At 3:40 PM -0700 2002/04/30, Guy Harris wrote:

> Therefore, either
>
> 1) whatever <pcap.h> you're including isn't the one from
> tcpdump.org

The only pcap.h I have is from tcpdump.org, and was installed via libpcap-0.7.1:

    % find /usr -name pcap.h -print
    /usr/local/include/pcap.h

> 2) <pcap.h> is including some version of <net/bpf.h> that
> defines BPF_RELEASE as a value >= 199406 but that *doesn't*
> have typedefs for bpf_int32 and bpf_u_int32.

Well, /usr/include/net/bpf.h is from Apple, and /usr/local/lib/include/net/bpf.h was installed with libpcap-0.7.1:

    % find /usr -name bpf.h -ls
    33870 17 -r--r--r-- 1 root wheel 8641 Sep 10 2001 /usr/include/net/bpf.h
    303620 27 -rw-r--r-- 1 root wheel 13586 Apr 29 23:03 /usr/local/include/net/bpf.h

Checking the first file, in the first section below the comments, I find:

    #ifndef _NET_BPF_H_
    #define _NET_BPF_H_

    /* BSD style release date */
    #define BPF_RELEASE 199606

    typedef int32_t bpf_int32;
    typedef u_int32_t bpf_u_int32;

    /*
     * Alignment macros. BPF_WORDALIGN rounds up to the next
     * even multiple of BPF_ALIGNMENT.
     */
    #define BPF_ALIGNMENT sizeof(long)
    #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))

    #define BPF_MAXINSNS 512
    #define BPF_MAXBUFSIZE 0x8000
    #define BPF_MINBUFSIZE 32

Looking at /usr/local/include/net/bpf.h, I see:

    #ifndef BPF_MAJOR_VERSION

    /* BSD style release date */
    #define BPF_RELEASE 199606

    typedef int bpf_int32;
    typedef u_int bpf_u_int32;

    /*
     * Alignment macros. BPF_WORDALIGN rounds up to the next
     * even multiple of BPF_ALIGNMENT.
     */
    #ifndef __NetBSD__
    #define BPF_ALIGNMENT sizeof(bpf_int32)
    #else
    #define BPF_ALIGNMENT sizeof(long)
    #endif
    #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))

    #define BPF_MAXINSNS 512
    #define BPF_MAXBUFSIZE 0x8000
    #define BPF_MINBUFSIZE 32

I don't understand what is wrong here.

> That's not the error that libpcap 0.7.1 generates for a failed
> SIOCGIFADDR, so that's presumably an error coming from xprobe itself,
> not libpcap.

Note that the default system-installed version of tcpdump also requires that I explicitly specify an interface, in order to work.
If I don't provide one, it gives me:

    # tcpdump host 10.0.1.1
    tcpdump: no suitable device found
    # tcpdump -i en1 host 10.0.1.1
    tcpdump: listening on en1
    ^C
    0 packets received by filter
    0 packets dropped by kernel

> As such, I don't know why xprobe with no "-i" argument was failing to
> find or open en1.

From what I can tell, the problem is not unique to xprobe.

> I've attached the test program that the guy who did the
> "pcap_findalldevs()" did as a test program; try compiling that, and
> linking it with the version of libpcap 0.7.1 you built, and run it as
> root, and see what it reports.

I'll give it a shot.

> Could be - but that shouldn't have caused pcap_open_live() to fail, just
> caused "pcap_lookupnet()", or something inside xprobe itself, to fail.

Weird. Dunno. I ain't no programmer (I'm sure you can tell ;-), but I think we found the problem. When building iflist.c, I get:

    % cc iflist.c -o iflist -I/usr/local/include -L/usr/local/lib -lpcap
    /usr/bin/ld: Undefined symbols:
    _pcap_findalldevs

Looking in inet.c, I notice that the following is defined:

    /*
     * Get a list of all interfaces that are up and that we can open.
     * Returns -1 on error, 0 otherwise.
     * The list, as returned through "alldevsp", may be null if no interfaces
     * were up and could be opened.
     */
    #ifdef HAVE_IFADDRS_H
    int
    pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
    {

I'm just guessing, but it would appear that we are missing a header file. ;-(

--
Brad Knowles, <[EMAIL PROTECTED]>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe