Friday, April 7, 2023 / The Tcpdump Group
Summary for 1.10.4 libpcap release
Source code:
Fix spaces before tabs in indentation.
rpcap:
Fix name of launchd service.
Documentation:
Document use of rpcapd with systemd, launchd, inetd, and xinetd.
Building and testing:
Require at least pkg-config 0.17.0, as we use --static.
Get rid of the remains of gnuc.h.
Require at least autoconf 2.69.
Update config.{guess,sub}, timestamps 2023-01-01,2023-01-21.
Thursday, January 12, 2023 / The Tcpdump Group
Summary for 1.10.3 libpcap release
Source code:
Sort the PUBHDR variable in Makefile.in in "ls" order.
Fix typo in comment in pflog.h.
Remove two no-longer-present files from .gitignore.
Update code and comments for handling failure to set promiscuous
mode based on new information.
Building and testing:
install: Fixed not to install the non-public pcap-util.h header.
pcap-config: add a --version flag.
Makefile.in: Add some missing files in the distclean target.
Saturday, December 31, 2022 / The Tcpdump Group
Summary for 1.10.2 libpcap release
Source code:
Use __builtin_unreachable() in PCAP_UNREACHABLE.
Use AS_HELP_STRING macro instead of AC_HELP_STRING in the
configure scripts, to avoid deprecation warnings.
Change availability tags in pcap.h to make it easier to
arrange for it to be used in Darwin releases.
Use AS_HELP_STRING for --enable-remote.
Fix some formatting string issues found by cppcheck.
Various small code and comment cleanups.
Use PCAP_ERROR (defined as -1) rather than explicit -1 for
functions the documentation says return PCAP_ERROR.
Remove unused code from the filter compiler.
Use _declspec(deprecated(msg)) rather than __pragma(deprecated)
for Windows deprecation warnings, so the message that was
specified shows up.
diag-control.h: define PCAP_DO_PRAGMA() iff we're going to use it.
Use "%d" to print some signed ints.
Use the Wayback Machine for a removed document in a comment.
Add some const qualifiers.
RDMA: Use PRIu64 to print a uint64_t.
"Dead" pcap_ts from pcap_open_dead() and ..._with_tstamp_precision():
Don't crash if pcap_breakloop() is called.
Savefiles:
Fix pcap_dispatch() to return number of packets processed, rather
than 0, even at EOF.
If we get an error writing the packet header, don't write the
packet data.
Put PFLOG UID and PID values in the header into host byte order
when reading a LINKTYPE_PFLOG file.
Put CAN ID field in CAN pseudo-headers for LINUX_SLL2, as we do
for LINUX_SLL.
Fix inorrectly-computed "real" length for isochronous USB
transfers when reading savefiles.
Don't crash if pcap_can_set_rfmon() is called.
Fix pcap_offline_read() loop.
Capture:
Never process more than INT_MAX packets in a pcap_dispatch() call,
to avoid integer overflow (issue #1087).
Improve error messages for "no such device" and "permission
denied" errors.
SITA: Fix a typo in a variable name.
Packet filtering:
Get PFLOG header length from the length value in the header.
Support all the direction, reason, and action types supported by
all systems that support PFLOG.
Don't require PFLOG support on the target machine in order to
support PFLOG filtering (also fixes issue #1076).
Expand abbreviations into "proto X" properly.
gencode.c: Update a comment about the VLAN TPID test.
Add the minimum and maximum matching DLTs to an error message.
Linux:
Fix memory leak in capture device open (pull request #1038).
Fix detection of CAN/CAN FD packets in direction check (issue
#1051).
Fix double-free crashes on errors such as running on a kernel with
CONFIG_PACKET_MMAP not configured (issue #1054).
Use DLT_CAN_SOCKETCAN for CANbus interfaces (issue #1052; includes
changes from pull request #1035).
Make sure the CANFD_FDF can be relied on to indicate whether a
CANbus packet is a CAN frame or a CAN FD frame
Improve error message for "out of memory" errors for kernel
filters (see issue #1089).
Fix pcap_findalldevs() to find usbmon devices.
Fix handling of VLAN tagged packets if the link-layer type is
changed from DLT_LINUX_SLL to DLT_LINUX_SLL2 (see issue #1105).
Always turn on PACKET_AUXDATA (see issue #1105).
We require 2.6.27 or later, so PACKET_RESERVE is available.
Make sure there's reserved space for a DLT_LINUX_SLL2 header
when capturing.
Correctly compute the "real" length for isochronous USB transfers.
Don't have an eventfd descriptor open in non-blocking mode, so as
not to waste descriptors.
netfilter: Squelch a narrowing warning (To be look at before 2038).
BPF capture (*BSD, macOS, AIX, Solaris 11):
Fix case where a device open might fail, rather than falling back
to a smaller buffer size, when the initial buffer size is too
big.
Use an unsigned device number to iterate over BPF devices, to
squelch a compiler warning.
NetBSD:
Fix handling of LINKTYPE_HDLC/DLT_HDLC.
rpcap:
Fix unaligned accesses in rpcapd (pull request #1037).
Fix code to process port number.
Clean up findalldevs code in rpcapd.
Clean up bufferizing code.
Fix a file descriptor/handle leak in pcap_findalldevs_ex()
(Coverity CID 1507240).
Improve error messages for host and port resolution errors.
Fix connect code not to fail if both IPv4 and IPv6 addresses are
tried.
Improve connect failure error message.
Provide an error message for a bad authentication reply size.
For link-layer types with host-endian fields in the header, fix
those fields if capturing from a server with a different byte
order.
Suppress temporarily the warnings with "enable remote packet capture".
Windows:
Add support for NdisMediumIP (pull request #1027).
Don't require applications using pcap to be built with VS 2015 or
later.
Use the correct string for the DLL VersionInfo.
Remove unnecessary DllMain() function.
Correctly handle ERROR_INVALID_FUNCTION from
PacketGetTimestampModes() (indicate that WinPcap or an older
version of Npcap is probably installed).
Fix use-after-free in some cases when a pcap_t is closed.
Make sure an error is returned by pcap_create_interface() if
PacketOpenAdapter() fails.
Return an error if the driver reports 0 timestamp modes supported.
Close the ADAPTER handle for some errors in
pcap_create_interface().
Get rid of old umaintained VS project files.
Fix deprecation warning for pcap_handle().
Npcap is now at npcap.com, not npcap.org.
Make sure "no such device" and "no permission to open device"
errors show up in pcap_activate(), not pcap_create() (fixes,
among other things, tcpdump -i <interface-number>).
npcap: squelch deprecation warnings for kernel dump mode.
Haiku:
Implement pcap_lib_version(), as now required.
Handle negative or too-large snaplen values.
Fix various build issues and warnings.
Building and testing:
Update configure-time universal build checks for macOS.
Update config.guess and config.sub.
If we look for an SSL library with pkg-config in configure script,
try pkg-config first.
If we have pkg-config and Homebrew, try to set pkg-config up to
find Homebrew packages.
Handle some Autoconf/make errors better.
Use "git archive" for the "make releasetar" process.
Remove the release candidate rcX targets.
Fix compiling on Solaris 9/SPARC and 11/AMD64.
Address assorted compiler warnings.
Fix cross-building on Linux for Windows with mingw32 for Win64
(pull request #1031).
Properly set installation directory on Windows when not compiling
with MSVC.
Fix configure script checks for compiler flags.
Give more details if check for usable (F)Lex fails.
Fix compiling with GCC 4.6.4.
Don't use add_compile_options() with CMake, as we currently don't
require 2.8.12, where it first appeared.
Don't provide -L/usr/lib for pkg-config --libs in pkg-config.
Fix error message for inadequate Bison/Berkeley YACC.
configure: correctly do some DPDK checks.
Only use pkg-config when checking for DPDK.
Allow the path in which DPDK is installed to be specified.
Use pkg-config first when checking for libibverbs.
CMake: fix check for libibverbs with Sun's C compiler.
Have CMake warn if no capture mechanism can be found.
Don't do stuff requiring 3.19 or later on earlier CMakes.
Squelch some CMake warnings.
Fix diag-control.h to handle compiling with clang-cl (issues
#1101 and #1115).
Cleanup various leftover cruft in the configure script.
Fix building without protochain support. (GH #852)
Check for a usable YACC (or Bison) and {F}lex in CMake, as we do
in autotools.
Only check for a C++ compiler on Haiku, as that's the only
platform with C++ code, and make sure they generate code for
the same instruction set bit-width (both 32-bit or both 64-bit)
(issue #1112).
On Solaris, check the target bit-width and set PKG_CONFIG_PATH
appropriately, to handle the mess that is the D-Bus library
package (issue #1112).
Fix generation of pcap-config and libpcap.pc files (issue #1062).
pcap-config: don't assume the system library directory is /usr/lib.
pcap-config: add a --static-pcap-only flag.
Cirrus CI: Use the same configuration as for the main branch.
Add four libpcap test files.
Update Npcap SDK to 1.13.
Makefile.in: Use TEST_DIST, like for tcpdump.
Remove awk code from mkdep.
Cirrus CI: Add the libssl-dev package in the Linux task.
Cirrus CI: Add the openssl@3 brew package in the macOS task.
Get "make shellcheck" to pass again.
CMake: Build valgrindtest only if Autoconf would.
CMake: use ${CMAKE_INSTALL_SBINDIR} rather than just sbin.
CMake: use NUL: as the null device on Windows.
autoconf: fix typo in test of macOS version.
Makefile.in: Add two missing files in EXTRA_DIST.
autotools, cmake: provide an rpath option if necessary.
configure: get rid of the attempt to auto-run PKG_PROG_PKG_CONFIG.
configure: use PKG_CHECK_MODULES to run pkg-config.
Documentation:
Add README.solaris.md.
Add SCTP to pcap-filter(7).
Note that = and == are the same operator in filters (issue #1044).
Update INSTALL.md, README.md, and README.solaris.md.
Update and clean up CONTRIBUTING.md.
Trim documentation of support for now-dead UN*Xe and older
versions of other UN*Xes.
Move the "how to allocate a LINKTYPE_/DLT_ value" documentation to
the web site.
Clean up man pages.
Move README.capture-module to the web site.
Improve some protocol details in pcap-filter(7).
Refine "relop" notes in pcap-filter(7).
In pcap-filter(7) "domain" is an id.
Discuss backward compatibility in pcap-filter(7).
Other improvements to pcap-filter(7).
Document pcap_breakloop(3PCAP) interaction with threads better.
Document PCAP_ERROR_NOT_ACTIVATED for more routines.
Wednesday, June 9, 2021:
Summary for 1.10.1 libpcap release:
Packet filtering:
Fix "type XXX subtype YYY" giving a parse error
Source code:
Add PCAP_AVAILABLE_1_11.
Building and testing:
Rename struct bpf_aux_data to avoid NetBSD compile errors
Squelch some compiler warnings
Squelch some Bison warnings
Fix cross-builds with older kernels lacking BPF_MOD and BPF_XOR
Fix Bison detection for minor version 0.
Fix parallel build with FreeBSD make.
Get DLT_MATCHING_MAX right in gencode.c on NetBSD.
Define timeradd() and timersub() if necessary.
Fix Cygwin/MSYS target directories.
Fix symlinking with DESTDIR.
Fix generation of libpcap.pc with CMake when not building a shared
library.
Check for Arm64 as well as x86-64 when looking for packet.lib on
Windows.
Documentation:
Refine Markdown in README.md.
Improve the description of portrange in filters.
README.linux.md isn't Markdown, rename it just README.linux.
pcapng:
Support reading version 1.2, which some writers produce, and which
is the same as 1.0 (some new block types were added, but
that's not sufficient reason to bump the minor version number,
as code that understands those new block types can handle them
in a 1.0 file)
Linux:
Drop support for text-mode USB captures, as we require a 2.6.27
or later kernel (credit to Chaoyuan Peng for noting the
sscanf vulnerabilities in the text-mode code that got me to
realize that we didn't need this code any more)
Bluetooth: fix non-blocking mode.
Don't assume that all compilers used to build for Linux support
the __atomic builtins
Windows:
Add more information in "interface disappeared" error messages, in
the hopes of trying to figure out the cause.
Treat ERROR_DEVICE_REMOVED as "device was removed".
Indicate in the error message which "device was removed" error
occurred.
Report the Windows error status if PacketSendPacket() fails.
Use %lu for ULONGs in error message formats.
Don't treat the inability to find airpcap.dll as an error.
Ignore spurious error reports by Microsoft Surface mobile
telephony modem driver
rpcap:
Clean up error checking and error messages for server address
lookup.
Tuesday, December 29, 2020
Summary for 1.10.0 libpcap release
Add support for capturing on DPDK devices
Label most APIs by the first release in which they're available
Fix some memory leaks, including in pcap_compile()
Add pcap_datalink_val_to_description_or_dlt()
Handle the pcap private data in a fashion that makes fewer
assumptions about memory layouts (might fix GitHub issue #940
on ARM)
Fix some thread safety issues
pcap_findalldevs(): don't sort interfaces by unit number
Always return a list of supported time-stamp types, even if only
host time stamps are supported
Increase the maximum snaplen for LINKTYPE_USBPCAP/DLT_USBPCAP
Report the DLT description in error messages
Add pcap_init() for first-time initialization and global option
setting; it's not required, but may be used
Remove (unused) SITA support
Capture file reading:
Correctly handle pcapng captures with more than one IDB with a
snspshot length greater than the supported maximum
Capture file writing:
Create the file in pcap_dump_open_append() if it doesn't exist
Packet filtering:
Fix "unknown ether proto 'aarp'"
Add a new filter "ifindex" for DLT_LINUX_SLL2 files on all
platforms and live Linux captures
Add a hack to the optimizer to try to catch certain optimizer
loops (should prevent GitHub issue #112)
Show special Linux BPF offsets symbolically in bpf_image() and
bpf_dump()
Added support for ICMPv6 types 1-4 as tokens with names
Remove undocumented and rather old "ether proto" protocols
Catch invalid IPv4 addresses in filters
Don't assume ARM supports unaligned accesses
Security and other issues found by analysis:
Fix various security issues reported by Charles Smith at Tangible
Security
Fix various security issues reported by Include Security
Fix some issues found by cppcheck.
Add some overflow checks in the optimizer
rpcap:
Support rpcap-over-TLS
Redo protocol version negotiation to avoid problems with old
servers (it still works with servers using the old negotiation,
as well as servers not supporting negotiation)
Error handling cleanups
Add some new authentication libpcap error codes for specific
errors
Fix some inetd issues in rpcapd
Fix rpcapd core dumps with invalid configuration file
On UN*X, don't have rpcapd tell the client why authentication
failed, so a brute-force attacker can't distinguish between
"unknown user name" and "known user name, wrong password"
Allow rpcapd to rebind more rapidly (GitHub issue #765)
Documentation:
Improve man pages, including adding backward compatibility notes
Building and testing:
Require, and assume, some level of C99 support in the C compiler
Require Visual Studio 2015 or later if using Visual Studio
Fix configure script issues, including with libnl on Linux
Fix CMake issues
Squelch complaints from Bison about "%define api.pure" being
deprecated
Fix compilation of pcap-tc.c
Linux:
Require PF_PACKET support, and kernel 2.6.27 or later
Handle systems without AF_INET or AF_UNIX socket support
Get rid of Wireless Extensions for turning monitor mode on
Proper memory sync for PACKET_MMAP (may prevent GitHub issue
#898)
Drop support for libnl 1 and 2.
Return error on interface going away, but not if it just went
down but is still present
Set socket protocol only after packet ring configured,
reducing bogus packet drop reports
Get ifdrop stats from sysfs.
When adjusting BPF programs, do not subtract the
SLL[2]_HDR_LEN if the location is negative (special metadata
offset), to preserve references to metadata; see
https://github.com/the-tcpdump-group/tcpdump/issues/480#issuecomment-486827278
Report a warning for unknown ARPHRD types
Have pcap_breakloop() forcibly break out of a sleeping
capture loop
Add support for DSA data link types
For raw USB bus capture, use the snapshot length to set the
buffer size, and set the len field to reflect the length
in the URB (GitHub issue #808)
With a timeout of zero, wait indefinitely
Clean up support for some non-GNU libc C libraries
Add DLT_LINUX_SLL2 for cooked-mode captures
Probe CONFIGURATION descriptor of connected USB devices
Treat EPERM on ethtool ioctls as meaning "not supported", as
permissions checks are done before checking whether the
ioctl is supported at all
macOS:
Cope with getting EPWROFF from SIOCGIFMEDIA
Treat EPERM on SIOCGIFMEDIA as meaning "not supported", as
permissions checks are done before checking whether the
ioctl is supported at all
Treat ENXIO when reading packets as meaning "the interface
was removed"
Report "the interface disappeared", not "the interface went
down", if the interface was removed during a capture
FreeBSD:
Treat ENXIO as meaning "the interface was removed"
Report "the interface disappeared", not "the interface went
down", if the interface was removed during a capture
NetBSD:
Treat ENXIO as meaning "the interface was removed"
Report "the interface disappeared", not "the interface went
down", if the interface was removed during a capture
OpenBSD:
Treat EIO as meaning "the interface was removed"
Report "the interface disappeared", not "the interface went
down", if the interface was removed during a capture
DragonFly BSD:
Treat ENXIO as meaning "the interface was removed"
Report "the interface disappeared", not "the interface went
down", if the interface was removed during a capture
Solaris:
Treat ENXIO as meaning "the interface was removed"
Report "the interface disappeared", not "the interface went
down", if the interface was removed during a capture
AIX:
Fix loading of BPF kernel extension
Treat ENXIO as meaning "the interface was removed"
Report "the interface disappeared", not "the interface went
down", if the interface was removed during a capture
Windows:
Make the snapshot length work even if pcap_setfilter()
isn't called
Fix compilation on Cygwin/MSYS
Add pcap_handle(), and deprecate pcap_fileno()
Report PCAP_ERROR_NO_SUCH_DEVICE for a non-existent device
Return an appropriate error message for device removed or
device unusable due to a suspend/resume
Report a warning for unknown NdisMedium types
Have pcap_breakloop() forcibly break out of a sleeping
capture loop
Clean up building DLL
Handle CRT mismatch for pcap_dump_fopen()
Map NdisMediumWirelessWan to DLT_RAW
Add AirPcap support in a module, rather than using
WinPcap/Npcap's support for it
Report the system error for PacketSetHwFilter() failures
Add support for getting and setting packet time stamp types
with Npcap
Have pcap_init() allow selecting whether the API should use
local code page strings or UTF-8 strings (including error
messages)
Haiku:
Add capture support
libpcap for DOS
---------------
This file contains some notes on building and using libpcap for MS-DOS.
Look in `README' and `pcap.man' for usage and details. These targets are
supported:
- Borland C 4.0+ small or large model.
- Metaware HighC 3.1+ with PharLap DOS-extender
- GNU C 2.7+ with djgpp 2.01+ DOS extender
- Watcom C 11.x with DOS4GW extender
Note: the files in the libpcap.zip contains short truncated filenames.
So for djgpp to work with these, disable the use of long file names by
setting "LFN=n" in the environment. On the other hand, if you get libpcap
from Github or the official libpcap.tar.gz, some filenames are beyond 8+3.
In this case set "LFN=y".
Files specific to DOS are pcap-dos.[ch] and the assembly and C files in
the MSDOS sub-directory. Remember to built the libpcap library from the top
install directory. And not from the MSDOS sub-directory.
Note for djgpp users:
If you got the libpcap from the official site www.tcpdump, then that
distribution does NOT contain any sources for building 32-bit drivers.
Instead get the full version at
https://www.watt-32.net/pcap/libpcap.zip
and set "USE_32BIT_DRIVERS = 1" in msdos\common.dj.
Requirements
------------
DOS-libpcap currently only works reliably with a real-mode Ethernet packet-
driver. This driver must be installed prior to using any program (e.g.
tcpdump) compiled with libpcap. Work is underway to implement protected-
mode drivers for 32-bit targets (djgpp only). The 3Com 3c509 driver is
working almost perfectly. Due to lack of LAN-cards, I've not had the
opportunity to test other drivers. These 32-bit drivers are modified
Linux drivers.
Required packages
-----------------
The following packages and tools must be present for all targets.
1. Watt-32 tcp/ip library. This library is *not* used to send or
receive network data. It's mostly used to access the 'hosts'
file and other <netdb.h> features. Get 'watt32s*.zip' at:
https://www.watt-32.net
2. Exception handler and disassember library (libexc.a) is needed if
"USE_EXCEPT = 1" in common.dj. Available at:
https://www.watt-32.net/misc/exc_dx07.zip
3. Flex & Bison is used to generate parser for the filter handler
pcap_compile:
ftp://ftp.delorie.com/pub/djgpp/current/v2gnu/flx254b.zip
ftp://ftp.delorie.com/pub/djgpp/current/v2gnu/bsn241b.zip
4. NASM assembler v 0.98 or later is required when building djgpp and
Watcom targets:
https://www.nasm.us/
5. sed (Stream Editor) is required for doing `make depend'.
It's available at:
ftp://ftp.delorie.com/pub/djgpp/current/v2gnu/sed422b.zip
A touch tool to update the time-stamp of a file. E.g.:
ftp://ftp.delorie.com/pub/djgpp/current/v2gnu/grep29b.zip
6. For djgpp rm.exe and cp.exe are required. These should already be
part of your djgpp installation. Also required (experimental at the
time) for djgpp is DLX 2.91 or later. This tool is for the generation
of dynamically loadable modules.
Compiling libpcap
-----------------
Follow these steps in building libpcap:
1. Make sure you've installed Watt-32 properly (see it's `INSTALL' file).
During that installation a environment variable `WATT_ROOT' is set.
This variable is used for building libpcap also (`WATT_INC' is
deducted from `WATT_ROOT'). djgpp users should also define environment
variables `C_INCLUDE_PATH' and `LIBRARY_PATH' to point to the include
directory and library directory respectively. E.g. put this in your
AUTOEXEC.BAT:
set C_INCLUDE_PATH=c:/net/watt/inc
set LIBRARY_PATH=c:/net/watt/lib
2. Revise the msdos/common.dj file for your djgpp/gcc installation;
- change the value of `GCCLIB' to match location of libgcc.a.
- set `USE_32BIT_DRIVERS = 1' to build 32-bit driver objects.
3. Build pcap by using appropriate makefile. For djgpp, use:
`make -f msdos/makefile.dj' (i.e. GNU `make')
For a Watcom target say:
`wmake -f msdos\makefile.wc'
For a Borland target say:
`maker -f msdos\Makefile pcap_bc.lib' (Borland's `maker.exe')
And for a HighC/Pharlap target say:
`maker -f msdos\Makefile pcap_hc.lib' (Borland's `maker.exe')
You might like to change some `CFLAGS' -- only `DEBUG' define currently
have any effect. It shows a rotating "fan" in upper right corner of
screen. Remove `DEBUG' if you don't like it. You could add
`-fomit-frame-pointer' to `CFLAGS' to speed up the generated code.
But note, this makes debugging and crash-traceback difficult. Only
add it if you're fully confident your application is 100% stable.
Note: Code in `USE_NDIS2' does not work at the moment.
4. The resulting library is put in current directory. There's some
test-program for `libpcap': `filtertest.exe', `findalldevstest.exe',
`nonblocktest.exe' and `opentest.exe'.
But linking the library with `tcpdump' is the ultimate test. DOS/djgpp
should now hopefully be a supported target. Get the sources at:
https://www.tcpdump.org/
or
https://github.com/the-tcpdump-group/tcpdump/
(click on the 'Download ZIP' on the right side of that page.)
Extensions to libpcap
---------------------
I've included some extra functions to DOS-libpcap:
`pcap_config_hook (const char *keyword, const char *value)' :
Allows an application to set values of internal libpcap variables.
`keyword' and an associated `value' should be present in the `debug_tab[]'
array in pcap-dos.c (currently only used to set debug-levels and parameters
for the 32-bit network drivers.) Thus an application using DOS-libpcap can
override the default value during it's configure process (see tcpdump's
msdos/config.c file for an extended example).
`pcap_set_wait (pcap_t *, void (*)(void), int)' :
Only effective when reading offline traffic from dump-files.
Function `pcap_offline_read()' will wait (and optionally yield)
before printing next packet. This will simulate the pace the packets
where actually recorded.
Happy sniffing !
Gisle Vanem <gvanem@yahoo.no>
October 1999, 2004, 2006, 2013
748408ed59