nexmon – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | In order for libpcap to be able to capture packets on a Linux system, |
| 2 | the "packet" protocol must be supported by your kernel. If it is not, |
||
| 3 | you may get error messages such as |
||
| 4 | |||
| 5 | modprobe: can't locate module net-pf-17 |
||
| 6 | |||
| 7 | in "/var/adm/messages", or may get messages such as |
||
| 8 | |||
| 9 | socket: Address family not supported by protocol |
||
| 10 | |||
| 11 | from applications using libpcap. |
||
| 12 | |||
| 13 | You must configure the kernel with the CONFIG_PACKET option for this |
||
| 14 | protocol; the following note is from the Linux "Configure.help" file for |
||
| 15 | the 2.0[.x] kernel: |
||
| 16 | |||
| 17 | Packet socket |
||
| 18 | CONFIG_PACKET |
||
| 19 | The Packet protocol is used by applications which communicate |
||
| 20 | directly with network devices without an intermediate network |
||
| 21 | protocol implemented in the kernel, e.g. tcpdump. If you want them |
||
| 22 | to work, choose Y. |
||
| 23 | |||
| 24 | This driver is also available as a module called af_packet.o ( = |
||
| 25 | code which can be inserted in and removed from the running kernel |
||
| 26 | whenever you want). If you want to compile it as a module, say M |
||
| 27 | here and read Documentation/modules.txt; if you use modprobe or |
||
| 28 | kmod, you may also want to add "alias net-pf-17 af_packet" to |
||
| 29 | /etc/modules.conf. |
||
| 30 | |||
| 31 | and the note for the 2.2[.x] kernel says: |
||
| 32 | |||
| 33 | Packet socket |
||
| 34 | CONFIG_PACKET |
||
| 35 | The Packet protocol is used by applications which communicate |
||
| 36 | directly with network devices without an intermediate network |
||
| 37 | protocol implemented in the kernel, e.g. tcpdump. If you want them |
||
| 38 | to work, choose Y. This driver is also available as a module called |
||
| 39 | af_packet.o ( = code which can be inserted in and removed from the |
||
| 40 | running kernel whenever you want). If you want to compile it as a |
||
| 41 | module, say M here and read Documentation/modules.txt. You will |
||
| 42 | need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules |
||
| 43 | file for the module version to function automatically. If unsure, |
||
| 44 | say Y. |
||
| 45 | |||
| 46 | In addition, there is an option that, in 2.2 and later kernels, will |
||
| 47 | allow packet capture filters specified to programs such as tcpdump to be |
||
| 48 | executed in the kernel, so that packets that don't pass the filter won't |
||
| 49 | be copied from the kernel to the program, rather than having all packets |
||
| 50 | copied to the program and libpcap doing the filtering in user mode. |
||
| 51 | |||
| 52 | Copying packets from the kernel to the program consumes a significant |
||
| 53 | amount of CPU, so filtering in the kernel can reduce the overhead of |
||
| 54 | capturing packets if a filter has been specified that discards a |
||
| 55 | significant number of packets. (If no filter is specified, it makes no |
||
| 56 | difference whether the filtering isn't performed in the kernel or isn't |
||
| 57 | performed in user mode. :-)) |
||
| 58 | |||
| 59 | The option for this is the CONFIG_FILTER option; the "Configure.help" |
||
| 60 | file says: |
||
| 61 | |||
| 62 | Socket filtering |
||
| 63 | CONFIG_FILTER |
||
| 64 | The Linux Socket Filter is derived from the Berkeley Packet Filter. |
||
| 65 | If you say Y here, user-space programs can attach a filter to any |
||
| 66 | socket and thereby tell the kernel that it should allow or disallow |
||
| 67 | certain types of data to get through the socket. Linux Socket |
||
| 68 | Filtering works on all socket types except TCP for now. See the text |
||
| 69 | file linux/Documentation/networking/filter.txt for more information. |
||
| 70 | If unsure, say N. |
||
| 71 | |||
| 72 | Note that, by default, libpcap will, if libnl is present, build with it; |
||
| 73 | it uses libnl to support monitor mode on mac80211 devices. There is a |
||
| 74 | configuration option to disable building with libnl, but, if that option |
||
| 75 | is chosen, the monitor-mode APIs (as used by tcpdump's "-I" flag, and as |
||
| 76 | will probably be used by other applications in the future) won't work |
||
| 77 | properly on mac80211 devices. |
||
| 78 | |||
| 79 | Linux's run-time linker allows shared libraries to be linked with other |
||
| 80 | shared libraries, which means that if an older version of a shared |
||
| 81 | library doesn't require routines from some other shared library, and a |
||
| 82 | later version of the shared library does require those routines, the |
||
| 83 | later version of the shared library can be linked with that other shared |
||
| 84 | library and, if it's otherwise binary-compatible with the older version, |
||
| 85 | can replace that older version without breaking applications built with |
||
| 86 | the older version, and without breaking configure scripts or the build |
||
| 87 | procedure for applications whose configure script doesn't use the |
||
| 88 | pcap-config script if they build with the shared library. (The build |
||
| 89 | procedure for applications whose configure scripts use the pcap-config |
||
| 90 | script if present will not break even if they build with the static |
||
| 91 | library.) |
||
| 92 | |||
| 93 | Statistics: |
||
| 94 | Statistics reported by pcap are platform specific. The statistics |
||
| 95 | reported by pcap_stats on Linux are as follows: |
||
| 96 | |||
| 97 | 2.2.x |
||
| 98 | ===== |
||
| 99 | ps_recv Number of packets that were accepted by the pcap filter |
||
| 100 | ps_drop Always 0, this statistic is not gatherd on this platform |
||
| 101 | |||
| 102 | 2.4.x |
||
| 103 | ===== |
||
| 104 | ps_recv Number of packets that were accepted by the pcap filter |
||
| 105 | ps_drop Number of packets that had passed filtering but were not |
||
| 106 | passed on to pcap due to things like buffer shortage, etc. |
||
| 107 | This is useful because these are packets you are interested in |
||
| 108 | but won't be reported by, for example, tcpdump output. |