Snort mailing list archives
libpcap for linux, to_ms redefined
From: Phil Wood <cpw () lanl gov>
Date: Thu, 28 Mar 2002 16:23:36 -0700
Folks,
In my efforts to make a libpcap work better on linux, I've had to
redefine the meaning of the 'to_ms'. In the past it was supposed
to define a time in milliseconds when a "read" from the network would
wait for incoming packets before returning to the pcap function that
caused a read from the network. On linux, and possibly other operating
systems, this value was not deemed worthy of accomodating.
With the advent of memory mapped ring buffers developed by Alexey Kuznetsov,
this function could be accomodated. I treat the value of 'to_ms' in the
following manner:
if (to_ms == 0) return; // if no packet immediately available then return
// to calling program it will poll (good for old
// versions of NFR or programs that have other
// things to do besides capture packets)
if (to_ms < 0) // never return just keep pick'n packets off the ring,
// doing callbacks, and waiting, in that order, forever.
// (Or until the program terminates via a signal, error,
// or the PCAP_TIMEOUT time has been exceeded)
if (to_ms > 0) // return when the timeout has gone to zero after subtracting
// delta time values. Example, if you set to_ms to 1000
// (one second), on a network where 40,000 packets are
// being seen per second, then a return is made after
// 40,000 callbacks. Note, pcap_loop ignors the timeout
// return which is fine, and pcap_dispatch will return when
// to_ms decrements to 0 (or less)
The linux version keeps track of time using the packet times provided by the
kernel. On a busy network (no waits between callbacks), libpcap will not make
system calls.
The following assumse that WORKING is set to something like /tmp/working.
You can find a complete libpcap release at the url below.
% cd $WORKING
% wget http://public.lanl.gov/cpw/libpcap-current.tar.gz
% md5 < libpcap-current.tar.gz < might not work this way for you
36749ba28b3310b1d4c3735ce55ae01f
It is based on tcpdump.org libpcap for 2002.03.26, but when expanded will
be in a directory called libpcap-0.7.0326. The following should make
you a libpcap:
% cd $WORKING
% tar -zxf libpcap-current.tar.gz
% ln -s libpcap-0.7.*[0-9] libpcap
% cd libpcap
% ./configure --prefix=/usr
% make
Or you could patch the current libpcap at tcpdump.org with the patch at
this url. This could have a short life time, if the libpcap at tcpdump.org
undergoes any major changes.
% cd $WORKING
% wget http://public.lanl.gov/cpw/libpcap.patch.gz
% md5 < libpcap.patch.gz
d656e4a10113e6ef68084bb21ab51305
With this route, the following should get you a viable linux pcap. (It works
on freebsd also [Not the linux stuff just a configure/make pass])
% cd $WORKING
% wget http://www.tcpdump.org.daily/libpcap-current.tar.gz
% tar -zxf libpcap-current.tar.gz
% ln -s libpcap-2002.*[0-9] libpcap
% cd libpcap
% gzip -d < ../libpcap.patch.gz | patch
% ./configure --prefix=/usr
% make
Once you have made the library, you could be so bold as to install it in the
following manner:
# cd $WORKING/libpcap
# make install
But, you might want to wait on that, and try building an application that
needs the library, like tcpdump:
% cd $WORKING
% wget http://tcpdump.org/release/tcpdump-3.7.1.tar.gz
% tar -zxf tcpdump-3.7.1.tar.gz
% ln -s tcpdump-3.7.1 tcpdump
% cd tcpdump
% ./configure
% make <- assuming you are under a hierarchy like $WORKING/{tcpdump,libpcap}
To test:
# PCAP_FRAMES=max PCAP_VERBOSE=1 PCAP_TO_MS=-1 ./tcpdump ... -w /dev/null
^
You need around 52Mbytes of extra memory for this if you
use -s 1500
Or, you can ignore the whole concept, and proceed as you will.
If you do chose to try this stuff out, please be sure to read the README.linux
and README.ring.
Thanks,
--
Phil Wood, cpw () lanl gov
Attachment:
_bin
Description:
Current thread:
- libpcap for linux, to_ms redefined Phil Wood (Mar 28)