Re: [tcpdump-workers] pcap_lookupdev returning NULL
On Nov 5, 2020, at 1:04 AM, Vaughan Wickham wrote:

> Appreciate all the info that you have provided.
>
> Although it probably doesn't look like it from my questions, I did actually
> read some tutorials prior to posting my initial question, and none made
> reference to the need for:
>
> sudo setcap cap_net_raw,cap_net_admin+eip {your program}
>
> So I'm wondering if you can suggest some reading that I should review to
> understand the basics of using libpcap.

I suspect most, if not all, tutorials spend little if any time discussing the platform-dependent permission issues with capturing traffic with libpcap; they probably focus on "how to write code using libpcap", not "how to arrange that your program have enough privileges to do something useful with libpcap".

The only discussions I can offer for the "permissions" issue are:

1) the "capture privileges" page of the Wireshark Wiki:

https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/CapturePrivileges

and, for your case, this particular subsection of that page:

https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/CapturePrivileges#other-linux-based-systems-or-other-installation-methods

2) the main pcap man page:

https://www.tcpdump.org/manpages/pcap.3pcap.html

in the subsection that begins with "Reading packets from a network interface may require that you have special privileges:".

> Also, where can I find an overview of the key differences between version
> 1.5.3 and the current release?

There isn't one.

In this *particular* case, the difference (which may have been introduced before the current 1.9 version) is that pcap_findalldevs() (atop which pcap_lookupdev() is built) checks for operability in older releases and doesn't do so for newer releases.

However, as noted, the permissions required to open a device for capture do *not* differ (and *can't* differ - it's a requirement imposed by the OS kernel) between older and newer versions.

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] pcap_lookupdev returning NULL
Hello Guy,

Appreciate all the info that you have provided.

Although it probably doesn't look like it from my questions, I did actually read some tutorials prior to posting my initial question, and none made reference to the need for:

sudo setcap cap_net_raw,cap_net_admin+eip {your program}

So I'm wondering if you can suggest some reading that I should review to understand the basics of using libpcap.

Also, where can I find an overview of the key differences between version 1.5.3 and the current release?

Regards,
Vaughan
Re: [tcpdump-workers] pcap_lookupdev returning NULL
On Nov 4, 2020, at 10:26 PM, Vaughan Wickham wrote:

> In regards to your latest comments regarding
>
> sudo setcap cap_net_raw,cap_net_admin+eip {your program}
>
> Are you saying that I need to compile my program and then start the compiled
> version with these arguments, from a terminal?

No. You need to compile your program (within the IDE or on the command line), execute, on the command line, the command

sudo setcap cap_net_raw,cap_net_admin+eip {your program}

where {your program} is the path to the executable that was built, and then you can run the program from the command line or from the IDE.

> Alternatively, while I've been happy using CentOS as a development
> environment up until now, as I'm planning on doing some work with pcap, if
> there is a "better" distro for doing pcap development I'm more than happy to
> build another development system using whatever flavour is easiest to develop
> with.

Note that, as I said, getting a newer version of libpcap will *not* remove the requirement that you run your program with special privileges; all it means is that pcap_lookupdev() will not require the special privileges, but if you plan to *open* the device that it returns, your program will have to run with, at minimum, the cap_net_raw privileges. And all that choosing a distribution other than CentOS will do is perhaps change the libpcap version.

> Basically I would like to be able to build and execute within the IDE.

Unless you can arrange that the IDE run a special command, *as root*, as part of the build process, you won't be able to do everything within the IDE. The command in question is "setcap cap_net_raw,cap_net_admin+eip {the program that was built}".

It will have to ask you for root privileges, which means that, if you want to avoid the command line, the IDE will have to run some GUI program that asks for your password, or the password of somebody with rights to run a program as root (that's what sudo, on the command line, does, but I don't know whether any version of sudo can do a GUI prompt when not run on the command line) and then run a command as root. You will also have to have whatever privileges sudo, or the GUI program, requires you to have in order for it to allow you to run a program as root.
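As an added illustration (my own code, not part of the thread and not libpcap code), the following C program checks whether the setcap command discussed above actually took effect on a built executable. It reads and decodes the security.capability extended attribute that setcap writes and getcap reads, then reports whether CAP_NET_RAW and CAP_NET_ADMIN will be effective when the file is executed. It assumes Linux (getxattr from <sys/xattr.h>) and the revision 2/3 vfs_cap_data layout and capability numbers from <linux/capability.h>; SAMPLE_SETCAP_BLOB is a constructed copy of the 20-byte value that cap_net_raw,cap_net_admin+eip produces, not data read from a real file.

```c
/* Added example (not from the thread, not libpcap code): verify that
 * "setcap cap_net_raw,cap_net_admin+eip <program>" actually took effect
 * by decoding the security.capability xattr on the executable. Linux only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Capability numbers and vfs_cap_data constants from <linux/capability.h>. */
#define CAP_NET_ADMIN            12
#define CAP_NET_RAW              13
#define VFS_CAP_REVISION_MASK    0xFF000000u
#define VFS_CAP_REVISION_2       0x02000000u
#define VFS_CAP_REVISION_3       0x03000000u
#define VFS_CAP_FLAGS_EFFECTIVE  0x00000001u

struct file_caps {
    uint64_t permitted;    /* caps added to the process's permitted set at exec */
    uint64_t inheritable;  /* ANDed with the process's inheritable set */
    int      effective;    /* the "+e" flag: permitted caps are also made effective */
    uint32_t rootid;       /* revision 3 only (user-namespace root); 0 otherwise */
};

/* Constructed sample (assumption, not read from a real file): the 20-byte
 * revision-2 value written for cap_net_raw,cap_net_admin+eip. */
const unsigned char SAMPLE_SETCAP_BLOB[20] = {
    0x01, 0x00, 0x00, 0x02,   /* magic_etc = VFS_CAP_REVISION_2 | EFFECTIVE */
    0x00, 0x30, 0x00, 0x00,   /* data[0].permitted   = bits 12,13 */
    0x00, 0x30, 0x00, 0x00,   /* data[0].inheritable = bits 12,13 */
    0x00, 0x00, 0x00, 0x00,   /* data[1].permitted   (caps 32..63) */
    0x00, 0x00, 0x00, 0x00    /* data[1].inheritable (caps 32..63) */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a security.capability value. Returns 0 on success, -1 if the blob
 * is not a well-formed revision 2 (20 bytes) or revision 3 (24 bytes) record. */
int decode_file_caps(const unsigned char *buf, size_t len, struct file_caps *out)
{
    if (len < 20)
        return -1;
    uint32_t magic = le32(buf);
    uint32_t rev = magic & VFS_CAP_REVISION_MASK;
    if (rev == VFS_CAP_REVISION_2 && len != 20)
        return -1;
    if (rev == VFS_CAP_REVISION_3 && len != 24)
        return -1;
    if (rev != VFS_CAP_REVISION_2 && rev != VFS_CAP_REVISION_3)
        return -1;
    memset(out, 0, sizeof *out);
    out->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted   = (uint64_t)le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = (uint64_t)le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    if (rev == VFS_CAP_REVISION_3)
        out->rootid = le32(buf + 20);
    return 0;
}

/* 1 if executing this file yields an effective CAP_NET_RAW (and CAP_NET_ADMIN
 * when want_admin is set), i.e. the state "+eip" or "+ep" produce; else 0. */
int file_caps_allow_capture(const struct file_caps *fc, int want_admin)
{
    uint64_t need = (uint64_t)1 << CAP_NET_RAW;
    if (want_admin)
        need |= (uint64_t)1 << CAP_NET_ADMIN;
    return fc->effective && (fc->permitted & need) == need;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/built/program\n", argv[0]);
        return 2;
    }
    unsigned char buf[64];
    ssize_t n = getxattr(argv[1], "security.capability", buf, sizeof buf);
    if (n < 0) {
        perror("getxattr(security.capability)");
        fprintf(stderr, "no file capabilities; run: sudo setcap cap_net_raw,cap_net_admin+eip %s\n", argv[1]);
        return 1;
    }
    struct file_caps fc;
    if (decode_file_caps(buf, (size_t)n, &fc) != 0) {
        fprintf(stderr, "unrecognised security.capability record (%zd bytes)\n", n);
        return 1;
    }
    printf("permitted=%016llx inheritable=%016llx effective=%d\n",
           (unsigned long long)fc.permitted, (unsigned long long)fc.inheritable, fc.effective);
    int ok = file_caps_allow_capture(&fc, 1);
    puts(ok ? "ok: CAP_NET_RAW and CAP_NET_ADMIN will be effective at exec"
            : "missing: CAP_NET_RAW/CAP_NET_ADMIN not both permitted+effective");
    return ok ? 0 : 1;
}
```

Run it as ./checkcaps /path/to/your/program after the setcap step; a non-zero exit means the file does not carry both capabilities as effective, so the program will still need to be run as root to open a device. Note that the check looks at the permitted set plus the effective flag: the "i" in "+eip" only matters if the launching process has those capabilities in its own inheritable set, which a plain shell or IDE normally does not.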
Re: [tcpdump-workers] pcap_lookupdev returning NULL
Hello Guy,

In regards to your latest comments regarding

sudo setcap cap_net_raw,cap_net_admin+eip {your program}

Are you saying that I need to compile my program and then start the compiled version with these arguments, from a terminal? Or is there a way that I can pass these arguments within the IDE?

Alternatively, while I've been happy using CentOS as a development environment up until now, as I'm planning on doing some work with pcap, if there is a "better" distro for doing pcap development I'm more than happy to build another development system using whatever flavour is easiest to develop with.

Basically I would like to be able to build and execute within the IDE.

Regards,
Vaughan
Re: [tcpdump-workers] pcap_lookupdev returning NULL
On Nov 4, 2020, at 9:18 PM, Vaughan Wickham wrote:

> Version: libpcap version 1.5.3

That's an older version (CentOS, proudly trailing-edge!), and only returns interfaces that the program can open.

Capturing on Linux generally requires, at minimum, the CAP_NET_RAW privilege, and finding devices might also require CAP_NET_ADMIN; root privilege will also work. As such, your program will, by default, not be able to open *any* capture device, so:

1) if you were using a sufficiently more recent version of libpcap, which returns interfaces that the program doesn't have sufficient privileges to open (so that the user gets a "permission denied" error when trying to capture, which is somewhat clear about the underlying problem, rather than just not seeing any devices), you'd get "eth0" but then you'd get an error trying to open it (presumably that's why you're calling pcap_lookupdev());

2) you need to give your program sufficient privileges. So try doing

sudo setcap cap_net_raw,cap_net_admin+eip {your program}

and then running the program. ("cap_net_admin" might not be necessary with 1.5.1.)
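Here is an added example (my own code, not from the thread and not from libpcap) of the check a capture program can do at startup to tell "no privileges" apart from "no interfaces", which is the ambiguity behind a NULL from pcap_lookupdev() on 1.5.3. It parses the CapEff line of /proc/self/status and tests for the two capabilities named above, CAP_NET_RAW (bit 13) and CAP_NET_ADMIN (bit 12). It assumes Linux and the capability numbers from <linux/capability.h>; the function names, the readiness levels and the messages are mine. A real program would go on to call pcap_findalldevs() or pcap_lookupdev() after this check.

```c
/* Added example (not from the thread, not libpcap code): before calling
 * libpcap, report whether this process holds the Linux capabilities that
 * opening a capture device needs. Reads CapEff from /proc/self/status. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers from <linux/capability.h>. */
#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13

/* Parse the hex mask that follows "CapEff:" in one /proc/<pid>/status line.
 * Returns 1 and stores the mask on success, 0 if this is not the CapEff line. */
int parse_capeff_line(const char *line, uint64_t *mask)
{
    const char *key = "CapEff:";
    size_t n = strlen(key);
    if (strncmp(line, key, n) != 0)
        return 0;
    line += n;
    while (*line == ' ' || *line == '\t')
        line++;
    char *end;
    unsigned long long v = strtoull(line, &end, 16);
    if (end == line)
        return 0;
    *mask = (uint64_t)v;
    return 1;
}

/* 1 if capability number cap is set in mask. */
int has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1u);
}

/* Readiness levels (my own classification):
 *   2 = CAP_NET_RAW and CAP_NET_ADMIN: enumerate and open should both work
 *   1 = CAP_NET_RAW only: opening a named device should work
 *   0 = no CAP_NET_RAW: nothing will open; run as root or setcap the binary */
int capture_readiness(uint64_t mask)
{
    if (has_cap(mask, CAP_NET_RAW) && has_cap(mask, CAP_NET_ADMIN))
        return 2;
    if (has_cap(mask, CAP_NET_RAW))
        return 1;
    return 0;
}

/* Read the effective capability mask of the current process.
 * Returns 1 on success, 0 if /proc/self/status is unavailable (not Linux). */
int read_own_capeff(uint64_t *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    char line[256];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_capeff_line(line, mask)) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

int main(void)
{
    uint64_t mask;
    if (!read_own_capeff(&mask)) {
        fprintf(stderr, "could not read CapEff from /proc/self/status\n");
        return 1;
    }
    printf("CapEff = %016llx\n", (unsigned long long)mask);
    switch (capture_readiness(mask)) {
    case 2:
        puts("CAP_NET_RAW and CAP_NET_ADMIN present: pcap_findalldevs()/open should work");
        break;
    case 1:
        puts("CAP_NET_RAW only: opening a device should work; enumeration may be incomplete");
        break;
    default:
        puts("no CAP_NET_RAW: run as root, or: sudo setcap cap_net_raw,cap_net_admin+eip <program>");
    }
    return 0;
}
```

Running this unprivileged prints CapEff = 0000000000000000 and the setcap advice; after setcap cap_net_raw,cap_net_admin+eip on the binary, bits 12 and 13 appear in the mask (0x3000 when nothing else is held). Note that this reports the process's own capabilities, so it must be compiled into the capture program (or given the same file capabilities) to be meaningful.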
Re: [tcpdump-workers] pcap_lookupdev returning NULL
What happens if you put

printf("Version: %s\n", pcap_lib_version());

before the pcap_lookupdev() call? It won't fix the pcap_lookupdev() call not to return NULL, but it'll indicate what version of libpcap your program is using, which might help determine what the problem is.

Let us know what the "Version:" output is.