Snort mailing list archives
Re: Phil Wood Libpcap Installation Problems
From: Gentoo-Wally <gentoowally () gmail com>
Date: Wed, 31 Jan 2007 15:12:01 -0500
I'm coming a little late to the party, but I just had a similar problem. I was trying to compile snort with a libpcap that uses pfring as the ring buffer (similar to Phil Wood's stuff) and I am also using CentOS 4 with a slightly modified 2.6.9-42.0.3.EL kernel (same as Jesse). This is what I found... libpcap stuff from /usr/local/src/libpcap-0.9.4... [root@localhost libpcap-0.9.4]# ./configure --enable-ipv6 [root@localhost libpcap-0.9.4]# make [root@localhost libpcap-0.9.4]# gcc -shared -Wl,-soname -Wl,libpcap.so.`cat VERSION` -o libpcap.so.`cat VERSION` *.o -lc [root@localhost libpcap-0.9.4]# make install && cp libpcap.so.0.9.4 /usr/local/lib [root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so [root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so.0 [root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so.0.9 Giving me the following setup... [root@localhost libpcap-0.9.4]# ls -l /usr/local/lib/ total 372 -rw-r--r-- 1 root root 186300 Jan 31 14:21 libpcap.a lrwxrwxrwx 1 root root 31 Jan 31 14:24 libpcap.so -> /usr/local/lib/libpcap.so.0.9.4 lrwxrwxrwx 1 root root 31 Jan 31 14:24 libpcap.so.0 -> /usr/local/lib/libpcap.so.0.9.4 lrwxrwxrwx 1 root root 31 Jan 31 14:24 libpcap.so.0.9 -> /usr/local/lib/libpcap.so.0.9.4 -rwxr-xr-x 1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4 [root@localhost libpcap-0.9.4]# echo "/usr/local/lib" >> /etc/ld.so.conf [root@localhost libpcap-0.9.4]# ldconfig -v |grep pcap libpcap.so.0.9.4 -> libpcap.so.0.9.4 libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5 Just for reference... [root@localhost libpcap-0.9.4]# ls -l /usr/lib/libpcap* lrwxrwxrwx 1 root root 23 Jan 29 16:34 /usr/lib/libpcap-nessus.so -> libpcap-nessus.so.2.2.5 lrwxrwxrwx 1 root root 23 Jan 29 16:34 /usr/lib/libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5 -rwxr-xr-x 1 root root 175953 Jan 4 11:34 /usr/lib/libpcap-nessus.so.2.2.5 Now when I try to compile snort from /usr/local/src/snort-2.6.0... [root@localhost snort-2.6.0]# ./configure --enable-dynamicplugin --enable-timestats --enable-perfprofiling --enable-linux-smp-stats --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib Like Jesse's case, it complains... [...] checking for strerror... yes checking for __FUNCTION__... yes checking for floor in -lm... yes checking for pcap_datalink in -lpcap... no ERROR! Libpcap library/headers not found, go get it from http://www.tcpdump.org or use the --with-libpcap-* options, if you have it installed in unusual place What makes this really weird is that if I delete just the symlinks for the shared lib's... [root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so [root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0 [root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0.9 [root@localhost snort-2.6.0]# ls -l /usr/local/lib/ total 372 -rw-r--r-- 1 root root 186300 Jan 31 14:21 libpcap.a -rwxr-xr-x 1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4 [root@localhost snort-2.6.0]# ldconfig -v |grep pcap libpcap.so.0.9.4 -> libpcap.so.0.9.4 libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5 And then rerun the exact same ./configure for snort that I ran before it configures and compiles without complaint. I thought I'd take this a step further. I ran the _exact_ same test with a stock libpcap-0.9.4 downloaded from www.tcpdump.org _without_ any pfring stuff and even with the symlinks it configures and compiles without complaint. Then I removed that and ran the _exact_ same test with the version of libpcap I pulled with 'yum install libpcap' which also sets up the symlinks. Only difference is it uses /usr/lib instead of /usr/local/lib. It also configures and compiles without complaint. Sounds like there might be a problem with the function in configure that checks for pcap_datalink in the pcap library when dealing with nonstandard/patched libpcaps that use shared libraries and symlinks. Or maybe the culprit is CentOS 4 since we are both using that. I have no idea how AC_CHECK_LIB in configure actually performs the check, but I do know that pcap_datalink does exist in a pfring enabled libpcap... [root@localhost snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.a Binary file /usr/local/lib/libpcap.a matches [root@localhost snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.so.0.9.4 Binary file /usr/local/lib/libpcap.so.0.9.4 matches Hope this helps, Wally On 1/24/07, Darryl Taylor <darryl.taylor () sourcefire com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I just did a complete install as follows on my Dual Opteron running Gentoo 2.6.17-r8: libpcap (Phil Woods) ./configure --enable-shared make sudo make install (ensure /usr/local/lib is in ld.so.conf) sudo ldconfig snort (with the options I use) ./configure --with-libpcap-library=/usr/local/lib --enable-debug \ - --enable-perfprofiling --enable-dynamicplugin make sudo make install ldd /usr/local/bin/snort libpcre.so.0 => /usr/lib/libpcre.so.0 (0x00002b3e9220e000) libpcap-0.9.3.so => /usr/local/lib/libpcap-0.9.3.so (0x00002b3e9232a000) libm.so.6 => /lib/libm.so.6 (0x00002b3e92459000) libnsl.so.1 => /lib/libnsl.so.1 (0x00002b3e925af000) libdl.so.2 => /lib/libdl.so.2 (0x00002b3e926c5000) libc.so.6 => /lib/libc.so.6 (0x00002b3e927c9000) /lib64/ld-linux-x86-64.so.2 (0x00002b3e920f2000) After this I had a working snort-2.6.1.2. Darryl Taylor IT Security wrote:I recompiled libpcap to use shared libraries and now have the following in /usr/lib: lrwxrwxrwx 1 root root 16 Jan 23 08:56 /usr/lib/libpcap-0.8.3.so -> libpcap-0.9.3.so -rwxr-xr-x 1 root root 375850 Jan 23 09:00 /usr/lib/libpcap-0.9.3.so -rw-r--r-- 1 root root 483168 Jan 23 09:00 /usr/lib/libpcap.a -rwxr-xr-x 1 root root 792 Jan 23 09:00 /usr/lib/libpcap.la lrwxrwxrwx 1 root root 16 Jan 23 09:00 /usr/lib/libpcap.so -> libpcap-0.9.3.so lrwxrwxrwx 1 root root 16 Jan 23 09:02 /usr/lib/libpcap.so.0 -> libpcap-0.9.3.so lrwxrwxrwx 1 root root 16 Jan 23 09:03 /usr/lib/libpcap.so.0.8 -> libpcap-0.9.3.so lrwxrwxrwx 1 root root 16 Jan 23 09:03 /usr/lib/libpcap.so.0.8.3 -> libpcap-0.9.3.so I added the symlinks for libpcap 0.8.3 with hopes that it would help, but it didn't. I have run ldconfig since reinstalling libpcap. Attempting to recompile snort and tcpdump both end with the result of: checking for strerror... yes checking for __FUNCTION__... yes checking for floor in -lm... yes checking for pcap_datalink in -lpcap... no ERROR! Libpcap library/headers not found, go get it from http://www.tcpdump.org or use the --with-libpcap-* options, if you have it installed in unusual place This makes me think that I'm missing something accosiated with libpcap. Any more ideas? Thanks in advance. - Jesse -----Original Message----- From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of IT Security Sent: Tuesday, January 23, 2007 8:11 AM To: Darryl Taylor Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems Darryl - Tried with no luck. Still get the same error. ./configure --with-libpcap-library=/usr/local/lib Thanks for the assistance. - Jesse -----Original Message----- From: Darryl Taylor [mailto:darryl.taylor () sourcefire com] Sent: Tuesday, January 23, 2007 8:00 AM To: darryl.taylor () sourcefire com Cc: IT Security; snort-users-bounces () lists sourceforge net; snort-users () lists sourceforge net Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems Sorry bout that. Needed a little more sleep. It should be --with-libpcap-library=[your path] Darryl Taylor Security Engineer SOURCEfire Office: 404-474-8454 Cell: 404-783-2064 eFax: 404-521-4309 Fingerprint: AEA7 16DB 2DC3 0C3E 43A9 F1B6 E25A 6A7C 16F2 68B6 Key: http://demo.sourcefire.com/dtaylor.pgp.key darryl.taylor () sourcefire com wrote:Try ./configure --with-libpcap=/usr/local when compiling snort. If itstill fails then the library was probably compiled statically. If that is the case, post back and I will tell you how to make it a shared object. I think I had this problem a few years ago.Sent from my Verizon Wireless BlackBerry-----Original Message----- From: "IT Security" <ITSEC () 24hourfit com> Date: Mon, 22 Jan 2007 17:46:59 To:<snort-users () lists sourceforge net> Subject: [Snort-users] Phil Wood Libpcap Installation ProblemsI'm trying to get Phil Wood's modified libpcap working on my Snort 2.6.1 sensor, but have run into some difficulties and hoping that someone out there can help.I've downloaded and extracted libpcap-0.9.20060417.tar.gz. I thenrun:./configure make make installI then downloaded and extracted snort-2.6.1.1.tar.gz. I then run:./configure makeThat's where it blows up. Here is the error:<snip>checking for pcap_datalink in -lpcap... noERROR! Libpcap library/headers not found, go get it from http://www.tcpdump.org or use the --with-libpcap-* options, if you have it installed in unusual place</snip>Any ideas why the headers would be missing? Header files are identified with the .h extension correct? Where are these supposed toreside on the system?I'm running CentOS 4 with 2.6.9-42.0.3.EL kernel.Thanks in advance.- Jesse---------------------------------------------------------------------- --- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earncash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEV DEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ---------------------------------------------------------------------- --- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earncash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEV DEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users- ------------------------------------------------------------------------ - - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDE V _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users - ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFt7ZE4lpqfBbyaLYRAjmNAJ94Zrrh+Fy01mK5j5+S9f8apPrRJgCeOBFt Gf7swfkS4Wv92y0VldKsslw= =HRZ4 -----END PGP SIGNATURE----- ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Phil Wood Libpcap Installation Problems IT Security (Jan 22)
- Re: Phil Wood Libpcap Installation Problems darryl . taylor (Jan 22)
- Re: Phil Wood Libpcap Installation Problems Darryl Taylor (Jan 23)
- Re: Phil Wood Libpcap Installation Problems IT Security (Jan 23)
- Re: Phil Wood Libpcap Installation Problems IT Security (Jan 23)
- Re: Phil Wood Libpcap Installation Problems Darryl Taylor (Jan 24)
- Re: Phil Wood Libpcap Installation Problems Gentoo-Wally (Jan 31)
- Re: Phil Wood Libpcap Installation Problems Jason (Jan 31)
- Message not available
- Message not available
- Re: Phil Wood Libpcap Installation Problems Gentoo-Wally (Feb 01)
- Re: Phil Wood Libpcap Installation Problems Darryl Taylor (Jan 23)
- Re: Phil Wood Libpcap Installation Problems darryl . taylor (Jan 22)
- Re: Phil Wood Libpcap Installation Problems Darryl Taylor (Feb 01)
- Re: Phil Wood Libpcap Installation Problems Stephen John Smoogen (Feb 01)
- <Possible follow-ups>
- FW: Phil Wood Libpcap Installation Problems IT Security (Feb 01)