From 4740a3ae154edbab169998a1cd06c69a76c9b734 Mon Sep 17 00:00:00 2001 From: Guy Harris Date: Wed, 3 Dec 2003 07:46:34 +0000 Subject: Bring it up to date. svn path=/trunk/; revision=9148 --- README.linux | 115 ++++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 78 insertions(+), 37 deletions(-) (limited to 'README.linux') diff --git a/README.linux b/README.linux index 632a39c797..adc952e61a 100644 --- a/README.linux +++ b/README.linux @@ -1,14 +1,21 @@ -$Id: README.linux,v 1.7 2001/01/10 09:54:44 guy Exp $ +$Id: README.linux,v 1.8 2003/12/03 07:46:34 guy Exp $ In order to capture packets (with Ethereal/Tethereal, tcpdump, or any -other packet capture program) on a Linux system, the "packet" protocol -must be supported by your kernel. If it is not, you may get error -messages such as +other libpcap-based packet capture program) on a Linux system, the +"packet" protocol must be supported by your kernel. If it is not, you +may get error messages such as modprobe: can't locate module net-pf-17 -in "/var/adm/messages". The following note is from the Linux -"Configure.help" file: +in "/var/adm/messages", or may get messages such as + + socket: Address family not supported by protocol + +from applications using libpcap. + +You must configure the kernel with the CONFIG_PACKET option for this +protocol; the following note is from the Linux "Configure.help" file for +the 2.0[.x] kernel: Packet socket CONFIG_PACKET @@ -24,37 +31,67 @@ in "/var/adm/messages". The following note is from the Linux kmod, you may also want to add "alias net-pf-17 af_packet" to /etc/modules.conf. -In addition, the standard libpcap compiled for Linux has a timeout -problem; it doesn't support the timeout argument to "pcap_open_live()". - -The current version of Ethereal attempts to work around this, so its GUI -shouldn't freeze when capturing on a not-so-busy network. If its GUI -does freeze when that happens, please send a note about this, indicating -which version of which distribution of Linux you're using, and which -version of libpcap you're using, to ethereal-dev@ethereal.com. - -The current version of Ethereal should work with versions of libpcap -that have been patched to fix the timeout problem, as well as working -with unpatched versions. - -An additional problem, on Linux, with current versions of libpcap, is -that capture filters do not work when snooping loopback devices; if -you're capturing on a Linux loopback device, do not use a capture -filter, as it will probably reject most if not all packets, including -the packets it's intended to accept - instead, capture all packets and -use a display filter to select the packets you want to see. - -In addition, current versions of libpcap on at least some Linux -distributions will not turn promiscuous mode off on a network device -until the program using promiscuous mode exits, so if you start a -capture with Ethereal on some Linux distributions, the network interface -will be put in promiscuous mode and will remain in promiscuous mode -until Ethereal exits. There might be additional libpcap bugs that cause -it not to be turned off even when Ethereal exits; if your network is -busy, this could cause the Linux networking stack to do a lot more work -discarding packets not intended for the machine, so you may want to -check, after running Ethereal, whether any network interfaces are in -promiscuous mode (the output of "ifconfig -a" will say something such as +and the note for the 2.2[.x] kernel says: + + Packet socket + CONFIG_PACKET + The Packet protocol is used by applications which communicate + directly with network devices without an intermediate network + protocol implemented in the kernel, e.g. tcpdump. If you want them + to work, choose Y. This driver is also available as a module called + af_packet.o ( = code which can be inserted in and removed from the + running kernel whenever you want). If you want to compile it as a + module, say M here and read Documentation/modules.txt. You will + need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules + file for the module version to function automatically. If unsure, + say Y. + +In addition, there is an option that, in 2.2 and later kernels, will +allow packet capture filters specified to programs such as tcpdump to be +executed in the kernel, so that packets that don't pass the filter won't +be copied from the kernel to the program, rather than having all packets +copied to the program and libpcap doing the filtering in user mode. + +Copying packets from the kernel to the program consumes a significant +amount of CPU, so filtering in the kernel can reduce the overhead of +capturing packets if a filter has been specified that discards a +significant number of packets. (If no filter is specified, it makes no +difference whether the filtering isn't performed in the kernel or isn't +performed in user mode. :-)) + +The option for this is the CONFIG_FILTER option; the "Configure.help" +file says: + + Socket filtering + CONFIG_FILTER + The Linux Socket Filter is derived from the Berkeley Packet Filter. + If you say Y here, user-space programs can attach a filter to any + socket and thereby tell the kernel that it should allow or disallow + certain types of data to get through the socket. Linux Socket + Filtering works on all socket types except TCP for now. See the text + file linux/Documentation/networking/filter.txt for more information. + If unsure, say N. + +An additional problem, on Linux, with older versions of libpcap, is that +capture filters do not work when snooping loopback devices; if you're +capturing on a Linux loopback device, do not use a capture filter, as it +will probably reject most if not all packets, including the packets it's +intended to accept - instead, capture all packets and use a display +filter to select the packets you want to see. Most recent Linux +distribution releases will not have this problem. + +In addition, older versions of libpcap will, on Linux systems with a +2.0[.x] kernel, or if built for systems with a 2.0[.x] kernel, not turn +promiscuous mode off on a network device until the program using +promiscuous mode exits, so if you start a capture with Ethereal on some +Linux distributions, the network interface will be put in promiscuous +mode and will remain in promiscuous mode until Ethereal exits. There +might be additional libpcap bugs that cause it not to be turned off even +when Ethereal exits; if your network is busy, this could cause the Linux +networking stack to do a lot more work discarding packets not intended +for the machine, so you may want to check, after running Ethereal, +whether any network interfaces are in promiscuous mode (the output of +"ifconfig -a" will say something such as eth0 Link encap:Ethernet HWaddr 00:00:66:66:66:66 inet addr:66.66.66.66 Bcast:66.66.66.255 Mask:255.255.255.0 @@ -71,3 +108,7 @@ done on that interface, turn promiscuous mode off by hand with ifconfig -promisc where "" is the name of the interface. + +Newer versions of libpcap shouldn't have this problem, even on 2.0[.x] +kernels; no version of libpcap should have that problem on systems with +2.2 or later kernels. -- cgit v1.2.3