On Tue, Jan 16, 2001 at 02:58:17PM -0800, Guy Harris wrote:
> > All that I want is a libpcap with the "any" keyword as interface name and a
> > tcpdump without buffer overflow.
> 
> Then you'll have to repair Slackware 4.0's brokenness

...or grab the next nightly snapshot of libpcap and tcpdump from the
tcpdump.org website, which should show up on 2001-01-17 some time after
4AM North American Eastern Standard Time (10AM in Western Europe); I've
checked in a change that

        replaces the include of <netinet/if_ether.h> with an include of
        <net/if_arp.h>, so that you don't have to have
        <netinet/if_ether.h> to build "pcap-linux.c";

        checks for PF_PACKET socket support by checking whether
        PF_PACKET is defined rather than whether the system has
        <netpacket/packet.h>;

        if the platform doesn't have <netpacket/packet.h> but defines
        PF_PACKET, includes <linux/if_packet.h>.

(The RCS ID of "pcap-linux.c" should give it a version number of 1.53; if
it's 1.52, you grabbed the snapshot too soon.)

The glibc and libc5 <sys/socket.h> doesn't appear to define PF_PACKET
itself; instead, it includes <linux/socket.h>, which means that, at
least in theory, it should define PF_PACKET iff "/usr/include/linux"
points to the header files from a 2.2 or later kernel, in which case
there should also be a <linux/if_packet.h> header file.

If the underlying platform has 2.2 or later header files under
"/usr/include/linux" but is running a 2.0[.x] kernel, the attempt to
open a PF_PACKET socket should fail, causing libpcap to try to open a
SOCK_PACKET socket; if that succeeds, it should just drive on and use
the SOCK_PACKET socket (with all the deficiencies inherent therein).

Hopefully, some "creative" Linux distribution won't come up with some
"clever" way to break that.

(Boy, am I glad my Linux partition has Debian on it....)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
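
The compile-time test on PF_PACKET and the run-time fallback to SOCK_PACKET described in the message above, as an added C example (not libpcap's code and not part of the original e-mail). `open_capture`, `probe` and the `fake_*` openers are hypothetical names; the fake openers are constructed stand-ins for kernels so the fallback can be exercised without root.

```c
#include <arpa/inet.h>   /* htons */
#include <stdio.h>
#include <sys/socket.h>  /* may define PF_PACKET, as discussed above */
#include <unistd.h>

#ifndef ETH_P_ALL
#define ETH_P_ALL 0x0003 /* value from <linux/if_ether.h> */
#endif
#ifndef SOCK_PACKET
#define SOCK_PACKET 10   /* Linux value, for headers that omit it */
#endif

typedef int (*sock_fn)(int domain, int type, int protocol);
enum cap_kind { CAP_NONE, CAP_PF_PACKET, CAP_SOCK_PACKET };

/* Compile-time: key on the PF_PACKET macro, not on a header's presence.
 * Run-time: headers can be newer than the kernel, so a failed PF_PACKET
 * open falls through to SOCK_PACKET. Returns the fd, or -1. */
int open_capture(sock_fn open_sock, enum cap_kind *kind)
{
    int fd;
    *kind = CAP_NONE;
#ifdef PF_PACKET
    fd = open_sock(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd >= 0) { *kind = CAP_PF_PACKET; return fd; }
#endif
    fd = open_sock(PF_INET, SOCK_PACKET, htons(ETH_P_ALL));
    if (fd >= 0) *kind = CAP_SOCK_PACKET;
    return fd;
}

/* Constructed stand-ins for kernels, so the logic runs without root. */
int fake_22(int d, int t, int p) { (void)d; (void)t; (void)p; return 3; }
int fake_20(int d, int t, int p)
{ (void)p; return (d == PF_INET && t == SOCK_PACKET) ? 3 : -1; }
int fake_none(int d, int t, int p) { (void)d; (void)t; (void)p; return -1; }

enum cap_kind probe(sock_fn f)
{ enum cap_kind k; (void)open_capture(f, &k); return k; }

int main(void)
{
    enum cap_kind k;
    int fd = open_capture(socket, &k);   /* real kernel; needs CAP_NET_RAW */
    if (fd < 0) { perror("no packet socket"); return 1; }
    puts(k == CAP_PF_PACKET ? "PF_PACKET" : "SOCK_PACKET (fallback)");
    close(fd);
    return 0;
}
```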
