Re: [tcpdump-workers] pcap_lookupdev returning NULL

2020-11-05 Thread Guy Harris via tcpdump-workers
--- Begin Message ---
On Nov 5, 2020, at 1:04 AM, Vaughan Wickham  wrote:

> Appreciate all the info that you have provided.
> 
> Although it probably doesn't look like it from my questions; I did actually 
> read some tutorials prior to posting my initial question; and none made 
> reference to the need for:
> sudo setcap cap_net_raw,cap_net_admin+eip {your program} 
> 
> So I'm wondering if you can suggest some reading that I should review to 
> understand the basics of using libpcap.

I suspect most, if not all, tutorials spend little if any time discussing the 
platform-dependent permission issues with capturing traffic with libpcap; they 
probably focus on "how to write code using libpcap", not "how to arrange that 
your program have enough privileges to do something useful with libpcap".

The only discussions I can offer for the "permissions" issue are:

1) the "capture privileges" page of the Wireshark Wiki:

https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/CapturePrivileges

   and, for your case, this particular subsection of that page:

https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/CapturePrivileges#other-linux-based-systems-or-other-installation-methods

2) the main pcap man page:

https://www.tcpdump.org/manpages/pcap.3pcap.html

   in the subsection that begins with "Reading packets from a network 
interface may require that you have special privileges:".

> Also, where can I find an overview of the key differences between version 
> 1.5.3 and the current release?

There isn't one.  In this *particular* case, the difference (which may have 
been introduced before the current 1.9 version) is that pcap_findalldevs() 
(atop which pcap_lookupdev() is built) checks for operability in older releases 
and doesn't do so for newer releases.  However, as noted, the permissions 
required to open a device for capture do *not* differ (and *can't* differ - 
it's a requirement imposed by the OS kernel) between older and newer versions.
--- End Message ---
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] pcap_lookupdev returning NULL

2020-11-05 Thread Vaughan Wickham via tcpdump-workers
--- Begin Message ---
Hello Guy,

Appreciate all the info that you have provided.

Although it probably doesn't look like it from my questions; I did actually 
read some tutorials prior to posting my initial question; and none made 
reference to the need for:
sudo setcap cap_net_raw,cap_net_admin+eip {your program} 

So I'm wondering if you can suggest some reading that I should review to 
understand the basics of using libpcap.

Also, where can I find an overview of the key differences between version 1.5.3 
and the current release?

Regards,
Vaughan
--- End Message ---


Re: [tcpdump-workers] pcap_lookupdev returning NULL

2020-11-04 Thread Guy Harris via tcpdump-workers
--- Begin Message ---
On Nov 4, 2020, at 10:26 PM, Vaughan Wickham  wrote:

> In regards to your latest comments regarding
> 
> sudo setcap cap_net_raw,cap_net_admin+eip {your program}
> 
> Are you saying that I need to compile my program and then start the compiled 
> version with these arguments, from a terminal?

No.

You need to compile your program (within the IDE or on the command line), 
execute, on the command line, the command

sudo setcap cap_net_raw,cap_net_admin+eip {your program}

where {your program} is the path to the executable that was built, and then you 
can run the program from the command line or from the IDE.

> Alternatively, while I've been happy using CentOS as a development 
> environment up until now. As I'm planning on doing some work with pcap; if 
> there is a "better" distro for doing pcap development I'm more than happy to 
> build another development system using whatever flavour is easiest to develop 
> with.

Note that, as I said, getting a newer version of libpcap will *not* remove the 
requirement that you run your program with special privileges; all it means is 
that pcap_lookupdev() will not require the special privileges, but if you plan 
to *open* the device that it returns, your program will have to run with, at 
minimum, the cap_net_raw privileges.

And all that choosing a distribution other than CentOS will do is perhaps 
change the libpcap version.

> Basically I would like to be able build and execute within the IDE.

Unless you can arrange that the IDE run a special command, *as root*, as part 
of the build process, you won't be able to do everything within the IDE.

The command in question is "setcap cap_net_raw,cap_net_admin+eip {the program 
that was built}".  It will have to ask you for root privileges, which means 
that, if you want to avoid the command line, the IDE will have to run some GUI 
program that asks for your password, or the password of somebody with rights to 
run a program as root (that's what sudo, on the command line, does, but I don't 
know whether any version of sudo can do a GUI prompt when not run on the 
command line) and then run a command as root.

You will also have to have whatever privileges sudo, or the GUI program, 
requires you to have in order for it to allow you to run a program as root.
--- End Message ---


Re: [tcpdump-workers] pcap_lookupdev returning NULL

2020-11-04 Thread Vaughan Wickham via tcpdump-workers
--- Begin Message ---
Hello Guy,

In regards to your latest comments regarding

sudo setcap cap_net_raw,cap_net_admin+eip {your program}

Are you saying that I need to compile my program and then start the compiled 
version with these arguments, from a terminal?

Or is there a way that I can pass these arguments within the IDE?

Alternatively, while I've been happy using CentOS as a development environment 
up until now. As I'm planning on doing some work with pcap; if there is a 
"better" distro for doing pcap development I'm more than happy to build another 
development system using whatever flavour is easiest to develop with.

Basically I would like to be able build and execute within the IDE.

Regards,
Vaughan
--- End Message ---


Re: [tcpdump-workers] pcap_lookupdev returning NULL

2020-11-04 Thread Guy Harris via tcpdump-workers
--- Begin Message ---
On Nov 4, 2020, at 9:18 PM, Vaughan Wickham  wrote:

> Version: libpcap version 1.5.3

That's an older version (CentOS, proudly trailing-edge!), and only returns 
interfaces that the program can open.

Capturing on Linux generally requires, at minimum, the CAP_NET_RAW privilege, 
and finding devices might also require CAP_NET_ADMIN; root privilege will also 
work.  As such, your program will, by default, not be able to open *any* capture 
device, so:

1) if you were using a sufficiently more recent version of libpcap, which 
returns interfaces that the program doesn't have sufficient privileges to open 
(so that the user gets a "permission denied" error when trying to capture, 
which is somewhat clear about the underlying problem, rather than just not 
seeing any devices), you'd get "eth0" but then you'd get an error trying to 
open it (presumably that's why you're calling pcap_lookupdev());

2) you need to give your program sufficient privileges.

So try doing

sudo setcap cap_net_raw,cap_net_admin+eip {your program}

and then running the program.  ("cap_net_admin" might not be necessary with 
1.5.1.)
--- End Message ---
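An added diagnostic for the point made in the two messages above, that the privilege check belongs to the kernel and not to any particular libpcap version: this is not code from the thread or from libpcap. It reads the process's effective capability set from /proc/self/status and then tries to open the AF_PACKET socket that libpcap itself opens on Linux, so the same binary can be run before and after the setcap step to see what changed. It assumes Linux (AF_PACKET, /proc, and the CAP_NET_RAW / CAP_NET_ADMIN bit numbers from <linux/capability.h>); the CapEff line shown in the comment is a constructed sample.

```c
/* capcheck.c: added example, not from the tcpdump-workers thread.
 * Build: cc -Wall -o capcheck capcheck.c
 * Assumes Linux: /proc/self/status, AF_PACKET, and <linux/capability.h>. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>     /* ETH_P_ALL */
#include <linux/capability.h>   /* CAP_NET_ADMIN (12), CAP_NET_RAW (13) */

/* Parse the "CapEff:" line out of /proc/<pid>/status text, e.g. the
 * constructed sample "CapEff:\t0000000000002000" (bit 13 = CAP_NET_RAW only),
 * and return the effective capability bitmask; 0 if the line is absent. */
unsigned long long parse_cap_eff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL)
        return 0;
    /* strtoull skips the leading tab and parses the hex mask. */
    return strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* 1 if capability number `bit` is set in `mask`, else 0. */
int has_cap(unsigned long long mask, int bit)
{
    return (int)((mask >> bit) & 1ULL);
}

/* Effective capabilities of the running process, from /proc/self/status. */
unsigned long long effective_caps(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_eff(buf);
}

/* Open the socket type libpcap uses for live capture on Linux.
 * Returns 0 on success, otherwise the errno the kernel gave us
 * (EPERM when the process lacks CAP_NET_RAW). */
int probe_packet_socket(void)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    unsigned long long caps = effective_caps();
    printf("CapEff=%016llx  CAP_NET_RAW=%d  CAP_NET_ADMIN=%d\n",
           caps, has_cap(caps, CAP_NET_RAW), has_cap(caps, CAP_NET_ADMIN));

    int err = probe_packet_socket();
    if (err == 0) {
        printf("AF_PACKET socket opened: the kernel would allow capture\n");
        return 0;
    }
    printf("AF_PACKET socket failed: %s (errno %d)\n", strerror(err), err);
    return 1;
}
```

Run it once as an ordinary user (expect CAP_NET_RAW=0 and EPERM), then after "sudo setcap cap_net_raw,cap_net_admin+eip ./capcheck" (expect the socket to open). Note that the capability is an extended attribute on that particular file: every rebuild that replaces the executable produces a file without it, so the setcap step has to be repeated after each build, which is why an IDE-only workflow needs a post-build hook that runs it as root.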


Re: [tcpdump-workers] pcap_lookupdev returning NULL

2020-11-04 Thread Guy Harris via tcpdump-workers
--- Begin Message ---
What happens if you put

printf("Version: %s\n", pcap_lib_version());

before the pcap_lookupdev() call?

It won't fix the pcap_lookupdev() call not to return NULL, but it'll indicate 
what version of libpcap your program is using, which might help determine what 
the problem is.  Let us know what the "Version:" output is.
--- End Message ---