1To build libpcap, run "./configure" (a shell script). The configure
2script will determine your system attributes and generate an
3appropriate Makefile from Makefile.in. Next run "make". If everything
4goes well you can su to root and run "make install". However, you need
5not install libpcap if you just want to build tcpdump; just make sure
6the tcpdump and libpcap directory trees have the same parent
7directory.
8
9If configure says:
10
11    configure: warning: cannot determine packet capture interface
12    configure: warning: (see INSTALL for more info)
13
14then your system either does not support packet capture or your system
15does support packet capture but libpcap does not support that
16particular type. (If you have HP-UX, see below.) If your system uses a
17packet capture not supported by libpcap, please send us patches; don't
18forget to include an autoconf fragment suitable for use in
19configure.in.
20
21It is possible to override the default packet capture type, although
22the circumstance where this works are limited. For example if you have
23installed bpf under SunOS 4 and wish to build a snit libpcap:
24
25    ./configure --with-pcap=snit
26
27Another example is to force a supported packet capture type in the case
28where the configure scripts fails to detect it.
29
30You will need an ANSI C compiler to build libpcap. The configure script
31will abort if your compiler is not ANSI compliant. If this happens, use
32the generally available GNU C compiler (GCC).
33
34If you use flex, you must use version 2.4.6 or higher. The configure
35script automatically detects the version of flex and will not use it
36unless it is new enough. You can use "flex -V" to see what version you
37have (unless it's really old). The current version of flex is available
38at flex.sourceforge.net and often comes packaged by means of the OS.
39As of this writing, the current version is 2.5.37.
40
41If you use bison, you must use flex (and visa versa). The configure
42script automatically falls back to lex and yacc if both flex and bison
43are not found.
44
45Sometimes the stock C compiler does not interact well with flex and
46bison. The list of problems includes undefined references for alloca.
47You can get around this by installing gcc or manually disabling flex
48and bison with:
49
50    ./configure --without-flex --without-bison
51
52If your system only has AT&T lex, this is okay unless your libpcap
53program uses other lex/yacc generated code. (Although it's possible to
54map the yy* identifiers with a script, we use flex and bison so we
55don't feel this is necessary.)
56
57Some systems support the Berkeley Packet Filter natively; for example
58out of the box OSF and BSD/OS have bpf. If your system does not support
59bpf, you will need to pick up:
60
61	ftp://ftp.ee.lbl.gov/bpf-*.tar.Z
62
63Note well: you MUST have kernel source for your operating system in
64order to install bpf. An exception is SunOS 4; the bpf distribution
65includes replacement kernel objects for some of the standard SunOS 4
66network device drivers. See the bpf INSTALL document for more
67information.
68
69If you use Solaris, there is a bug with bufmod(7) that is fixed in
70Solaris 2.3.2 (aka SunOS 5.3.2). Setting a snapshot length with the
71broken bufmod(7) results in data be truncated from the FRONT of the
72packet instead of the end.  The work around is to not set a snapshot
73length but this results in performance problems since the entire packet
74is copied to user space. If you must run an older version of Solaris,
75there is a patch available from Sun; ask for bugid 1149065. After
76installing the patch, use "setenv BUFMOD_FIXED" to enable use of
77bufmod(7). However, we recommend you run a more current release of
78Solaris.
79
80If you use the SPARCompiler, you must be careful to not use the
81/usr/ucb/cc interface. If you do, you will get bogus warnings and
82perhaps errors. Either make sure your path has /opt/SUNWspro/bin
83before /usr/ucb or else:
84
85    setenv CC /opt/SUNWspro/bin/cc
86
87before running configure. (You might have to do a "make distclean"
88if you already ran configure once).
89
90Also note that "make depend" won't work; while all of the known
91universe uses -M, the SPARCompiler uses -xM to generate makefile
92dependencies.
93
94If you are trying to do packet capture with a FORE ATM card, you may or
95may not be able to. They usually only release their driver in object
96code so unless their driver supports packet capture, there's not much
97libpcap can do.
98
99If you get an error like:
100
101    tcpdump: recv_ack: bind error 0x???
102
103when using DLPI, look for the DL_ERROR_ACK error return values, usually
104in /usr/include/sys/dlpi.h, and find the corresponding value.
105
106Under {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be
107enabled before it can be used.  For instructions on how to enable packet
108filter support, see:
109
110	ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX
111
112Look for the "How do I configure the Berkeley Packet Filter and capture
113tcpdump traces?" item.
114
115Once you enable packet filter support, your OSF system will support bpf
116natively.
117
118Under Ultrix, packet capture must be enabled before it can be used. For
119instructions on how to enable packet filter support, see:
120
121	ftp://ftp.digital.com/pub/Digital/dec-faq/ultrix
122
123If you use HP-UX, you must have at least version 9 and either the
124version of cc that supports ANSI C (cc -Aa) or else use the GNU C
125compiler. You must also buy the optional streams package. If you don't
126have:
127
128    /usr/include/sys/dlpi.h
129    /usr/include/sys/dlpi_ext.h
130
131then you don't have the streams package. In addition, we believe you
132need to install the "9.X LAN and DLPI drivers cumulative" patch
133(PHNE_6855) to make the version 9 DLPI work with libpcap.
134
135The DLPI streams package is standard starting with HP-UX 10.
136
137The HP implementation of DLPI is a little bit eccentric. Unlike
138Solaris, you must attach /dev/dlpi instead of the specific /dev/*
139network pseudo device entry in order to capture packets. The PPA is
140based on the ifnet "index" number. Under HP-UX 9, it is necessary to
141read /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10,
142DLPI can provide information for determining the PPA. It does not seem
143to be possible to trace the loopback interface. Unlike other DLPI
144implementations, PHYS implies MULTI and SAP and you get an error if you
145try to enable more than one promiscuous mode at a time.
146
147It is impossible to capture outbound packets on HP-UX 9.  To do so on
148HP-UX 10, you will, apparently, need a late "LAN products cumulative
149patch" (at one point, it was claimed that this would be PHNE_18173 for
150s700/10.20; at another point, it was claimed that the required patches
151were PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do
152so on HP-UX 11 you will, apparently, need the latest lancommon/DLPI
153patches and the latest driver patch for the interface(s) in use on HP-UX
15411 (at one point, it was claimed that patches PHNE_19766, PHNE_19826,
155PHNE_20008, and PHNE_20735 did the trick).
156
157Furthermore, on HP-UX 10, you will need to turn on a kernel switch by
158doing
159
160	echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem
161
162You would have to arrange that this happen on reboots; the right way to
163do that would probably be to put it into an executable script file
164"/sbin/init.d/outbound_promisc" and making
165"/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script.
166
167Finally, testing shows that there can't be more than one simultaneous
168DLPI user per network interface.
169
170If you use Linux, this version of libpcap is known to compile and run
171under Red Hat 4.0 with the 2.0.25 kernel.  It may work with earlier 2.X
172versions but is guaranteed not to work with 1.X kernels.  Running more
173than one libpcap program at a time, on a system with a 2.0.X kernel, can
174cause problems since promiscuous mode is implemented by twiddling the
175interface flags from the libpcap application; the packet capture
176mechanism in the 2.2 and later kernels doesn't have this problem.  Also,
177packet timestamps aren't very good.  This appears to be due to haphazard
178handling of the timestamp in the kernel.
179
180Note well: there is rumoured to be a version of tcpdump floating around
181called 3.0.3 that includes libpcap and is supposed to support Linux.
182You should be advised that neither the Network Research Group at LBNL
183nor the Tcpdump Group ever generated a release with this version number.
184The LBNL Network Research Group notes with interest that a standard
185cracker trick to get people to install trojans is to distribute bogus
186packages that have a version number higher than the current release.
187They also noted with annoyance that 90% of the Linux related bug reports
188they got are due to changes made to unofficial versions of their page.
189If you are having trouble but aren't using a version that came from
190tcpdump.org, please try that before submitting a bug report!
191
192On Linux, libpcap will not work if the kernel does not have the packet
193socket option enabled; see the README.linux file for information about
194this.
195
196If you use AIX, you may not be able to build libpcap from this release.
197We do not have an AIX system in house so it's impossible for us to test
198AIX patches submitted to us.  We are told that you must link against
199/lib/pse.exp, that you must use AIX cc or a GNU C compiler newer than
2002.7.2, and that you may need to run strload before running a libpcap
201application.
202
203Read the README.aix file for information on installing libpcap and
204configuring your system to be able to support libpcap.
205
206If you use NeXTSTEP, you will not be able to build libpcap from this
207release.
208
209If you use SINIX, you should be able to build libpcap from this
210release. It is known to compile and run on SINIX-Y/N 5.42 with the C-DS
211V1.0 or V1.1 compiler. But note that in some releases of SINIX, yacc
212emits incorrect code; if grammar.y fails to compile, change every
213occurence of:
214
215	#ifdef YYDEBUG
216
217to:
218	#if YYDEBUG
219
220Another workaround is to use flex and bison.
221
222If you use SCO, you might have trouble building libpcap from this
223release. We do not have a machine running SCO and have not had reports
224of anyone successfully building on it; the current release of libpcap
225does not compile on SCO OpenServer 5.  Although SCO apparently supports
226DLPI to some extent, the DLPI in OpenServer 5 is very non-standard, and
227it appears that completely new code would need to be written to capture
228network traffic.  SCO do not appear to provide tcpdump binaries for
229OpenServer 5 or OpenServer 6 as part of SCO Skunkware:
230
231	http://www.sco.com/skunkware/
232
233If you use UnixWare, you might be able to build libpcap from this
234release, or you might not.  We do not have a machine running UnixWare,
235so we have not tested it; however, SCO provide packages for libpcap
2360.6.2 and tcpdump 3.7.1 in the UnixWare 7/Open UNIX 8 part of SCO
237Skunkware, and the source package for libpcap 0.6.2 is not changed from
238the libpcap 0.6.2 source release, so this release of libpcap might also
239build without changes on UnixWare 7.
240
241If linking tcpdump fails with "Undefined: _alloca" when using bison on
242a Sun4, your version of bison is broken. In any case version 1.16 or
243higher is recommended (1.14 is known to cause problems 1.16 is known to
244work). Either pick up a current version from:
245
246	ftp://ftp.gnu.org/pub/gnu/bison
247
248or hack around it by inserting the lines:
249
250	#ifdef __GNUC__
251	#define alloca __builtin_alloca
252	#else
253	#ifdef sparc
254	#include <alloca.h>
255	#else
256	char *alloca ();
257	#endif
258	#endif
259
260right after the (100 line!) GNU license comment in bison.simple, remove
261grammar.[co] and fire up make again.
262
263If you use SunOS 4, your kernel must support streams NIT. If you run a
264libpcap program and it dies with:
265
266    /dev/nit: No such device
267
268You must add streams NIT support to your kernel configuration, run
269config and boot the new kernel.
270
271If you are running a version of SunOS earlier than 4.1, you will need
272to replace the Sun supplied /sys/sun{3,4,4c}/OBJ/nit_if.o with the
273appropriate version from this distribution's SUNOS4 subdirectory and
274build a new kernel:
275
276	nit_if.o.sun3-sunos4		(any flavor of sun3)
277	nit_if.o.sun4c-sunos4.0.3c	(SS1, SS1+, IPC, SLC, etc.)
278	nit_if.o.sun4-sunos4		(Sun4's not covered by
279					    nit_if.o.sun4c-sunos4.0.3c)
280
281These nit replacements fix a bug that makes nit essentially unusable in
282pre-SunOS 4.1.  In addition, our sun4c-sunos4.0.3c nit gives you
283timestamps to the resolution of the SS-1 clock (1 us) rather than the
284lousy 20ms timestamps Sun gives you  (tcpdump will print out the full
285timestamp resolution if it finds it's running on a SS-1).
286
287FILES
288-----
289CHANGES		- description of differences between releases
290ChmodBPF/*	- Mac OS X startup item to set ownership and permissions
291		  on /dev/bpf*
292CREDITS		- people that have helped libpcap along
293INSTALL.txt	- this file
294LICENSE		- the license under which tcpdump is distributed
295Makefile.in	- compilation rules (input to the configure script)
296README		- description of distribution
297README.aix	- notes on using libpcap on AIX
298README.dag	- notes on using libpcap to capture on Endace DAG devices
299README.hpux	- notes on using libpcap on HP-UX
300README.linux	- notes on using libpcap on Linux
301README.macosx	- notes on using libpcap on Mac OS X
302README.septel   - notes on using libpcap to capture on Intel/Septel devices
303README.sita	- notes on using libpcap to capture on SITA devices
304README.tru64	- notes on using libpcap on Digital/Tru64 UNIX
305README.Win32	- notes on using libpcap on Win32 systems (with WinPcap)
306SUNOS4		- pre-SunOS 4.1 replacement kernel nit modules
307VERSION		- version of this release
308acconfig.h	- support for post-2.13 autoconf
309aclocal.m4	- autoconf macros
310arcnet.h	- ARCNET definitions
311atmuni31.h	- ATM Q.2931 definitions
312bpf/net		- copy of bpf_filter.c
313bpf_dump.c	- BPF program printing routines
314bpf_filter.c	- symlink to bpf/net/bpf_filter.c
315bpf_image.c	- BPF disassembly routine
316config.guess	- autoconf support
317config.h.in	- autoconf input
318config.sub	- autoconf support
319configure	- configure script (run this first)
320configure.in	- configure script source
321dlpisubs.c	- DLPI-related functions for pcap-dlpi.c and pcap-libdlpi.c
322dlpisubs.h	- DLPI-related function declarations
323etherent.c	- /etc/ethers support routines
324ethertype.h	- Ethernet protocol types and names definitions
325fad-getad.c	- pcap_findalldevs() for systems with getifaddrs()
326fad-gifc.c	- pcap_findalldevs() for systems with only SIOCGIFLIST
327fad-glifc.c	- pcap_findalldevs() for systems with SIOCGLIFCONF
328fad-null.c	- pcap_findalldevs() for systems without capture support
329fad-sita.c	- pcap_findalldevs() for systems with SITA support
330fad-win32.c	- pcap_findalldevs() for WinPcap
331filtertest.c	- test program for BPF compiler
332findalldevstest.c - test program for pcap_findalldevs()
333gencode.c	- BPF code generation routines
334gencode.h	- BPF code generation definitions
335grammar.y	- filter string grammar
336ieee80211.h	- 802.11 definitions
337inet.c		- network routines
338install-sh	- BSD style install script
339lbl/os-*.h	- OS-dependent defines and prototypes
340llc.h		- 802.2 LLC SAP definitions
341missing/*	- replacements for missing library functions
342mkdep		- construct Makefile dependency list
343msdos/*		- drivers for MS-DOS capture support
344nametoaddr.c	- hostname to address routines
345nlpid.h		- OSI network layer protocol identifier definitions
346net		- symlink to bpf/net
347optimize.c	- BPF optimization routines
348pcap/bluetooth.h - public definition of DLT_BLUETOOTH_HCI_H4_WITH_PHDR header
349pcap/bpf.h	- BPF definitions
350pcap/namedb.h	- public libpcap name database definitions
351pcap/pcap.h	- public libpcap definitions
352pcap/sll.h	- public definition of DLT_LINUX_SLL header
353pcap/usb.h	- public definition of DLT_USB header
354pcap-bpf.c	- BSD Packet Filter support
355pcap-bpf.h	- header for backwards compatibility
356pcap-bt-linux.c	- Bluetooth capture support for Linux
357pcap-bt-linux.h	- Bluetooth capture support for Linux
358pcap-dag.c	- Endace DAG device capture support
359pcap-dag.h	- Endace DAG device capture support
360pcap-dlpi.c	- Data Link Provider Interface support
361pcap-dos.c	- MS-DOS capture support
362pcap-dos.h	- headers for MS-DOS capture support
363pcap-enet.c	- enet support
364pcap-int.h	- internal libpcap definitions
365pcap-libdlpi.c	- Data Link Provider Interface support for systems with libdlpi
366pcap-linux.c	- Linux packet socket support
367pcap-namedb.h	- header for backwards compatibility
368pcap-nit.c	- SunOS Network Interface Tap support
369pcap-nit.h	- SunOS Network Interface Tap definitions
370pcap-null.c	- dummy monitor support (allows offline use of libpcap)
371pcap-pf.c	- Ultrix and Digital/Tru64 UNIX Packet Filter support
372pcap-pf.h	- Ultrix and Digital/Tru64 UNIX Packet Filter definitions
373pcap-septel.c   - Intel/Septel device capture support
374pcap-septel.h   - Intel/Septel device capture support
375pcap-sita.c	- SITA device capture support
376pcap-sita.h	- SITA device capture support
377pcap-sita.html	- SITA device capture documentation
378pcap-stdinc.h	- includes and #defines for compiling on Win32 systems
379pcap-snit.c	- SunOS 4.x STREAMS-based Network Interface Tap support
380pcap-snoop.c	- IRIX Snoop network monitoring support
381pcap-usb-linux.c - USB capture support for Linux
382pcap-usb-linux.h - USB capture support for Linux
383pcap-win32.c	- WinPcap capture support
384pcap.3pcap	- manual entry for the library
385pcap.c		- pcap utility routines
386pcap.h		- header for backwards compatibility
387pcap_*.3pcap	- manual entries for library functions
388pcap-filter.4	- manual entry for filter syntax
389pcap-linktype.4	- manual entry for link-layer header types
390ppp.h		- Point to Point Protocol definitions
391runlex.sh	- wrapper for Lex/Flex
392savefile.c	- offline support
393scanner.l	- filter string scanner
394sunatmpos.h	- definitions for SunATM capturing
395Win32		- headers and routines for building on Win32 systems
396