completely new code would need to be written to capture
network traffic. SCO do not appear to provide tcpdump binaries for
OpenServer 5 or OpenServer 6 as part of SCO Skunkware:

    http://www.sco.com/skunkware/

If you use UnixWare, you might be able to build libpcap from this
release, or you might not. We do not have a machine running UnixWare,
so we have not tested it; however, SCO provide packages for libpcap
0.6.2 and tcpdump 3.7.1 in the UnixWare 7/Open UNIX 8 part of SCO
Skunkware, and the source package for libpcap 0.6.2 is not changed from
the libpcap 0.6.2 source release, so this release of libpcap might also
build without changes on UnixWare 7.

If linking tcpdump fails with "Undefined: _alloca" when using bison on
a Sun4, your version of bison is broken. In any case version 1.16 or
higher is recommended (1.14 is known to cause problems; 1.16 is known to
work). Either pick up a current version from:

    ftp://ftp.gnu.org/pub/gnu/bison

or hack around it by inserting the lines:

    #ifdef __GNUC__
    #define alloca __builtin_alloca
    #else
    #ifdef sparc
    #include <alloca.h>
    #else
    char *alloca ();
    #endif
    #endif

right after the (100 line!) GNU license comment in bison.simple, remove
grammar.[co] and fire up make again.

If you use SunOS 4, your kernel must support streams NIT. If you run a
libpcap program and it dies with:

    /dev/nit: No such device

you must add streams NIT support to your kernel configuration, run
config and boot the new kernel.

If you are running a version of SunOS earlier than 4.1, you will need
to replace the Sun supplied /sys/sun{3,4,4c}/OBJ/nit_if.o with the
appropriate version from this distribution's SUNOS4 subdirectory and
build a new kernel:

    nit_if.o.sun3-sunos4        (any flavor of sun3)
    nit_if.o.sun4c-sunos4.0.3c  (SS1, SS1+, IPC, SLC, etc.)
    nit_if.o.sun4-sunos4        (Sun4's not covered by
                                    nit_if.o.sun4c-sunos4.0.3c)

These nit replacements fix a bug that makes nit essentially unusable in
pre-SunOS 4.1. In addition, our sun4c-sunos4.0.3c nit gives you
timestamps to the resolution of the SS-1 clock (1 us) rather than the
lousy 20ms timestamps Sun gives you (tcpdump will print out the full
timestamp resolution if it finds it's running on a SS-1).

FILES
-----
CHANGES            - description of differences between releases
ChmodBPF/*         - Mac OS X startup item to set ownership and permissions
                     on /dev/bpf*
CREDITS            - people that have helped libpcap along
INSTALL.txt        - this file
LICENSE            - the license under which tcpdump is distributed
Makefile.in        - compilation rules (input to the configure script)
README             - description of distribution
README.aix         - notes on using libpcap on AIX
README.dag         - notes on using libpcap to capture on Endace DAG devices
README.hpux        - notes on using libpcap on HP-UX
README.linux       - notes on using libpcap on Linux
README.macosx      - notes on using libpcap on Mac OS X
README.septel      - notes on using libpcap to capture on Intel/Septel devices
README.sita        - notes on using libpcap to capture on SITA devices
README.tru64       - notes on using libpcap on Digital/Tru64 UNIX
README.Win32       - notes on using libpcap on Win32 systems (with WinPcap)
SUNOS4             - pre-SunOS 4.1 replacement kernel nit modules
VERSION            - version of this release
acconfig.h         - support for post-2.13 autoconf
aclocal.m4         - autoconf macros
arcnet.h           - ARCNET definitions
atmuni31.h         - ATM Q.2931 definitions
bpf/net            - copy of bpf_filter.c
bpf_dump.c         - BPF program printing routines
bpf_filter.c       - symlink to bpf/net/bpf_filter.c
bpf_image.c        - BPF disassembly routine
config.guess       - autoconf support
config.h.in        - autoconf input
config.sub         - autoconf support
configure          - configure script (run this first)
configure.in       - configure script source
dlpisubs.c         - DLPI-related functions for pcap-dlpi.c and pcap-libdlpi.c
dlpisubs.h         - DLPI-related function declarations
etherent.c         - /etc/ethers support routines
ethertype.h        - Ethernet protocol types and names definitions
fad-getad.c        - pcap_findalldevs() for systems with getifaddrs()
fad-gifc.c         - pcap_findalldevs() for systems with only SIOCGIFLIST
fad-glifc.c        - pcap_findalldevs() for systems with SIOCGLIFCONF
fad-null.c         - pcap_findalldevs() for systems without capture support
fad-sita.c         - pcap_findalldevs() for systems with SITA support
fad-win32.c        - pcap_findalldevs() for WinPcap
filtertest.c       - test program for BPF compiler
findalldevstest.c  - test program for pcap_findalldevs()
gencode.c          - BPF code generation routines
gencode.h          - BPF code generation definitions
grammar.y          - filter string grammar
ieee80211.h        - 802.11 definitions
inet.c             - network routines
install-sh         - BSD style install script
lbl/os-*.h         - OS-dependent defines and prototypes
llc.h              - 802.2 LLC SAP definitions
missing/*          - replacements for missing library functions
mkdep              - construct Makefile dependency list
msdos/*            - drivers for MS-DOS capture support
nametoaddr.c       - hostname to address routines
nlpid.h            - OSI network layer protocol identifier definitions
net                - symlink to bpf/net
optimize.c         - BPF optimization routines
pcap/bluetooth.h   - public definition of DLT_BLUETOOTH_HCI_H4_WITH_PHDR header
pcap/bpf.h         - BPF definitions
pcap/namedb.h      - public libpcap name database definitions
pcap/pcap.h        - public libpcap definitions
pcap/sll.h         - public definition of DLT_LINUX_SLL header
pcap/usb.h         - public definition of DLT_USB header
pcap-bpf.c         - BSD Packet Filter support
pcap-bpf.h         - header for backwards compatibility
pcap-bt-linux.c    - Bluetooth capture support for Linux
pcap-bt-linux.h    - Bluetooth capture support for Linux
pcap-dag.c         - Endace DAG device capture support
pcap-dag.h         - Endace DAG device capture support
pcap-dlpi.c        - Data Link Provider Interface support
pcap-dos.c         - MS-DOS capture support
pcap-dos.h         - headers for MS-DOS capture support
pcap-enet.c        - enet support
pcap-int.h         - internal libpcap definitions
pcap-libdlpi.c     - Data Link Provider Interface support for systems with libdlpi
pcap-linux.c       - Linux packet socket support
pcap-namedb.h      - header for backwards compatibility
pcap-nit.c         - SunOS Network Interface Tap support
pcap-nit.h         - SunOS Network Interface Tap definitions
pcap-null.c        - dummy monitor support (allows offline use of libpcap)
pcap-pf.c          - Ultrix and Digital/Tru64 UNIX Packet Filter support
pcap-pf.h          - Ultrix and Digital/Tru64 UNIX Packet Filter definitions
pcap-septel.c      - Intel/Septel device capture support
pcap-septel.h      - Intel/Septel device capture support
pcap-sita.c        - SITA device capture support
pcap-sita.h        - SITA device capture support
pcap-sita.html     - SITA device capture documentation
pcap-stdinc.h      - includes and #defines for compiling on Win32 systems
pcap-snit.c        - SunOS 4.x STREAMS-based Network Interface Tap support
pcap-snoop.c       - IRIX Snoop network monitoring support
pcap-usb-linux.c   - USB capture support for Linux
pcap-usb-linux.h   - USB capture support for Linux
pcap-win32.c       - WinPcap capture support
pcap.3pcap         - manual entry for the library
pcap.c             - pcap utility routines
pcap.h             - header for backwards compatibility
pcap_*.3pcap       - manual entries for library functions
pcap-filter.4      - manual entry for filter syntax
pcap-linktype.4    - manual entry for link-layer header types
ppp.h              - Point to Point Protocol definitions
runlex.sh          - wrapper for Lex/Flex
savefile.c         - offline support
scanner.l          - filter string scanner
sunatmpos.h        - definitions for SunATM capturing
Win32              - headers and routines for building on Win32 systems