At 3:40 PM -0700 2002/04/30, Guy Harris wrote:

>  Therefore, either
>
>       1) whatever <pcap.h> you're including isn't the one from
>          tcpdump.org

        The only pcap.h I have is from tcpdump.org, and was installed via 
libpcap-0.7.1:

% find /usr -name pcap.h -print
/usr/local/include/pcap.h

>       2) <pcap.h> is including some version of <net/bpf.h> that
>          defines BPF_RELEASE as a value >= 199406 but that *doesn't*
>          have typedefs for bpf_int32 and bpf_u_int32.

        Well, /usr/include/net/bpf.h is from Apple, and 
/usr/local/lib/include/net/bpf.h was installed with libpcap-0.7.1:

% find /usr -name bpf.h -ls
 33870   17 -r--r--r--    1 root     wheel        8641 Sep 10  2001 /usr/include/net/bpf.h
303620   27 -rw-r--r--    1 root     wheel       13586 Apr 29 23:03 /usr/local/include/net/bpf.h

        Checking the first file, in the first section below the comments, I find:

#ifndef _NET_BPF_H_
#define _NET_BPF_H_

/* BSD style release date */
#define BPF_RELEASE 199606

typedef int32_t   bpf_int32;
typedef u_int32_t bpf_u_int32;

/*
 * Alignment macros.  BPF_WORDALIGN rounds up to the next
 * even multiple of BPF_ALIGNMENT.
 */
#define BPF_ALIGNMENT sizeof(long)
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))

#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32


        Looking at /usr/local/include/net/bpf.h, I see:

#ifndef BPF_MAJOR_VERSION

/* BSD style release date */
#define BPF_RELEASE 199606

typedef int bpf_int32;
typedef u_int bpf_u_int32;

/*
 * Alignment macros.  BPF_WORDALIGN rounds up to the next
 * even multiple of BPF_ALIGNMENT.
 */
#ifndef __NetBSD__
#define BPF_ALIGNMENT sizeof(bpf_int32)
#else
#define BPF_ALIGNMENT sizeof(long)
#endif
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))

#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32


        I don't understand what is wrong here.

>  That's not the error that libpcap 0.7.1 generates for a failed
>  SIOCGIFADDR, so that's presumably an error coming from xprobe itself,
>  not libpcap.

        Note that the default system-installed version of tcpdump also 
requires that I explicitly specify an interface, in order to work. 
If I don't provide one, it gives me:

# tcpdump host 10.0.1.1
tcpdump: no suitable device found

# tcpdump -i en1 host 10.0.1.1
tcpdump: listening on en1
^C
0 packets received by filter
0 packets dropped by kernel

>  As such, I don't know why xprobe with no "-i" argument was failing to
>  find or open en1.

        From what I can tell, the problem is not unique to xprobe.

>  I've attached the test program that the guy who did the
>  "pcap_findalldevs()" did as a test program; try compiling that, and
>  linking it with the version of libpcap 0.7.1 you built, and run it as
>  root, and see what it reports.

        I'll give it a shot.

>  Could be - but that shouldn't have caused pcap_open_live() to fail, just
>  caused "pcap_lookupnet()", or something inside xprobe itself, to fail.

        Weird.  Dunno.


        I ain't no programmer (I'm sure you can tell ;-), but I think we 
found the problem.  When building iflist.c, I get:

% cc iflist.c -o iflist -I/usr/local/include -L/usr/local/lib -lpcap
/usr/bin/ld: Undefined symbols:
_pcap_findalldevs


        Looking in inet.c, I notice that the following is defined:

/*
 * Get a list of all interfaces that are up and that we can open.
 * Returns -1 on error, 0 otherwise.
 * The list, as returned through "alldevsp", may be null if no interfaces
 * were up and could be opened.
 */
#ifdef HAVE_IFADDRS_H
int
pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
{


        I'm just guessing, but it would appear that we are missing a 
header file.  ;-(

-- 
Brad Knowles, <[EMAIL PROTECTED]>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
