In order for libpcap to be able to capture packets on a Linux system,
the "packet" protocol must be supported by your kernel. If it is not,
you may get error messages such as

	modprobe: can't locate module net-pf-17

in "/var/adm/messages", or may get messages such as

	socket: Address family not supported by protocol

from applications using libpcap.

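The second message is strerror(EAFNOSUPPORT), but a failed socket() call can also come from a plain permission problem, which looks the same to a casual reader of the application's output. The following probe is an added example, not part of libpcap: it opens the same kind of socket libpcap opens on Linux (AF_PACKET, SOCK_RAW, protocol ETH_P_ALL) and classifies the errno it gets. The function and enum names are the example's own; an unprivileged run is expected to report a permission problem rather than a missing kernel option.

```c
/* Added example (not libpcap code): tell "kernel lacks the packet
 * protocol" apart from "process lacks the privilege to use it". */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Fallbacks so the file also compiles on a non-Linux libc; there the
 * probe simply reports that the packet family is unsupported. */
#ifndef AF_PACKET
#define AF_PACKET 17        /* protocol family 17 = "net-pf-17" in the modprobe message */
#endif
#ifndef ETH_P_ALL
#define ETH_P_ALL 0x0003
#endif

enum packet_probe {
    PROBE_OK,               /* socket opened: the packet protocol is available */
    PROBE_NO_AF_PACKET,     /* EAFNOSUPPORT: kernel built without CONFIG_PACKET and no af_packet module */
    PROBE_NO_PRIVILEGE,     /* EPERM/EACCES: family exists, but root or CAP_NET_RAW is needed */
    PROBE_OTHER             /* anything else: inspect errno */
};

/* Map the errno left by socket(AF_PACKET, ...) to a diagnosis. 0 means success. */
enum packet_probe classify_packet_errno(int err)
{
    switch (err) {
    case 0:            return PROBE_OK;
    case EAFNOSUPPORT: return PROBE_NO_AF_PACKET;
    case EPERM:
    case EACCES:       return PROBE_NO_PRIVILEGE;
    default:           return PROBE_OTHER;
    }
}

/* Open the socket libpcap would open, close it again, and classify the outcome.
 * The raw errno is stored through saved_errno when that pointer is non-NULL. */
enum packet_probe probe_af_packet(int *saved_errno)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    int err = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);
    if (saved_errno)
        *saved_errno = err;
    return classify_packet_errno(err);
}

int main(void)
{
    int err;
    switch (probe_af_packet(&err)) {
    case PROBE_OK:
        puts("packet sockets available: CONFIG_PACKET is built in or the module is loaded");
        break;
    case PROBE_NO_AF_PACKET:
        puts("EAFNOSUPPORT: kernel lacks the packet protocol (CONFIG_PACKET / af_packet)");
        break;
    case PROBE_NO_PRIVILEGE:
        puts("permission denied: the packet family exists; run as root or with CAP_NET_RAW");
        break;
    default:
        printf("socket() failed for another reason: %s\n", strerror(err));
    }
    return 0;
}
```

Run it as the same user that runs the capturing application: a PROBE_NO_AF_PACKET result points at the kernel configuration described in the rest of this file, while PROBE_NO_PRIVILEGE means the kernel is fine and only the capability is missing.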
You must configure the kernel with the CONFIG_PACKET option for this
protocol; the following note is from the Linux "Configure.help" file for
the 2.0[.x] kernel:

	Packet socket
	CONFIG_PACKET
	  The Packet protocol is used by applications which communicate
	  directly with network devices without an intermediate network
	  protocol implemented in the kernel, e.g. tcpdump. If you want them
	  to work, choose Y.

	  This driver is also available as a module called af_packet.o ( =
	  code which can be inserted in and removed from the running kernel
	  whenever you want). If you want to compile it as a module, say M
	  here and read Documentation/modules.txt; if you use modprobe or
	  kmod, you may also want to add "alias net-pf-17 af_packet" to
	  /etc/modules.conf.

and the note for the 2.2[.x] kernel says:

	Packet socket
	CONFIG_PACKET
	  The Packet protocol is used by applications which communicate
	  directly with network devices without an intermediate network
	  protocol implemented in the kernel, e.g. tcpdump. If you want them
	  to work, choose Y. This driver is also available as a module called
	  af_packet.o ( = code which can be inserted in and removed from the
	  running kernel whenever you want). If you want to compile it as a
	  module, say M here and read Documentation/modules.txt. You will
	  need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules
	  file for the module version to function automatically. If unsure,
	  say Y.

In addition, there is an option that, in 2.2 and later kernels, will
allow packet capture filters specified to programs such as tcpdump to be
executed in the kernel, so that packets that don't pass the filter won't
be copied from the kernel to the program, rather than having all packets
copied to the program and libpcap doing the filtering in user mode.

Copying packets from the kernel to the program consumes a significant
amount of CPU, so filtering in the kernel can reduce the overhead of
capturing packets if a filter has been specified that discards a
significant number of packets. (If no filter is specified, it makes no
difference whether the filtering isn't performed in the kernel or isn't
performed in user mode. :-))

The option for this is the CONFIG_FILTER option; the "Configure.help"
file says:

	Socket filtering
	CONFIG_FILTER
	  The Linux Socket Filter is derived from the Berkeley Packet Filter.
	  If you say Y here, user-space programs can attach a filter to any
	  socket and thereby tell the kernel that it should allow or disallow
	  certain types of data to get through the socket. Linux Socket
	  Filtering works on all socket types except TCP for now. See the text
	  file linux/Documentation/networking/filter.txt for more information.
	  If unsure, say N.

Note that, by default, libpcap builds with libnl if libnl is present; it
uses libnl to support monitor mode on mac80211 devices. There is a
configuration option to disable building with libnl, but, if that option
is chosen, the monitor-mode APIs (as used by tcpdump's "-I" flag, and as
will probably be used by other applications in the future) won't work
properly on mac80211 devices.

Linux's run-time linker allows shared libraries to be linked with other
shared libraries. This means that if an older version of a shared
library doesn't require routines from some other shared library, and a
later version of the shared library does require those routines, the
later version can be linked with that other shared library and, if it's
otherwise binary-compatible with the older version, can replace that
older version without breaking applications built with the older
version. It also won't break the configure scripts or the build
procedure of applications whose configure script doesn't use the
pcap-config script, if they build with the shared library. (The build
procedure for applications whose configure scripts use the pcap-config
script if present will not break even if they build with the static
library.)

Statistics:
Statistics reported by pcap are platform specific. The statistics
reported by pcap_stats on Linux are as follows:

2.2.x
=====
ps_recv	Number of packets that were accepted by the pcap filter
ps_drop	Always 0; this statistic is not gathered on this platform

2.4.x and later
===============
ps_recv	Number of packets that were accepted by the pcap filter
ps_drop	Number of packets that had passed filtering but were not
	passed on to pcap due to things like buffer shortage, etc.
	This is useful because these are packets you are interested in
	but won't be reported by, for example, tcpdump output.