nexmon – Blame information for rev 1

Subversion Repositories:
Rev:
Rev Author Line No. Line
1 office 1 In order to capture packets (with Wireshark/TShark, tcpdump, or any
2 other libpcap-based packet capture program) on a Linux system, the
3 "packet" protocol must be supported by your kernel. If it is not, you
4 may get error messages such as
5  
6 modprobe: can't locate module net-pf-17
7  
8 in "/var/adm/messages", or may get messages such as
9  
10 socket: Address family not supported by protocol
11  
12 from applications using libpcap.
13  
14 You must configure the kernel with the CONFIG_PACKET option for this
15 protocol; the following note is from the Linux "Configure.help" file for
16 the 2.0[.x] kernel:
17  
18 Packet socket
19 CONFIG_PACKET
20 The Packet protocol is used by applications which communicate
21 directly with network devices without an intermediate network
22 protocol implemented in the kernel, e.g. tcpdump. If you want them
23 to work, choose Y.
24  
25 This driver is also available as a module called af_packet.o ( =
26 code which can be inserted in and removed from the running kernel
27 whenever you want). If you want to compile it as a module, say M
28 here and read Documentation/modules.txt; if you use modprobe or
29 kmod, you may also want to add "alias net-pf-17 af_packet" to
30 /etc/modules.conf.
31  
32 and the note for the 2.2[.x] kernel says:
33  
34 Packet socket
35 CONFIG_PACKET
36 The Packet protocol is used by applications which communicate
37 directly with network devices without an intermediate network
38 protocol implemented in the kernel, e.g. tcpdump. If you want them
39 to work, choose Y. This driver is also available as a module called
40 af_packet.o ( = code which can be inserted in and removed from the
41 running kernel whenever you want). If you want to compile it as a
42 module, say M here and read Documentation/modules.txt. You will
43 need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules
44 file for the module version to function automatically. If unsure,
45 say Y.
46  
47 In addition, there is an option that, in 2.2 and later kernels, will
48 allow packet capture filters specified to programs such as tcpdump to be
49 executed in the kernel, so that packets that don't pass the filter won't
50 be copied from the kernel to the program, rather than having all packets
51 copied to the program and libpcap doing the filtering in user mode.
52  
53 Copying packets from the kernel to the program consumes a significant
54 amount of CPU, so filtering in the kernel can reduce the overhead of
55 capturing packets if a filter has been specified that discards a
56 significant number of packets. (If no filter is specified, it makes no
57 difference whether the filtering isn't performed in the kernel or isn't
58 performed in user mode. :-))
59  
60 The option for this is the CONFIG_FILTER option; the "Configure.help"
61 file says:
62  
63 Socket filtering
64 CONFIG_FILTER
65 The Linux Socket Filter is derived from the Berkeley Packet Filter.
66 If you say Y here, user-space programs can attach a filter to any
67 socket and thereby tell the kernel that it should allow or disallow
68 certain types of data to get through the socket. Linux Socket
69 Filtering works on all socket types except TCP for now. See the text
70 file linux/Documentation/networking/filter.txt for more information.
71 If unsure, say N.
72  
73 An additional problem, on Linux, with older versions of libpcap, is that
74 capture filters do not work when snooping loopback devices; if you're
75 capturing on a Linux loopback device, do not use a capture filter, as it
76 will probably reject most if not all packets, including the packets it's
77 intended to accept - instead, capture all packets and use a display
78 filter to select the packets you want to see. Most recent Linux
79 distribution releases will not have this problem.
80  
81 In addition, older versions of libpcap will, on Linux systems with a
82 2.0[.x] kernel, or if built for systems with a 2.0[.x] kernel, not turn
83 promiscuous mode off on a network device until the program using
84 promiscuous mode exits, so if you start a capture with Wireshark on some
85 Linux distributions, the network interface will be put in promiscuous
86 mode and will remain in promiscuous mode until Wireshark exits. There
87 might be additional libpcap bugs that cause it not to be turned off even
88 when Wireshark exits; if your network is busy, this could cause the Linux
89 networking stack to do a lot more work discarding packets not intended
90 for the machine, so you may want to check, after running Wireshark,
91 whether any network interfaces are in promiscuous mode (the output of
92 "ifconfig -a" will say something such as
93  
94 eth0 Link encap:Ethernet HWaddr 00:00:66:66:66:66
95 inet addr:66.66.66.66 Bcast:66.66.66.255 Mask:255.255.255.0
96 UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
97 RX packets:6493 errors:0 dropped:0 overruns:0 frame:0
98 TX packets:3380 errors:0 dropped:0 overruns:0 carrier:0
99 collisions:0 txqueuelen:100
100 Interrupt:18 Base address:0xfc80
101  
102 with "PROMISC" indicating that the interface is in promiscuous mode),
103 and, if any interfaces are in promiscuous mode and no capture is being
104 done on that interface, turn promiscuous mode off by hand with
105  
106 ifconfig <ifname> -promisc
107  
108 where "<ifname>" is the name of the interface.
109  
110 Newer versions of libpcap shouldn't have this problem, even on 2.0[.x]
111 kernels; no version of libpcap should have that problem on systems with
112 2.2 or later kernels.