Snort mailing list archives

Re: Phil Wood Libpcap Installation Problems


From: Gentoo-Wally <gentoowally () gmail com>
Date: Wed, 31 Jan 2007 15:12:01 -0500

I'm coming a little late to the party, but I just had a similar
problem. I was trying to compile snort with a libpcap that uses pfring
as the ring buffer (similar to Phil Wood's stuff) and I am also using
CentOS 4 with a slightly modified 2.6.9-42.0.3.EL kernel (same as
Jesse). This is what I found...

libpcap stuff from /usr/local/src/libpcap-0.9.4...

[root@localhost libpcap-0.9.4]# ./configure --enable-ipv6
[root@localhost libpcap-0.9.4]# make
[root@localhost libpcap-0.9.4]# gcc -shared -Wl,-soname -Wl,libpcap.so.`cat VERSION` -o libpcap.so.`cat VERSION` *.o -lc
[root@localhost libpcap-0.9.4]# make install && cp libpcap.so.0.9.4 /usr/local/lib
[root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so
[root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so.0
[root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so.0.9

Giving me the following setup...

[root@localhost libpcap-0.9.4]# ls -l /usr/local/lib/
total 372
-rw-r--r--  1 root root 186300 Jan 31 14:21 libpcap.a
lrwxrwxrwx  1 root root     31 Jan 31 14:24 libpcap.so -> /usr/local/lib/libpcap.so.0.9.4
lrwxrwxrwx  1 root root     31 Jan 31 14:24 libpcap.so.0 -> /usr/local/lib/libpcap.so.0.9.4
lrwxrwxrwx  1 root root     31 Jan 31 14:24 libpcap.so.0.9 -> /usr/local/lib/libpcap.so.0.9.4
-rwxr-xr-x  1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4

[root@localhost libpcap-0.9.4]# echo "/usr/local/lib" >> /etc/ld.so.conf
[root@localhost libpcap-0.9.4]# ldconfig -v |grep pcap
        libpcap.so.0.9.4 -> libpcap.so.0.9.4
        libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5

Just for reference...

[root@localhost libpcap-0.9.4]# ls -l /usr/lib/libpcap*
lrwxrwxrwx  1 root root     23 Jan 29 16:34 /usr/lib/libpcap-nessus.so -> libpcap-nessus.so.2.2.5
lrwxrwxrwx  1 root root     23 Jan 29 16:34 /usr/lib/libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5
-rwxr-xr-x  1 root root 175953 Jan  4 11:34 /usr/lib/libpcap-nessus.so.2.2.5

Now when I try to compile snort from /usr/local/src/snort-2.6.0...

[root@localhost snort-2.6.0]# ./configure --enable-dynamicplugin --enable-timestats --enable-perfprofiling --enable-linux-smp-stats --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib

Like Jesse's case, it complains...

[...]
checking for strerror... yes
checking for __FUNCTION__... yes
checking for floor in -lm... yes
checking for pcap_datalink in -lpcap... no

   ERROR!  Libpcap library/headers not found, go get it from
   http://www.tcpdump.org
   or use the --with-libpcap-* options, if you have it installed
   in unusual place

What makes this really weird is that if I delete just the symlinks for
the shared libs...

[root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so
[root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0
[root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0.9
[root@localhost snort-2.6.0]# ls -l /usr/local/lib/
total 372
-rw-r--r--  1 root root 186300 Jan 31 14:21 libpcap.a
-rwxr-xr-x  1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4
[root@localhost snort-2.6.0]# ldconfig -v |grep pcap
        libpcap.so.0.9.4 -> libpcap.so.0.9.4
        libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5

And then rerun the exact same ./configure for snort that I ran before,
it configures and compiles without complaint.

I thought I'd take this a step further. I ran the _exact_ same test
with a stock libpcap-0.9.4 downloaded from www.tcpdump.org _without_
any pfring stuff and even with the symlinks it configures and compiles
without complaint. Then I removed that and ran the _exact_ same test
with the version of libpcap I pulled with 'yum install libpcap' which
also sets up the symlinks. Only difference is it uses /usr/lib instead
of /usr/local/lib. It also configures and compiles without complaint.

Sounds like there might be a problem with the function in configure
that checks for pcap_datalink in the pcap library when dealing with
nonstandard/patched libpcaps that use shared libraries and symlinks.
Or maybe the culprit is CentOS 4 since we are both using that.

I have no idea how AC_CHECK_LIB in configure actually performs the
check, but I do know that pcap_datalink does exist in a pfring enabled
libpcap...

[root@localhost snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.a
Binary file /usr/local/lib/libpcap.a matches
[root@localhost snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.so.0.9.4
Binary file /usr/local/lib/libpcap.so.0.9.4 matches

Hope this helps,
Wally
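
[Added example, not part of the original message: AC_CHECK_LIB links a small test program that references the function against -l<lib>, and configure writes the exact command and the linker's output to config.log. The script below pulls that record out for one check; the config.log excerpt is constructed, and its line numbers, flags and linker message are illustrative.]

```shell
#!/bin/sh
# Added example: extract the record of one AC_CHECK_LIB test from config.log.

# Constructed config.log excerpt (not taken from the thread); the undefined
# symbol name is a placeholder.
sample_config_log() {
cat <<'EOF'
configure:5120: checking for floor in -lm
configure:5150: gcc -o conftest -g -O2 conftest.c -lm  >&5
configure:5156: $? = 0
configure:5170: result: yes
configure:5210: checking for pcap_datalink in -lpcap
configure:5240: gcc -o conftest -g -O2 -I/usr/local/include -L/usr/local/lib conftest.c -lpcap -lm  >&5
/usr/local/lib/libpcap.so: undefined reference to `example_missing_symbol'
collect2: ld returned 1 exit status
configure:5246: $? = 1
configure: failed program was:
| char pcap_datalink ();
| int main () { return pcap_datalink (); }
configure:5270: result: no
EOF
}

# check_record <symbol> <lib>: read config.log on stdin and print the lines
# from "checking for <symbol> in -l<lib>" through that check's "result:" line.
check_record() {
    awk -v want="checking for $1 in -l$2" '
        index($0, want) { on = 1 }
        on              { print }
        on && /^configure:[0-9]+: result: / { exit }
    '
}

# yes/no verdict that configure printed for the check.
check_result() {
    check_record "$1" "$2" | sed -n 's/^configure:[0-9]*: result: //p'
}

# The link command configure ran, without the log prefix and redirect.
link_command() {
    check_record "$1" "$2" |
        sed -n 's/^configure:[0-9]*: \(.*conftest\.c.*[^ ]\) *>&5$/\1/p'
}

# Compiler/linker output: every record line that is neither a configure
# message nor part of the echoed test program ("| " lines).
link_errors() {
    check_record "$1" "$2" | grep -v -e '^configure:' -e '^| ' || true
}

sample_config_log | link_errors pcap_datalink pcap
```

Against a real build, replace `sample_config_log |` with `< config.log` in the snort source directory after the failed ./configure run.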




On 1/24/07, Darryl Taylor <darryl.taylor () sourcefire com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just did a complete install as follows on my Dual Opteron running
Gentoo 2.6.17-r8:

libpcap (Phil Woods)
./configure --enable-shared
make
sudo make install

(ensure /usr/local/lib is in ld.so.conf)
sudo ldconfig



snort (with the options I use)
./configure --with-libpcap-library=/usr/local/lib --enable-debug \
--enable-perfprofiling --enable-dynamicplugin
make
sudo make install

ldd /usr/local/bin/snort
        libpcre.so.0 => /usr/lib/libpcre.so.0 (0x00002b3e9220e000)
        libpcap-0.9.3.so => /usr/local/lib/libpcap-0.9.3.so (0x00002b3e9232a000)
        libm.so.6 => /lib/libm.so.6 (0x00002b3e92459000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00002b3e925af000)
        libdl.so.2 => /lib/libdl.so.2 (0x00002b3e926c5000)
        libc.so.6 => /lib/libc.so.6 (0x00002b3e927c9000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b3e920f2000)

After this I had a working snort-2.6.1.2.


Darryl Taylor


IT Security wrote:
I recompiled libpcap to use shared libraries and now have the following
in /usr/lib:

lrwxrwxrwx  1 root root     16 Jan 23 08:56 /usr/lib/libpcap-0.8.3.so -> libpcap-0.9.3.so
-rwxr-xr-x  1 root root 375850 Jan 23 09:00 /usr/lib/libpcap-0.9.3.so
-rw-r--r--  1 root root 483168 Jan 23 09:00 /usr/lib/libpcap.a
-rwxr-xr-x  1 root root    792 Jan 23 09:00 /usr/lib/libpcap.la
lrwxrwxrwx  1 root root     16 Jan 23 09:00 /usr/lib/libpcap.so -> libpcap-0.9.3.so
lrwxrwxrwx  1 root root     16 Jan 23 09:02 /usr/lib/libpcap.so.0 -> libpcap-0.9.3.so
lrwxrwxrwx  1 root root     16 Jan 23 09:03 /usr/lib/libpcap.so.0.8 -> libpcap-0.9.3.so
lrwxrwxrwx  1 root root     16 Jan 23 09:03 /usr/lib/libpcap.so.0.8.3 -> libpcap-0.9.3.so

I added the symlinks for libpcap 0.8.3 with hopes that it would help,
but it didn't.

I have run ldconfig since reinstalling libpcap.

Attempting to recompile snort and tcpdump both end with the result of:

checking for strerror... yes
checking for __FUNCTION__... yes
checking for floor in -lm... yes
checking for pcap_datalink in -lpcap... no

   ERROR!  Libpcap library/headers not found, go get it from
   http://www.tcpdump.org
   or use the --with-libpcap-* options, if you have it installed
   in unusual place

This makes me think that I'm missing something associated with libpcap.

Any more ideas?

Thanks in advance.

- Jesse





-----Original Message-----
From: snort-users-bounces () lists sourceforge net
[mailto:snort-users-bounces () lists sourceforge net] On Behalf Of IT
Security
Sent: Tuesday, January 23, 2007 8:11 AM
To: Darryl Taylor
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems

Darryl -

Tried with no luck.  Still get the same error.

./configure --with-libpcap-library=/usr/local/lib

Thanks for the assistance.

- Jesse



-----Original Message-----
From: Darryl Taylor [mailto:darryl.taylor () sourcefire com]
Sent: Tuesday, January 23, 2007 8:00 AM
To: darryl.taylor () sourcefire com
Cc: IT Security; snort-users-bounces () lists sourceforge net;
snort-users () lists sourceforge net
Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems

Sorry bout that. Needed a little more sleep. It should be
--with-libpcap-library=[your path]



Darryl Taylor
Security Engineer
SOURCEfire
Office: 404-474-8454
Cell:   404-783-2064
eFax:   404-521-4309

Fingerprint: AEA7 16DB 2DC3 0C3E 43A9 F1B6 E25A 6A7C 16F2 68B6
Key: http://demo.sourcefire.com/dtaylor.pgp.key




darryl.taylor () sourcefire com wrote:
Try ./configure --with-libpcap=/usr/local when compiling snort. If it
still fails then the library was probably compiled statically. If that
is the case, post back and I will tell you how to make it a shared
object. I think I had this problem a few years ago.
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "IT Security" <ITSEC () 24hourfit com>
Date: Mon, 22 Jan 2007 17:46:59
To:<snort-users () lists sourceforge net>
Subject: [Snort-users] Phil Wood Libpcap Installation Problems

I'm trying to get Phil Wood's modified libpcap working on my Snort
2.6.1 sensor, but have run into some difficulties and hoping that
someone out there can help.

I've downloaded and extracted libpcap-0.9.20060417.tar.gz.  I then
run:
   ./configure
   make
   make install

I then downloaded and extracted snort-2.6.1.1.tar.gz.  I then run:

   ./configure
   make

That's where it blows up.  Here is the error:

<snip>

checking for pcap_datalink in -lpcap... no

   ERROR!  Libpcap library/headers not found, go get it from
   http://www.tcpdump.org
   or use the --with-libpcap-* options, if you have it installed
   in unusual place

</snip>

Any ideas why the headers would be missing?  Header files are
identified with the .h extension correct?  Where are these supposed to
reside on the system?

I'm running CentOS 4 with 2.6.9-42.0.3.EL kernel.

Thanks in advance.

- Jesse

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFt7ZE4lpqfBbyaLYRAjmNAJ94Zrrh+Fy01mK5j5+S9f8apPrRJgCeOBFt
Gf7swfkS4Wv92y0VldKsslw=
=HRZ4
-----END PGP SIGNATURE-----
