blob: f92cd22b9e915a831d6703c740fe2e9ae8fd9602 [file] [log] [blame] [edit]
In order for libpcap to be able to capture packets on a Linux system,
the "packet" protocol must be supported by your kernel. If it is not,
you may get error messages such as
modprobe: can't locate module net-pf-17
in "/var/adm/messages", or may get messages such as
socket: Address family not supported by protocol
from applications using libpcap.
You must configure the kernel with the CONFIG_PACKET option for this
protocol; the following note is from the Linux "Configure.help" file for
the 2.0[.x] kernel:
Packet socket
CONFIG_PACKET
The Packet protocol is used by applications which communicate
directly with network devices without an intermediate network
protocol implemented in the kernel, e.g. tcpdump. If you want them
to work, choose Y.
This driver is also available as a module called af_packet.o ( =
code which can be inserted in and removed from the running kernel
whenever you want). If you want to compile it as a module, say M
here and read Documentation/modules.txt; if you use modprobe or
kmod, you may also want to add "alias net-pf-17 af_packet" to
/etc/modules.conf.
and the note for the 2.2[.x] kernel says:
Packet socket
CONFIG_PACKET
The Packet protocol is used by applications which communicate
directly with network devices without an intermediate network
protocol implemented in the kernel, e.g. tcpdump. If you want them
to work, choose Y. This driver is also available as a module called
af_packet.o ( = code which can be inserted in and removed from the
running kernel whenever you want). If you want to compile it as a
module, say M here and read Documentation/modules.txt. You will
need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules
file for the module version to function automatically. If unsure,
say Y.
In addition, there is an option that, in 2.2 and later kernels, will
allow packet capture filters specified to programs such as tcpdump to be
executed in the kernel, so that packets that don't pass the filter won't
be copied from the kernel to the program, rather than having all packets
copied to the program and libpcap doing the filtering in user mode.
Copying packets from the kernel to the program consumes a significant
amount of CPU, so filtering in the kernel can reduce the overhead of
capturing packets if a filter has been specified that discards a
significant number of packets. (If no filter is specified, it makes no
difference whether the filtering isn't performed in the kernel or isn't
performed in user mode. :-))
The option for this is the CONFIG_FILTER option; the "Configure.help"
file says:
Socket filtering
CONFIG_FILTER
The Linux Socket Filter is derived from the Berkeley Packet Filter.
If you say Y here, user-space programs can attach a filter to any
socket and thereby tell the kernel that it should allow or disallow
certain types of data to get through the socket. Linux Socket
Filtering works on all socket types except TCP for now. See the text
file linux/Documentation/networking/filter.txt for more information.
If unsure, say N.
Note that, by default, libpcap will, if libnl is present, build with it;
it uses libnl to support monitor mode on mac80211 devices. There is a
configuration option to disable building with libnl, but, if that option
is chosen, the monitor-mode APIs (as used by tcpdump's "-I" flag, and as
will probably be used by other applications in the future) won't work
properly on mac80211 devices.
Linux's run-time linker allows shared libraries to be linked with other
shared libraries, which means that if an older version of a shared
library doesn't require routines from some other shared library, and a
later version of the shared library does require those routines, the
later version of the shared library can be linked with that other shared
library and, if it's otherwise binary-compatible with the older version,
can replace that older version without breaking applications built with
the older version, and without breaking configure scripts or the build
procedure for applications whose configure script doesn't use the
pcap-config script if they build with the shared library. (The build
procedure for applications whose configure scripts use the pcap-config
script if present will not break even if they build with the static
library.)
Statistics:
Statistics reported by pcap are platform specific. The statistics
reported by pcap_stats on Linux are as follows:
2.2.x
=====
ps_recv Number of packets that were accepted by the pcap filter
ps_drop Always 0, this statistic is not gatherd on this platform
2.4.x
=====
ps_recv Number of packets that were accepted by the pcap filter
ps_drop Number of packets that had passed filtering but were not
passed on to pcap due to things like buffer shortage, etc.
This is useful because these are packets you are interested in
but won't be reported by, for example, tcpdump output.