Support capturing on multiple interfaces #480

Open
riccardomanfrin opened this issue Sep 7, 2015 · 28 comments

Comments

@riccardomanfrin

It would be good to be able to listen on two or more interfaces in promiscuous mode, which, to my knowledge/understanding, is not supported.
There is unofficial documentation stating that multiple "-i" options do the job, but it appears that only the last interface is actually fetched.

@guyharris
Member

It would be good to be able to listen on two or more interfaces in promiscuous mode, which, to my knowledge/understanding, is not supported.

Listening on two or more interfaces isn't supported at all, except by capturing on the "any" device in Linux, and that device doesn't support promiscuous mode.

There is unofficial documentation stating that multiple "-i" options do the job

If we have documentation saying that, it needs to be fixed.

If somebody else has documentation saying that, they're mistaken and should stop saying that; perhaps they've confused tcpdump with Wireshark's dumpcap and/or TShark, which do support capturing on multiple interfaces.

dumpcap and TShark support writing pcapng files; tcpdump writes capture files using libpcap, which doesn't yet support writing pcapng files. You'd need pcapng to support the general case of capturing on multiple interfaces and saving to a file; we could, in principle, support tcpdump with multiple -i options and without -w, so that it prints packets, without pcapng support.

@guyharris changed the title from "Selectively admit promisquous mode on multiple interfaces" to "Support capturing on multiple interfaces" on Sep 7, 2015
@riccardomanfrin
Author

Thanks for the fast reply.
I'll give it a try with tshark. If you need, I can provide you with a reference to misleading documentation from an external source.

@guyharris
Member

If you need, I can provide you with a reference to misleading documentation from an external source.

Yes, please. That needs to be fixed.

@infrastation
Member

@riccardomanfrin, could you provide the link? Thank you.

@riccardomanfrin
Author

@riccardomanfrin
Author

It's my first output on G when searching for "tcpdump multiple interfaces"

@infrastation
Member

That page has got interesting comments. Apparently we cannot fix the Internet but I have left them a message.

Shall this issue remain open as a feature request?

@riccardomanfrin
Author

I guess so ;)
As for the question, as a prospective user, I'd definitely make use of such feature, therefore I would answer yes.

Thanks,
R

@raellic

raellic commented Jun 26, 2016

Could you bridge the connections and capture on that interface? I haven't done that with tcpdump but I've done it with Snort, and it seems to work great. In testing with tcpdump I've just used "&" to initiate multiple captures on different interfaces. Specifically, a tapped connection in which send and receive are on separate wires. Not ideal, but it seems to work. For better performance I've been looking at using taskset to assign particular instances of tcpdump to particular cores. If the timestamps are all accurate, you could combine the resulting capture files and get the same result as if you had multi-interface capable tcpdump.

@raellic

raellic commented Jun 27, 2016

I tried bridging with tcpdump today and it worked fine. Just tap the connection and bridge send and receive, and you get a capture file that shows everything.

@gvanem
Contributor

gvanem commented Jun 27, 2016

.. and you get a capture file that shows everything.

Not everything. AFAICS you'll get all packets intermingled with no information on which interface each packet is from.

Depending on what you want to accomplish, writing to several .pcap files simultaneously and using tcpslice to extract the wanted details could be an alternative.

@riccardomanfrin
Author

Not everything. AFAICS you'll get all packets intermingled with no information on which interface each packet is from.

Sadly.. I thought that since it works for any and single interfaces, supporting a specific set of them would be patch work, but I haven't read the code so I'm not in the position to make such a guess.

@raellic

raellic commented Jun 27, 2016

Not everything. AFAICS you'll get all packets intermingled with no information on which interface each packet is from.

You're right, I don't get interface in the capture on a bridged connection. I'm running RHEL 6.8 with the latest versions of tcpdump and libpcap. Since I'm just capturing on a single tapped connection at the moment, this works for me, but if I were to capture on a bridge containing unrelated interfaces, I would definitely want to see which interface the packets were on. That would also be extremely useful for a tool like OmniPeek that supports multi-segment analysis. Instead of aggregating multiple capture files with OmniPeek, you could have one capture running on your router or an inline appliance and get all the traffic from multiple interfaces, with a perfect record of which packets came in on which interface.

@raellic

raellic commented Jun 27, 2016

Thanks, actually I edited my post to remove the Mac OS X section because I realized that I was capturing on "any" interface rather than on a bridged connection, so it wasn't relevant to my post. I was going to try bridging two interfaces and capturing on that, but Mac OS X doesn't apparently have the usual brctl program. I will figure it out and see what happens.

Sent from my iPhone

On Jun 27, 2016, at 7:02 AM, Gisle Vanem notifications@github.com wrote:

@raellic

Out of curiosity, I tried tcpdump on Mac OS X 10.11.5 on multiple interfaces and it does
show which interface the packets came in on (see screenshots attached).

Answering via email and your nice screen-shots seems to have been dropped by Github somehow 😦 . You can probably edit your answer above here.


@gvanem
Contributor

gvanem commented Jun 28, 2016

Thanks, actually I edited my post to remove the Mac OS X section because ...

I noticed that too, but a bit too late. That's why I deleted my reply.

@guyharris
Member

but Mac OS X doesn't apparently have the usual brctl program

If "usual" means "common-on-Linux", then that's because OS X/Darwin isn't Linux (just as *BSD, Solaris, AIX, HP-UX, etc. aren't Linux).

@raellic

raellic commented Jul 3, 2016

As a start, I'm looking at identifying in the output which interface the packets came in on when capturing on a bridged connection. I'm new to this project; anyone know roughly where in the source this feature should go? Thanks.

@infrastation
Member

It may happen you are looking to finish this work.

@djbusby

djbusby commented Feb 12, 2017

Hey, I'm the one who has the site with the bad information on -i ; I've finally fixed that page after '@infrastation' requested the update in 2015. Better late than never I guess

@infrastation
Member

Yes, better late than never. Thank you!

@leonerd

leonerd commented Apr 11, 2018

@raellic:

As a start, I'm looking at identifying in the output which interface the packets came in on when capturing on a bridged connection. I'm new to this project; anyone know roughly where in the source this feature should go? Thanks.

My suggestion would be to implement the LINUX_SLL2 header type, which includes interface index information.

@infrastation
Member

Given the initial SLL2 implementation, what is the main reason to keep this feature request open? Is it because tcpdump -i any does not put any of the interfaces into promiscuous mode or is it because the user cannot specify exact few interfaces as opposed to all interfaces in the system? Please try to describe specific practical use cases to support your point.

@sbonds

sbonds commented Jul 24, 2018

For my use cases, it would be great to specify a specific subset of interfaces and capture on that set. Information on which packets came from which interface is important for later decoding. I do not need promiscuous mode except in very rare cases.

@leonerd

leonerd commented Jul 24, 2018

Presumably if the ifindex or ifname filter syntax were implemented (because SLL2 has the interface index known), then this would be a simple matter of

-i any -f "ifindex 2 or ifindex 5 or ..."

@infrastation
Member

That could be simpler than the one thread per interface parallel captures I had in my mind.

@fenner
Contributor

fenner commented Apr 25, 2019

Interestingly, libpcap subtracts SLL2_HDR_LEN from constant loads on LINUX_SLL2 sockets, so you have to use `ether[-4068:4]` to get it to install `ether[-4088:4]` in the kernel to access the ifIndex. Presumably "real" libpcap code would avoid this detail, but putting it here if anyone else is experimenting.

@fenner
Contributor

fenner commented May 5, 2019

I’ve also implemented the ifindex filter keyword at https://github.com/fenner/libpcap/tree/ifindex . Using this, tcpdump -y linux_sll2 -i any ifindex 2 or ifindex 4 or ifindex 6 works to capture on 3 interfaces simultaneously. I’ll submit a pull request for this after a little more testing.

I haven’t yet dealt with interface names, due to the conflict with the existing PF code. It’s reasonably straightforward to deal with, I think, but does have some subtle details like converting name to ifindex isn’t necessarily correct for save files generated in a different context.
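
An added example, not part of the thread and not libpcap or tcpdump code: a Python reader for classic pcap files written with the LINUX_SLL2 link type, showing where the interface index sits in each packet and how an offline selection equivalent to `ifindex 2 or ifindex 4` works. The sample capture, its packets, the source address and all function names are constructed for illustration.

```python
import struct
from collections import Counter

LINKTYPE_LINUX_SLL2 = 276  # link-layer type value for Linux cooked capture v2
SLL2_HDR_LEN = 20          # fixed length of the LINUX_SLL2 pseudo-header

# Classic pcap magic bytes -> (struct byte-order prefix, sub-second divisor)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microseconds
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanoseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanoseconds
}


def read_sll2_records(blob):
    """Yield (timestamp, ifindex, protocol, payload) per packet of a pcap blob."""
    if len(blob) < 24 or blob[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    order, divisor = PCAP_MAGICS[blob[:4]]
    linktype = struct.unpack(order + "I", blob[20:24])[0] & 0xFFFF
    if linktype != LINKTYPE_LINUX_SLL2:
        # Ethernet and LINUX_SLL (v1) captures do not record the interface.
        raise ValueError("link type %d has no per-packet ifindex" % linktype)
    pos = 24
    while pos + 16 <= len(blob):
        sec, sub, incl_len, _orig_len = struct.unpack(order + "IIII", blob[pos:pos + 16])
        data = blob[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(data) < incl_len:
            break      # file ends in the middle of a record
        if len(data) < SLL2_HDR_LEN:
            continue   # snapshot length cut the pseudo-header short
        # SLL2 fields are in network byte order whatever the file's byte order:
        # protocol(2) reserved(2) ifindex(4) ARPHRD type(2) pkttype(1) addrlen(1) addr(8)
        proto, _mbz, ifindex, _arphrd, _pkttype, _alen = struct.unpack("!HHIHBB", data[:12])
        yield sec + sub / divisor, ifindex, proto, data[SLL2_HDR_LEN:]


def packets_on(blob, wanted_ifindexes):
    """Offline counterpart of "ifindex A or ifindex B": keep only those interfaces."""
    return [rec for rec in read_sll2_records(blob) if rec[1] in wanted_ifindexes]


def per_interface_counts(blob):
    """Number of packets seen on each interface index."""
    return Counter(rec[1] for rec in read_sll2_records(blob))


def build_sample_pcap(linktype=LINKTYPE_LINUX_SLL2):
    """Constructed capture: four packets on ifindex 2, 4 and 7 plus one cut short."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    mac = bytes.fromhex("020000000001")  # made-up source address, padded to 8 bytes
    for sec, ifindex, payload in [(100, 2, b"pkt-a"), (101, 4, b"pkt-b"),
                                  (102, 7, b"pkt-c"), (103, 2, b"pkt-d")]:
        frame = struct.pack("!HHIHBB8s", 0x0800, 0, ifindex, 1, 0, len(mac), mac) + payload
        out.append(struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame)
    # A record whose captured length (8) is shorter than the SLL2 header.
    out.append(struct.pack("<IIII", 104, 0, 8, 25) + b"\x08\x00\x00\x00\x00\x00\x00\x02")
    return b"".join(out)


if __name__ == "__main__":
    sample = build_sample_pcap()
    print(dict(per_interface_counts(sample)))
    for ts, ifindex, proto, payload in packets_on(sample, {2, 4}):
        print("%.6f ifindex=%d proto=0x%04x %r" % (ts, ifindex, proto, payload))
```

The interface index is only a number assigned by the capturing host, so mapping it back to a name on another machine runs into the save-file caveat raised in the comment above.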

@mcr
Member

mcr commented May 6, 2019 via email

fenner added a commit to fenner/libpcap that referenced this issue May 13, 2019
fenner added a commit to fenner/libpcap that referenced this issue May 13, 2019
fenner added a commit to fenner/libpcap that referenced this issue May 20, 2019
fenner added a commit to fenner/libpcap that referenced this issue May 20, 2019
fenner added a commit to fenner/libpcap that referenced this issue Jun 19, 2019
fenner added a commit to fenner/libpcap that referenced this issue Jul 2, 2019
fenner added a commit to fenner/libpcap that referenced this issue Jul 11, 2019
fenner added a commit to fenner/libpcap that referenced this issue Sep 4, 2019
fenner added a commit to fenner/libpcap that referenced this issue Sep 4, 2019
fenner added a commit to fenner/libpcap that referenced this issue Sep 27, 2019
fxlb pushed a commit to fxlb/libpcap that referenced this issue Sep 30, 2019
This fixes the offset issue I mention in
the-tcpdump-group/tcpdump#480 (comment)

(cherry picked from commit eebbdd4)
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Nov 16, 2021
Summary for 1.10.1 libpcap release (so far!)
  Packet filtering:
    Fix "type XXX subtype YYY" giving a parse error
  Source code:
    Add PCAP_AVAILABLE_1_11.
  Building and testing:
    Rename struct bpf_aux_data to avoid NetBSD compile errors
    Squelch some compiler warnings
    Squelch some Bison warnings
    Fix cross-builds with older kernels lacking BPF_MOD and BPF_XOR
    Fix Bison detection for minor version 0.
    Fix parallel build with FreeBSD make.
    Get DLT_MATCHING_MAX right in gencode.c on NetBSD.
    Define timeradd() and timersub() if necessary.
    Fix Cygwin/MSYS target directories.
    Fix symlinking with DESTDIR.
    Fix generation of libpcap.pc with CMake when not building a shared
        library.
    Check for Arm64 as well as x86-64 when looking for packet.lib on
        Windows.
  Documentation:
    Refine Markdown in README.md.
    Improve the description of portrange in filters.
    README.linux.md isn't Markdown, rename it just README.linux.
  pcapng:
    Support reading version 1.2, which some writers produce, and which
        is the same as 1.0 (some new block types were added, but
        that's not sufficient reason to bump the minor version number,
        as code that understands those new block types can handle them
        in a 1.0 file)
  Linux:
    Drop support for text-mode USB captures, as we require a 2.6.27
        or later kernel (credit to Chaoyuan Peng for noting the
        sscanf vulnerabilities in the text-mode code that got me to
        realize that we didn't need this code any more)
    Bluetooth: fix non-blocking mode.
    Don't assume that all compilers used to build for Linux support
        the __atomic builtins
  Windows:
    Add more information in "interface disappeared" error messages, in
      the hopes of trying to figure out the cause.
    Treat ERROR_DEVICE_REMOVED as "device was removed".
    Indicate in the error message which "device was removed" error
        occurred.
    Report the Windows error status if PacketSendPacket() fails.
    Use %lu for ULONGs in error message formats.
    Don't treat the inability to find airpcap.dll as an error.
    Ignore spurious error reports by Microsoft Surface mobile
        telephony modem driver
  rpcap:
    Clean up error checking and error messages for server address
        lookup.

Summary for 1.10.0 libpcap release
  Add support for capturing on DPDK devices
  Label most APIs by the first release in which they're available
  Fix some memory leaks, including in pcap_compile()
  Add pcap_datalink_val_to_description_or_dlt()
  Handle the pcap private data in a fashion that makes fewer
     assumptions about memory layouts (might fix GitHub issue #940
     on ARM)
  Fix some thread safety issues
  pcap_findalldevs(): don't sort interfaces by unit number
  Always return a list of supported time-stamp types, even if only
      host time stamps are supported
  Increase the maximum snaplen for LINKTYPE_USBPCAP/DLT_USBPCAP
  Report the DLT description in error messages
  Add pcap_init() for first-time initialization and global option
      setting; it's not required, but may be used
  Remove (unused) SITA support
  Capture file reading:
      Correctly handle pcapng captures with more than one IDB with a
          snapshot length greater than the supported maximum
  Capture file writing:
      Create the file in pcap_dump_open_append() if it doesn't exist
  Packet filtering:
      Fix "unknown ether proto 'aarp'"
      Add a new filter "ifindex" for DLT_LINUX_SLL2 files on all
          platforms and live Linux captures
      Add a hack to the optimizer to try to catch certain optimizer
          loops (should prevent GitHub issue #112)
      Show special Linux BPF offsets symbolically in bpf_image() and
          bpf_dump()
      Added support for ICMPv6 types 1-4 as tokens with names
      Remove undocumented and rather old "ether proto" protocols
      Catch invalid IPv4 addresses in filters
      Don't assume ARM supports unaligned accesses
  Security and other issues found by analysis:
      Fix various security issues reported by Charles Smith at Tangible
          Security
      Fix various security issues reported by Include Security
      Fix some issues found by cppcheck.
      Add some overflow checks in the optimizer
  rpcap:
      Support rpcap-over-TLS
      Redo protocol version negotiation to avoid problems with old
          servers (it still works with servers using the old negotiation,
          as well as servers not supporting negotiation)
      Error handling cleanups
      Add some new authentication libpcap error codes for specific
          errors
      Fix some inetd issues in rpcapd
      Fix rpcapd core dumps with invalid configuration file
      On UN*X, don't have rpcapd tell the client why authentication
          failed, so a brute-force attacker can't distinguish between
          "unknown user name" and "known user name, wrong password"
      Allow rpcapd to rebind more rapidly (GitHub issue #765)
  Documentation:
      Improve man pages, including adding backward compatibility notes
  Building and testing:
      Require, and assume, some level of C99 support in the C compiler
      Require Visual Studio 2015 or later if using Visual Studio
      Fix configure script issues, including with libnl on Linux
      Fix CMake issues
      Squelch complaints from Bison about "%define api.pure" being
          deprecated
      Fix compilation of pcap-tc.c
  Linux:
      Require PF_PACKET support, and kernel 2.6.27 or later
      Handle systems without AF_INET or AF_UNIX socket support
      Get rid of Wireless Extensions for turning monitor mode on
      Proper memory sync for PACKET_MMAP (may prevent GitHub issue
          #898)
      Drop support for libnl 1 and 2.
      Return error on interface going away, but not if it just went
          down but is still present
      Set socket protocol only after packet ring configured,
          reducing bogus packet drop reports
      Get ifdrop stats from sysfs.
      When adjusting BPF programs, do not subtract the
          SLL[2]_HDR_LEN if the location is negative (special metadata
          offset), to preserve references to metadata; see
          the-tcpdump-group/tcpdump#480 (comment)
      Report a warning for unknown ARPHRD types
      Have pcap_breakloop() forcibly break out of a sleeping
          capture loop
      Add support for DSA data link types
      For raw USB bus capture, use the snapshot length to set the
          buffer size, and set the len field to reflect the length
          in the URB (GitHub issue #808)
      With a timeout of zero, wait indefinitely
      Clean up support for some non-GNU libc C libraries
      Add DLT_LINUX_SLL2 for cooked-mode captures
      Probe CONFIGURATION descriptor of connected USB devices
      Treat EPERM on ethtool ioctls as meaning "not supported", as
          permissions checks are done before checking whether the
          ioctl is supported at all
  macOS:
      Cope with getting EPWROFF from SIOCGIFMEDIA
      Treat EPERM on SIOCGIFMEDIA as meaning "not supported", as
          permissions checks are done before checking whether the
          ioctl is supported at all
      Treat ENXIO when reading packets as meaning "the interface
          was removed"
      Report "the interface disappeared", not "the interface went
          down", if the interface was removed during a capture
  FreeBSD:
      Treat ENXIO as meaning "the interface was removed"
      Report "the interface disappeared", not "the interface went
          down", if the interface was removed during a capture
  NetBSD:
      Treat ENXIO as meaning "the interface was removed"
      Report "the interface disappeared", not "the interface went
          down", if the interface was removed during a capture
  OpenBSD:
      Treat EIO as meaning "the interface was removed"
      Report "the interface disappeared", not "the interface went
          down", if the interface was removed during a capture
  DragonFly BSD:
      Treat ENXIO as meaning "the interface was removed"
      Report "the interface disappeared", not "the interface went
          down", if the interface was removed during a capture
  Solaris:
      Treat ENXIO as meaning "the interface was removed"
      Report "the interface disappeared", not "the interface went
          down", if the interface was removed during a capture
  AIX:
      Fix loading of BPF kernel extension
      Treat ENXIO as meaning "the interface was removed"
      Report "the interface disappeared", not "the interface went
          down", if the interface was removed during a capture
  Windows:
      Make the snapshot length work even if pcap_setfilter()
          isn't called
      Fix compilation on Cygwin/MSYS
      Add pcap_handle(), and deprecate pcap_fileno()
      Report PCAP_ERROR_NO_SUCH_DEVICE for a non-existent device
      Return an appropriate error message for device removed or
          device unusable due to a suspend/resume
      Report a warning for unknown NdisMedium types
      Have pcap_breakloop() forcibly break out of a sleeping
          capture loop
      Clean up building DLL
      Handle CRT mismatch for pcap_dump_fopen()
      Map NdisMediumWirelessWan to DLT_RAW
      Add AirPcap support in a module, rather than using
          WinPcap/Npcap's support for it
      Report the system error for PacketSetHwFilter() failures
      Add support for getting and setting packet time stamp types
          with Npcap
      Have pcap_init() allow selecting whether the API should use
          local code page strings or UTF-8 strings (including error
          messages)
  Haiku:
      Add capture support
netbsd-srcmastr pushed a commit to NetBSD/src that referenced this issue Aug 20, 2023
Friday, April 7, 2023 / The Tcpdump Group
  Summary for 1.10.4 libpcap release
    Source code:
      Fix spaces before tabs in indentation.
    rpcap:
      Fix name of launchd service.
    Documentation:
      Document use of rpcapd with systemd, launchd, inetd, and xinetd.
    Building and testing:
      Require at least pkg-config 0.17.0, as we use --static.
      Get rid of the remains of gnuc.h.
      Require at least autoconf 2.69.
      Update config.{guess,sub}, timestamps 2023-01-01,2023-01-21.

Thursday, January 12, 2023 / The Tcpdump Group
  Summary for 1.10.3 libpcap release
    Source code:
      Sort the PUBHDR variable in Makefile.in in "ls" order.
      Fix typo in comment in pflog.h.
      Remove two no-longer-present files from .gitignore.
      Update code and comments for handling failure to set promiscuous
        mode based on new information.
    Building and testing:
      install: Fixed not to install the non-public pcap-util.h header.
      pcap-config: add a --version flag.
      Makefile.in: Add some missing files in the distclean target.

Saturday, December 31, 2022 / The Tcpdump Group
  Summary for 1.10.2 libpcap release
    Source code:
      Use __builtin_unreachable() in PCAP_UNREACHABLE.
      Use AS_HELP_STRING macro instead of AC_HELP_STRING in the
        configure scripts, to avoid deprecation warnings.
      Change availability tags in pcap.h to make it easier to
        arrange for it to be used in Darwin releases.
      Use AS_HELP_STRING for --enable-remote.
      Fix some formatting string issues found by cppcheck.
      Various small code and comment cleanups.
      Use PCAP_ERROR (defined as -1) rather than explicit -1 for
        functions the documentation says return PCAP_ERROR.
      Remove unused code from the filter compiler.
      Use _declspec(deprecated(msg)) rather than __pragma(deprecated)
        for Windows deprecation warnings, so the message that was
        specified shows up.
      diag-control.h: define PCAP_DO_PRAGMA() iff we're going to use it.
      Use "%d" to print some signed ints.
      Use the Wayback Machine for a removed document in a comment.
      Add some const qualifiers.
      RDMA: Use PRIu64 to print a uint64_t.
    "Dead" pcap_ts from pcap_open_dead() and ..._with_tstamp_precision():
        Don't crash if pcap_breakloop() is called.
    Savefiles:
      Fix pcap_dispatch() to return number of packets processed, rather
        than 0, even at EOF.
      If we get an error writing the packet header, don't write the
        packet data.
      Put PFLOG UID and PID values in the header into host byte order
        when reading a LINKTYPE_PFLOG file.
      Put CAN ID field in CAN pseudo-headers for LINUX_SLL2, as we do
        for LINUX_SLL.
      Fix incorrectly-computed "real" length for isochronous USB
        transfers when reading savefiles.
      Don't crash if pcap_can_set_rfmon() is called.
      Fix pcap_offline_read() loop.
    Capture:
      Never process more than INT_MAX packets in a pcap_dispatch() call,
        to avoid integer overflow (issue #1087).
      Improve error messages for "no such device" and "permission
        denied" errors.
      SITA: Fix a typo in a variable name.
    Packet filtering:
      Get PFLOG header length from the length value in the header.
      Support all the direction, reason, and action types supported by
        all systems that support PFLOG.
      Don't require PFLOG support on the target machine in order to
        support PFLOG filtering (also fixes issue #1076).
      Expand abbreviations into "proto X" properly.
      gencode.c: Update a comment about the VLAN TPID test.
      Add the minimum and maximum matching DLTs to an error message.
    Linux:
      Fix memory leak in capture device open (pull request #1038).
      Fix detection of CAN/CAN FD packets in direction check (issue
        #1051).
      Fix double-free crashes on errors such as running on a kernel with
        CONFIG_PACKET_MMAP not configured (issue #1054).
      Use DLT_CAN_SOCKETCAN for CANbus interfaces (issue #1052; includes
        changes from pull request #1035).
      Make sure the CANFD_FDF can be relied on to indicate whether a
        CANbus packet is a CAN frame or a CAN FD frame
      Improve error message for "out of memory" errors for kernel
        filters (see issue #1089).
      Fix pcap_findalldevs() to find usbmon devices.
      Fix handling of VLAN tagged packets if the link-layer type is
        changed from DLT_LINUX_SLL to DLT_LINUX_SLL2 (see issue #1105).
      Always turn on PACKET_AUXDATA (see issue #1105).
      We require 2.6.27 or later, so PACKET_RESERVE is available.
      Make sure there's reserved space for a DLT_LINUX_SLL2 header
        when capturing.
      Correctly compute the "real" length for isochronous USB transfers.
      Don't have an eventfd descriptor open in non-blocking mode, so as
        not to waste descriptors.
      netfilter: Squelch a narrowing warning (to be looked at before 2038).
    BPF capture (*BSD, macOS, AIX, Solaris 11):
      Fix case where a device open might fail, rather than falling back
        to a smaller buffer size, when the initial buffer size is too
        big.
      Use an unsigned device number to iterate over BPF devices, to
        squelch a compiler warning.
    NetBSD:
      Fix handling of LINKTYPE_HDLC/DLT_HDLC.
    rpcap:
      Fix unaligned accesses in rpcapd (pull request #1037).
      Fix code to process port number.
      Clean up findalldevs code in rpcapd.
      Clean up bufferizing code.
      Fix a file descriptor/handle leak in pcap_findalldevs_ex()
        (Coverity CID 1507240).
      Improve error messages for host and port resolution errors.
      Fix connect code not to fail if both IPv4 and IPv6 addresses are
        tried.
      Improve connect failure error message.
      Provide an error message for a bad authentication reply size.
      For link-layer types with host-endian fields in the header, fix
        those fields if capturing from a server with a different byte
        order.
      Suppress temporarily the warnings with "enable remote packet capture".
    Windows:
      Add support for NdisMediumIP (pull request #1027).
      Don't require applications using pcap to be built with VS 2015 or
        later.
      Use the correct string for the DLL VersionInfo.
      Remove unnecessary DllMain() function.
      Correctly handle ERROR_INVALID_FUNCTION from
        PacketGetTimestampModes() (indicate that WinPcap or an older
        version of Npcap is probably installed).
      Fix use-after-free in some cases when a pcap_t is closed.
      Make sure an error is returned by pcap_create_interface() if
        PacketOpenAdapter() fails.
      Return an error if the driver reports 0 timestamp modes supported.
      Close the ADAPTER handle for some errors in
        pcap_create_interface().
      Get rid of old unmaintained VS project files.
      Fix deprecation warning for pcap_handle().
      Npcap is now at npcap.com, not npcap.org.
      Make sure "no such device" and "no permission to open device"
        errors show up in pcap_activate(), not pcap_create() (fixes,
        among other things, tcpdump -i <interface-number>).
      npcap: squelch deprecation warnings for kernel dump mode.
    Haiku:
      Implement pcap_lib_version(), as now required.
      Handle negative or too-large snaplen values.
      Fix various build issues and warnings.
    Building and testing:
      Update configure-time universal build checks for macOS.
      Update config.guess and config.sub.
      If we look for an SSL library with pkg-config in configure script,
        try pkg-config first.
      If we have pkg-config and Homebrew, try to set pkg-config up to
        find Homebrew packages.
      Handle some Autoconf/make errors better.
      Use "git archive" for the "make releasetar" process.
      Remove the release candidate rcX targets.
      Fix compiling on Solaris 9/SPARC and 11/AMD64.
      Address assorted compiler warnings.
      Fix cross-building on Linux for Windows with mingw32 for Win64
        (pull request #1031).
      Properly set installation directory on Windows when not compiling
        with MSVC.
      Fix configure script checks for compiler flags.
      Give more details if check for usable (F)Lex fails.
      Fix compiling with GCC 4.6.4.
      Don't use add_compile_options() with CMake, as we currently don't
        require 2.8.12, where it first appeared.
      Don't provide -L/usr/lib for pkg-config --libs in pkg-config.
      Fix error message for inadequate Bison/Berkeley YACC.
      configure: correctly do some DPDK checks.
      Only use pkg-config when checking for DPDK.
      Allow the path in which DPDK is installed to be specified.
      Use pkg-config first when checking for libibverbs.
      CMake: fix check for libibverbs with Sun's C compiler.
      Have CMake warn if no capture mechanism can be found.
      Don't do stuff requiring 3.19 or later on earlier CMakes.
      Squelch some CMake warnings.
      Fix diag-control.h to handle compiling with clang-cl (issues
        #1101 and #1115).
      Cleanup various leftover cruft in the configure script.
      Fix building without protochain support. (GH #852)
      Check for a usable YACC (or Bison) and {F}lex in CMake, as we do
        in autotools.
      Only check for a C++ compiler on Haiku, as that's the only
        platform with C++ code, and make sure they generate code for
        the same instruction set bit-width (both 32-bit or both 64-bit)
        (issue #1112).
      On Solaris, check the target bit-width and set PKG_CONFIG_PATH
        appropriately, to handle the mess that is the D-Bus library
        package (issue #1112).
      Fix generation of pcap-config and libpcap.pc files (issue #1062).
      pcap-config: don't assume the system library directory is /usr/lib.
      pcap-config: add a --static-pcap-only flag.
      Cirrus CI: Use the same configuration as for the main branch.
      Add four libpcap test files.
      Update Npcap SDK to 1.13.
      Makefile.in: Use TEST_DIST, like for tcpdump.
      Remove awk code from mkdep.
      Cirrus CI: Add the libssl-dev package in the Linux task.
      Cirrus CI: Add the openssl@3 brew package in the macOS task.
      Get "make shellcheck" to pass again.
      CMake: Build valgrindtest only if Autoconf would.
      CMake: use ${CMAKE_INSTALL_SBINDIR} rather than just sbin.
      CMake: use NUL: as the null device on Windows.
      autoconf: fix typo in test of macOS version.
      Makefile.in: Add two missing files in EXTRA_DIST.
      autotools, cmake: provide an rpath option if necessary.
      configure: get rid of the attempt to auto-run PKG_PROG_PKG_CONFIG.
      configure: use PKG_CHECK_MODULES to run pkg-config.
    Documentation:
      Add README.solaris.md.
      Add SCTP to pcap-filter(7).
      Note that = and == are the same operator in filters (issue #1044).
      Update INSTALL.md, README.md, and README.solaris.md.
      Update and clean up CONTRIBUTING.md.
      Trim documentation of support for now-dead UN*Xes and older
        versions of other UN*Xes.
      Move the "how to allocate a LINKTYPE_/DLT_ value" documentation to
        the web site.
      Clean up man pages.
      Move README.capture-module to the web site.
      Improve some protocol details in pcap-filter(7).
      Refine "relop" notes in pcap-filter(7).
      In pcap-filter(7) "domain" is an id.
      Discuss backward compatibility in pcap-filter(7).
      Other improvements to pcap-filter(7).
      Document pcap_breakloop(3PCAP) interaction with threads better.
      Document PCAP_ERROR_NOT_ACTIVATED for more routines.

Wednesday, June 9, 2021:
  Summary for 1.10.1 libpcap release:
    Packet filtering:
      Fix "type XXX subtype YYY" giving a parse error
    Source code:
      Add PCAP_AVAILABLE_1_11.
    Building and testing:
      Rename struct bpf_aux_data to avoid NetBSD compile errors
      Squelch some compiler warnings
      Squelch some Bison warnings
      Fix cross-builds with older kernels lacking BPF_MOD and BPF_XOR
      Fix Bison detection for minor version 0.
      Fix parallel build with FreeBSD make.
      Get DLT_MATCHING_MAX right in gencode.c on NetBSD.
      Define timeradd() and timersub() if necessary.
      Fix Cygwin/MSYS target directories.
      Fix symlinking with DESTDIR.
      Fix generation of libpcap.pc with CMake when not building a shared
          library.
      Check for Arm64 as well as x86-64 when looking for packet.lib on
          Windows.
    Documentation:
      Refine Markdown in README.md.
      Improve the description of portrange in filters.
      README.linux.md isn't Markdown, rename it just README.linux.
    pcapng:
      Support reading version 1.2, which some writers produce, and which
          is the same as 1.0 (some new block types were added, but
          that's not sufficient reason to bump the minor version number,
          as code that understands those new block types can handle them
          in a 1.0 file)
    Linux:
      Drop support for text-mode USB captures, as we require a 2.6.27
          or later kernel (credit to Chaoyuan Peng for noting the
          sscanf vulnerabilities in the text-mode code that got me to
          realize that we didn't need this code any more)
      Bluetooth: fix non-blocking mode.
      Don't assume that all compilers used to build for Linux support
          the __atomic builtins
    Windows:
      Add more information in "interface disappeared" error messages, in
        the hopes of trying to figure out the cause.
      Treat ERROR_DEVICE_REMOVED as "device was removed".
      Indicate in the error message which "device was removed" error
          occurred.
      Report the Windows error status if PacketSendPacket() fails.
      Use %lu for ULONGs in error message formats.
      Don't treat the inability to find airpcap.dll as an error.
      Ignore spurious error reports by Microsoft Surface mobile
          telephony modem driver
    rpcap:
      Clean up error checking and error messages for server address
          lookup.

Tuesday, December 29, 2020
  Summary for 1.10.0 libpcap release
    Add support for capturing on DPDK devices
    Label most APIs by the first release in which they're available
    Fix some memory leaks, including in pcap_compile()
    Add pcap_datalink_val_to_description_or_dlt()
    Handle the pcap private data in a fashion that makes fewer
       assumptions about memory layouts (might fix GitHub issue #940
       on ARM)
    Fix some thread safety issues
    pcap_findalldevs(): don't sort interfaces by unit number
    Always return a list of supported time-stamp types, even if only
        host time stamps are supported
    Increase the maximum snaplen for LINKTYPE_USBPCAP/DLT_USBPCAP
    Report the DLT description in error messages
    Add pcap_init() for first-time initialization and global option
        setting; it's not required, but may be used
    Remove (unused) SITA support
    Capture file reading:
        Correctly handle pcapng captures with more than one IDB with a
            snapshot length greater than the supported maximum
    Capture file writing:
        Create the file in pcap_dump_open_append() if it doesn't exist
    Packet filtering:
        Fix "unknown ether proto 'aarp'"
        Add a new filter "ifindex" for DLT_LINUX_SLL2 files on all
            platforms and live Linux captures
        Add a hack to the optimizer to try to catch certain optimizer
            loops (should prevent GitHub issue #112)
        Show special Linux BPF offsets symbolically in bpf_image() and
            bpf_dump()
        Added support for ICMPv6 types 1-4 as tokens with names
        Remove undocumented and rather old "ether proto" protocols
        Catch invalid IPv4 addresses in filters
        Don't assume ARM supports unaligned accesses
    Security and other issues found by analysis:
        Fix various security issues reported by Charles Smith at Tangible
            Security
        Fix various security issues reported by Include Security
        Fix some issues found by cppcheck.
        Add some overflow checks in the optimizer
    rpcap:
        Support rpcap-over-TLS
        Redo protocol version negotiation to avoid problems with old
            servers (it still works with servers using the old negotiation,
            as well as servers not supporting negotiation)
        Error handling cleanups
        Add some new authentication libpcap error codes for specific
            errors
        Fix some inetd issues in rpcapd
        Fix rpcapd core dumps with invalid configuration file
        On UN*X, don't have rpcapd tell the client why authentication
            failed, so a brute-force attacker can't distinguish between
            "unknown user name" and "known user name, wrong password"
        Allow rpcapd to rebind more rapidly (GitHub issue #765)
    Documentation:
        Improve man pages, including adding backward compatibility notes
    Building and testing:
        Require, and assume, some level of C99 support in the C compiler
        Require Visual Studio 2015 or later if using Visual Studio
        Fix configure script issues, including with libnl on Linux
        Fix CMake issues
        Squelch complaints from Bison about "%define api.pure" being
            deprecated
        Fix compilation of pcap-tc.c
    Linux:
        Require PF_PACKET support, and kernel 2.6.27 or later
        Handle systems without AF_INET or AF_UNIX socket support
        Get rid of Wireless Extensions for turning monitor mode on
        Proper memory sync for PACKET_MMAP (may prevent GitHub issue
            #898)
        Drop support for libnl 1 and 2.
        Return error on interface going away, but not if it just went
            down but is still present
        Set socket protocol only after packet ring configured,
            reducing bogus packet drop reports
        Get ifdrop stats from sysfs.
        When adjusting BPF programs, do not subtract the
            SLL[2]_HDR_LEN if the location is negative (special metadata
            offset), to preserve references to metadata; see
            the-tcpdump-group/tcpdump#480 (comment)
        Report a warning for unknown ARPHRD types
        Have pcap_breakloop() forcibly break out of a sleeping
            capture loop
        Add support for DSA data link types
        For raw USB bus capture, use the snapshot length to set the
            buffer size, and set the len field to reflect the length
            in the URB (GitHub issue #808)
        With a timeout of zero, wait indefinitely
        Clean up support for some non-GNU libc C libraries
        Add DLT_LINUX_SLL2 for cooked-mode captures
        Probe CONFIGURATION descriptor of connected USB devices
        Treat EPERM on ethtool ioctls as meaning "not supported", as
            permissions checks are done before checking whether the
            ioctl is supported at all
    macOS:
        Cope with getting EPWROFF from SIOCGIFMEDIA
        Treat EPERM on SIOCGIFMEDIA as meaning "not supported", as
            permissions checks are done before checking whether the
            ioctl is supported at all
        Treat ENXIO when reading packets as meaning "the interface
            was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    FreeBSD:
        Treat ENXIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    NetBSD:
        Treat ENXIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    OpenBSD:
        Treat EIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    DragonFly BSD:
        Treat ENXIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    Solaris:
        Treat ENXIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    AIX:
        Fix loading of BPF kernel extension
        Treat ENXIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    Windows:
        Make the snapshot length work even if pcap_setfilter()
            isn't called
        Fix compilation on Cygwin/MSYS
        Add pcap_handle(), and deprecate pcap_fileno()
        Report PCAP_ERROR_NO_SUCH_DEVICE for a non-existent device
        Return an appropriate error message for device removed or
            device unusable due to a suspend/resume
        Report a warning for unknown NdisMedium types
        Have pcap_breakloop() forcibly break out of a sleeping
            capture loop
        Clean up building DLL
        Handle CRT mismatch for pcap_dump_fopen()
        Map NdisMediumWirelessWan to DLT_RAW
        Add AirPcap support in a module, rather than using
            WinPcap/Npcap's support for it
        Report the system error for PacketSetHwFilter() failures
        Add support for getting and setting packet time stamp types
            with Npcap
        Have pcap_init() allow selecting whether the API should use
            local code page strings or UTF-8 strings (including error
            messages)
    Haiku:
        Add capture support
rokuyama pushed a commit to IIJ-NetBSD/netbsd-src that referenced this issue Oct 26, 2023
Friday, April 7, 2023 / The Tcpdump Group
  Summary for 1.10.4 libpcap release
    Source code:
      Fix spaces before tabs in indentation.
    rpcap:
      Fix name of launchd service.
    Documentation:
      Document use of rpcapd with systemd, launchd, inetd, and xinetd.
    Building and testing:
      Require at least pkg-config 0.17.0, as we use --static.
      Get rid of the remains of gnuc.h.
      Require at least autoconf 2.69.
      Update config.{guess,sub}, timestamps 2023-01-01,2023-01-21.

Thursday, January 12, 2023 / The Tcpdump Group
  Summary for 1.10.3 libpcap release
    Source code:
      Sort the PUBHDR variable in Makefile.in in "ls" order.
      Fix typo in comment in pflog.h.
      Remove two no-longer-present files from .gitignore.
      Update code and comments for handling failure to set promiscuous
        mode based on new information.
    Building and testing:
      install: Fixed not to install the non-public pcap-util.h header.
      pcap-config: add a --version flag.
      Makefile.in: Add some missing files in the distclean target.

Saturday, December 31, 2022 / The Tcpdump Group
  Summary for 1.10.2 libpcap release
    Source code:
      Use __builtin_unreachable() in PCAP_UNREACHABLE.
      Use AS_HELP_STRING macro instead of AC_HELP_STRING in the
        configure scripts, to avoid deprecation warnings.
      Change availability tags in pcap.h to make it easier to
        arrange for it to be used in Darwin releases.
      Use AS_HELP_STRING for --enable-remote.
      Fix some formatting string issues found by cppcheck.
      Various small code and comment cleanups.
      Use PCAP_ERROR (defined as -1) rather than explicit -1 for
        functions the documentation says return PCAP_ERROR.
      Remove unused code from the filter compiler.
      Use _declspec(deprecated(msg)) rather than __pragma(deprecated)
        for Windows deprecation warnings, so the message that was
        specified shows up.
      diag-control.h: define PCAP_DO_PRAGMA() iff we're going to use it.
      Use "%d" to print some signed ints.
      Use the Wayback Machine for a removed document in a comment.
      Add some const qualifiers.
      RDMA: Use PRIu64 to print a uint64_t.
    "Dead" pcap_ts from pcap_open_dead() and ..._with_tstamp_precision():
        Don't crash if pcap_breakloop() is called.
    Savefiles:
      Fix pcap_dispatch() to return number of packets processed, rather
        than 0, even at EOF.
      If we get an error writing the packet header, don't write the
        packet data.
      Put PFLOG UID and PID values in the header into host byte order
        when reading a LINKTYPE_PFLOG file.
      Put CAN ID field in CAN pseudo-headers for LINUX_SLL2, as we do
        for LINUX_SLL.
      Fix incorrectly-computed "real" length for isochronous USB
        transfers when reading savefiles.
      Don't crash if pcap_can_set_rfmon() is called.
      Fix pcap_offline_read() loop.
    Capture:
      Never process more than INT_MAX packets in a pcap_dispatch() call,
        to avoid integer overflow (issue #1087).
      Improve error messages for "no such device" and "permission
        denied" errors.
      SITA: Fix a typo in a variable name.
    Packet filtering:
      Get PFLOG header length from the length value in the header.
      Support all the direction, reason, and action types supported by
        all systems that support PFLOG.
      Don't require PFLOG support on the target machine in order to
        support PFLOG filtering (also fixes issue #1076).
      Expand abbreviations into "proto X" properly.
      gencode.c: Update a comment about the VLAN TPID test.
      Add the minimum and maximum matching DLTs to an error message.
    Linux:
      Fix memory leak in capture device open (pull request #1038).
      Fix detection of CAN/CAN FD packets in direction check (issue
        #1051).
      Fix double-free crashes on errors such as running on a kernel with
        CONFIG_PACKET_MMAP not configured (issue #1054).
      Use DLT_CAN_SOCKETCAN for CANbus interfaces (issue #1052; includes
        changes from pull request #1035).
      Make sure the CANFD_FDF can be relied on to indicate whether a
        CANbus packet is a CAN frame or a CAN FD frame
      Improve error message for "out of memory" errors for kernel
        filters (see issue #1089).
      Fix pcap_findalldevs() to find usbmon devices.
      Fix handling of VLAN tagged packets if the link-layer type is
        changed from DLT_LINUX_SLL to DLT_LINUX_SLL2 (see issue #1105).
      Always turn on PACKET_AUXDATA (see issue #1105).
      We require 2.6.27 or later, so PACKET_RESERVE is available.
      Make sure there's reserved space for a DLT_LINUX_SLL2 header
        when capturing.
      Correctly compute the "real" length for isochronous USB transfers.
      Don't have an eventfd descriptor open in non-blocking mode, so as
        not to waste descriptors.
      netfilter: Squelch a narrowing warning (To be looked at before 2038).
    BPF capture (*BSD, macOS, AIX, Solaris 11):
      Fix case where a device open might fail, rather than falling back
        to a smaller buffer size, when the initial buffer size is too
        big.
      Use an unsigned device number to iterate over BPF devices, to
        squelch a compiler warning.
    NetBSD:
      Fix handling of LINKTYPE_HDLC/DLT_HDLC.
    rpcap:
      Fix unaligned accesses in rpcapd (pull request #1037).
      Fix code to process port number.
      Clean up findalldevs code in rpcapd.
      Clean up bufferizing code.
      Fix a file descriptor/handle leak in pcap_findalldevs_ex()
        (Coverity CID 1507240).
      Improve error messages for host and port resolution errors.
      Fix connect code not to fail if both IPv4 and IPv6 addresses are
        tried.
      Improve connect failure error message.
      Provide an error message for a bad authentication reply size.
      For link-layer types with host-endian fields in the header, fix
        those fields if capturing from a server with a different byte
        order.
      Suppress temporarily the warnings with "enable remote packet capture".
    Windows:
      Add support for NdisMediumIP (pull request #1027).
      Don't require applications using pcap to be built with VS 2015 or
        later.
      Use the correct string for the DLL VersionInfo.
      Remove unnecessary DllMain() function.
      Correctly handle ERROR_INVALID_FUNCTION from
        PacketGetTimestampModes() (indicate that WinPcap or an older
        version of Npcap is probably installed).
      Fix use-after-free in some cases when a pcap_t is closed.
      Make sure an error is returned by pcap_create_interface() if
        PacketOpenAdapter() fails.
      Return an error if the driver reports 0 timestamp modes supported.
      Close the ADAPTER handle for some errors in
        pcap_create_interface().
      Get rid of old unmaintained VS project files.
      Fix deprecation warning for pcap_handle().
      Npcap is now at npcap.com, not npcap.org.
      Make sure "no such device" and "no permission to open device"
        errors show up in pcap_activate(), not pcap_create() (fixes,
        among other things, tcpdump -i <interface-number>).
      npcap: squelch deprecation warnings for kernel dump mode.
    Haiku:
      Implement pcap_lib_version(), as now required.
      Handle negative or too-large snaplen values.
      Fix various build issues and warnings.
    Building and testing:
      Update configure-time universal build checks for macOS.
      Update config.guess and config.sub.
      If we look for an SSL library with pkg-config in configure script,
        try pkg-config first.
      If we have pkg-config and Homebrew, try to set pkg-config up to
        find Homebrew packages.
      Handle some Autoconf/make errors better.
      Use "git archive" for the "make releasetar" process.
      Remove the release candidate rcX targets.
      Fix compiling on Solaris 9/SPARC and 11/AMD64.
      Address assorted compiler warnings.
      Fix cross-building on Linux for Windows with mingw32 for Win64
        (pull request #1031).
      Properly set installation directory on Windows when not compiling
        with MSVC.
      Fix configure script checks for compiler flags.
      Give more details if check for usable (F)Lex fails.
      Fix compiling with GCC 4.6.4.
      Don't use add_compile_options() with CMake, as we currently don't
        require 2.8.12, where it first appeared.
      Don't provide -L/usr/lib for pkg-config --libs in pkg-config.
      Fix error message for inadequate Bison/Berkeley YACC.
      configure: correctly do some DPDK checks.
      Only use pkg-config when checking for DPDK.
      Allow the path in which DPDK is installed to be specified.
      Use pkg-config first when checking for libibverbs.
      CMake: fix check for libibverbs with Sun's C compiler.
      Have CMake warn if no capture mechanism can be found.
      Don't do stuff requiring 3.19 or later on earlier CMakes.
      Squelch some CMake warnings.
      Fix diag-control.h to handle compiling with clang-cl (issues
        #1101 and #1115).
      Cleanup various leftover cruft in the configure script.
      Fix building without protochain support. (GH #852)
      Check for a usable YACC (or Bison) and {F}lex in CMake, as we do
        in autotools.
      Only check for a C++ compiler on Haiku, as that's the only
        platform with C++ code, and make sure they generate code for
        the same instruction set bit-width (both 32-bit or both 64-bit)
        (issue #1112).
      On Solaris, check the target bit-width and set PKG_CONFIG_PATH
        appropriately, to handle the mess that is the D-Bus library
        package (issue #1112).
      Fix generation of pcap-config and libpcap.pc files (issue #1062).
      pcap-config: don't assume the system library directory is /usr/lib.
      pcap-config: add a --static-pcap-only flag.
      Cirrus CI: Use the same configuration as for the main branch.
      Add four libpcap test files.
      Update Npcap SDK to 1.13.
      Makefile.in: Use TEST_DIST, like for tcpdump.
      Remove awk code from mkdep.
      Cirrus CI: Add the libssl-dev package in the Linux task.
      Cirrus CI: Add the openssl@3 brew package in the macOS task.
      Get "make shellcheck" to pass again.
      CMake: Build valgrindtest only if Autoconf would.
      CMake: use ${CMAKE_INSTALL_SBINDIR} rather than just sbin.
      CMake: use NUL: as the null device on Windows.
      autoconf: fix typo in test of macOS version.
      Makefile.in: Add two missing files in EXTRA_DIST.
      autotools, cmake: provide an rpath option if necessary.
      configure: get rid of the attempt to auto-run PKG_PROG_PKG_CONFIG.
      configure: use PKG_CHECK_MODULES to run pkg-config.
    Documentation:
      Add README.solaris.md.
      Add SCTP to pcap-filter(7).
      Note that = and == are the same operator in filters (issue #1044).
      Update INSTALL.md, README.md, and README.solaris.md.
      Update and clean up CONTRIBUTING.md.
      Trim documentation of support for now-dead UN*Xes and older
        versions of other UN*Xes.
      Move the "how to allocate a LINKTYPE_/DLT_ value" documentation to
        the web site.
      Clean up man pages.
      Move README.capture-module to the web site.
      Improve some protocol details in pcap-filter(7).
      Refine "relop" notes in pcap-filter(7).
      In pcap-filter(7) "domain" is an id.
      Discuss backward compatibility in pcap-filter(7).
      Other improvements to pcap-filter(7).
      Document pcap_breakloop(3PCAP) interaction with threads better.
      Document PCAP_ERROR_NOT_ACTIVATED for more routines.

Wednesday, June 9, 2021:
  Summary for 1.10.1 libpcap release:
    Packet filtering:
      Fix "type XXX subtype YYY" giving a parse error
    Source code:
      Add PCAP_AVAILABLE_1_11.
    Building and testing:
      Rename struct bpf_aux_data to avoid NetBSD compile errors
      Squelch some compiler warnings
      Squelch some Bison warnings
      Fix cross-builds with older kernels lacking BPF_MOD and BPF_XOR
      Fix Bison detection for minor version 0.
      Fix parallel build with FreeBSD make.
      Get DLT_MATCHING_MAX right in gencode.c on NetBSD.
      Define timeradd() and timersub() if necessary.
      Fix Cygwin/MSYS target directories.
      Fix symlinking with DESTDIR.
      Fix generation of libpcap.pc with CMake when not building a shared
          library.
      Check for Arm64 as well as x86-64 when looking for packet.lib on
          Windows.
    Documentation:
      Refine Markdown in README.md.
      Improve the description of portrange in filters.
      README.linux.md isn't Markdown, rename it just README.linux.
    pcapng:
      Support reading version 1.2, which some writers produce, and which
          is the same as 1.0 (some new block types were added, but
          that's not sufficient reason to bump the minor version number,
          as code that understands those new block types can handle them
          in a 1.0 file)
    Linux:
      Drop support for text-mode USB captures, as we require a 2.6.27
          or later kernel (credit to Chaoyuan Peng for noting the
          sscanf vulnerabilities in the text-mode code that got me to
          realize that we didn't need this code any more)
      Bluetooth: fix non-blocking mode.
      Don't assume that all compilers used to build for Linux support
          the __atomic builtins
    Windows:
      Add more information in "interface disappeared" error messages, in
        the hopes of trying to figure out the cause.
      Treat ERROR_DEVICE_REMOVED as "device was removed".
      Indicate in the error message which "device was removed" error
          occurred.
      Report the Windows error status if PacketSendPacket() fails.
      Use %lu for ULONGs in error message formats.
      Don't treat the inability to find airpcap.dll as an error.
      Ignore spurious error reports by Microsoft Surface mobile
          telephony modem driver
    rpcap:
      Clean up error checking and error messages for server address
          lookup.

Tuesday, December 29, 2020
  Summary for 1.10.0 libpcap release
    Add support for capturing on DPDK devices
    Label most APIs by the first release in which they're available
    Fix some memory leaks, including in pcap_compile()
    Add pcap_datalink_val_to_description_or_dlt()
    Handle the pcap private data in a fashion that makes fewer
       assumptions about memory layouts (might fix GitHub issue #940
       on ARM)
    Fix some thread safety issues
    pcap_findalldevs(): don't sort interfaces by unit number
    Always return a list of supported time-stamp types, even if only
        host time stamps are supported
    Increase the maximum snaplen for LINKTYPE_USBPCAP/DLT_USBPCAP
    Report the DLT description in error messages
    Add pcap_init() for first-time initialization and global option
        setting; it's not required, but may be used
    Remove (unused) SITA support
    Capture file reading:
        Correctly handle pcapng captures with more than one IDB with a
            snapshot length greater than the supported maximum
    Capture file writing:
        Create the file in pcap_dump_open_append() if it doesn't exist
    Packet filtering:
        Fix "unknown ether proto 'aarp'"
        Add a new filter "ifindex" for DLT_LINUX_SLL2 files on all
            platforms and live Linux captures
        Add a hack to the optimizer to try to catch certain optimizer
            loops (should prevent GitHub issue #112)
        Show special Linux BPF offsets symbolically in bpf_image() and
            bpf_dump()
        Added support for ICMPv6 types 1-4 as tokens with names
        Remove undocumented and rather old "ether proto" protocols
        Catch invalid IPv4 addresses in filters
        Don't assume ARM supports unaligned accesses
    Security and other issues found by analysis:
        Fix various security issues reported by Charles Smith at Tangible
            Security
        Fix various security issues reported by Include Security
        Fix some issues found by cppcheck.
        Add some overflow checks in the optimizer
    rpcap:
        Support rpcap-over-TLS
        Redo protocol version negotiation to avoid problems with old
            servers (it still works with servers using the old negotiation,
            as well as servers not supporting negotiation)
        Error handling cleanups
        Add some new authentication libpcap error codes for specific
            errors
        Fix some inetd issues in rpcapd
        Fix rpcapd core dumps with invalid configuration file
        On UN*X, don't have rpcapd tell the client why authentication
            failed, so a brute-force attacker can't distinguish between
            "unknown user name" and "known user name, wrong password"
        Allow rpcapd to rebind more rapidly (GitHub issue #765)
    Documentation:
        Improve man pages, including adding backward compatibility notes
    Building and testing:
        Require, and assume, some level of C99 support in the C compiler
        Require Visual Studio 2015 or later if using Visual Studio
        Fix configure script issues, including with libnl on Linux
        Fix CMake issues
        Squelch complaints from Bison about "%define api.pure" being
            deprecated
        Fix compilation of pcap-tc.c
    Linux:
        Require PF_PACKET support, and kernel 2.6.27 or later
        Handle systems without AF_INET or AF_UNIX socket support
        Get rid of Wireless Extensions for turning monitor mode on
        Proper memory sync for PACKET_MMAP (may prevent GitHub issue
            #898)
        Drop support for libnl 1 and 2.
        Return error on interface going away, but not if it just went
            down but is still present
        Set socket protocol only after packet ring configured,
            reducing bogus packet drop reports
        Get ifdrop stats from sysfs.
        When adjusting BPF programs, do not subtract the
            SLL[2]_HDR_LEN if the location is negative (special metadata
            offset), to preserve references to metadata; see
            the-tcpdump-group/tcpdump#480 (comment)
        Report a warning for unknown ARPHRD types
        Have pcap_breakloop() forcibly break out of a sleeping
            capture loop
        Add support for DSA data link types
        For raw USB bus capture, use the snapshot length to set the
            buffer size, and set the len field to reflect the length
            in the URB (GitHub issue #808)
        With a timeout of zero, wait indefinitely
        Clean up support for some non-GNU libc C libraries
        Add DLT_LINUX_SLL2 for cooked-mode captures
        Probe CONFIGURATION descriptor of connected USB devices
        Treat EPERM on ethtool ioctls as meaning "not supported", as
            permissions checks are done before checking whether the
            ioctl is supported at all
    macOS:
        Cope with getting EPWROFF from SIOCGIFMEDIA
        Treat EPERM on SIOCGIFMEDIA as meaning "not supported", as
            permissions checks are done before checking whether the
            ioctl is supported at all
        Treat ENXIO when reading packets as meaning "the interface
            was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    FreeBSD:
        Treat ENXIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    NetBSD:
        Treat ENXIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    OpenBSD:
        Treat EIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    DragonFly BSD:
        Treat ENXIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    Solaris:
        Treat ENXIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    AIX:
        Fix loading of BPF kernel extension
        Treat ENXIO as meaning "the interface was removed"
        Report "the interface disappeared", not "the interface went
            down", if the interface was removed during a capture
    Windows:
        Make the snapshot length work even if pcap_setfilter()
            isn't called
        Fix compilation on Cygwin/MSYS
        Add pcap_handle(), and deprecate pcap_fileno()
        Report PCAP_ERROR_NO_SUCH_DEVICE for a non-existent device
        Return an appropriate error message for device removed or
            device unusable due to a suspend/resume
        Report a warning for unknown NdisMedium types
        Have pcap_breakloop() forcibly break out of a sleeping
            capture loop
        Clean up building DLL
        Handle CRT mismatch for pcap_dump_fopen()
        Map NdisMediumWirelessWan to DLT_RAW
        Add AirPcap support in a module, rather than using
            WinPcap/Npcap's support for it
        Report the system error for PacketSetHwFilter() failures
        Add support for getting and setting packet time stamp types
            with Npcap
        Have pcap_init() allow selecting whether the API should use
            local code page strings or UTF-8 strings (including error
            messages)
    Haiku:
        Add capture support
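
The 1.10.0 Linux entry above, "When adjusting BPF programs, do not subtract the SLL[2]_HDR_LEN if the location is negative", is the change that references this issue. The following added example is a simplified model written for this page, not libpcap's code: it assumes the kernel filter sees the packet without the synthetic cooked-mode header, and the names `adjust_load`, `adjust_program`, `demo`, `in_header_case` and the sample filter are constructed. It shows how subtracting the header length from an ancillary-data load silently changes an interface-index test into a read of a different offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction, same fields as struct bpf_insn. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode bits from the classic BPF instruction encoding. */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_LD  0x00
#define BPF_LDX 0x01
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_W   0x00
#define BPF_B   0x10
#define BPF_ABS 0x20
#define BPF_IND 0x40
#define BPF_JEQ 0x10
#define BPF_K   0x00

/* Linux ancillary-data base offset and the ifindex slot, plus the size of
 * the DLT_LINUX_SLL2 header that exists only in the userland view. */
#define SKF_AD_OFF     (-0x1000)
#define SKF_AD_IFINDEX 8
#define SLL2_HDR_LEN   20

#define ADJ_IN_HEADER (-1)  /* load targets the synthetic header itself */

/* Rewrite one instruction for in-kernel use. Returns 1 if rewritten, 0 if
 * left alone, ADJ_IN_HEADER if it cannot be expressed as a packet load.
 * keep_negative=0 models the behaviour before the fix. */
static int adjust_load(struct insn *p, uint32_t hdrlen, int keep_negative)
{
    int cls = BPF_CLASS(p->code), mode = BPF_MODE(p->code);

    if ((cls != BPF_LD && cls != BPF_LDX) ||
        (mode != BPF_ABS && mode != BPF_IND))
        return 0;                    /* not a load from the packet */
    if (keep_negative && (int32_t)p->k < 0)
        return 0;                    /* metadata reference: preserve it */
    if (p->k < hdrlen)
        return ADJ_IN_HEADER;        /* points inside the synthetic header */
    p->k -= hdrlen;                  /* shift to the kernel's view */
    return 1;
}

/* Rewrite a whole program; returns the number of rewritten loads or
 * ADJ_IN_HEADER on the first load that cannot be rewritten. */
static int adjust_program(struct insn *prog, size_t n, uint32_t hdrlen,
                          int keep_negative)
{
    int changed = 0;
    for (size_t i = 0; i < n; i++) {
        int r = adjust_load(&prog[i], hdrlen, keep_negative);
        if (r < 0)
            return r;
        changed += r;
    }
    return changed;
}

/* Constructed filter: "ifindex 2 and IPv4 protocol byte == 6", compiled
 * against offsets that include the 20-byte SLL2 header. */
static int demo(int keep_negative, uint32_t *meta_k, uint32_t *pkt_k)
{
    struct insn prog[] = {
        { BPF_LD | BPF_W | BPF_ABS, 0, 0,
          (uint32_t)(SKF_AD_OFF + SKF_AD_IFINDEX) },
        { BPF_JMP | BPF_JEQ | BPF_K, 0, 3, 2 },
        { BPF_LD | BPF_B | BPF_ABS, 0, 0, SLL2_HDR_LEN + 9 },
        { BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 6 },
        { BPF_RET | BPF_K, 0, 0, 262144 },
        { BPF_RET | BPF_K, 0, 0, 0 },
    };
    int r = adjust_program(prog, sizeof prog / sizeof prog[0],
                           SLL2_HDR_LEN, keep_negative);
    *meta_k = prog[0].k;   /* where the "ifindex" load now points */
    *pkt_k = prog[2].k;    /* where the protocol-byte load now points */
    return r;
}

/* A load of offset 4 lies inside the synthetic header, so it is rejected. */
static int in_header_case(void)
{
    struct insn one = { BPF_LD | BPF_W | BPF_ABS, 0, 0, 4 };
    return adjust_program(&one, 1, SLL2_HDR_LEN, 1);
}

int main(void)
{
    uint32_t m, p;
    int n = demo(0, &m, &p);
    printf("before fix: %d rewritten, ifindex load k=0x%08x, proto k=%u\n",
           n, (unsigned)m, (unsigned)p);
    n = demo(1, &m, &p);
    printf("after fix:  %d rewritten, ifindex load k=0x%08x, proto k=%u\n",
           n, (unsigned)m, (unsigned)p);
    printf("load inside header: %d\n", in_header_case());
    return 0;
}
```
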