Re: [tcpdump-workers] Problem with libpcap
Guy Harris alum.mit.edu> writes:

> On Dec 2, 2009, at 4:57 AM, Noro Hasina wrote:
>
> > hello!
> > I'm going to install snort2.8 but it depends on libpcap. So I try to install
> > it but it doesn't work. This is the error:
> > gcc -O2 -fPIC -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./pcap-linux.c
> > gcc -O2 -fPIC -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./pcap-usb-linux.c
> > gcc -O2 -fPIC -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./fad-getad.c
> > In file included from ./fad-getad.c:67:
> > /usr/include/linux/if_packet.h:52: error: expected specifier-qualifier-list before '__u32'
> > make: *** [fad-getad.o] Error 1
> > Could you help me please
>
> On which version of which Linux distribution are you trying to compile libpcap?
>
> Note also that your distribution probably has a package (RPM, dpkg, Gentoo package, Slackware package, etc.) for libpcap; if so, you should be able to install libpcap from that package (and your distribution might even have a package for Snort).

I encountered the same problem trying to compile the latest libpcap-1.1 sources on a RHEL5 system. I fixed it with the following patch to fad-getad.c:

--- libpcap-1.1/fad-getad.c 2010-03-11 20:56:53.0 -0500 +++ libpcap-1.1-mine/fad-getad.c2010-03-31 16:05:56.0 -0400 @@ -64,6 +64,7 @@ # ifdef __Lynx__ # include /* LynxOS */ # else +# include # include /* Linux */ # endif #endif

- Chris

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
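Review bot: the added `+# include` line names no header, and the two existing context lines (`# include /* LynxOS */`, `# include /* Linux */`) are likewise empty, so the angle-bracketed filenames have been lost from the archived copy and the hunk cannot be applied as posted; please resend with the filenames intact. From the quoted error (`if_packet.h:52: error: expected specifier-qualifier-list before '__u32'`) the intent is to include the header that defines the kernel `__u32` typedef (`<linux/types.h>` on Linux) ahead of the Linux include that pulls in `linux/if_packet.h`, and the hunk does place the new line before the existing Linux include, which is the right order; the hunk header `@@ -64,6 +64,7 @@` is consistent with that single added line. The `+++` line has its timestamp fused to the filename (`fad-getad.c2010-03-31`), which should be a tab-separated field in a proper unified diff header. Since the thread shows the same source compiling on a 2.6.31 kernel, it would help to state in the commit message that the extra include is needed for older kernel headers such as the 2.6.18-era RHEL5 ones.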
Re: [tcpdump-workers] Problem with libpcap
Guy Harris alum.mit.edu> writes:

> Odd - it compiled on my Ubuntu 9.10 virtual machine, with a 2.6.31-19-generic kernel. What kernel does your
> RHEL5 system have?

"uname -a" reveals:

Linux harley 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:14 EST 2007 x86_64 x86_64 x86_64 GNU/Linux
[tcpdump-workers] Raw USB capturing with libpcap 1.1?
I was under the impression that libpcap allowed one to capture raw USB traffic (see http://wiki.wireshark.org/CaptureSetup/USB). However, with libpcap 1.1, this doesn't seem to work, as I get an error from pcap_compile() with pcap_geterr() returning "USB link-layer type filtering not implemented".

Looking at the libpcap source code in gencode.c:gen_linktype(), it would seem to me that this really is the case and that it's not supported. Can anyone comment? Was it supported at one point but support was removed? If so, I'm curious as to why. Is there a version of libpcap that would support this? Are there plans to support this again in the future? Or am I just doing something wrong?

Thanks,
Chris
Re: [tcpdump-workers] Raw USB capturing with libpcap 1.1?
Guy Harris alum.mit.edu> writes:

> If you're passing to pcap_compile() a string that includes any filter
> primitives other than the "{expr} {relop} {expr}" primitives mentioned in the
> pcap-filter man page, or where any of the "special packet data accessors"
> ({proto}[{expr}:{size}]) have a {proto} other than "link", yes, you're doing
> something wrong

Yup, I was mistakenly using a filter of "udp". I changed the filter and it works as advertised. Thanks for the clarification.
Re: [tcpdump-workers] Raw USB capturing with libpcap 1.1?
Chris Maynard gtech.com> writes:

> I changed the filter and it works as advertised.

I had to put this aside for a while, but revisited it today. While I did change the filter to one of the form "{expr} {relop} {expr}" and was able to successfully capture packets, the capture filter itself doesn't really seem to do much of anything. Basically what I've found is that as long as you have a valid filter specified, ALL packets are captured regardless of what the filter is. However, if I apply the same exact filter when reading a previously saved capture file, then the filter works as expected. Has anyone else experienced this?
Re: [tcpdump-workers] Raw USB capturing with libpcap 1.1?
Guy Harris alum.mit.edu> writes:

> The Linux USB - and Linux Bluetooth - capture code was ignoring any filter that was set. There's no kernel
> filtering for them, so the filtering has to be done in userland; the capture code didn't do that.
>
> I've checked into the main and 1.1 branches changes that should fix that.

Thanks Guy! The filtering is working well now with 1.2.0-PRE-GIT_2010_06_09.
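The two points made in this sub-thread (only `link[off:size] relop value` primitives are meaningful on the USB link type, and USB filtering has to happen in userland because there is no kernel-side filter) as an added Python example; this is not code from the thread or from libpcap. It builds DLT_USB_LINUX (usbmon) records with the 48-byte header layout as I know it from libpcap's pcap/usb.h (id, event type, transfer type, endpoint, device, bus id, flags, timestamp, status, lengths, setup), accepts only the single-primitive filter shape Guy describes, rejects protocol keywords such as `udp` with the same message pcap_compile() reports for this link type, and then runs the predicate over the records in userland. The records, device numbers and payload are constructed sample data, and the tiny grammar (one primitive, optional `& mask`, no `and`/`or`) is my own simplification, not libpcap's compiler.

```python
import operator
import re
import struct

# Constructed DLT_USB_LINUX (usbmon) 48-byte record header in host byte order (little-endian assumed):
# id u64 @0, event_type u8 @8, transfer_type u8 @9, endpoint u8 @10, device u8 @11, bus_id u16 @12,
# setup_flag s8 @14, data_flag s8 @15, ts_sec s64 @16, ts_usec s32 @24, status s32 @28,
# urb_len u32 @32, data_len u32 @36, setup 8 bytes @40. Captured payload follows the header.
USB_HDR = struct.Struct("<QBBBBHbbqiiII8s")
URB_ISOCHRONOUS, URB_INTERRUPT, URB_CONTROL, URB_BULK = 0, 1, 2, 3


def make_record(urb_id, event_type, xfer_type, endpoint, device, bus, payload=b""):
    """Build one usbmon record (constructed sample; flags, timestamp and setup left zero)."""
    hdr = USB_HDR.pack(urb_id, ord(event_type), xfer_type, endpoint, device, bus,
                       0, 0, 0, 0, 0, len(payload), len(payload), bytes(8))
    return hdr + payload


class FilterError(ValueError):
    pass


_PRIMITIVE = re.compile(
    r"^\s*(\w+)\s*\[\s*(\d+)\s*(?::\s*([124])\s*)?\]"        # proto[off] or proto[off:size]
    r"\s*(?:&\s*(0x[0-9a-fA-F]+|\d+))?"                      # optional '& mask'
    r"\s*(==|!=|<=|>=|<|>)\s*(0x[0-9a-fA-F]+|\d+)\s*$")      # relop value
_RELOPS = {"==": operator.eq, "!=": operator.ne, "<=": operator.le,
           ">=": operator.ge, "<": operator.lt, ">": operator.gt}


def compile_usb_filter(expr):
    """Return a predicate over one DLT_USB_LINUX record.

    Only the 'link[off:size] relop value' shape is accepted; a protocol keyword
    ('udp', 'tcp port 25', ...) or a non-'link' accessor is refused, mirroring
    what pcap_compile() does for this link type."""
    m = _PRIMITIVE.match(expr)
    if not m:
        raise FilterError("USB link-layer type filtering not implemented: %r" % expr)
    proto, off, size, mask, relop, value = m.groups()
    if proto != "link":
        raise FilterError("DLT_USB_LINUX supports only the 'link' accessor, got %r" % proto)
    off, size = int(off), int(size or 1)
    mask = int(mask, 0) if mask else None
    value = int(value, 0)
    compare = _RELOPS[relop]

    def predicate(record):
        if off + size > len(record):
            return False                                      # BPF: a load past the end never matches
        field = int.from_bytes(record[off:off + size], "big")  # BPF multi-byte loads are big-endian
        if mask is not None:
            field &= mask
        return compare(field, value)
    return predicate


def is_accepted(expr):
    """True if the expression would get past filter compilation for DLT_USB_LINUX."""
    try:
        compile_usb_filter(expr)
        return True
    except FilterError:
        return False


def filter_records(records, expr):
    """Userland filtering pass: usbmon offers no kernel-side BPF, so the predicate runs here."""
    predicate = compile_usb_filter(expr)
    return [r for r in records if predicate(r)]


SAMPLE_RECORDS = [
    make_record(1, "S", URB_BULK, 0x81, 5, 1),                       # bulk IN submit, device 5
    make_record(1, "C", URB_BULK, 0x81, 5, 1, payload=b"\x01\x02"),  # its completion, 2 data bytes
    make_record(2, "S", URB_CONTROL, 0x00, 5, 1),                    # control OUT submit
    make_record(3, "S", URB_INTERRUPT, 0x81, 7, 2),                  # interrupt IN submit, device 7, bus 2
]

if __name__ == "__main__":
    for expr in ("link[8] == 0x53", "link[9] == 3", "link[10] & 0x80 == 0x80", "udp"):
        try:
            print("%-26s -> %d record(s)" % (expr, len(filter_records(SAMPLE_RECORDS, expr))))
        except FilterError as e:
            print("%-26s -> rejected: %s" % (expr, e))
```

Single-byte fields such as the event type at offset 8 (`'S'` submit, `'C'` complete) are the safe ones to test; multi-byte fields such as the bus id at offset 12 are written by usbmon in host byte order while a `link[12:2]` load is big-endian, so on a little-endian host the comparison value has to be byte-swapped.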
Re: [tcpdump-workers] cross-compiling
Folkert van Heusden gmail.com> writes:

> What can be the cause of this? And how do I solve this problem?

It would appear that HAVE_PCAP_DATALINK_NAME_TO_VAL isn't defined.
Re: [tcpdump-workers] Libpcap: BPF filter for ipv6 tunnel
Guy Harris alum.mit.edu> writes:

> On Jul 31, 2011, at 4:26 PM, ramkumar.paranandi gmail.com wrote:
>
> > I have smtp traffic over ipv6 tunneled in ipv4. ip->ipv6->tcp->smtp
> > How can we set bpf to filter smtp in ipv6 in ipv4 tunnel traffic? I have tried with ip protochain 0x06 it is not working.
>
> "ip protochain" doesn't support "shifting gears" from IPv4 to IPv6; it only supports AH.
>
> There is, unfortunately, currently no way to ask for the type of filtering you need - libpcap doesn't know
> about IP protocol 41 (which I assume is what's being used here). Time permitting, I'll look at
> implementing something.

Would something like this (untested) filter work in a pinch?

(ip[9]==41) and (ip[((ip[0]&0x0f)<<2)+6]==6) and ((ip[(((ip[0]&0x0f)<<2)+16):2]==25) or (ip[(((ip[0]&0x0f)<<2)+18):2]==25))

- Chris
Re: [tcpdump-workers] Libpcap: BPF filter for ipv6 tunnel
Guy Harris alum.mit.edu> writes:

> On Jul 31, 2011, at 4:26 PM, ramkumar.paranandi gmail.com wrote:
>
> > I have smtp traffic over ipv6 tunneled in ipv4. ip->ipv6->tcp->smtp
> > How can we set bpf to filter smtp in ipv6 in ipv4 tunnel traffic? I have tried with ip protochain 0x06 it is not working.
>
> "ip protochain" doesn't support "shifting gears" from IPv4 to IPv6; it only supports AH.
>
> There is, unfortunately, currently no way to ask for the type of filtering you need - libpcap doesn't know
> about IP protocol 41 (which I assume is what's being used here). Time permitting, I'll look at
> implementing something.

Would something like this (completely untested) filter do the job in a pinch?

(ip[9]==41) and (ip[((ip[0]&0x0f)<<2)+6]==6) and ((ip[(((ip[0]&0x0f)<<2)+16):2]==25) or (ip[(((ip[0]&0x0f)<<2)+18):2]==25))

- Chris
[tcpdump-workers] tcpdump license and Nokia
If I visit http://www.wireshark.org/, I can find the GPL license without too much searching at the bottom of this page: http://www.wireshark.org/about.html. I can't seem to find the tcpdump/libpcap license mentioned anywhere on http://www.tcpdump.org/. Is it mentioned somewhere and I'm just missing it?

The reason I bring this up is because I believe Nokia has modified tcpdump and is including it with their IPSO software. Tcpdump is GPL'd, isn't it? So Nokia should be making their modified tcpdump sources available; yet I can't seem to find it available for download anywhere.

Thanks.
- Chris
Re: [tcpdump-workers] tcpdump license and Nokia
Tyson Key gmail.com> writes:

> As far as I'm aware, TCPDump is released under the terms of the BSD Licence
> - meaning that Nokia haven't got any obligations regarding releasing their
> modifications; and whilst it's not the most reliable information source on
> the planet, Wikipedia seems to corroborate that thought.

Thanks Tyson. Yes, I see that now in the sources. Still, might it be useful to mention the license somewhere on the web site?
Re: [tcpdump-workers] tcpdump license and Nokia
Tyson Key gmail.com> writes:

> For what it's worth, you could try asking Petra Söderling (
> petra.soderling nokia.com) - who happens to head some of the Open Source
> initiatives at Nokia.

For what it's worth, I e-mailed him. Thanks again.
- Chris
Re: [tcpdump-workers] tcpdump license and Nokia
Guy Harris alum.mit.edu> writes:

> On Dec 22, 2011, at 11:32 AM, Chris Maynard wrote:
>
> > For what it's worth, I e-mailed him. Thanks again.
>
> I hope your e-mail didn't use any masculine pronouns when referring to Petra:
>
> http://www.linkedin.com/in/petrasoderling

Oops, thanks for pointing that out. Luckily, I only used "you" in my e-mail to her and no gender-specific pronouns.

> Not that it matters, as the Nokia unit whose appliances used IPSO was sold to Check Point:
>
> http://www.checkpoint.com/nokia/welcome/index.html
>
> so the mutant flavor of tcpdump (and probably of libpcap and possibly even the kernel BPF code) now belongs
> to them.

Well, if she's no longer the person in charge of open source at Nokia, there might be a chance she knows who is and can either let me know or forward my request to that person. I won't hold my breath though.
Re: [tcpdump-workers] tcpdump license and Nokia
Chris Maynard gtech.com> writes:

> > Not that it matters, as the Nokia unit whose appliances used IPSO was sold to
> > Check Point:
> >
> > http://www.checkpoint.com/nokia/welcome/index.html
> >
> > so the mutant flavor of tcpdump (and probably of libpcap and possibly even
> > the kernel BPF code) now belongs
> > to them.
>
> Well, if she's no longer the person in charge of open source at Nokia, there
> might be a chance she knows who is and can either let me know or forward my
> request to that person. I won't hold my breath though.

OK, well I decided to open a Check Point service request about this, basically asking them for more information regarding the IPSO tcpdump/libpcap file format. I understand that they are under no obligation to release any of this information, so it's doubtful I'll receive anything. On the other hand, it's certain that I won't receive anything if I don't even ask for it, so I figured I'd take a chance. In the unlikely event that they do share some information with me, I'll be sure to pass it along.
[tcpdump-workers] Typo?
If you visit http://blog.gmane.org/gmane.network.tcpdump.devel, it indicates at the top of the page that tcpdump-workers@lists.tcpdump.org is a "list about the developpement of tcpdump".
- Chris