Snort mailing list archives

Re: libpcap on Linux, FOR LINUX USERS ONLY


From: Phil Wood <cpw () lanl gov>
Date: Tue, 26 Nov 2002 12:00:46 -0700

Pull down my current libpcap.  Read README.linux and README.ring.  
Install your own kernel in the 2.4.16+ version from kernel.org.
There are some issues with 2.4.19 and 3Com 3C985 Gigabit Ethernet cards.
Namely, the kernel freezes on boot when it tries to enable those links.  I
haven't tried to debug that problem.  I've heard that the Intel GigE card
is the way to go.  And, that might involve getting the driver from Intel.

The READMEs above should clue you in to the config options:

These are the ones relevant to Alexey's ring buffer concept.

  * Packet socket, CONFIG_PACKET
  * Packet socket: mmapped IO, CONFIG_PACKET_MMAP
  * Socket Filtering, CONFIG_FILTER

Make your kernel, and install.

Get the symlinks right for your /usr/include/{asm,linux}. In other words,
don't use what your shrink-wrapped Linux comes with. See the tail end of README.linux.

At this point you should be able to ./configure in the libpcap directory and
make the library. Remember there are a number of whizbang libpcap applications
that your vendor might have installed. If they use shared libraries, you
could invoke the enable-shared configure option and finagle the system to
use the mmapped libpcap via ld.so.conf and ldconfig. Remember the default
prefix is /usr/local (which you can change).

Example:

#!/bin/sh
#
set -e

SOMEPLACE=/tmp/someplace
if [ -d "$SOMEPLACE" ]; then
        echo "Please rm -rf $SOMEPLACE and then restart this process" >&2
        exit 1
fi
echo "Creating $SOMEPLACE to hold all the goodies."
mkdir "$SOMEPLACE"
cd "$SOMEPLACE"
wget http://public.lanl.gov/cpw/release/tcpdump-3.6.2.tar.gz
tar -zxf tcpdump-3.6.2.tar.gz
ln -s tcpdump-3.6.2 tcpdump
wget http://public.lanl.gov/cpw/libpcap-0.8.1104.tar.gz
tar -zxf libpcap-0.8.1104.tar.gz
ln -s libpcap-0.8.1104 libpcap

cat << EOF

# Note: USE THIS PROCEDURE AT YOUR OWN RISK.  You are responsible for verifying
# that the code will not harm your system.  It would be a good idea to
# do all this stuff on an isolated system, isolated from the Internet
# (no default route, and no address on your gig interface), and stand alone
# (no other connections to your network infrastructure).

EOF

# printf rather than 'echo -n': -n is not portable across /bin/sh implementations
printf "To take full responsibility for continuing this process type 'yes': "
read i_take_the_risk
if [ "$i_take_the_risk" != "yes" ]; then echo "See you later"; exit 1; fi
cat << EOF

Ok then, configuring and making libpcap!

EOF

cd libpcap
aclocal
autoheader
automake
autoconf


cat << EOF

# check CFLAGS in your Makefile.  Next time around you might want to remove
# the -g (gdb) option.
# Enter a newline to continue. (The Enter key on most keyboards)

EOF
# POSIX sh requires a variable name for read; '_' is a throwaway
read _

./configure
make all

cat << EOF

# only 'make install' in the libpcap directory after you have tried building a
# libpcap based app like tcpdump and referenced the static lib in the
# libpcap directory.
# Enter a newline to make tcpdump. (The Enter key on most keyboards)

EOF
read _

cd ../tcpdump
./configure
make

cat << EOF

# Become root and type the following:

        cd $SOMEPLACE/tcpdump

        PCAP_VERBOSE=1 PCAP_FRAMES=1000 ./tcpdump -ttttnqvc 1 udp

EOF


cat << EOF

# It should look something like this:
#
#       libpcap version: 0.8.1104
#       Kernel filter, Protocol 0300, MMAP mode (1008 frames, snapshot 68), socket type: Raw
#       tcpdump: listening on eth0
#       11/26/2002 17:22:31.719248 192.168.253.1.514 > 192.168.114.80.514:  udp 52 (ttl 252, id 5492, len 80)

# now you have to decide if you want to build with shared libraries and such.
# and possibly install so that other pcap based applications can benefit.
# that's beyond this mini howto.
# Re-read README.ring and try the various options.  I'd get myself a lot of
# memory and set PCAP_FRAMES=max.
#

EOF
exit 0

# =============================================================================

On Tue, Nov 26, 2002 at 09:42:02AM +0100, Lionel CONS wrote:
Hello,

We would like to test libpcap on Linux to check how much data it can
extract out of a 1 Gb link. From your web page (http://public.lanl.gov/cpw)
you seem to have played a lot with this kind of setup. Would you be able
to advise us on the kernel configuration parameters and libpcap patches
to use?

Thanks in advance for your help,
__________________________________________________________
Lionel Cons        http://cern.ch/lionel.cons
CERN               http://www.cern.ch
 
He who hesitates is probably right.

-- 
Phil Wood, cpw () lanl gov
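A pre-flight check for the three kernel options the post names (CONFIG_PACKET, CONFIG_PACKET_MMAP, CONFIG_FILTER), added here as an example; it is not code from Phil Wood's message or from his libpcap distribution. It assumes the kernel config is in the usual `CONFIG_X=y` / `# CONFIG_X is not set` format, as a plain .config or a gzip'ed /proc/config.gz, and the sample config it runs on is constructed for the demo.

```shell
#!/bin/sh
# check_ring_config FILE
# Prints one line per option and returns 0 only if all three options the post
# lists for Alexey's ring buffer are built in (=y) or built as a module (=m).
check_ring_config() {
    cfg=$1
    missing=0
    case "$cfg" in
        *.gz) reader="zcat" ;;   # e.g. /proc/config.gz on kernels that export it
        *)    reader="cat" ;;    # a plain .config from the kernel source tree
    esac
    for opt in CONFIG_PACKET CONFIG_PACKET_MMAP CONFIG_FILTER; do
        # Anchor on "^NAME=" so CONFIG_PACKET does not also match CONFIG_PACKET_MMAP.
        if "$reader" "$cfg" | grep -q "^${opt}=[ym]"; then
            echo "$opt: enabled"
        else
            echo "$opt: MISSING"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample .config (not from a real machine) with CONFIG_FILTER
# deliberately left unset, the case the check is meant to catch.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
# CONFIG_FILTER is not set
EOF

if check_ring_config "$SAMPLE_CFG"; then
    echo "kernel config is ready for the mmapped libpcap"
else
    echo "rebuild the kernel with the MISSING option(s) before building libpcap" >&2
fi
```

Point it at the .config of the kernel you are about to build (or /proc/config.gz of a running one) before starting the procedure in the post.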