--- Begin Message ---
On Mar 7, 2022, at 5:55 AM, Christian via tcpdump-workers
wrote:
> hello out there, I created a kernel probe module and I want to watch the
> outputs of that module with pcap/Wireshark or tcpdump... Just like
> usbmon. My prefered tool is dumpcap. So I defined a char device in the
> dev-directory /dev/kpnode from which the pcap interface can read the
> output of that module. In order to enable reading, I started to place a
> handler function into libpcap:
>
> In pcap.c I put in
>
> #ifdef PCAP_SUPPORT_KPNODE
> #include "pcap-kpnode.h"
> #endif
> and later:
> #ifdef PCAP_SUPPORT_KPNODE
> { kpnode_findalldevs, kpnode_create },
> #endif
That's the correct way to add it to the table of libpcap modules.
> further down:
> #ifdef PCAP_SUPPORT_KPNODE
> || strstr(device, "kpnode") != NULL
> #endif
That's presumably in pcap_lookupnet(); if so, that's the correct way to add
kpnode there.
(I need to change that to use a better mechanism, so that it's the
responsibility of the module to handle that, rather than hardcoding module
information in a function.)
> The functions kpnode_findalldevs and kpnode_create are in my files
> pcap-kpnode.c and pcap-kpnode.h. They are not finished yet but the
> subject of this mail is for now, how to connect these functions into
> libpcap and Wireshark so that they are evoked if a device /dev/kpnode
> emerges.
>
> Further I added an entry to configure.ac: AC_DEFINE(PCAP_SUPPORT_KPNODE,
> 1, [target host supports Linux kpmode])
>
> Im not sure if editing the autoconf input file is too much, because I
> don't want to commit my changes to other platforms, it's just a small
> project of my own.
If you're just doing it on your own, and you will be using this modified
libpcap only on systems where kpnode is available, the easiest way to do it
would be to leave out the #ifdef`s for PCAP_SUPPORT_KPNODE.
If your entry in configure.ac unconditionally sets PCAP_SUPPORT_KPNODE, it's
not useful, as it's equivalent to just removing the #ifdefs and hardwiring
kpnode support into your version of libpcap.
If it *doesn't* unconditionally set PCAP_SUPPORT_KPNODE, then you might as well
leave the #ifdefs in.
> But there are also some entries for USBMON in e.x.
> CMakeList.txt and more.
If you're not planning on committing your changes, and you don't plan to use
CMake in the build process, there's no need to modify CMakeList.txt and
anything else CMake-related, such as cmakeconfig.h.in.
> After execution of the configure script I put
> manually my files into the EXTRA_DIST list.
EXTRA_DIST is useful only if you plan to do "make releasetar" to make a source
tarball - and if you want to do *that*, add it to Makefile.in, not to Makefile,
so you won't have to fix Makefile manually.
> But so far, when I build the pcap library not even the symbol kpnode
> appears in the binary
Do you mean that a symbol named "kpnode" doesn't appear in the (shared) library
binary?
Or do you mean that symbols with "kpnode" in their names, such as
kpnode_findalldevs and kpnode_create, don't appear in the library binary?
If so, are you looking for *exported* symbols or *all* symbols? On most
platforms - and Linux is one such platform - we compile libpcap so that *only*
routines we've designated as being libpcap APIs are exported by the library;
others are internal-only symbols. For example, if I do
$ nm libpcap.so.1.11.0-PRE-GIT | egrep usb_
0002f480 t swap_linux_usb_header.isra.0
ee60 t usb_activate
eb00 t usb_cleanup_linux_mmap
f300 t usb_create
f150 t usb_findalldevs
e670 t usb_inject_linux
e6b0 t usb_read_linux_bin
e860 t usb_read_linux_mmap
e660 t usb_setdirection_linux
edc0 t usb_set_ring_size
ed20 t usb_stats_linux_bin
on my Ubuntu 20.04 VM, it shows symbols for the Linux usbmon module, *but* they
aren't exported symbols - they're shown with 't', not 'T'. By contrast, if I do
4$ nm libpcap.so.1.11.0-PRE-GIT | egrep pcap_open
00012ea0 T pcap_open
0001bdc0 T pcap_open_dead
0001bce0 T pcap_open_dead_with_tstamp_precision
0001b9a0 T pcap_open_live
0002cf20 T pcap_open_offline
0001ab10 t pcap_open_offline_common
0002cde0 T pcap_open_offline_with_tstamp_precision
00015b70 t pcap_open_rpcap
symbols such as pcap_open(), pcap_open_live(), pcap_open_offline(), etc. *are*
exported symbols - they're shown with 'T'.
So, to check for symbols, you should do "nm" and pipe the result to "egrep
kpnode_". Those symbols should show up with 't', not 'T', as they aren't part
of the API - kpnode_findalldevs() should automatically get called if a program
calls pcap_findalldevs() (e.g., if tcpdump is compile with this library,
"tcpdump -D" should cause kpnode_findalldevs() to be called, and should show
the kpnode device(s)), and kpnode_create() should automatically get call
