Snort mailing list archives
libpcap for linux, to_ms redefined
From: Phil Wood <cpw () lanl gov>
Date: Thu, 28 Mar 2002 16:23:36 -0700
Folks,

In my efforts to make a libpcap work better on linux, I've had to redefine the meaning of the 'to_ms'. In the past it was supposed to define a time in milliseconds when a "read" from the network would wait for incoming packets before returning to the pcap function that caused a read from the network. On linux, and possibly other operating systems, this value was not deemed worthy of accommodating. With the advent of memory mapped ring buffers developed by Alexey Kuznetsov, this function could be accommodated.

I treat the value of 'to_ms' in the following manner:

    if (to_ms == 0) return;
        // if no packet immediately available then return
        // to calling program it will poll (good for old
        // versions of NFR or programs that have other
        // things to do besides capture packets)

    if (to_ms < 0)
        // never return just keep pick'n packets off the ring,
        // doing callbacks, and waiting, in that order, forever.
        // (Or until the program terminates via a signal, error,
        // or the PCAP_TIMEOUT time has been exceeded)

    if (to_ms > 0)
        // return when the timeout has gone to zero after subtracting
        // delta time values. Example, if you set to_ms to 1000
        // (one second), on a network where 40,000 packets are
        // being seen per second, then a return is made after
        // 40,000 callbacks. Note, pcap_loop ignores the timeout
        // return which is fine, and pcap_dispatch will return when
        // to_ms decrements to 0 (or less)

The linux version keeps track of time using the packet times provided by the kernel. On a busy network (no waits between callbacks), libpcap will not make system calls.

The following assumes that WORKING is set to something like /tmp/working. You can find a complete libpcap release at the url below.

    % cd $WORKING
    % wget http://public.lanl.gov/cpw/libpcap-current.tar.gz
    % md5 < libpcap-current.tar.gz        <- might not work this way for you
    36749ba28b3310b1d4c3735ce55ae01f

It is based on tcpdump.org libpcap for 2002.03.26, but when expanded will be in a directory called libpcap-0.7.0326.
The following should make you a libpcap:

    % cd $WORKING
    % tar -zxf libpcap-current.tar.gz
    % ln -s libpcap-0.7.*[0-9] libpcap
    % cd libpcap
    % ./configure --prefix=/usr
    % make

Or you could patch the current libpcap at tcpdump.org with the patch at this url. This could have a short lifetime, if the libpcap at tcpdump.org undergoes any major changes.

    % cd $WORKING
    % wget http://public.lanl.gov/cpw/libpcap.patch.gz
    % md5 < libpcap.patch.gz
    d656e4a10113e6ef68084bb21ab51305

With this route, the following should get you a viable linux pcap. (It works on freebsd also [Not the linux stuff just a configure/make pass])

    % cd $WORKING
    % wget http://www.tcpdump.org.daily/libpcap-current.tar.gz
    % tar -zxf libpcap-current.tar.gz
    % ln -s libpcap-2002.*[0-9] libpcap
    % cd libpcap
    % gzip -d < ../libpcap.patch.gz | patch
    % ./configure --prefix=/usr
    % make

Once you have made the library, you could be so bold as to install it in the following manner:

    # cd $WORKING/libpcap
    # make install

But, you might want to wait on that, and try building an application that needs the library, like tcpdump:

    % cd $WORKING
    % wget http://tcpdump.org/release/tcpdump-3.7.1.tar.gz
    % tar -zxf tcpdump-3.7.1.tar.gz
    % ln -s tcpdump-3.7.1 tcpdump
    % cd tcpdump
    % ./configure
    % make        <- assuming you are under a hierarchy like $WORKING/{tcpdump,libpcap}

To test:

    # PCAP_FRAMES=max PCAP_VERBOSE=1 PCAP_TO_MS=-1 ./tcpdump ... -w /dev/null
                 ^ You need around 52Mbytes of extra memory for this if you use -s 1500

Or, you can ignore the whole concept, and proceed as you will. If you do choose to try this stuff out, please be sure to read the README.linux and README.ring.

Thanks,

--
Phil Wood, cpw () lanl gov
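Added illustration, not Phil Wood's patch or any libpcap code: a small C model of the three 'to_ms' cases described in the post, driven by constructed kernel packet timestamps. The names dispatch_model, run_scenario and enum dispatch_result are invented here; the internals of the patched library are not on this page. The model reproduces the post's worked figure (to_ms = 1000 on a 40,000 packet/s network returns after 40,000 callbacks) and shows the accounting the post describes: the remaining budget is decremented only from successive packet times, so no clock system call is needed while packets keep arriving.

```c
/* Added model of the redefined to_ms semantics described in the post above.
 * Not code from the patched libpcap: dispatch_model(), run_scenario() and
 * enum dispatch_result are invented here to illustrate the three cases. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/time.h>

/* Why the simulated pcap_dispatch() returned to its caller. */
enum dispatch_result {
    DISPATCH_NONBLOCK,    /* to_ms == 0: drained what was in the ring, caller polls */
    DISPATCH_TIMEOUT,     /* to_ms > 0: time budget reached zero (or less) */
    DISPATCH_WOULD_WAIT   /* ring drained with budget left, or to_ms < 0: the real
                             library would keep waiting for more packets here */
};

/* Difference a - b in microseconds, using timestamps as the kernel supplies them. */
static long long tv_diff_us(const struct timeval *a, const struct timeval *b)
{
    return (long long)(a->tv_sec - b->tv_sec) * 1000000LL
         + (long long)(a->tv_usec - b->tv_usec);
}

/*
 * Simulate one pcap_dispatch() over a ring holding n packets with kernel
 * timestamps ts[] (non-decreasing). start is the time the call was entered;
 * available is how many packets were already in the ring at that moment.
 * Returns the number of callbacks made before returning to the caller.
 */
static size_t dispatch_model(const struct timeval *start, const struct timeval *ts,
                             size_t n, size_t available, int to_ms,
                             enum dispatch_result *why)
{
    if (to_ms == 0) {
        /* Non-blocking: hand over whatever is immediately available, then return. */
        *why = DISPATCH_NONBLOCK;
        return available < n ? available : n;
    }
    if (to_ms < 0) {
        /* Never time out: keep picking packets off the ring until the program ends. */
        *why = DISPATCH_WOULD_WAIT;
        return n;
    }
    /* to_ms > 0: subtract the delta between successive packet times from the
     * budget. Only packet timestamps are consulted, so on a busy ring no
     * clock system call is needed. */
    long long budget_us = (long long)to_ms * 1000LL;
    struct timeval last = *start;
    size_t callbacks = 0;
    for (size_t i = 0; i < n; i++) {
        callbacks++;                          /* the callback for packet i */
        budget_us -= tv_diff_us(&ts[i], &last);
        last = ts[i];
        if (budget_us <= 0) {
            *why = DISPATCH_TIMEOUT;
            return callbacks;
        }
    }
    *why = DISPATCH_WOULD_WAIT;
    return callbacks;
}

/*
 * Build a constructed ring of n packets arriving every interval_us microseconds
 * after the call was entered, and run the model on it.
 */
static size_t run_scenario(int to_ms, size_t n, size_t available, long interval_us,
                           enum dispatch_result *why)
{
    struct timeval start = { 0, 0 };
    struct timeval *ring = malloc(n * sizeof *ring);
    if (ring == NULL) {
        *why = DISPATCH_WOULD_WAIT;
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        long long t = (long long)(i + 1) * interval_us;   /* constructed arrival time */
        ring[i].tv_sec  = (time_t)(t / 1000000);
        ring[i].tv_usec = (suseconds_t)(t % 1000000);
    }
    size_t callbacks = dispatch_model(&start, ring, n, available, to_ms, why);
    free(ring);
    return callbacks;
}

int main(void)
{
    enum dispatch_result why;
    /* The post's figure: to_ms = 1000 on a 40,000 packet/s network (25 us apart). */
    size_t cb = run_scenario(1000, 100000, 100000, 25, &why);
    printf("to_ms=1000 at 40,000 pps: %zu callbacks, timed out=%d\n",
           cb, why == DISPATCH_TIMEOUT);
    cb = run_scenario(0, 500, 3, 25, &why);
    printf("to_ms=0 with 3 packets queued: %zu callbacks, caller polls\n", cb);
    cb = run_scenario(-1, 500, 3, 25, &why);
    printf("to_ms=-1: %zu callbacks, then keep waiting\n", cb);
    return 0;
}
```

The fourth case worth noticing is a quiet network: with to_ms = 1000 and only 100 packets 25 us apart, the model drains the ring with 997,500 us of budget left and reports DISPATCH_WOULD_WAIT, which is where the real library has to fall back to waiting on the ring rather than returning.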