From aaedba987536838d88995c12476e09880f209684 Mon Sep 17 00:00:00 2001 
From: matt-0123 Date: Fri, 12 Dec 2025 21:24:45 +0000 Subject: [PATCH 1/2] Add ARM64 / Graviton build support and fixes for rpcapd --- .gitignore | 21 +- README-ARM64.md | 53 + winpcap/wpcap/libpcap/Makefile | 555 ++++++++++ winpcap/wpcap/libpcap/bpf_filter.c | 1 + winpcap/wpcap/libpcap/config.h | 253 +++++ winpcap/wpcap/libpcap/config.status | 902 +++++++++++++++++ winpcap/wpcap/libpcap/net | 1 + winpcap/wpcap/libpcap/pcap-config | 16 + winpcap/wpcap/libpcap/pcap-filter.manmisc | 949 ++++++++++++++++++ winpcap/wpcap/libpcap/pcap-linktype.manmisc | 282 ++++++ winpcap/wpcap/libpcap/pcap-linux.c | 1 + winpcap/wpcap/libpcap/pcap-new.c | 3 +- winpcap/wpcap/libpcap/pcap-savefile.manfile | 127 +++ winpcap/wpcap/libpcap/pcap.3pcap | 386 +++++++ winpcap/wpcap/libpcap/pcap_compile.3pcap | 72 ++ winpcap/wpcap/libpcap/pcap_datalink.3pcap | 41 + winpcap/wpcap/libpcap/pcap_dump_open.3pcap | 87 ++ .../wpcap/libpcap/pcap_list_datalinks.3pcap | 58 ++ winpcap/wpcap/libpcap/pcap_open_dead.3pcap | 52 + winpcap/wpcap/libpcap/pcap_open_offline.3pcap | 78 ++ winpcap/wpcap/libpcap/remote-ext.h.orig | 448 +++++++++ winpcap/wpcap/libpcap/remote-ext.h.rej | 11 + winpcap/wpcap/libpcap/rpcapd/Makefile | 2 +- winpcap/wpcap/libpcap/rpcapd/daemon.c | 55 +- winpcap/wpcap/libpcap/rpcapd/fileconf.c | 1 + winpcap/wpcap/libpcap/scanner.h | 6 + winpcap/wpcap/libpcap/version.c | 1 + winpcap/wpcap/libpcap/version.h | 1 + 28 files changed, 4447 insertions(+), 16 deletions(-) create mode 100644 README-ARM64.md create mode 100644 winpcap/wpcap/libpcap/Makefile create mode 120000 winpcap/wpcap/libpcap/bpf_filter.c create mode 100644 winpcap/wpcap/libpcap/config.h create mode 100755 winpcap/wpcap/libpcap/config.status create mode 120000 winpcap/wpcap/libpcap/net create mode 100755 winpcap/wpcap/libpcap/pcap-config create mode 100644 winpcap/wpcap/libpcap/pcap-filter.manmisc create mode 100644 winpcap/wpcap/libpcap/pcap-linktype.manmisc create mode 100644 winpcap/wpcap/libpcap/pcap-savefile.manfile create 
mode 100644 winpcap/wpcap/libpcap/pcap.3pcap create mode 100644 winpcap/wpcap/libpcap/pcap_compile.3pcap create mode 100644 winpcap/wpcap/libpcap/pcap_datalink.3pcap create mode 100644 winpcap/wpcap/libpcap/pcap_dump_open.3pcap create mode 100644 winpcap/wpcap/libpcap/pcap_list_datalinks.3pcap create mode 100644 winpcap/wpcap/libpcap/pcap_open_dead.3pcap create mode 100644 winpcap/wpcap/libpcap/pcap_open_offline.3pcap create mode 100644 winpcap/wpcap/libpcap/remote-ext.h.orig create mode 100644 winpcap/wpcap/libpcap/remote-ext.h.rej create mode 100644 winpcap/wpcap/libpcap/scanner.h create mode 100644 winpcap/wpcap/libpcap/version.c create mode 100644 winpcap/wpcap/libpcap/version.h
diff --git a/.gitignore b/.gitignore
index cbf7672..393bc81 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,11 @@
-wpcap/libpcap/grammar.c
-wpcap/libpcap/scanner.c
-wpcap/libpcap/tokdefs.h
-wpcap/libpcap/rpcapd/win32-messages.bin
-wpcap/libpcap/rpcapd/win32-messages.h
-wpcap/libpcap/rpcapd/win32-messages.rc
-wpcap/libpcap/rpcapd/rpcapd
-wpcap/libpcap/rpcapd/rpcapd.exe
-wpcap/libpcap/rpcapd/rpcapd-dist/rpcapd-64bit-linux
-install-rpcapd.sh
+*.o
+*.a
+rpcapd
+*.exe
+*.osx
+*.bin
+*.log
+*.tar.gz
+scanner.c
+grammar.c
+y.tab.*
diff --git a/README-ARM64.md b/README-ARM64.md
new file mode 100644
index 0000000..40ca92e
--- /dev/null
+++ b/README-ARM64.md
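Review bot: In the .gitignore hunk the bare pattern `rpcapd` matches any file or directory of that name at any depth, which includes the source directory `winpcap/wpcap/libpcap/rpcapd/` that this same commit edits (daemon.c, fileconf.c); files already tracked stay tracked, but any new file created there would be silently left out of `git status` and `git add`. Anchor the entry to the built binary instead, `/winpcap/wpcap/libpcap/rpcapd/rpcapd`, in the way the removed entries named full paths. The new list also has no `*.orig` or `*.rej` entry, while the diffstat shows `remote-ext.h.orig` and `remote-ext.h.rej` being committed. A `.rej` file normally means a patch hunk failed to apply, so it is worth confirming that the intended remote-ext.h change is actually present before this is merged.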
@@ -0,0 +1,53 @@
+# ARM64 / Graviton Build Instructions for rpcapd
+
+This fork includes the changes required to build the ExtraHop rpcapd agent on ARM64 platforms such as:
+
+- AWS Graviton (Amazon Linux 2 / 2023)
+- Other modern ARM64 Linux distributions
+
+## Changes in this fork (high level)
+
+- Enabled remote capture support in libpcap (HAVE_REMOTE).
+- Patched old libpcap sources for modern Linux headers (e.g. SIOCGSTAMP requires ).
+- Removed x86-only inline assembly (sfence / lfence) and replaced with portable memory barriers.
+- Fixed missing includes for types like UINT16_MAX.
+- Resolved multiple-definition of `sockmain` between rpcapd.c and pcap-new.c.
+- Switched from static linking (-static) to dynamic linking to avoid missing -lc / -lcrypt issues.
+- Ensured rpcapd links against libpcap and libcrypt on Amazon Linux.
+
+## Build Steps (Amazon Linux / Graviton)
+
+```bash
+sudo yum groupinstall -y "Development Tools"
+sudo yum install -y libpcap libpcap-devel libxcrypt libxcrypt-devel flex bison
+
+cd /opt
+sudo git clone https://github.com/matt-0123/rpcapd.git
+sudo chown -R "$USER":"$USER" rpcapd
+cd rpcapd/winpcap/wpcap/libpcap
+
+# Enable remote capture support
+./configure --build=aarch64-unknown-linux-gnu --enable-remote
+make
+
+# Build rpcapd
+cd rpcapd
+make clean || true
+make
+The resulting binary will be:
+
+bash
+Copy code
+winpcap/wpcap/libpcap/rpcapd/rpcapd
+Install it with:
+
+bash
+Copy code
+sudo cp rpcapd /usr/local/sbin/rpcapd
+sudo chmod 755 /usr/local/sbin/rpcapd
+sudo chown root:root /usr/local/sbin/rpcapd
+Run in active mode:
+
+bash
+Copy code
+sudo /usr/local/sbin/rpcapd -n -v -a ,2003
diff --git a/winpcap/wpcap/libpcap/Makefile b/winpcap/wpcap/libpcap/Makefile
new file mode 100644
index 0000000..19e6030
--- /dev/null
+++ b/winpcap/wpcap/libpcap/Makefile
@@ -0,0 +1,555 @@ +# Copyright (c) 1993, 1994, 1995, 1996 +# The Regents of the University of California. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that: (1) source code distributions +# retain the above copyright notice and this paragraph in its entirety, (2) +# distributions including binary code include the above copyright notice and +# this paragraph in its entirety in the documentation or other materials +# provided with the distribution, and (3) all advertising materials mentioning +# features or use of this software display the following acknowledgement: +# ``This product includes software developed by the University of California, +# Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +# the University nor the names of its contributors may be used to endorse +# or promote products derived from this software without specific prior +# written permission. +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +# +# @(#) $Header: /tcpdump/master/libpcap/Makefile.in,v 1.108.2.28 2008-10-23 22:13:21 guy Exp $ (LBL) + +# +# Various configurable paths (remember to edit Makefile.in, not Makefile) +# + +# Top level hierarchy +prefix = /usr/local +exec_prefix = ${prefix} +datarootdir = ${prefix}/share +# Pathname of directory to install the configure program +bindir = ${exec_prefix}/bin +# Pathname of directory to install the include files +includedir = ${prefix}/include +# Pathname of directory to install the library +libdir = ${exec_prefix}/lib +# Pathname of directory to install the man pages +mandir = ${datarootdir}/man + +# VPATH +srcdir = . + + +# +# You shouldn't need to edit anything below. +# + +CC = gcc +CCOPT = -O2 -fPIC +INCLS = -I. 
+# HAVE_REMOTE +DEFS = -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -DHAVE_REMOTE +LIBS = +TCLIBS = +DAGLIBS = +DEPLIBS = +DYEXT = so +PROG=libpcap + +# Standard CFLAGS +CFLAGS = $(CCOPT) $(INCLS) $(DEFS) + +INSTALL = /usr/bin/install -c +INSTALL_PROGRAM = ${INSTALL} +INSTALL_DATA = ${INSTALL} -m 644 +RANLIB = ranlib + +# +# Flex and bison allow you to specify the prefixes of the global symbols +# used by the generated parser. This allows programs to use lex/yacc +# and link against libpcap. If you don't have flex or bison, get them. +# +LEX = flex -Ppcap_ +YACC = bison -y -p pcap_ + +# Explicitly define compilation rule since SunOS 4's make doesn't like gcc. +# Also, gcc does not remove the .o before forking 'as', which can be a +# problem if you don't own the file but can write to the directory. +.c.o: + @rm -f $@ + $(CC) $(CFLAGS) -c $(srcdir)/$*.c + +PSRC = pcap-linux.c pcap-usb-linux.c +FSRC = fad-getad.c +SSRC = +CSRC = pcap.c inet.c gencode.c optimize.c nametoaddr.c \ + etherent.c savefile.c bpf_filter.c bpf_image.c bpf_dump.c +GENSRC = scanner.c grammar.c version.c +# HAVE_REMOTE +REMOTESRC = pcap-new.c pcap-remote.c sockutils.c +TCSRC = +LIBOBJS = + +# HAVE_REMOTE +SRC = $(PSRC) $(FSRC) $(CSRC) $(SSRC) $(GENSRC) $(TCSRC) $(REMOTESRC) + +# We would like to say "OBJ = $(SRC:.c=.o)" but Ultrix's make cannot +# hack the extra indirection +# HAVE_REMOTE +OBJ = $(PSRC:.c=.o) $(FSRC:.c=.o) $(CSRC:.c=.o) $(SSRC:.c=.o) $(GENSRC:.c=.o) $(TCSRC:.c=.o) $(REMOTESRC:.c=.o) $(LIBOBJS) +HDR = \ + acconfig.h \ + arcnet.h \ + atmuni31.h \ + ethertype.h \ + gencode.h \ + ieee80211.h \ + llc.h \ + nlpid.h \ + pcap/bluetooth.h \ + pcap/bpf.h \ + pcap/namedb.h \ + pcap/pcap.h \ + pcap/sll.h \ + pcap/usb.h \ + pcap/vlan.h \ + pcap.h \ + pcap-int.h \ + pcap-namedb.h \ + pcap-stdinc.h \ + ppp.h \ + sunatmpos.h + +GENHDR = \ + scanner.h tokdefs.h version.h + +TAGHDR = \ + pcap-bpf.h + +TAGFILES = \ + $(SRC) $(HDR) $(TAGHDR) + +CLEANFILES = $(OBJ) libpcap.a $(GENSRC) $(GENHDR) 
lex.yy.c + +MAN1 = pcap-config.1 + +MAN3PCAP_EXPAND = \ + pcap.3pcap.in \ + pcap_compile.3pcap.in \ + pcap_datalink.3pcap.in \ + pcap_dump_open.3pcap.in \ + pcap_list_datalinks.3pcap.in \ + pcap_open_dead.3pcap.in \ + pcap_open_offline.3pcap.in + +MAN3PCAP_NOEXPAND = \ + pcap_activate.3pcap \ + pcap_breakloop.3pcap \ + pcap_can_set_rfmon.3pcap \ + pcap_close.3pcap \ + pcap_create.3pcap \ + pcap_datalink_name_to_val.3pcap \ + pcap_datalink_val_to_name.3pcap \ + pcap_dump.3pcap \ + pcap_dump_close.3pcap \ + pcap_dump_file.3pcap \ + pcap_dump_flush.3pcap \ + pcap_dump_ftell.3pcap \ + pcap_file.3pcap \ + pcap_fileno.3pcap \ + pcap_findalldevs.3pcap \ + pcap_freealldevs.3pcap \ + pcap_freecode.3pcap \ + pcap_free_datalinks.3pcap \ + pcap_get_selectable_fd.3pcap \ + pcap_geterr.3pcap \ + pcap_inject.3pcap \ + pcap_is_swapped.3pcap \ + pcap_lib_version.3pcap \ + pcap_lookupdev.3pcap \ + pcap_lookupnet.3pcap \ + pcap_loop.3pcap \ + pcap_major_version.3pcap \ + pcap_next_ex.3pcap \ + pcap_offline_filter.3pcap \ + pcap_open_live.3pcap \ + pcap_set_buffer_size.3pcap \ + pcap_set_datalink.3pcap \ + pcap_set_promisc.3pcap \ + pcap_set_rfmon.3pcap \ + pcap_set_snaplen.3pcap \ + pcap_set_timeout.3pcap \ + pcap_setdirection.3pcap \ + pcap_setfilter.3pcap \ + pcap_setnonblock.3pcap \ + pcap_snapshot.3pcap \ + pcap_stats.3pcap \ + pcap_statustostr.3pcap \ + pcap_strerror.3pcap + +MAN3PCAP = $(MAN3PCAP_NOEXPAND) $(MAN3PCAP_EXPAND:.in=) + +MANFILE = \ + pcap-savefile.manfile.in + +MANMISC = \ + pcap-filter.manmisc.in \ + pcap-linktype.manmisc.in + +EXTRA_DIST = \ + CHANGES \ + ChmodBPF/ChmodBPF \ + ChmodBPF/StartupParameters.plist \ + CREDITS \ + INSTALL.txt \ + LICENSE \ + Makefile.in \ + README \ + README.aix \ + README.dag \ + README.hpux \ + README.linux \ + README.macosx \ + README.septel \ + README.sita \ + README.tru64 \ + README.Win32 \ + SUNOS4/nit_if.o.sparc \ + SUNOS4/nit_if.o.sun3 \ + SUNOS4/nit_if.o.sun4c.4.0.3c \ + TODO \ + VERSION \ + aclocal.m4 \ + bpf/net/bpf_filter.c 
\ + chmod_bpf \ + config.guess \ + config.h.in \ + config.sub \ + configure \ + configure.in \ + dlpisubs.c \ + dlpisubs.h \ + fad-getad.c \ + fad-gifc.c \ + fad-glifc.c \ + fad-null.c \ + fad-sita.c \ + fad-win32.c \ + filtertest.c \ + findalldevstest.c \ + grammar.y \ + install-sh \ + lbl/os-aix4.h \ + lbl/os-hpux11.h \ + lbl/os-osf4.h \ + lbl/os-osf5.h \ + lbl/os-solaris2.h \ + lbl/os-sunos4.h \ + lbl/os-ultrix4.h \ + missing/snprintf.c \ + mkdep \ + msdos/bin2c.c \ + msdos/common.dj \ + msdos/makefile \ + msdos/makefile.dj \ + msdos/makefile.wc \ + msdos/ndis2.c \ + msdos/ndis2.h \ + msdos/ndis_0.asm \ + msdos/pkt_rx0.asm \ + msdos/pkt_rx1.s \ + msdos/pktdrvr.c \ + msdos/pktdrvr.h \ + msdos/readme.dos \ + net/bpf_filter.c \ + org.tcpdump.chmod_bpf.plist \ + packaging/pcap.spec.in \ + pcap-bpf.c \ + pcap-bpf.h \ + pcap-bt-linux.c \ + pcap-bt-linux.h \ + pcap-config.in \ + pcap-dag.c \ + pcap-dag.h \ + pcap-dlpi.c \ + pcap-dos.c \ + pcap-dos.h \ + pcap-enet.c \ + pcap-int.h \ + pcap-libdlpi.c \ + pcap-linux.c \ + pcap-namedb.h \ + pcap-nit.c \ + pcap-null.c \ + pcap-pf.c \ + pcap-septel.c \ + pcap-septel.h \ + pcap-sita.h \ + pcap-sita.c \ + pcap-sita.html \ + pcap-snit.c \ + pcap-snoop.c \ + pcap-usb-linux.c \ + pcap-usb-linux.h \ + pcap-win32.c \ + runlex.sh \ + scanner.l \ + Win32/Include/Gnuc.h \ + Win32/Include/addrinfo.h \ + Win32/Include/bittypes.h \ + Win32/Include/cdecl_ext.h \ + Win32/Include/inetprivate.h \ + Win32/Include/ip6_misc.h \ + Win32/Include/sockstorage.h \ + Win32/Include/arpa/nameser.h \ + Win32/Include/net/if.h \ + Win32/Include/net/netdb.h \ + Win32/Include/net/paths.h \ + Win32/Prj/libpcap.dsp \ + Win32/Prj/libpcap.dsw \ + Win32/Src/ffs.c \ + Win32/Src/gai_strerror.c \ + Win32/Src/getaddrinfo.c \ + Win32/Src/getnetbynm.c \ + Win32/Src/getnetent.c \ + Win32/Src/getopt.c \ + Win32/Src/getservent.c \ + Win32/Src/inet_aton.c \ + Win32/Src/inet_net.c \ + Win32/Src/inet_pton.c + +all: libpcap.a pcap-config + +libpcap.a: $(OBJ) + @rm -f $@ + 
$(AR) rc $@ $(OBJ) $(LIBS) + $(RANLIB) $@ + +shared: libpcap.$(DYEXT) + +# +# XXX - this works with GNU ld, but won't necessarily work with native +# ld on, for example, various SVR4-flavored platforms, or Digital UNIX. +# +libpcap.so: $(OBJ) + @rm -f $@ + $(CC) -shared -Wl,-soname,$@.1 -o $@.`cat $(srcdir)/VERSION` $(OBJ) $(DAGLIBS) $(TCLIBS) + +# +# The following rule succeeds, but the result is untested. +# +# XXX - OS X installs the library as "libpcap.A.dylib", with that as the +# install_name, and sets the current version to 1 as well. VERSION +# might contain a not-purely-numeric version number, but +# -current_version requires a purely numeric version, so this won't +# work with top-of-tree builds. +# +libpcap.dylib: $(OBJ) + rm -f libpcap*.dylib + $(CC) -dynamiclib -undefined error -o libpcap.`cat $(srcdir)/VERSION`.dylib $(OBJ) \ + -install_name $(libdir)/libpcap.A.dylib \ + -compatibility_version 1 \ + -current_version `sed 's/[^0-9.].*$$//' $(srcdir)/VERSION` + +scanner.c: $(srcdir)/scanner.l + @rm -f $@ + ./runlex.sh $(LEX) -o$@ $< + +scanner.o: scanner.c tokdefs.h + $(CC) $(CFLAGS) -c scanner.c + +pcap.o: version.h + +tokdefs.h: grammar.c +grammar.c: $(srcdir)/grammar.y + @rm -f grammar.c tokdefs.h + $(YACC) -d $< + mv y.tab.c grammar.c + mv y.tab.h tokdefs.h + +grammar.o: grammar.c + @rm -f $@ + $(CC) $(CFLAGS) -Dyylval=pcap_lval -c grammar.c + +version.o: version.c + $(CC) $(CFLAGS) -c version.c + +snprintf.o: $(srcdir)/missing/snprintf.c + $(CC) $(CFLAGS) -o $@ -c $(srcdir)/missing/snprintf.c + +version.c: $(srcdir)/VERSION + @rm -f $@ + sed -e 's/.*/char pcap_version[] = "&";/' $(srcdir)/VERSION > $@ + +# +# NOTE: this really is supposed to be static; importing a string +# from a shared library does not work very well on many +# versions of UNIX (Solaris, Linux, and the BSDs, for example), +# so we make the version string static and return it from +# a function, which does work. 
+# +version.h: $(srcdir)/VERSION + @rm -f $@ + sed -e 's/.*/static const char pcap_version_string[] = "libpcap version &";/' $(srcdir)/VERSION > $@ + +bpf_filter.c: $(srcdir)/bpf/net/bpf_filter.c + rm -f bpf_filter.c + ln -s $(srcdir)/bpf/net/bpf_filter.c bpf_filter.c + +bpf_filter.o: bpf_filter.c + $(CC) $(CFLAGS) -c bpf_filter.c + +# +# Generate the pcap-config script. +# +pcap-config: pcap-config.in Makefile + @rm -f $@ $@.tmp + sed -e 's|@includedir[@]|$(includedir)|g' \ + -e 's|@libdir[@]|$(libdir)|g' \ + -e 's|@DEPLIBS[@]|$(DEPLIBS)|g' \ + pcap-config.in >$@.tmp + mv $@.tmp $@ + chmod a+x $@ + +# +# Test programs - not built by default, and not installed. +# +filtertest: filtertest.c libpcap.a + $(CC) $(CFLAGS) -I. -L. -o filtertest filtertest.c libpcap.a + +findalldevstest: findalldevstest.c libpcap.a + $(CC) $(CFLAGS) -I. -L. -o findalldevstest findalldevstest.c libpcap.a + +install: libpcap.a pcap-config + [ -d $(DESTDIR)$(libdir) ] || \ + (mkdir -p $(DESTDIR)$(libdir); chmod 755 $(DESTDIR)$(libdir)) + $(INSTALL_DATA) libpcap.a $(DESTDIR)$(libdir)/libpcap.a + $(RANLIB) $(DESTDIR)$(libdir)/libpcap.a + [ -d $(DESTDIR)$(includedir) ] || \ + (mkdir -p $(DESTDIR)$(includedir); chmod 755 $(DESTDIR)$(includedir)) + [ -d $(DESTDIR)$(includedir)/pcap ] || \ + (mkdir -p $(DESTDIR)$(includedir)/pcap; chmod 755 $(DESTDIR)$(includedir)/pcap) + [ -d $(DESTDIR)$(mandir)/man1 ] || \ + (mkdir -p $(DESTDIR)$(mandir)/man1; chmod 755 $(DESTDIR)$(mandir)/man1) + [ -d $(DESTDIR)$(mandir)/man3 ] || \ + (mkdir -p $(DESTDIR)$(mandir)/man3; chmod 755 $(DESTDIR)$(mandir)/man3) + [ -d $(DESTDIR)$(mandir)/man5 ] || \ + (mkdir -p $(DESTDIR)$(mandir)/man5; chmod 755 $(DESTDIR)$(mandir)/man5) + [ -d $(DESTDIR)$(mandir)/man7 ] || \ + (mkdir -p $(DESTDIR)$(mandir)/man7; chmod 755 $(DESTDIR)$(mandir)/man7) + $(INSTALL_DATA) $(srcdir)/pcap/pcap.h \ + $(DESTDIR)$(includedir)/pcap/pcap.h + $(INSTALL_DATA) $(srcdir)/pcap/bpf.h \ + $(DESTDIR)$(includedir)/pcap/bpf.h + $(INSTALL_DATA) 
$(srcdir)/pcap/namedb.h \ + $(DESTDIR)$(includedir)/pcap/namedb.h + $(INSTALL_DATA) $(srcdir)/pcap/sll.h \ + $(DESTDIR)$(includedir)/pcap/sll.h + $(INSTALL_DATA) $(srcdir)/pcap/usb.h \ + $(DESTDIR)$(includedir)/pcap/usb.h + $(INSTALL_DATA) $(srcdir)/pcap.h $(DESTDIR)$(includedir)/pcap.h + $(INSTALL_DATA) $(srcdir)/pcap-bpf.h \ + $(DESTDIR)$(includedir)/pcap-bpf.h + $(INSTALL_DATA) $(srcdir)/pcap-namedb.h \ + $(DESTDIR)$(includedir)/pcap-namedb.h + $(INSTALL_PROGRAM) pcap-config $(DESTDIR)$(bindir)/pcap-config + for i in $(MAN1); do \ + $(INSTALL_DATA) $(srcdir)/$$i \ + $(DESTDIR)$(mandir)/man1/$$i; done + for i in $(MAN3PCAP); do \ + $(INSTALL_DATA) $(srcdir)/$$i \ + $(DESTDIR)$(mandir)/man3/$$i; done + ln $(DESTDIR)$(mandir)/man3/pcap_datalink_val_to_name.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_datalink_val_to_description.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_dump_open.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_dump_fopen.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_geterr.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_perror.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_inject.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_sendpacket.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_loop.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_dispatch.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_major_version.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_minor_version.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_next_ex.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_next.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_open_offline.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_fopen_offline.3pcap + ln $(DESTDIR)$(mandir)/man3/pcap_setnonblock.3pcap \ + $(DESTDIR)$(mandir)/man3/pcap_getnonblock.3pcap + for i in $(MANFILE); do \ + $(INSTALL_DATA) $(srcdir)/`echo $$i | sed 's/.manfile.in/.manfile/'` \ + $(DESTDIR)$(mandir)/man5/`echo $$i | sed 's/.manfile.in/.5/'`; done + for i in $(MANMISC); do \ + $(INSTALL_DATA) $(srcdir)/`echo $$i | sed 's/.manmisc.in/.manmisc/'` \ + $(DESTDIR)$(mandir)/man7/`echo $$i | sed 's/.manmisc.in/.7/'`; done + 
+install-shared: install-shared-$(DYEXT) +install-shared-so: libpcap.so + $(INSTALL_PROGRAM) libpcap.so.`cat VERSION` $(DESTDIR)$(libdir)/libpcap.so.`cat VERSION` +install-shared-dylib: libpcap.dylib + $(INSTALL_PROGRAM) libpcap.`cat VERSION`.dylib $(DESTDIR)$(libdir)/libpcap.`cat VERSION`.dylib + VER=`cat VERSION`; cd $(DESTDIR)$(libdir) && ln -sf libpcap.$$VER.dylib libpcap.A.dylib; ln -sf libpcap.A.dylib libpcap.dylib + +uninstall: + rm -f $(DESTDIR)$(libdir)/libpcap.a + rm -f $(DESTDIR)$(includedir)/pcap/pcap.h + rm -f $(DESTDIR)$(includedir)/pcap/bpf.h + rm -f $(DESTDIR)$(includedir)/pcap/namedb.h + rm -f $(DESTDIR)$(includedir)/pcap/sll.h + rm -f $(DESTDIR)$(includedir)/pcap/usb.h + -rmdir $(DESTDIR)$(includedir)/pcap + rm -f $(DESTDIR)$(includedir)/pcap.h + rm -f $(DESTDIR)$(includedir)/pcap-bpf.h + rm -f $(DESTDIR)$(includedir)/pcap-namedb.h + for i in $(MAN1); do \ + rm -f $(DESTDIR)$(mandir)/man1/$$i; done + for i in $(MAN3PCAP); do \ + rm -f $(DESTDIR)$(mandir)/man3/$$i; done + rm -f $(DESTDIR)$(mandir)/man3/pcap_datalink_val_to_description.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_dump_fopen.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_perror.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_sendpacket.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_dispatch.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_minor_version.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_next.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_fopen_offline.3pcap + rm -f $(DESTDIR)$(mandir)/man3/pcap_getnonblock.3pcap + for i in $(MANFILE); do \ + rm -f $(DESTDIR)$(mandir)/man5/`echo $$i | sed 's/.manfile.in/.5/'`; done + for i in $(MANMISC); do \ + rm -f $(DESTDIR)$(mandir)/man7/`echo $$i | sed 's/.manmisc.in/.7/'`; done + +clean: + rm -f $(CLEANFILES) libpcap*.dylib libpcap.so* + +distclean: clean + rm -f Makefile config.cache config.log config.status \ + config.h gnuc.h os-proto.h bpf_filter.c pcap-config \ + stamp-h stamp-h.in + rm -f $(MAN3PCAP_EXPAND:.in=) $(MANFILE:.in=) $(MANMISC:.in=) + rm 
-rf autom4te.cache + +tags: $(TAGFILES) + ctags -wtd $(TAGFILES) + +packaging/pcap.spec: packaging/pcap.spec.in VERSION + RPMVERSION=`cat VERSION | sed s/-.*//g`; \ + sed -e s/@VERSION@/$$RPMVERSION/ -e s/@NAME@/libpcap-`cat VERSION`/ $< > $@ + +releasetar: + @cwd=`pwd` ; dir=`basename $$cwd` ; name=$(PROG)-`cat VERSION` ; \ + mkdir $$name; \ + tar cf - $(CSRC) $(HDR) $(MAN1) $(MAN3PCAP_EXPAND) \ + $(MAN3PCAP_NOEXPAND) $(MANFILE) $(MANMISC) $(EXTRA_DIST) | \ + (cd $$name; tar xf -); \ + tar -c -z -f $$name.tar.gz $$name; \ + rm -rf $$name + +depend: $(GENSRC) $(GENHDR) bpf_filter.c + ./mkdep -c $(CC) $(DEFS) $(INCLS) $(SRC) + +Makefile: Makefile.in config.status + ./config.status + @echo your Makefile was out of date, now run $(MAKE) again + exit 1 diff --git a/winpcap/wpcap/libpcap/bpf_filter.c b/winpcap/wpcap/libpcap/bpf_filter.c new file mode 120000 index 0000000..0605488 --- /dev/null +++ b/winpcap/wpcap/libpcap/bpf_filter.c @@ -0,0 +1 @@ +./bpf/net/bpf_filter.c \ No newline at end of file diff --git a/winpcap/wpcap/libpcap/config.h b/winpcap/wpcap/libpcap/config.h new file mode 100644 index 0000000..9eaed88 --- /dev/null +++ b/winpcap/wpcap/libpcap/config.h 
@@ -0,0 +1,253 @@ +/* config.h. Generated from config.h.in by configure. */ +/* config.h.in. Generated from configure.in by autoheader. */ +/* Long story short: aclocal.m4 depends on autoconf 2.13 + * implementation details wrt "const"; newer versions + * have different implementation details so for now we + * put "const" here. This may cause duplicate definitions + * in config.h but that should be OK since they're the same. + */ +/* #undef const */ + +/* Enable optimizer debugging */ +/* #undef BDEBUG */ + +/* define if you have a cloning BPF device */ +/* #undef HAVE_CLONING_BPF */ + +/* define if you have the DAG API */ +/* #undef HAVE_DAG_API */ + +/* define if you have dag_get_erf_types() */ +/* #undef HAVE_DAG_GET_ERF_TYPES */ + +/* define if you have dag_get_stream_erf_types() */ +/* #undef HAVE_DAG_GET_STREAM_ERF_TYPES */ + +/* define if you have streams capable DAG API */ +/* #undef HAVE_DAG_STREAMS_API */ + +/* Define to 1 if you have the declaration of `ether_hostton', and to 0 if you + don't. */ +#define HAVE_DECL_ETHER_HOSTTON 1 + +/* define if you have a /dev/dlpi */ +/* #undef HAVE_DEV_DLPI */ + +/* if passive_req_t primitive exists */ +/* #undef HAVE_DLPI_PASSIVE */ + +/* Define to 1 if you have the `ether_hostton' function. */ +#define HAVE_ETHER_HOSTTON 1 + +/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */ +#define HAVE_FSEEKO 1 + +/* on HP-UX 10.20 or later */ +/* #undef HAVE_HPUX10_20_OR_LATER */ + +/* on HP-UX 9.x */ +/* #undef HAVE_HPUX9 */ + +/* if ppa_info_t_dl_module_id exists */ +/* #undef HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1 */ + +/* Define to 1 if you have the header file. */ +#define HAVE_INTTYPES_H 1 + +/* if libdlpi exists */ +/* #undef HAVE_LIBDLPI */ + +/* Define to 1 if you have the header file. */ +#define HAVE_LIMITS_H 1 + +/* if tp_vlan_tci exists */ +/* #undef HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI */ + +/* Define to 1 if you have the header file. 
*/ +#define HAVE_LINUX_WIRELESS_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_MEMORY_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_NETINET_ETHER_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_NETINET_IF_ETHER_H 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_NET_IF_MEDIA_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_NET_PFVAR_H */ + +/* if there's an os_proto.h */ +/* #undef HAVE_OS_PROTO_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_PATHS_H 1 + +/* define if net/pfvar.h defines PF_NAT through PF_NORDR */ +/* #undef HAVE_PF_NAT_THROUGH_PF_NORDR */ + +/* define if you have a /proc/net/dev */ +#define HAVE_PROC_NET_DEV 1 + +/* define if you have a Septel API */ +/* #undef HAVE_SEPTEL_API */ + +/* Define to 1 if you have the `snprintf' function. */ +#define HAVE_SNPRINTF 1 + +/* if struct sockaddr has sa_len */ +/* #undef HAVE_SOCKADDR_SA_LEN */ + +/* if struct sockaddr_storage exists */ +#define HAVE_SOCKADDR_STORAGE 1 + +/* define if socklen_t is defined */ +#define HAVE_SOCKLEN_T 1 + +/* On solaris */ +/* #undef HAVE_SOLARIS */ + +/* Define to 1 if you have the header file. */ +#define HAVE_STDINT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STDLIB_H 1 + +/* Define to 1 if you have the `strerror' function. */ +#define HAVE_STRERROR 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRINGS_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRING_H 1 + +/* Define to 1 if you have the `strlcpy' function. */ +/* #undef HAVE_STRLCPY */ + +/* Define to 1 if the system has the type `struct ether_addr'. */ +/* #undef HAVE_STRUCT_ETHER_ADDR */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_SYS_BUFMOD_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_SYS_DLPI_EXT_H */ + +/* Define to 1 if you have the header file. 
*/ +/* #undef HAVE_SYS_IOCCOM_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_SYS_SOCKIO_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_STAT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_TYPES_H 1 + +/* if if_packet.h has tpacket_stats defined */ +#define HAVE_TPACKET_STATS 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_UNISTD_H 1 + +/* define if version.h is generated in the build procedure */ +#define HAVE_VERSION_H 1 + +/* Define to 1 if you have the `vsnprintf' function. */ +#define HAVE_VSNPRINTF 1 + +/* define if the system supports zerocopy BPF */ +/* #undef HAVE_ZEROCOPY_BPF */ + +/* define if your compiler has __attribute__ */ +#define HAVE___ATTRIBUTE__ 1 + +/* IPv6 */ +#define INET6 1 + +/* if unaligned access fails */ +/* #undef LBL_ALIGN */ + +/* path for device for USB sniffing */ +#define LINUX_USB_MON_DEV "/dev/usbmon" + +/* Define to 1 if netinet/ether.h declares `ether_hostton' */ +#define NETINET_ETHER_H_DECLARES_ETHER_HOSTTON + +/* Define to 1 if netinet/if_ether.h declares `ether_hostton' */ +/* #undef NETINET_IF_ETHER_H_DECLARES_ETHER_HOSTTON */ + +/* do not use protochain */ +/* #undef NO_PROTOCHAIN */ + +/* Define to the address where bug reports for this package should be sent. */ +#define PACKAGE_BUGREPORT "" + +/* Define to the full name of this package. */ +#define PACKAGE_NAME "" + +/* Define to the full name and version of this package. */ +#define PACKAGE_STRING "" + +/* Define to the one symbol short name of this package. */ +#define PACKAGE_TARNAME "" + +/* Define to the version of this package. */ +#define PACKAGE_VERSION "" + +/* /dev/dlpi directory */ +/* #undef PCAP_DEV_PREFIX */ + +/* target host supports Bluetooth sniffing */ +/* #undef PCAP_SUPPORT_BT */ + +/* target host supports USB sniffing */ +#define PCAP_SUPPORT_USB 1 + +/* include ACN support */ +/* #undef SITA */ + +/* Define to 1 if you have the ANSI C header files. 
*/ +#define STDC_HEADERS 1 + +/* Enable parser debugging */ +/* #undef YYDEBUG */ + +/* Number of bits in a file offset, on hosts where this is settable. */ +/* #undef _FILE_OFFSET_BITS */ + +/* needed on HP-UX */ +/* #undef _HPUX_SOURCE */ + +/* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */ +/* #undef _LARGEFILE_SOURCE */ + +/* Define for large files, on AIX-style hosts. */ +/* #undef _LARGE_FILES */ + +/* define on AIX to get certain functions */ +/* #undef _SUN */ + +/* Define as token for inline if inlining supported */ +#define inline inline + +/* on sinix */ +/* #undef sinix */ + +/* if we have u_int16_t */ +/* #undef u_int16_t */ + +/* if we have u_int32_t */ +/* #undef u_int32_t */ + +/* if we have u_int64_t */ +/* #undef u_int64_t */ + +/* if we have u_int8_t */ +/* #undef u_int8_t */ diff --git a/winpcap/wpcap/libpcap/config.status b/winpcap/wpcap/libpcap/config.status new file mode 100755 index 0000000..5e5f47d --- /dev/null +++ b/winpcap/wpcap/libpcap/config.status 
@@ -0,0 +1,902 @@ +#! /bin/sh +# Generated by configure. +# Run this file to recreate the current configuration. +# Compiler output produced by configure, useful for debugging +# configure, is in config.log if it exists. + +debug=false +ac_cs_recheck=false +ac_cs_silent=false +SHELL=${CONFIG_SHELL-/bin/sh} +## --------------------- ## +## M4sh Initialization. ## +## --------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac + +fi + + + + +# PATH needs CR +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + echo "#! /bin/sh" >conf$$.sh + echo "exit 0" >>conf$$.sh + chmod +x conf$$.sh + if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conf$$.sh +fi + +# Support unset when possible. +if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + as_unset=unset +else + as_unset=false +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +as_nl=' +' +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. 
+case $0 in + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + { (exit 1); exit 1; } +fi + +# Work around bugs in pre-3.0 UWIN ksh. +for as_var in ENV MAIL MAILPATH +do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +for as_var in \ + LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \ + LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \ + LC_TELEPHONE LC_TIME +do + if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then + eval $as_var=C; export $as_var + else + ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var + fi +done + +# Required to use basename. +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + + +# Name of the executable. +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# CDPATH. 
+$as_unset CDPATH + + + + as_lineno_1=$LINENO + as_lineno_2=$LINENO + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { + + # Create $as_me.lineno as a copy of $as_myself, but with $LINENO + # uniformly replaced by the line number. The first 'sed' inserts a + # line-number line after each line using $LINENO; the second 'sed' + # does the real work. The second script uses 'N' to pair each + # line-number line with the line containing $LINENO, and appends + # trailing '-' during substitution so that $LINENO is not a special + # case at line end. + # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the + # scripts with optimization help from Paolo Bonzini. Blame Lee + # E. McMahon (1931-1989) for sed's syntax. :-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | + sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno + N + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ + t loop + s/-\n.*// + ' >$as_me.lineno && + chmod +x "$as_me.lineno" || + { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 + { (exit 1); exit 1; }; } + + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" + # Exit status is that of the last command. + exit +} + + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in +-n*) + case `echo 'x\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. 
+ *) ECHO_C='\c';; + esac;; +*) + ECHO_N='-n';; +esac + +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir +fi +echo >conf$$.file +if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -p'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -p' +elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln +else + as_ln_s='cp -p' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + +if mkdir -p . 2>/dev/null; then + as_mkdir_p=: +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + +exec 6>&1 + +# Save the log message, to keep $[0] and so on meaningful, and to +# report actual input values of CONFIG_FILES etc. instead of their +# values after options handling. +ac_log=" +This file was extended by $as_me, which was +generated by GNU Autoconf 2.61. 
Invocation command line was + + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS + CONFIG_LINKS = $CONFIG_LINKS + CONFIG_COMMANDS = $CONFIG_COMMANDS + $ $0 $@ + +on `(hostname || uname -n) 2>/dev/null | sed 1q` +" + +# Files that config.status was made for. +config_files=" Makefile pcap-filter.manmisc pcap-linktype.manmisc pcap-savefile.manfile pcap.3pcap pcap_compile.3pcap pcap_datalink.3pcap pcap_dump_open.3pcap pcap_list_datalinks.3pcap pcap_open_dead.3pcap pcap_open_offline.3pcap" +config_headers=" config.h" + +ac_cs_usage="\ +\`$as_me' instantiates files from templates according to the +current configuration. + +Usage: $0 [OPTIONS] [FILE]... + + -h, --help print this help, then exit + -V, --version print version number and configuration settings, then exit + -q, --quiet do not print progress messages + -d, --debug don't remove temporary files + --recheck update $as_me by reconfiguring in the same conditions + --file=FILE[:TEMPLATE] + instantiate the configuration file FILE + --header=FILE[:TEMPLATE] + instantiate the configuration header FILE + +Configuration files: +$config_files + +Configuration headers: +$config_headers + +Report bugs to ." + +ac_cs_version="\ +config.status +configured by ./configure, generated by GNU Autoconf 2.61, + with options \"'--build=aarch64-unknown-linux-gnu' '--enable-remote' 'build_alias=aarch64-unknown-linux-gnu'\" + +Copyright (C) 2006 Free Software Foundation, Inc. +This config.status script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it." + +ac_pwd='/opt/rpcapd/winpcap/wpcap/libpcap' +srcdir='.' +INSTALL='/usr/bin/install -c' +# If no file are specified by the user, then we need to provide default +# value. By we need to know if files were specified by the user. 
+ac_need_defaults=: +while test $# != 0 +do + case $1 in + --*=*) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` + ac_shift=: + ;; + *) + ac_option=$1 + ac_optarg=$2 + ac_shift=shift + ;; + esac + + case $ac_option in + # Handling of the options. + -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + ac_cs_recheck=: ;; + --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) + echo "$ac_cs_version"; exit ;; + --debug | --debu | --deb | --de | --d | -d ) + debug=: ;; + --file | --fil | --fi | --f ) + $ac_shift + CONFIG_FILES="$CONFIG_FILES $ac_optarg" + ac_need_defaults=false;; + --header | --heade | --head | --hea ) + $ac_shift + CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg" + ac_need_defaults=false;; + --he | --h) + # Conflict between --help and --header + { echo "$as_me: error: ambiguous option: $1 +Try \`$0 --help' for more information." >&2 + { (exit 1); exit 1; }; };; + --help | --hel | -h ) + echo "$ac_cs_usage"; exit ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil | --si | --s) + ac_cs_silent=: ;; + + # This is an error. + -*) { echo "$as_me: error: unrecognized option: $1 +Try \`$0 --help' for more information." 
>&2 + { (exit 1); exit 1; }; } ;; + + *) ac_config_targets="$ac_config_targets $1" + ac_need_defaults=false ;; + + esac + shift +done + +ac_configure_extra_args= + +if $ac_cs_silent; then + exec 6>/dev/null + ac_configure_extra_args="$ac_configure_extra_args --silent" +fi + +if $ac_cs_recheck; then + echo "running CONFIG_SHELL=/bin/sh /bin/sh ./configure " '--build=aarch64-unknown-linux-gnu' '--enable-remote' 'build_alias=aarch64-unknown-linux-gnu' $ac_configure_extra_args " --no-create --no-recursion" >&6 + CONFIG_SHELL=/bin/sh + export CONFIG_SHELL + exec /bin/sh "./configure" '--build=aarch64-unknown-linux-gnu' '--enable-remote' 'build_alias=aarch64-unknown-linux-gnu' $ac_configure_extra_args --no-create --no-recursion +fi + +exec 5>>config.log +{ + echo + sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX +## Running $as_me. ## +_ASBOX + echo "$ac_log" +} >&5 + + +# Handling of arguments. +for ac_config_target in $ac_config_targets +do + case $ac_config_target in + "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; + "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; + "pcap-filter.manmisc") CONFIG_FILES="$CONFIG_FILES pcap-filter.manmisc" ;; + "pcap-linktype.manmisc") CONFIG_FILES="$CONFIG_FILES pcap-linktype.manmisc" ;; + "pcap-savefile.manfile") CONFIG_FILES="$CONFIG_FILES pcap-savefile.manfile" ;; + "pcap.3pcap") CONFIG_FILES="$CONFIG_FILES pcap.3pcap" ;; + "pcap_compile.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_compile.3pcap" ;; + "pcap_datalink.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_datalink.3pcap" ;; + "pcap_dump_open.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_dump_open.3pcap" ;; + "pcap_list_datalinks.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_list_datalinks.3pcap" ;; + "pcap_open_dead.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_open_dead.3pcap" ;; + "pcap_open_offline.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_open_offline.3pcap" ;; + + *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5 +echo "$as_me: error: invalid 
argument: $ac_config_target" >&2;} + { (exit 1); exit 1; }; };; + esac +done + + +# If the user did not use the arguments to specify the items to instantiate, +# then the envvar interface is used. Set only those that are not. +# We use the long form for the default assignment because of an extremely +# bizarre bug on SunOS 4.1.3. +if $ac_need_defaults; then + test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files + test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers +fi + +# Have a temporary directory for convenience. Make it in the build tree +# simply because there is no reason against having it here, and in addition, +# creating and moving files from /tmp can sometimes cause problems. +# Hook for its removal unless debugging. +# Note that there is a small window in which the directory will not be cleaned: +# after its creation but before its name has been assigned to `$tmp'. +$debug || +{ + tmp= + trap 'exit_status=$? + { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status +' 0 + trap '{ (exit 1); exit 1; }' 1 2 13 15 +} +# Create a (secure) tmp directory for tmp files. + +{ + tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && + test -n "$tmp" && test -d "$tmp" +} || +{ + tmp=./conf$$-$RANDOM + (umask 077 && mkdir "$tmp") +} || +{ + echo "$me: cannot create a temporary directory in ." >&2 + { (exit 1); exit 1; } +} + +# +# Set up the sed scripts for CONFIG_FILES section. +# + +# No need to generate the scripts if there are no CONFIG_FILES. 
+# This happens for instance when ./config.status config.h +if test -n "$CONFIG_FILES"; then + +cat >"$tmp/subs-1.sed" <<\CEOF +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end +s,@SHELL@,|#_!!_#|/bin/sh,g +s,@PATH_SEPARATOR@,|#_!!_#|:,g +s,@PACKAGE_NAME@,|#_!!_#|,g +s,@PACKAGE_TARNAME@,|#_!!_#|,g +s,@PACKAGE_VERSION@,|#_!!_#|,g +s,@PACKAGE_STRING@,|#_!!_#|,g +s,@PACKAGE_BUGREPORT@,|#_!!_#|,g +s,@exec_prefix@,|#_!!_#|${prefix},g +s,@prefix@,|#_!!_#|/usr/local,g +s,@program_transform_name@,|#_!!_#|s\,x\,x\,,g +s,@bindir@,|#_!!_#|${exec_prefix}/bin,g +s,@sbindir@,|#_!!_#|${exec_prefix}/sbin,g +s,@libexecdir@,|#_!!_#|${exec_prefix}/libexec,g +s,@datarootdir@,|#_!!_#|${prefix}/share,g +s,@datadir@,|#_!!_#|${datarootdir},g +s,@sysconfdir@,|#_!!_#|${prefix}/etc,g +s,@sharedstatedir@,|#_!!_#|${prefix}/com,g +s,@localstatedir@,|#_!!_#|${prefix}/var,g +s,@includedir@,|#_!!_#|${prefix}/include,g +s,@oldincludedir@,|#_!!_#|/usr/include,g +s,@docdir@,|#_!!_#|${datarootdir}/doc/${PACKAGE},g +s,@infodir@,|#_!!_#|${datarootdir}/info,g +s,@htmldir@,|#_!!_#|${docdir},g +s,@dvidir@,|#_!!_#|${docdir},g +s,@pdfdir@,|#_!!_#|${docdir},g +s,@psdir@,|#_!!_#|${docdir},g +s,@libdir@,|#_!!_#|${exec_prefix}/lib,g +s,@localedir@,|#_!!_#|${datarootdir}/locale,g +s,@mandir@,|#_!!_#|${datarootdir}/man,g +s,@DEFS@,|#_!!_#|-DHAVE_CONFIG_H,g +s,@ECHO_C@,|#_!!_#|,g +s,@ECHO_N@,|#_!!_#|-n,g +s,@ECHO_T@,|#_!!_#|,g +s,@LIBS@,|#_!!_#|,g +s,@build_alias@,|#_!!_#|aarch64-unknown-linux-gnu,g +s,@host_alias@,|#_!!_#|,g +s,@target_alias@,|#_!!_#|,g +s,@build@,|#_!!_#|aarch64-unknown-linux-gnu,g +s,@build_cpu@,|#_!!_#|aarch64,g +s,@build_vendor@,|#_!!_#|unknown,g +s,@build_os@,|#_!!_#|linux-gnu,g +s,@host@,|#_!!_#|aarch64-unknown-linux-gnu,g +s,@host_cpu@,|#_!!_#|aarch64,g +s,@host_vendor@,|#_!!_#|unknown,g +s,@host_os@,|#_!!_#|linux-gnu,g +s,@target@,|#_!!_#|aarch64-unknown-linux-gnu,g +s,@target_cpu@,|#_!!_#|aarch64,g +s,@target_vendor@,|#_!!_#|unknown,g +s,@target_os@,|#_!!_#|linux-gnu,g +s,@SHLICC2@,|#_!!_#|,g 
+s,@CC@,|#_!!_#|gcc,g +s,@CFLAGS@,|#_!!_#|-g -O2,g +s,@LDFLAGS@,|#_!!_#|,g +s,@CPPFLAGS@,|#_!!_#|,g +s,@ac_ct_CC@,|#_!!_#|gcc,g +s,@EXEEXT@,|#_!!_#|,g +s,@OBJEXT@,|#_!!_#|o,g +s,@CPP@,|#_!!_#|gcc -E,g +s,@GREP@,|#_!!_#|/usr/bin/grep,g +s,@EGREP@,|#_!!_#|/usr/bin/grep -E,g +s,@LIBOBJS@,|#_!!_#|,g +s,@V_LEX@,|#_!!_#|flex -Ppcap_,g +s,@V_YACC@,|#_!!_#|bison -y -p pcap_,g +s,@RANLIB@,|#_!!_#|ranlib,g +s,@V_CCOPT@,|#_!!_#|-O2 -fPIC,g +s,@V_DEFS@,|#_!!_#| -D_U_="__attribute__((unused))",g +s,@V_INCLS@,|#_!!_#|,g +s,@V_LIBS@,|#_!!_#|,g +s,@V_PCAP@,|#_!!_#|linux,g +s,@V_FINDALLDEVS@,|#_!!_#|getad,g +s,@V_HAVE_REMOTE@,|#_!!_#|-DHAVE_REMOTE,g +s,@V_REMOTE_FILES@,|#_!!_#|pcap-new.c pcap-remote.c sockutils.c,g +s,@V_HAVE_TC_API@,|#_!!_#|,g +s,@V_TC_FILES@,|#_!!_#|,g +s,@V_TCLIBS@,|#_!!_#|,g +s,@SSRC@,|#_!!_#|,g +s,@DYEXT@,|#_!!_#|so,g +s,@DAGLIBS@,|#_!!_#|,g +s,@DEPLIBS@,|#_!!_#|,g +s,@MAN_FILE_FORMATS@,|#_!!_#|5,g +s,@MAN_MISC_INFO@,|#_!!_#|7,g +s,@PCAP_SUPPORT_USB@,|#_!!_#|,g +s,@USB_SRC@,|#_!!_#|pcap-usb-linux.c,g +s,@PCAP_SUPPORT_BT@,|#_!!_#|,g +s,@BT_SRC@,|#_!!_#|,g +s,@INSTALL_PROGRAM@,|#_!!_#|${INSTALL},g +s,@INSTALL_SCRIPT@,|#_!!_#|${INSTALL},g +s,@INSTALL_DATA@,|#_!!_#|${INSTALL} -m 644,g +s,@LTLIBOBJS@,|#_!!_#|,g +:end +s/|#_!!_#|//g +CEOF +fi # test -n "$CONFIG_FILES" + + +for ac_tag in :F $CONFIG_FILES :H $CONFIG_HEADERS +do + case $ac_tag in + :[FHLC]) ac_mode=$ac_tag; continue;; + esac + case $ac_mode$ac_tag in + :[FHL]*:*);; + :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5 +echo "$as_me: error: Invalid tag $ac_tag." >&2;} + { (exit 1); exit 1; }; };; + :[FH]-) ac_tag=-:-;; + :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; + esac + ac_save_IFS=$IFS + IFS=: + set x $ac_tag + IFS=$ac_save_IFS + shift + ac_file=$1 + shift + + case $ac_mode in + :L) ac_source=$1;; + :[FH]) + ac_file_inputs= + for ac_f + do + case $ac_f in + -) ac_f="$tmp/stdin";; + *) # Look for the file first in the build tree, then in the source tree + # (if the path is not absolute). 
The absolute path cannot be DOS-style, + # because $ac_f cannot contain `:'. + test -f "$ac_f" || + case $ac_f in + [\\/$]*) false;; + *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; + esac || + { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5 +echo "$as_me: error: cannot find input file: $ac_f" >&2;} + { (exit 1); exit 1; }; };; + esac + ac_file_inputs="$ac_file_inputs $ac_f" + done + + # Let's still pretend it is `configure' which instantiates (i.e., don't + # use $as_me), people would be surprised to read: + # /* config.h. Generated by config.status. */ + configure_input="Generated from "`IFS=: + echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure." + if test x"$ac_file" != x-; then + configure_input="$ac_file. $configure_input" + { echo "$as_me:$LINENO: creating $ac_file" >&5 +echo "$as_me: creating $ac_file" >&6;} + fi + + case $ac_tag in + *:-:* | *:-) cat >"$tmp/stdin";; + esac + ;; + esac + + ac_dir=`$as_dirname -- "$ac_file" || +$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$ac_file" : 'X\(//\)[^/]' \| \ + X"$ac_file" : 'X\(//\)$' \| \ + X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || +echo X"$ac_file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + { as_dir="$ac_dir" + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 
2>/dev/null || +echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 +echo "$as_me: error: cannot create directory $as_dir" >&2;} + { (exit 1); exit 1; }; }; } + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + + case $ac_mode in + :F) + # + # CONFIG_FILE + # + + case $INSTALL in + [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; + *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; + esac +# If the template does not know about datarootdir, expand it. +# FIXME: This hack should be removed a few years after 2.60. 
+ac_datarootdir_hack=; ac_datarootdir_seen= + +case `sed -n '/datarootdir/ { + p + q +} +/@datadir@/p +/@docdir@/p +/@infodir@/p +/@localedir@/p +/@mandir@/p +' $ac_file_inputs` in +*datarootdir*) ac_datarootdir_seen=yes;; +*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) + { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 +echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} + ac_datarootdir_hack=' + s&@datadir@&${datarootdir}&g + s&@docdir@&${datarootdir}/doc/${PACKAGE}&g + s&@infodir@&${datarootdir}/info&g + s&@localedir@&${datarootdir}/locale&g + s&@mandir@&${datarootdir}/man&g + s&\${datarootdir}&${prefix}/share&g' ;; +esac + sed "/^[ ]*VPATH[ ]*=/{ +s/:*\$(srcdir):*/:/ +s/:*\${srcdir}:*/:/ +s/:*@srcdir@:*/:/ +s/^\([^=]*=[ ]*\):*/\1/ +s/:*$// +s/^[^=]*=[ ]*$// +} + +:t +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b +s&@configure_input@&$configure_input&;t t +s&@top_builddir@&$ac_top_builddir_sub&;t t +s&@srcdir@&$ac_srcdir&;t t +s&@abs_srcdir@&$ac_abs_srcdir&;t t +s&@top_srcdir@&$ac_top_srcdir&;t t +s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t +s&@builddir@&$ac_builddir&;t t +s&@abs_builddir@&$ac_abs_builddir&;t t +s&@abs_top_builddir@&$ac_abs_top_builddir&;t t +s&@INSTALL@&$ac_INSTALL&;t t +$ac_datarootdir_hack +" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out + +test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && + { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && + { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } && + { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined." >&5 +echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined." 
>&2;} + + rm -f "$tmp/stdin" + case $ac_file in + -) cat "$tmp/out"; rm -f "$tmp/out";; + *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;; + esac + ;; + :H) + # + # CONFIG_HEADER + # + # First, check the format of the line: + cat >"$tmp/defines.sed" <<\CEOF +/^[ ]*#[ ]*undef[ ][ ]*[_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ][_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]*[ ]*$/b def +/^[ ]*#[ ]*define[ ][ ]*[_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ][_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]*[( ]/b def +b +:def +s/$/ / +s,^\([ #]*\)[^ ]*\([ ]*PACKAGE_NAME\)[ (].*,\1define\2 "" , +s,^\([ #]*\)[^ ]*\([ ]*PACKAGE_TARNAME\)[ (].*,\1define\2 "" , +s,^\([ #]*\)[^ ]*\([ ]*PACKAGE_VERSION\)[ (].*,\1define\2 "" , +s,^\([ #]*\)[^ ]*\([ ]*PACKAGE_STRING\)[ (].*,\1define\2 "" , +s,^\([ #]*\)[^ ]*\([ ]*PACKAGE_BUGREPORT\)[ (].*,\1define\2 "" , +s,^\([ #]*\)[^ ]*\([ ]*inline\)[ (].*,\1define\2 inline , +s,^\([ #]*\)[^ ]*\([ ]*HAVE___ATTRIBUTE__\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_FSEEKO\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*STDC_HEADERS\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_SYS_TYPES_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_SYS_STAT_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_STDLIB_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_STRING_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_MEMORY_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_STRINGS_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_INTTYPES_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_STDINT_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_UNISTD_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_LIMITS_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_PATHS_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_NETINET_IF_ETHER_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_STRERROR\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_VSNPRINTF\)[ 
(].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_SNPRINTF\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_ETHER_HOSTTON\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_NETINET_ETHER_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*NETINET_ETHER_H_DECLARES_ETHER_HOSTTON\)[ (].*,\1define\2 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_DECL_ETHER_HOSTTON\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_LINUX_WIRELESS_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_TPACKET_STATS\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_SOCKLEN_T\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_REMOTE\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*INET6\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_PROC_NET_DEV\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_SOCKADDR_STORAGE\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*HAVE_VERSION_H\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*PCAP_SUPPORT_USB\)[ (].*,\1define\2 1 , +s,^\([ #]*\)[^ ]*\([ ]*LINUX_USB_MON_DEV\)[ (].*,\1define\2 "/dev/usbmon" , +s/ $// +s,^[ #]*u.*,/* & */, +CEOF + sed -f "$tmp/defines.sed" $ac_file_inputs >"$tmp/out1" +ac_result="$tmp/out1" + if test x"$ac_file" != x-; then + echo "/* $configure_input */" >"$tmp/config.h" + cat "$ac_result" >>"$tmp/config.h" + if diff $ac_file "$tmp/config.h" >/dev/null 2>&1; then + { echo "$as_me:$LINENO: $ac_file is unchanged" >&5 +echo "$as_me: $ac_file is unchanged" >&6;} + else + rm -f $ac_file + mv "$tmp/config.h" $ac_file + fi + else + echo "/* $configure_input */" + cat "$ac_result" + fi + rm -f "$tmp/out12" + ;; + + + esac + +done # for ac_tag + + +{ (exit 0); exit 0; } diff --git a/winpcap/wpcap/libpcap/net b/winpcap/wpcap/libpcap/net new file mode 120000 index 0000000..b3eaca9 --- /dev/null +++ b/winpcap/wpcap/libpcap/net @@ -0,0 +1 @@ +./bpf/net \ No newline at end of file diff --git a/winpcap/wpcap/libpcap/pcap-config b/winpcap/wpcap/libpcap/pcap-config new file mode 100755 index 0000000..d3e9329 --- /dev/null 
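Review bot: config.status is configure output for one build host and should not be checked in: it records `ac_pwd='/opt/rpcapd/winpcap/wpcap/libpcap'` and the `'--build=aarch64-unknown-linux-gnu' '--enable-remote'` invocation, and its `--recheck` branch re-executes `./configure` with exactly those arguments. Committing about 900 lines of executable (mode 100755) generated shell means the configuration in the tree can silently differ from what `configure` would produce on the builder's own machine, and it cannot realistically be reviewed line by line. The same applies to the generated `config.h` (listed in `config_headers`) and, as far as the hard-coded `/usr/local` paths suggest, to `pcap-config`. I would drop these files from the commit, add ignore entries such as `winpcap/wpcap/libpcap/config.status` and `winpcap/wpcap/libpcap/config.h`, and document the configure command instead, so that `--enable-remote` (which substitutes `-DHAVE_REMOTE` and pulls in `pcap-remote.c` and `sockutils.c`) stays a visible, deliberate build choice.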
+++ b/winpcap/wpcap/libpcap/pcap-config
@@ -0,0 +1,16 @@
+#! /bin/sh
+
+#
+# Script to give the appropriate compiler flags and linker flags
+# to use when building code that uses libpcap.
+#
+case "$1" in
+
+--cflags)
+ echo "-I /usr/local/include"
+ ;;
+
+--libs)
+ echo "-L /usr/local/lib -lpcap "
+ ;;
+esac
diff --git a/winpcap/wpcap/libpcap/pcap-filter.manmisc b/winpcap/wpcap/libpcap/pcap-filter.manmisc
new file mode 100644
index 0000000..372bb98
--- /dev/null
+++ b/winpcap/wpcap/libpcap/pcap-filter.manmisc
@@ -0,0 +1,949 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap-filter.manmisc.in,v 1.1.2.2 2008-10-21 07:44:56 guy Exp $ (LBL) +.\" +.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP-FILTER 7 "6 January 2008" +.SH NAME +pcap-filter \- packet filter syntax +.br +.ad +.SH DESCRIPTION +.LP +.B pcap_compile() +is used to compile a string into a filter program. +The resulting filter program can then be applied to +some stream of packets to determine which packets will be supplied to +.BR pcap_loop() , +.BR pcap_dispatch() , +.BR pcap_next() , +or +.BR pcap_next_ex() . +.LP +The \fIfilter expression\fP consists of one or more +.IR primitives . +Primitives usually consist of an +.I id +(name or number) preceded by one or more qualifiers. 
+There are three +different kinds of qualifier: +.IP \fItype\fP +qualifiers say what kind of thing the id name or number refers to. +Possible types are +.BR host , +.B net , +.B port +and +.BR portrange . +E.g., `host foo', `net 128.3', `port 20', `portrange 6000-6008'. +If there is no type +qualifier, +.B host +is assumed. +.IP \fIdir\fP +qualifiers specify a particular transfer direction to and/or from +.IR id . +Possible directions are +.BR src , +.BR dst , +.BR "src or dst" , +.BR "src and dst" , +.BR addr1 , +.BR addr2 , +.BR addr3 , +and +.BR addr4 . +E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. +If +there is no dir qualifier, +.B "src or dst" +is assumed. +The +.BR addr1 , +.BR addr2 , +.BR addr3 , +and +.B addr4 +qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. +For some link layers, such as SLIP and the ``cooked'' Linux capture mode +used for the ``any'' device and for some other device types, the +.B inbound +and +.B outbound +qualifiers can be used to specify a desired direction. +.IP \fIproto\fP +qualifiers restrict the match to a particular protocol. +Possible +protos are: +.BR ether , +.BR fddi , +.BR tr , +.BR wlan , +.BR ip , +.BR ip6 , +.BR arp , +.BR rarp , +.BR decnet , +.B tcp +and +.BR udp . +E.g., `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange +7000-7009', `wlan addr2 0:2:3:4:5:6'. +If there is +no proto qualifier, all protocols consistent with the type are +assumed. +E.g., `src foo' means `(ip or arp or rarp) src foo' +(except the latter is not legal syntax), `net bar' means `(ip or +arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'. 
+.LP +[`fddi' is actually an alias for `ether'; the parser treats them +identically as meaning ``the data link level used on the specified +network interface.'' FDDI headers contain Ethernet-like source +and destination addresses, and often contain Ethernet-like packet +types, so you can filter on these FDDI fields just as with the +analogous Ethernet fields. +FDDI headers also contain other fields, +but you cannot name them explicitly in a filter expression. +.LP +Similarly, `tr' and `wlan' are aliases for `ether'; the previous +paragraph's statements about FDDI headers also apply to Token Ring +and 802.11 wireless LAN headers. For 802.11 headers, the destination +address is the DA field and the source address is the SA field; the +BSSID, RA, and TA fields aren't tested.] +.LP +In addition to the above, there are some special `primitive' keywords +that don't follow the pattern: +.BR gateway , +.BR broadcast , +.BR less , +.B greater +and arithmetic expressions. +All of these are described below. +.LP +More complex filter expressions are built up by using the words +.BR and , +.B or +and +.B not +to combine primitives. +E.g., `host foo and not port ftp and not port ftp-data'. +To save typing, identical qualifier lists can be omitted. +E.g., +`tcp dst port ftp or ftp-data or domain' is exactly the same as +`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'. +.LP +Allowable primitives are: +.IP "\fBdst host \fIhost\fR" +True if the IPv4/v6 destination field of the packet is \fIhost\fP, +which may be either an address or a name. +.IP "\fBsrc host \fIhost\fR" +True if the IPv4/v6 source field of the packet is \fIhost\fP. +.IP "\fBhost \fIhost\fP +True if either the IPv4/v6 source or destination of the packet is \fIhost\fP. 
+.IP +Any of the above host expressions can be prepended with the keywords, +\fBip\fP, \fBarp\fP, \fBrarp\fP, or \fBip6\fP as in: +.in +.5i +.nf +\fBip host \fIhost\fR +.fi +.in -.5i +which is equivalent to: +.in +.5i +.nf +\fBether proto \fI\\ip\fB and host \fIhost\fR +.fi +.in -.5i +If \fIhost\fR is a name with multiple IP addresses, each address will +be checked for a match. +.IP "\fBether dst \fIehost\fP +True if the Ethernet destination address is \fIehost\fP. +\fIEhost\fP +may be either a name from /etc/ethers or a number (see +.IR ethers (3N) +for numeric format). +.IP "\fBether src \fIehost\fP +True if the Ethernet source address is \fIehost\fP. +.IP "\fBether host \fIehost\fP +True if either the Ethernet source or destination address is \fIehost\fP. +.IP "\fBgateway\fP \fIhost\fP +True if the packet used \fIhost\fP as a gateway. +I.e., the Ethernet +source or destination address was \fIhost\fP but neither the IP source +nor the IP destination was \fIhost\fP. +\fIHost\fP must be a name and +must be found both by the machine's host-name-to-IP-address resolution +mechanisms (host name file, DNS, NIS, etc.) and by the machine's +host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). +(An equivalent expression is +.in +.5i +.nf +\fBether host \fIehost \fBand not host \fIhost\fR +.fi +.in -.5i +which can be used with either names or numbers for \fIhost / ehost\fP.) +This syntax does not work in IPv6-enabled configuration at this moment. +.IP "\fBdst net \fInet\fR" +True if the IPv4/v6 destination address of the packet has a network +number of \fInet\fP. +\fINet\fP may be either a name from the networks database +(/etc/networks, etc.) or a network number. 
+An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0), +dotted triple (e.g., 192.168.1), dotted pair (e.g, 172.16), or single +number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad +(which means that it's really a host match), 255.255.255.0 for a dotted +triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number. +An IPv6 network number must be written out fully; the netmask is +ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 "network" matches are really always +host matches, and a network match requires a netmask length. +.IP "\fBsrc net \fInet\fR" +True if the IPv4/v6 source address of the packet has a network +number of \fInet\fP. +.IP "\fBnet \fInet\fR" +True if either the IPv4/v6 source or destination address of the packet has a network +number of \fInet\fP. +.IP "\fBnet \fInet\fR \fBmask \fInetmask\fR" +True if the IPv4 address matches \fInet\fR with the specific \fInetmask\fR. +May be qualified with \fBsrc\fR or \fBdst\fR. +Note that this syntax is not valid for IPv6 \fInet\fR. +.IP "\fBnet \fInet\fR/\fIlen\fR" +True if the IPv4/v6 address matches \fInet\fR with a netmask \fIlen\fR +bits wide. +May be qualified with \fBsrc\fR or \fBdst\fR. +.IP "\fBdst port \fIport\fR" +True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a +destination port value of \fIport\fP. +The \fIport\fP can be a number or a name used in /etc/services (see +.IR tcp (4P) +and +.IR udp (4P)). +If a name is used, both the port +number and protocol are checked. +If a number or ambiguous name is used, +only the port number is checked (e.g., \fBdst port 513\fR will print both +tcp/login traffic and udp/who traffic, and \fBport domain\fR will print +both tcp/domain and udp/domain traffic). +.IP "\fBsrc port \fIport\fR" +True if the packet has a source port value of \fIport\fP. +.IP "\fBport \fIport\fR" +True if either the source or destination port of the packet is \fIport\fP. 
+.IP "\fBdst portrange \fIport1\fB-\fIport2\fR" +True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a +destination port value between \fIport1\fP and \fIport2\fP. +.I port1 +and +.I port2 +are interpreted in the same fashion as the +.I port +parameter for +.BR port . +.IP "\fBsrc portrange \fIport1\fB-\fIport2\fR" +True if the packet has a source port value between \fIport1\fP and +\fIport2\fP. +.IP "\fBportrange \fIport1\fB-\fIport2\fR" +True if either the source or destination port of the packet is between +\fIport1\fP and \fIport2\fP. +.IP +Any of the above port or port range expressions can be prepended with +the keywords, \fBtcp\fP or \fBudp\fP, as in: +.in +.5i +.nf +\fBtcp src port \fIport\fR +.fi +.in -.5i +which matches only tcp packets whose source port is \fIport\fP. +.IP "\fBless \fIlength\fR" +True if the packet has a length less than or equal to \fIlength\fP. +This is equivalent to: +.in +.5i +.nf +\fBlen <= \fIlength\fP. +.fi +.in -.5i +.IP "\fBgreater \fIlength\fR" +True if the packet has a length greater than or equal to \fIlength\fP. +This is equivalent to: +.in +.5i +.nf +\fBlen >= \fIlength\fP. +.fi +.in -.5i +.IP "\fBip proto \fIprotocol\fR" +True if the packet is an IPv4 packet (see +.IR ip (4P)) +of protocol type \fIprotocol\fP. +\fIProtocol\fP can be a number or one of the names +\fBicmp\fP, \fBicmp6\fP, \fBigmp\fP, \fBigrp\fP, \fBpim\fP, \fBah\fP, +\fBesp\fP, \fBvrrp\fP, \fBudp\fP, or \fBtcp\fP. +Note that the identifiers \fBtcp\fP, \fBudp\fP, and \fBicmp\fP are also +keywords and must be escaped via backslash (\\), which is \\\\ in the C-shell. +Note that this primitive does not chase the protocol header chain. +.IP "\fBip6 proto \fIprotocol\fR" +True if the packet is an IPv6 packet of protocol type \fIprotocol\fP. +Note that this primitive does not chase the protocol header chain. 
+.IP "\fBip6 protochain \fIprotocol\fR" +True if the packet is IPv6 packet, +and contains protocol header with type \fIprotocol\fR +in its protocol header chain. +For example, +.in +.5i +.nf +\fBip6 protochain 6\fR +.fi +.in -.5i +matches any IPv6 packet with TCP protocol header in the protocol header chain. +The packet may contain, for example, +authentication header, routing header, or hop-by-hop option header, +between IPv6 header and TCP header. +The BPF code emitted by this primitive is complex and +cannot be optimized by the BPF optimizer code, so this can be somewhat +slow. +.IP "\fBip protochain \fIprotocol\fR" +Equivalent to \fBip6 protochain \fIprotocol\fR, but this is for IPv4. +.IP "\fBether broadcast\fR" +True if the packet is an Ethernet broadcast packet. +The \fIether\fP +keyword is optional. +.IP "\fBip broadcast\fR" +True if the packet is an IPv4 broadcast packet. +It checks for both the all-zeroes and all-ones broadcast conventions, +and looks up the subnet mask on the interface on which the capture is +being done. +.IP +If the subnet mask of the interface on which the capture is being done +is not available, either because the interface on which capture is being +done has no netmask or because the capture is being done on the Linux +"any" interface, which can capture on more than one interface, this +check will not work correctly. +.IP "\fBether multicast\fR" +True if the packet is an Ethernet multicast packet. +The \fBether\fP +keyword is optional. +This is shorthand for `\fBether[0] & 1 != 0\fP'. +.IP "\fBip multicast\fR" +True if the packet is an IPv4 multicast packet. +.IP "\fBip6 multicast\fR" +True if the packet is an IPv6 multicast packet. +.IP "\fBether proto \fIprotocol\fR" +True if the packet is of ether type \fIprotocol\fR. 
+\fIProtocol\fP can be a number or one of the names +\fBip\fP, \fBip6\fP, \fBarp\fP, \fBrarp\fP, \fBatalk\fP, \fBaarp\fP, +\fBdecnet\fP, \fBsca\fP, \fBlat\fP, \fBmopdl\fP, \fBmoprc\fP, +\fBiso\fP, \fBstp\fP, \fBipx\fP, or \fBnetbeui\fP. +Note these identifiers are also keywords +and must be escaped via backslash (\\). +.IP +[In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), Token Ring +(e.g., `\fBtr protocol arp\fR'), and IEEE 802.11 wireless LANS (e.g., +`\fBwlan protocol arp\fR'), for most of those protocols, the +protocol identification comes from the 802.2 Logical Link Control (LLC) +header, which is usually layered on top of the FDDI, Token Ring, or +802.11 header. +.IP +When filtering for most protocol identifiers on FDDI, Token Ring, or +802.11, the filter checks only the protocol ID field of an LLC header +in so-called SNAP format with an Organizational Unit Identifier (OUI) of +0x000000, for encapsulated Ethernet; it doesn't check whether the packet +is in SNAP format with an OUI of 0x000000. +The exceptions are: +.RS +.TP +\fBiso\fP +the filter checks the DSAP (Destination Service Access Point) and +SSAP (Source Service Access Point) fields of the LLC header; +.TP +\fBstp\fP and \fBnetbeui\fP +the filter checks the DSAP of the LLC header; +.TP +\fBatalk\fP +the filter checks for a SNAP-format packet with an OUI of 0x080007 +and the AppleTalk etype. +.RE +.IP +In the case of Ethernet, the filter checks the Ethernet type field +for most of those protocols. 
The exceptions are: +.RS +.TP +\fBiso\fP, \fBstp\fP, and \fBnetbeui\fP +the filter checks for an 802.3 frame and then checks the LLC header as +it does for FDDI, Token Ring, and 802.11; +.TP +\fBatalk\fP +the filter checks both for the AppleTalk etype in an Ethernet frame and +for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11; +.TP +\fBaarp\fP +the filter checks for the AppleTalk ARP etype in either an Ethernet +frame or an 802.2 SNAP frame with an OUI of 0x000000; +.TP +\fBipx\fP +the filter checks for the IPX etype in an Ethernet frame, the IPX +DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of +IPX, and the IPX etype in a SNAP frame. +.RE +.IP "\fBdecnet src \fIhost\fR" +True if the DECNET source address is +.IR host , +which may be an address of the form ``10.123'', or a DECNET host +name. +[DECNET host name support is only available on ULTRIX systems +that are configured to run DECNET.] +.IP "\fBdecnet dst \fIhost\fR" +True if the DECNET destination address is +.IR host . +.IP "\fBdecnet host \fIhost\fR" +True if either the DECNET source or destination address is +.IR host . +.IP "\fBifname \fIinterface\fR" +True if the packet was logged as coming from the specified interface (applies +only to packets logged by OpenBSD's or FreeBSD's +.BR pf (4)). +.IP "\fBon \fIinterface\fR" +Synonymous with the +.B ifname +modifier. +.IP "\fBrnr \fInum\fR" +True if the packet was logged as matching the specified PF rule number +(applies only to packets logged by OpenBSD's or FreeBSD's +.BR pf (4)). +.IP "\fBrulenum \fInum\fR" +Synonymous with the +.B rnr +modifier. +.IP "\fBreason \fIcode\fR" +True if the packet was logged with the specified PF reason code. The known +codes are: +.BR match , +.BR bad-offset , +.BR fragment , +.BR short , +.BR normalize , +and +.B memory +(applies only to packets logged by OpenBSD's or FreeBSD's +.BR pf (4)). 
+.IP "\fBrset \fIname\fR" +True if the packet was logged as matching the specified PF ruleset +name of an anchored ruleset (applies only to packets logged by OpenBSD's +or FreeBSD's +.BR pf (4)). +.IP "\fBruleset \fIname\fR" +Synonomous with the +.B rset +modifier. +.IP "\fBsrnr \fInum\fR" +True if the packet was logged as matching the specified PF rule number +of an anchored ruleset (applies only to packets logged by OpenBSD's or +FreeBSD's +.BR pf (4)). +.IP "\fBsubrulenum \fInum\fR" +Synonomous with the +.B srnr +modifier. +.IP "\fBaction \fIact\fR" +True if PF took the specified action when the packet was logged. Known actions +are: +.B pass +and +.B block +and, with later versions of +.BR pf (4)), +.BR nat , +.BR rdr , +.B binat +and +.B scrub +(applies only to packets logged by OpenBSD's or FreeBSD's +.BR pf (4)). +.IP "\fBwlan addr1 \fIehost\fR" +True if the first IEEE 802.11 address is +.IR ehost . +.IP "\fBwlan addr2 \fIehost\fR" +True if the second IEEE 802.11 address, if present, is +.IR ehost . +The second address field is used in all frames except for CTS (Clear To +Send) and ACK (Acknowledgment) control frames. +.IP "\fBwlan addr3 \fIehost\fR" +True if the third IEEE 802.11 address, if present, is +.IR ehost . +The third address field is used in management and data frames, but not +in control frames. +.IP "\fBwlan addr4 \fIehost\fR" +True if the fourth IEEE 802.11 address, if present, is +.IR ehost . +The fourth address field is only used for +WDS (Wireless Distribution System) frames. +.IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fInetbeui\fP" +Abbreviations for: +.in +.5i +.nf +\fBether proto \fIp\fR +.fi +.in -.5i +where \fIp\fR is one of the above protocols. +.IP "\fBlat\fR, \fBmoprc\fR, \fBmopdl\fR" +Abbreviations for: +.in +.5i +.nf +\fBether proto \fIp\fR +.fi +.in -.5i +where \fIp\fR is one of the above protocols. 
+Note that not all applications using +.BR pcap (3) +currently know how to parse these protocols. +.IP "\fBtype \fIwlan_type\fR" +True if the IEEE 802.11 frame type matches the specified \fIwlan_type\fR. +Valid \fIwlan_type\fRs are: +\fBmgt\fP, +\fBctl\fP +and \fBdata\fP. +.IP "\fBtype \fIwlan_type \fBsubtype \fIwlan_subtype\fR" +True if the IEEE 802.11 frame type matches the specified \fIwlan_type\fR +and frame subtype matches the specified \fIwlan_subtype\fR. +.IP +If the specified \fIwlan_type\fR is \fBmgt\fP, +then valid \fIwlan_subtype\fRs are: +\fBassoc-req\fP, +\fBassoc-resp\fP, +\fBreassoc-req\fP, +\fBreassoc-resp\fP, +\fBprobe-req\fP, +\fBprobe-resp\fP, +\fBbeacon\fP, +\fBatim\fP, +\fBdisassoc\fP, +\fBauth\fP and +\fBdeauth\fP. +.IP +If the specified \fIwlan_type\fR is \fBctl\fP, +then valid \fIwlan_subtype\fRs are: +\fBps-poll\fP, +\fBrts\fP, +\fBcts\fP, +\fBack\fP, +\fBcf-end\fP and +\fBcf-end-ack\fP. +.IP +If the specified \fIwlan_type\fR is \fBdata\fP, +then valid \fIwlan_subtype\fRs are: +\fBdata\fP, +\fBdata-cf-ack\fP, +\fBdata-cf-poll\fP, +\fBdata-cf-ack-poll\fP, +\fBnull\fP, +\fBcf-ack\fP, +\fBcf-poll\fP, +\fBcf-ack-poll\fP, +\fBqos-data\fP, +\fBqos-data-cf-ack\fP, +\fBqos-data-cf-poll\fP, +\fBqos-data-cf-ack-poll\fP, +\fBqos\fP, +\fBqos-cf-poll\fP and +\fBqos-cf-ack-poll\fP. +.IP "\fBsubtype \fIwlan_subtype\fR" +True if the IEEE 802.11 frame subtype matches the specified \fIwlan_subtype\fR +and frame has the type to which the specified \fIwlan_subtype\fR belongs. +.IP "\fBdir \fIdir\fR" +True if the IEEE 802.11 frame direction matches the specified +.IR dir . +Valid directions are: +.BR nods , +.BR tods , +.BR fromds , +.BR dstods , +or a numeric value. +.IP "\fBvlan \fI[vlan_id]\fR" +True if the packet is an IEEE 802.1Q VLAN packet. +If \fI[vlan_id]\fR is specified, only true if the packet has the specified +\fIvlan_id\fR. 
+Note that the first \fBvlan\fR keyword encountered in \fIexpression\fR +changes the decoding offsets for the remainder of \fIexpression\fR on +the assumption that the packet is a VLAN packet. The \fBvlan +\fI[vlan_id]\fR expression may be used more than once, to filter on VLAN +hierarchies. Each use of that expression increments the filter offsets +by 4. +.IP +For example: +.in +.5i +.nf +\fBvlan 100 && vlan 200\fR +.fi +.in -.5i +filters on VLAN 200 encapsulated within VLAN 100, and +.in +.5i +.nf +\fBvlan && vlan 300 && ip\fR +.fi +.in -.5i +filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any +higher order VLAN. +.IP "\fBmpls \fI[label_num]\fR" +True if the packet is an MPLS packet. +If \fI[label_num]\fR is specified, only true is the packet has the specified +\fIlabel_num\fR. +Note that the first \fBmpls\fR keyword encountered in \fIexpression\fR +changes the decoding offsets for the remainder of \fIexpression\fR on +the assumption that the packet is a MPLS-encapsulated IP packet. The +\fBmpls \fI[label_num]\fR expression may be used more than once, to +filter on MPLS hierarchies. Each use of that expression increments the +filter offsets by 4. +.IP +For example: +.in +.5i +.nf +\fBmpls 100000 && mpls 1024\fR +.fi +.in -.5i +filters packets with an outer label of 100000 and an inner label of +1024, and +.in +.5i +.nf +\fBmpls && mpls 1024 && host 192.9.200.1\fR +.fi +.in -.5i +filters packets to or from 192.9.200.1 with an inner label of 1024 and +any outer label. +.IP \fBpppoed\fP +True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet +type 0x8863). +.IP \fBpppoes\fP +True if the packet is a PPP-over-Ethernet Session packet (Ethernet +type 0x8864). +Note that the first \fBpppoes\fR keyword encountered in \fIexpression\fR +changes the decoding offsets for the remainder of \fIexpression\fR on +the assumption that the packet is a PPPoE session packet. 
+.IP +For example: +.in +.5i +.nf +\fBpppoes && ip\fR +.fi +.in -.5i +filters IPv4 protocols encapsulated in PPPoE. +.IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR" +Abbreviations for: +.in +.5i +.nf +\fBip proto \fIp\fR\fB or ip6 proto \fIp\fR +.fi +.in -.5i +where \fIp\fR is one of the above protocols. +.IP "\fBiso proto \fIprotocol\fR" +True if the packet is an OSI packet of protocol type \fIprotocol\fP. +\fIProtocol\fP can be a number or one of the names +\fBclnp\fP, \fBesis\fP, or \fBisis\fP. +.IP "\fBclnp\fR, \fBesis\fR, \fBisis\fR" +Abbreviations for: +.in +.5i +.nf +\fBiso proto \fIp\fR +.fi +.in -.5i +where \fIp\fR is one of the above protocols. +.IP "\fBl1\fR, \fBl2\fR, \fBiih\fR, \fBlsp\fR, \fBsnp\fR, \fBcsnp\fR, \fBpsnp\fR" +Abbreviations for IS-IS PDU types. +.IP "\fBvpi\fP \fIn\fR +True if the packet is an ATM packet, for SunATM on Solaris, with a +virtual path identifier of +.IR n . +.IP "\fBvci\fP \fIn\fR +True if the packet is an ATM packet, for SunATM on Solaris, with a +virtual channel identifier of +.IR n . +.IP \fBlane\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +an ATM LANE packet. +Note that the first \fBlane\fR keyword encountered in \fIexpression\fR +changes the tests done in the remainder of \fIexpression\fR +on the assumption that the packet is either a LANE emulated Ethernet +packet or a LANE LE Control packet. If \fBlane\fR isn't specified, the +tests are done under the assumption that the packet is an +LLC-encapsulated packet. +.IP \fBllc\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +an LLC-encapsulated packet. +.IP \fBoamf4s\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +a segment OAM F4 flow cell (VPI=0 & VCI=3). +.IP \fBoamf4e\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +an end-to-end OAM F4 flow cell (VPI=0 & VCI=4). 
+.IP \fBoamf4\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)). +.IP \fBoam\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)). +.IP \fBmetac\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +on a meta signaling circuit (VPI=0 & VCI=1). +.IP \fBbcc\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +on a broadcast signaling circuit (VPI=0 & VCI=2). +.IP \fBsc\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +on a signaling circuit (VPI=0 & VCI=5). +.IP \fBilmic\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +on an ILMI circuit (VPI=0 & VCI=16). +.IP \fBconnectmsg\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, +Connect Ack, Release, or Release Done message. +.IP \fBmetaconnect\fP +True if the packet is an ATM packet, for SunATM on Solaris, and is +on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, +Release, or Release Done message. +.IP "\fIexpr relop expr\fR" +True if the relation holds, where \fIrelop\fR is one of >, <, >=, <=, =, +!=, and \fIexpr\fR is an arithmetic expression composed of integer +constants (expressed in standard C syntax), the normal binary operators +[+, -, *, /, &, |, <<, >>], a length operator, and special packet data +accessors. Note that all comparisons are unsigned, so that, for example, +0x80000000 and 0xffffffff are > 0. +To access +data inside the packet, use the following syntax: +.in +.5i +.nf +\fIproto\fB [ \fIexpr\fB : \fIsize\fB ]\fR +.fi +.in -.5i +\fIProto\fR is one of \fBether, fddi, tr, wlan, ppp, slip, link, +ip, arp, rarp, tcp, udp, icmp, ip6\fR or \fBradio\fR, and +indicates the protocol layer for the index operation. 
+(\fBether, fddi, wlan, tr, ppp, slip\fR and \fBlink\fR all refer to the +link layer. \fBradio\fR refers to the "radio header" added to some +802.11 captures.) +Note that \fItcp, udp\fR and other upper-layer protocol types only +apply to IPv4, not IPv6 (this will be fixed in the future). +The byte offset, relative to the indicated protocol layer, is +given by \fIexpr\fR. +\fISize\fR is optional and indicates the number of bytes in the +field of interest; it can be either one, two, or four, and defaults to one. +The length operator, indicated by the keyword \fBlen\fP, gives the +length of the packet. + +For example, `\fBether[0] & 1 != 0\fP' catches all multicast traffic. +The expression `\fBip[0] & 0xf != 5\fP' +catches all IPv4 packets with options. +The expression +`\fBip[6:2] & 0x1fff = 0\fP' +catches only unfragmented IPv4 datagrams and frag zero of fragmented +IPv4 datagrams. +This check is implicitly applied to the \fBtcp\fP and \fBudp\fP +index operations. +For instance, \fBtcp[0]\fP always means the first +byte of the TCP \fIheader\fP, and never means the first byte of an +intervening fragment. + +Some offsets and field values may be expressed as names rather than +as numeric values. +The following protocol header field offsets are +available: \fBicmptype\fP (ICMP type field), \fBicmpcode\fP (ICMP +code field), and \fBtcpflags\fP (TCP flags field). + +The following ICMP type field values are available: \fBicmp-echoreply\fP, +\fBicmp-unreach\fP, \fBicmp-sourcequench\fP, \fBicmp-redirect\fP, +\fBicmp-echo\fP, \fBicmp-routeradvert\fP, \fBicmp-routersolicit\fP, +\fBicmp-timxceed\fP, \fBicmp-paramprob\fP, \fBicmp-tstamp\fP, +\fBicmp-tstampreply\fP, \fBicmp-ireq\fP, \fBicmp-ireqreply\fP, +\fBicmp-maskreq\fP, \fBicmp-maskreply\fP. + +The following TCP flags field values are available: \fBtcp-fin\fP, +\fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP, +\fBtcp-ack\fP, \fBtcp-urg\fP. 
+.LP +Primitives may be combined using: +.IP +A parenthesized group of primitives and operators +(parentheses are special to the Shell and must be escaped). +.IP +Negation (`\fB!\fP' or `\fBnot\fP'). +.IP +Concatenation (`\fB&&\fP' or `\fBand\fP'). +.IP +Alternation (`\fB||\fP' or `\fBor\fP'). +.LP +Negation has highest precedence. +Alternation and concatenation have equal precedence and associate +left to right. +Note that explicit \fBand\fR tokens, not juxtaposition, +are now required for concatenation. +.LP +If an identifier is given without a keyword, the most recent keyword +is assumed. +For example, +.in +.5i +.nf +\fBnot host vs and ace\fR +.fi +.in -.5i +is short for +.in +.5i +.nf +\fBnot host vs and host ace\fR +.fi +.in -.5i +which should not be confused with +.in +.5i +.nf +\fBnot ( host vs or ace )\fR +.fi +.in -.5i +.SH EXAMPLES +.LP +To select all packets arriving at or departing from \fIsundown\fP: +.RS +.nf +\fBhost sundown\fP +.fi +.RE +.LP +To select traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR: +.RS +.nf +\fBhost helios and \\( hot or ace \\)\fP +.fi +.RE +.LP +To select all IP packets between \fIace\fR and any host except \fIhelios\fR: +.RS +.nf +\fBip host ace and not helios\fP +.fi +.RE +.LP +To select all traffic between local hosts and hosts at Berkeley: +.RS +.nf +.B +net ucb-ether +.fi +.RE +.LP +To select all ftp traffic through internet gateway \fIsnup\fP: +.RS +.nf +.B +gateway snup and (port ftp or ftp-data) +.fi +.RE +.LP +To select traffic neither sourced from nor destined for local hosts +(if you gateway to one other net, this stuff should never make it +onto your local net). +.RS +.nf +.B +ip and not net \fIlocalnet\fP +.fi +.RE +.LP +To select the start and end packets (the SYN and FIN packets) of each +TCP conversation that involves a non-local host. 
+.RS +.nf +.B +tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP +.fi +.RE +.LP +To select all IPv4 HTTP packets to and from port 80, i.e. print only +packets that contain data, not, for example, SYN and FIN packets and +ACK-only packets. (IPv6 is left as an exercise for the reader.) +.RS +.nf +.B +tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) +.fi +.RE +.LP +To select IP packets longer than 576 bytes sent through gateway \fIsnup\fP: +.RS +.nf +.B +gateway snup and ip[2:2] > 576 +.fi +.RE +.LP +To select IP broadcast or multicast packets that were +.I not +sent via Ethernet broadcast or multicast: +.RS +.nf +.B +ether[0] & 1 = 0 and ip[16] >= 224 +.fi +.RE +.LP +To select all ICMP packets that are not echo requests/replies (i.e., not +ping packets): +.RS +.nf +.B +icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply +.fi +.RE +.SH "SEE ALSO" +pcap(3PCAP) +.SH AUTHORS +The original authors are: +.LP +Van Jacobson, +Craig Leres and +Steven McCanne, all of the +Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. +.LP +It is currently being maintained by tcpdump.org. +.LP +The current version of libpcap is available via http: +.LP +.RS +.I http://www.tcpdump.org/ +.RE +.LP +The original distribution is available via anonymous ftp: +.LP +.RS +.I ftp://ftp.ee.lbl.gov/tcpdump.tar.Z +.RE +.SH BUGS +Please send problems, bugs, questions, desirable enhancements, etc. to: +.LP +.RS +tcpdump-workers@lists.tcpdump.org +.RE +.LP +Filter expressions on fields other than those in Token Ring headers will +not correctly handle source-routed Token Ring packets. +.LP +Filter expressions on fields other than those in 802.11 headers will not +correctly handle 802.11 data packets with both To DS and From DS set. +.LP +.BR "ip6 proto" +should chase header chain, but at this moment it does not. +.BR "ip6 protochain" +is supplied for this behavior. 
+.LP +Arithmetic expression against transport layer headers, like \fBtcp[0]\fP, +does not work against IPv6 packets. +It only looks at IPv4 packets. diff --git a/winpcap/wpcap/libpcap/pcap-linktype.manmisc b/winpcap/wpcap/libpcap/pcap-linktype.manmisc new file mode 100644 index 0000000..ed9dba4 --- /dev/null +++ b/winpcap/wpcap/libpcap/pcap-linktype.manmisc 
@@ -0,0 +1,282 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap-linktype.manmisc.in,v 1.1.2.4 2008-10-27 22:52:05 guy Exp $ +.\" +.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP-LINKTYPE 7 "23 October 2008" +.SH NAME +pcap-linktype \- link-layer header types supported by libpcap +.SH DESCRIPTION +For a live capture or ``savefile'', libpcap supplies, as the return +value of the +.BR pcap_datalink (3PCAP) +routine, a value that indicates the type of link-layer header at the +beginning of the packets it provides. 
This is not necessarily the type +of link-layer header that the packets being captured have on the network +from which they're being captured; for example, packets from an IEEE +802.11 network might be provided by libpcap with Ethernet headers that +the network adapter or the network adapter driver generates from the +802.11 headers. The names for those values begin with +.BR DLT_ , +so they are sometimes called "DLT_ values". +.PP +The values stored in the link-layer header type field in the savefile +header are, in most but not all cases, the same as the values returned +by +.BR pcap_datalink() . +The names for those values begin with +.BR LINKTYPE_ . +.PP +The link-layer header types supported by libpcap are listed here. The +value corresponding to +.B LINKTYPE_ +names are given; the value corresponding to +.B DLT_ +values are, in some cases, platform dependent, and are not given; +applications should check for particular +.B DLT_ +values by name. +.RS 5 +.TP 5 +.BR DLT_NULL "; " LINKTYPE_NULL = 0 +BSD loopback encapsulation; the link layer header is a 4-byte field, in +.I host +byte order, containing a PF_ value from +.B socket.h +for the network-layer protocol of the packet. +.IP +Note that ``host byte order'' is the byte order of the machine on which +the packets are captured, and the PF_ values are for the OS of the +machine on which the packets are captured; if a live capture is being +done, ``host byte order'' is the byte order of the machine capturing the +packets, and the PF_ values are those of the OS of the machine capturing +the packets, but if a ``savefile'' is being read, the byte order and PF_ +values are +.I not +necessarily those of the machine reading the capture file. +.TP 5 +.BR DLT_EN10MB "; " LINKTYPE_ETHERNET = 1 +Ethernet (10Mb, 100Mb, 1000Mb, and up); the +.B 10MB +in the +.B DLT_ +name is historical. +.TP 5 +.BR DLT_IEEE802 "; " LINKTYPE_TOKEN_RING = 6 +IEEE 802.5 Token Ring; the +.B IEEE802 +in the +.B DLT_ +name is historical. 
+.TP 5 +.BR DLT_ARCNET "; " LINKTYPE_ARCNET = 7 +ARCNET +.TP 5 +.BR DLT_SLIP "; " LINKTYPE_SLIP = 8 +SLIP; the link layer header contains, in order: +.RS 10 +.LP +a 1-byte flag, which is 0 for packets received by the machine and 1 for +packets sent by the machine; +.LP +a 1-byte field, the upper 4 bits of which indicate the type of packet, +as per RFC 1144: +.RS 5 +.TP 5 +0x40 +an unmodified IP datagram (TYPE_IP); +.TP 5 +0x70 +an uncompressed-TCP IP datagram (UNCOMPRESSED_TCP), with that byte being +the first byte of the raw IP header on the wire, containing the +connection number in the protocol field; +.TP 5 +0x80 +a compressed-TCP IP datagram (COMPRESSED_TCP), with that byte being the +first byte of the compressed TCP/IP datagram header; +.RE +.LP +for UNCOMPRESSED_TCP, the rest of the modified IP header, and for +COMPRESSED_TCP, the compressed TCP/IP datagram header; +.RE +.RS 5 +.LP +for a total of 16 bytes; the uncompressed IP datagram follows the header. +.RE +.TP 5 +.BR DLT_PPP "; " LINKTYPE_PPP = 9 +PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like +framing, with the PPP header following those two bytes, otherwise it's +PPP without framing, and the packet begins with the PPP header. +.TP 5 +.BR DLT_FDDI "; " LINKTYPE_FDDI = 10 +FDDI +.TP 5 +.BR DLT_ATM_RFC1483 "; " LINKTYPE_ATM_RFC1483 = 100 +RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2 +LLC header. +.TP 5 +.BR DLT_RAW "; " LINKTYPE_RAW = 101 +raw IP; the packet begins with an IP header. +.TP 5 +.BR DLT_PPP_SERIAL "; " LINKTYPE_PPP_HDLC = 50 +PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC +framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF +for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP +with HDLC framing. +.TP 5 +.BR DLT_PPP_ETHER "; " LINKTYPE_PPP_ETHER = 51 +PPPoE; the packet begins with a PPPoE header, as per RFC 2516. 
+.TP 5 +.BR DLT_C_HDLC "; " LINKTYPE_C_HDLC = 104 +Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547. +.TP 5 +.BR DLT_IEEE802_11 "; " LINKTYPE_IEEE802_11 = 105 +IEEE 802.11 wireless LAN +.TP 5 +.BR DLT_FRELAY "; " LINKTYPE_FRELAY = 107 +Frame Relay +.TP 5 +.BR DLT_LOOP "; " LINKTYPE_LOOP = 108 +OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in +.I network +byte order, containing a PF_ value from OpenBSD's +.B socket.h +for the network-layer protocol of the packet. +.IP +Note that, if a ``savefile'' is being read, those PF_ values are +.I not +necessarily those of the machine reading the capture file. +.TP 5 +.BR DLT_LINUX_SLL "; " LINKTYPE_LINUX_SLL = 113 +Linux "cooked" capture encapsulation; the link layer header contains, in +order: +.RS 10 +.LP +a 2-byte "packet type", in network byte order, which is one of: +.RS 5 +.TP 5 +0 +packet was sent to us by somebody else +.TP 5 +1 +packet was broadcast by somebody else +.TP 5 +2 +packet was multicast, but not broadcast, by somebody else +.TP 5 +3 +packet was sent by somebody else to somebody else +.TP 5 +4 +packet was sent by us +.RE +.LP +a 2-byte field, in network byte order, containing a Linux ARPHRD_ value +for the link layer device type; +.LP +a 2-byte field, in network byte order, containing the length of the +link layer address of the sender of the packet (which could be 0); +.LP +an 8-byte field containing that number of bytes of the link layer header +(if there are more than 8 bytes, only the first 8 are present); +.LP +a 2-byte field containing an Ethernet protocol type, in network byte +order, or containing 1 for Novell 802.3 frames without an 802.2 LLC +header or 4 for frames beginning with an 802.2 LLC header. +.RE +.TP 5 +.BR DLT_LTALK "; " LINKTYPE_LTALK = 104 +Apple LocalTalk; the packet begins with an AppleTalk LLAP header. 
+.TP 5 +.BR DLT_PFLOG "; " LINKTYPE_PFLOG = 117 +OpenBSD pflog; the link layer header contains a +.B "struct pfloghdr" +structure, as defined by the host on which the file was saved. (This +differs from operating system to operating system and release to +release; there is nothing in the file to indicate what the layout of +that structure is.) +.TP 5 +.BR DLT_PRISM_HEADER "; " LINKTYPE_PRISM_HEADER = 119 +Prism monitor mode information followed by an 802.11 header. +.TP 5 +.BR DLT_IP_OVER_FC "; " LINKTYPE_IP_OVER_FC = 122 +RFC 2625 IP-over-Fibre Channel, with the link-layer header being the +Network_Header as described in that RFC. +.TP 5 +.BR DLT_SUNATM "; " LINKTYPE_SUNATM = 123 +SunATM devices; the link layer header contains, in order: +.RS 10 +.LP +a 1-byte flag field, containing a direction flag in the uppermost bit, +which is set for packets transmitted by the machine and clear for +packets received by the machine, and a 4-byte traffic type in the +low-order 4 bits, which is one of: +.RS 5 +.TP 5 +0 +raw traffic +.TP 5 +1 +LANE traffic +.TP 5 +2 +LLC-encapsulated traffic +.TP 5 +3 +MARS traffic +.TP 5 +4 +IFMP traffic +.TP 5 +5 +ILMI traffic +.TP 5 +6 +Q.2931 traffic +.RE +.LP +a 1-byte VPI value; +.LP +a 2-byte VCI field, in network byte order. +.RE +.TP 5 +.BR DLT_IEEE802_11_RADIO "; " LINKTYPE_IEEE802_11_RADIO = 127 +link-layer information followed by an 802.11 header - see +http://www.shaftnet.org/~pizza/software/capturefrm.txt for a description +of the link-layer information. +.TP 5 +.BR DLT_ARCNET_LINUX "; " LINKTYPE_ARCNET_LINUX = 129 +ARCNET, with no exception frames, reassembled packets rather than raw +frames, and an extra 16-bit offset field between the destination host +and type bytes. +.TP 5 +.BR DLT_LINUX_IRDA "; " LINKTYPE_LINUX_IRDA = 144 +Linux-IrDA packets, with a +.B DLT_LINUX_SLL +header followed by the IrLAP header. 
+.TP 5 +.BR DLT_LINUX_LAPD "; " LINKTYPE_LINUX_LAPD = 177 +LAPD (Q.921) frames, with a +.B DLT_LINUX_SLL +header captured via vISDN. +.RE +.SH SEE ALSO +pcap_datalink(3PCAP) diff --git a/winpcap/wpcap/libpcap/pcap-linux.c b/winpcap/wpcap/libpcap/pcap-linux.c index 069c4fd..bfd1149 100644 --- a/winpcap/wpcap/libpcap/pcap-linux.c +++ b/winpcap/wpcap/libpcap/pcap-linux.c @@ -91,6 +91,7 @@ static const char rcsid[] _U_ = #include #include #include +#include #include #include #include diff --git a/winpcap/wpcap/libpcap/pcap-new.c b/winpcap/wpcap/libpcap/pcap-new.c index 3fd07c7..46c572e 100644 --- a/winpcap/wpcap/libpcap/pcap-new.c +++ b/winpcap/wpcap/libpcap/pcap-new.c @@ -57,7 +57,8 @@ extern struct activehosts *activeHosts; See the documentation of pcap_remoteact_accept() and pcap_remoteact_cleanup() for more details. */ -SOCKET sockmain; +//SOCKET sockmain; +extern SOCKET sockmain; //! String identifier to be used in the pcap_findalldevs_ex() diff --git a/winpcap/wpcap/libpcap/pcap-savefile.manfile b/winpcap/wpcap/libpcap/pcap-savefile.manfile new file mode 100644 index 0000000..21fdb2e --- /dev/null +++ b/winpcap/wpcap/libpcap/pcap-savefile.manfile 
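Review bot: Replacing the definition `SOCKET sockmain;` with `extern SOCKET sockmain;` in pcap-new.c leaves the library without a definition of that symbol unless another object in the same link provides one, and nothing in this hunk shows where the definition now lives. If it moved into rpcapd (presumably daemon.c, which this patch also touches), any other program linking this libpcap with the remote-capture code would fail with an undefined reference. The usual arrangement is to keep the single definition here and put `extern SOCKET sockmain;` on the daemon side or in a shared header. The commented-out `//SOCKET sockmain;` should be deleted rather than left beside the new declaration. If the extern is kept, add a one-line comment such as `/* defined in <owning file>; declaration only */` so the owner of the listening socket is clear; the doc comment above the declaration begins outside this hunk.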
@@ -0,0 +1,127 @@ +'\" t +.\" @(#) $Header: /tcpdump/master/libpcap/pcap-savefile.manfile.in,v 1.1.2.3 2008-10-24 07:34:06 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP-SAVEFILE 5 "21 October 2008" +.SH NAME +pcap-savefile \- libpcap savefile format +.SH DESCRIPTION +NOTE: applications and libraries should, if possible, use libpcap to +read savefiles, rather than having their own code to read savefiles. +If, in the future, a new file format is supported by libpcap, +applications and libraries using libpcap to read savefiles will be able +to read the new format of savefiles, but applications and libraries +using their own code to read savefiles will have to be changed to +support the new file format. 
+.PP +``Savefiles'' read and written by libpcap and applications using libpcap +start with a per-file header. The format of the per-file header is: +.RS +.TS +box; +c s +c | c +c s. +Magic number +_ +Major version Minor version +_ +Time zone offset +_ +Time stamp accuracy +_ +Snapshot length +_ +Link-layer header type +.TE +.RE +.PP +All fields in the per-file header are in the byte order of the host +writing the file. The first field in the per-file header is a 4-byte +magic number, with the value 0xa1b2c3d4. The magic number, when read by +a host with the same byte order as the host that wrote the file, will +have the value 0xa1b2c3d4, and, when read by a host with the opposite +byte order as the host that wrote the file, will have the value +0xd4c3b2a1. That allows software reading the file to determine whether +the byte order of the host that wrote the file is the same as the byte +order of the host on which the file is being read, and thus whether the +values in the per-file and per-packet headers need to be byte-swapped. +.PP +Following this are: +.IP +A 2-byte file format major version number; the current version number is +2. +.IP +A 2-byte file format minor version number; the current version number is +4. +.IP +A 4-byte time zone offset; this is always 0. +.IP +A 4-byte number giving the accuracy of time stamps in the file; this is +always 0. +.IP +A 4-byte number giving the "snapshot length" of the capture; packets +longer than the snapshot length are truncated to the snapshot length, so +that, if the snapshot length is +.IR N , +only the first +.I N +bytes of a packet longer than +.I N +bytes will be saved in the capture. +.IP +a 4-byte number giving the link-layer header type for packets in the +capture; see +.BR pcap-linktype (7) +for the +.B LINKTYPE_ +values that can appear in this field. +.PP +Following the per-file header are zero or more packets; each packet +begins with a per-packet header, which is immediately followed by the +raw packet data. 
The format of the per-packet header is: +.RS +.TS +box; +c. +Time stamp, seconds value +_ +Time stamp, microseconds value +_ +Length of captured packet data +_ +Un-truncated length of the packet data +.TE +.RE +.PP +All fields in the per-packet header are in the byte order of the host +writing the file. The per-packet header begins with a time stamp giving +the approximate time the packet was captured; the time stamp consists of +a 4-byte value, giving the time in seconds since January 1, 1970, +00:00:00 UTC, followed by a 4-byte value, giving the time in +microseconds since that second. Following that are a 4-byte value +giving the number of bytes of captured data that follow the per-packet +header and a 4-byte value giving the number of bytes that would have +been present had the packet not been truncated by the snapshot length. +The two lengths will be equal if the number of bytes of packet data are +less than or equal to the snapshot length. +.SH SEE ALSO +pcap(3PCAP), pcap-linktype(7) diff --git a/winpcap/wpcap/libpcap/pcap.3pcap b/winpcap/wpcap/libpcap/pcap.3pcap new file mode 100644 index 0000000..b694714 --- /dev/null +++ b/winpcap/wpcap/libpcap/pcap.3pcap 
@@ -0,0 +1,386 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap.3pcap.in,v 1.1.2.2 2008-10-21 07:44:57 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP 3PCAP "4 April 2008" +.SH NAME +pcap \- Packet Capture library +.SH SYNOPSIS +.nf +.ft B +#include +.LP +.ft B +.ft +.fi +.SH DESCRIPTION +The Packet Capture library +provides a high level interface to packet capture systems. All packets +on the network, even those destined for other hosts, are accessible +through this mechanism. +It also supports saving captured packets to a ``savefile'', and reading +packets from a ``savefile''. +.PP +To open a handle for a live capture, call +.BR pcap_create() , +set the appropriate options on the handle, and then activate it with +.BR pcap_activate() . 
+To open a handle for a ``savefile'' with captured packets, call +.BR pcap_open_offline() . +Both +.B pcap_create() +and +.B pcap_open_offline() +return a pointer to a +.BR pcap_t , +which is the handle used for reading packets from the capture stream or +the ``savefile'', and for finding out information about the capture +stream or ``savefile''. +.PP +The options that can be set on a capture handle include +.IP "snapshot length" +If, when capturing, you capture the entire contents of the packet, that +requires more CPU time to copy the packet to your application, more disk +and possibly network bandwidth to write the packet data to a file, and +more disk space to save the packet. If you don't need the entire +contents of the packet - for example, if you are only interested in the +TCP headers of packets - you can set the "snapshot length" for the +capture to an appropriate value. If the snapshot length is set to +.IR snaplen , +and +.I snaplen +is less +than the size of a packet that is captured, only the first +.I snaplen +bytes of that packet will be captured and provided as packet data. +.IP +A snapshot length of 65535 should be sufficient, on most if not all +networks, to capture all the data available from the packet. +.IP +The snapshot length is set with +.BR pcap_set_snaplen() . +.IP "promiscuous mode" +On broadcast LANs such as Ethernet, if the network isn't switched, or if +the adapter is connected to a "mirror port" on a switch to which all +packets passing through the switch are sent, a network adapter receives +all packets on the LAN, including unicast or multicast packets not sent +to a network address that the network adapter isn't configured to +recognize. +.IP +Normally, the adapter will discard those packets; however, many network +adapters support "promiscuous mode", which is a mode in which all +packets, even if they are not sent to an address that the adapter +recognizes, are provided to the host. 
This is useful for passively +capturing traffic between two or more other hosts for analysis. +.IP +Note that even if an application does not set promiscuous mode, the +adapter could well be in promiscuous mode for some other reason. +.IP +For now, this doesn't work on the "any" device; if an argument of "any" +or NULL is supplied, the setting of promiscuous mode is ignored. +.IP +Promiscuous mode is set with +.BR pcap_set_promisc() . +.IP "monitor mode" +On IEEE 802.11 wireless LANs, even if an adapter is in promiscuous mode, +it will supply to the host only frames for the network with which it's +associated. It might also supply only data frames, not management or +control frames, and might not provide the 802.11 header or radio +information pseudo-header for those frames. +.IP +In "monitor mode", sometimes also called "rfmon mode" (for "Radio +Frequency MONitor"), the adapter will supply all frames that it +receives, with 802.11 headers, and might supply a pseudo-header with +radio information about the frame as well. +.IP +Note that in monitor mode the adapter might disassociate from the +network with which it's associated, so that you will not be able to use +any wireless networks with that adapter. This could prevent accessing +files on a network server, or resolving host names or network addresses, +if you are capturing in monitor mode and are not connected to another +network with another adapter. +.IP +Monitor mode is set with +.BR pcap_set_rfmon() , +and +.B pcap_can_set_rfmon() +can be used to determine whether an adapter can be put into monitor +mode. +.IP "read timeout" +If, when capturing, packets are delivered as soon as they arrive, the +application capturing the packets will be woken up for each packet as it +arrives, and might have to make one or more calls to the operating +system to fetch each packet. 
+.IP +If, instead, packets are not delivered as soon as they arrive, but are +delivered after a short delay (called a "read timeout"), more than one +packet can be accumulated before the packets are delivered, so that a +single wakeup would be done for multiple packets, and each set of calls +made to the operating system would supply multiple packets, rather than +a single packet. This reduces the per-packet CPU overhead if packets +are arriving at a high rate, increasing the number of packets per second +that can be captured. +.IP +The read timeout is required so that an application won't wait for the +operating system's capture buffer to fill up before packets are +delivered; if packets are arriving slowly, that wait could take an +arbitrarily long period of time. +.IP +Not all platforms support a read timeout; on platforms that +don't, the read timeout is ignored. A zero value for the timeout, +on platforms that support a read timeout, +will cause a read to wait forever to allow enough packets to +arrive, with no timeout. +.IP +.BR NOTE : +the read timeout cannot be used to cause calls that read +packets to return within a limited period of time, because, on some +platforms, the read timeout isn't supported, and, on other platforms, +the timer doesn't start until at least one packet arrives. This means +that the read timeout should +.B NOT +be used, for example, in an interactive application to allow the packet +capture loop to ``poll'' for user input periodically, as there's no +guarantee that a call reading packets will return after the timeout +expires even if no packets have arrived. +.IP +The read timeout is set with +.BR pcap_set_timeout() . +.IP "buffer size" +Packets that arrive for a capture are stored in a buffer, so that they +do not have to be read by the application as soon as they arrive. 
On +some platforms, the buffer's size can be set; a size that's too small +could mean that, if too many packets are being captured and the snapshot +length doesn't limit the amount of data that's buffered, packets could +be dropped if the buffer fills up before the application can read +packets from it, while a size that's too large could use more +non-pageable operating system memory than is necessary to prevent +packets from being dropped. +.IP +The buffer size is set with +.BR pcap_set_buffer_size() . +.PP +Reading packets from a network interface may require that you have +special privileges: +.TP +.B Under SunOS 3.x or 4.x with NIT or BPF: +You must have read access to +.I /dev/nit +or +.IR /dev/bpf* . +.TP +.B Under Solaris with DLPI: +You must have read/write access to the network pseudo device, e.g. +.IR /dev/le . +On at least some versions of Solaris, however, this is not sufficient to +allow +.I tcpdump +to capture in promiscuous mode; on those versions of Solaris, you must +be root, or the application capturing packets +must be installed setuid to root, in order to capture in promiscuous +mode. Note that, on many (perhaps all) interfaces, if you don't capture +in promiscuous mode, you will not see any outgoing packets, so a capture +not done in promiscuous mode may not be very useful. +.IP +In newer versions of Solaris, you must have been given the +.B net_rawaccess +privilege; this is both necessary and sufficient to give you access to the +network pseudo-device - there is no need to change the privileges on +that device. A user can be given that privilege by, for example, adding +that privilege to the user's +.B defaultpriv +key with the +.B usermod (1M) +command. +.TP +.B Under HP-UX with DLPI: +You must be root or the application capturing packets must be installed +setuid to root. +.TP +.B Under IRIX with snoop: +You must be root or the application capturing packets must be installed +setuid to root. 
+.TP +.B Under Linux: +You must be root or the application capturing packets must be installed +setuid to root (unless your distribution has a kernel +that supports capability bits such as CAP_NET_RAW and code to allow +those capability bits to be given to particular accounts and to cause +those bits to be set on a user's initial processes when they log in, in +which case you must have CAP_NET_RAW in order to capture and +CAP_NET_ADMIN to enumerate network devices with, for example, the +.B \-D +flag). +.TP +.B Under ULTRIX and Digital UNIX/Tru64 UNIX: +Any user may capture network traffic. +However, no user (not even the super-user) can capture in promiscuous +mode on an interface unless the super-user has enabled promiscuous-mode +operation on that interface using +.IR pfconfig (8), +and no user (not even the super-user) can capture unicast traffic +received by or sent by the machine on an interface unless the super-user +has enabled copy-all-mode operation on that interface using +.IR pfconfig , +so +.I useful +packet capture on an interface probably requires that either +promiscuous-mode or copy-all-mode operation, or both modes of +operation, be enabled on that interface. +.TP +.B Under BSD (this includes Mac OS X): +You must have read access to +.I /dev/bpf* +on systems that don't have a cloning BPF device, or to +.I /dev/bpf +on systems that do. +On BSDs with a devfs (this includes Mac OS X), this might involve more +than just having somebody with super-user access setting the ownership +or permissions on the BPF devices - it might involve configuring devfs +to set the ownership or permissions every time the system is booted, +if the system even supports that; if it doesn't support that, you might +have to find some other way to make that happen at boot time. +.PP +Reading a saved packet file doesn't require special privileges. +.PP +To open a ``savefile`` to which to write packets, call +.BR pcap_dump_open() . 
+It returns a pointer to a +.BR pcap_dumper_t , +which is the handle used for writing packets to the ``savefile''. +.PP +Packets are read with +.B pcap_dispatch() +or +.BR pcap_loop() , +which process one or more packets, calling a callback routine for each +packet, or with +.B pcap_next() +or +.BR pcap_next_ex() , +which return the next packet. +The callback for +.B pcap_dispatch() +and +.BR pcap_loop() +is supplied a pointer to a +.IR "struct pcap_pkthdr" , +which includes the following members: +.RS +.TP +.B ts +a +.I struct timeval +containing the time when the packet was captured +.TP +.B caplen +a +.I bpf_u_int32 +giving the number of bytes of the packet that are available from the +capture +.TP +.B len +a +.I bpf_u_int32 +giving the length of the packet, in bytes (which might be more than the +number of bytes available from the capture, if the length of the packet +is larger than the maximum number of bytes to capture). +.RE +.PP +.B pcap_next_ex() +supplies that pointer through a pointer argument. +.B pcap_next() +is passed an argument that points to a +.I struct pcap_pkthdr +structure, and fills it in. +.PP +The callback is also supplied a +.I const u_char +pointer to the first +.B caplen +(as given in the +.I struct pcap_pkthdr +a pointer to which is passed to the callback routine) +bytes of data from the packet. This won't necessarily be the entire +packet; to capture the entire packet, you will have to provide a value +for +.I snaplen +in your call to +.B pcap_open_live() +that is sufficiently large to get all of the packet's data - a value of +65535 should be sufficient on most if not all networks). When reading +from a ``savefile'', the snapshot length specified when the capture was +performed will limit the amount of packet data available. +.B pcap_next() +returns that pointer; +.B pcap_next_ex() +supplies that pointer through a pointer argument. 
+.SH BACKWARDS COMPATIBILITY +.PP +In versions of libpcap prior to 1.0, the +.B pcap.h +header file was not in a +.B pcap +directory on most platforms; if you are writing an application that must +work on versions of libpcap prior to 1.0, include +.BR , +which will include +.B +for you, rather than including +.BR . +.PP +.B pcap_create() +and +.B pcap_activate() +were not available in versions of libpcap prior to 1.0; if you are +writing an application that must work on versions of libpcap prior to +1.0, either use +.B pcap_open_live() +to get a handle for a live capture or, if you want to be able to use the +additional capabilities offered by using +.B pcap_create() +and +.BR pcap_activate() , +use an +.BR autoconf (1) +script or some other configuration script to check whether the libpcap +1.0 APIs are available and use them only if they are. +.SH SEE ALSO +autoconf(1), tcpdump(1), tcpslice(1), pcap-filter(7), pfconfig(8), +usermod(1M) +.SH AUTHORS +The original authors of libpcap are: +.LP +Van Jacobson, +Craig Leres and +Steven McCanne, all of the +Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. +.LP +The current version is available from "The Tcpdump Group"'s Web site at +.LP +.RS +.I http://www.tcpdump.org/ +.RE +.SH BUGS +Please send problems, bugs, questions, desirable enhancements, etc. to: +.LP +.RS +tcpdump-workers@lists.tcpdump.org +.RE diff --git a/winpcap/wpcap/libpcap/pcap_compile.3pcap b/winpcap/wpcap/libpcap/pcap_compile.3pcap new file mode 100644 index 0000000..b0bfee3 --- /dev/null +++ b/winpcap/wpcap/libpcap/pcap_compile.3pcap 
@@ -0,0 +1,72 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_compile.3pcap.in,v 1.1.2.2 2008-10-21 07:44:57 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_COMPILE 3PCAP "5 April 2008" +.SH NAME +pcap_compile \- compile a filter expression +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_compile(pcap_t *p, struct bpf_program *fp, +.ti +8 +const char *str, int optimize, bpf_u_int32 netmask); +.ft +.fi +.SH DESCRIPTION +.B pcap_compile() +is used to compile the string +.I str +into a filter program. See +.BR pcap-filter (7) +for the syntax of that string. +.I program +is a pointer to a +.I bpf_program +struct and is filled in by +.BR pcap_compile() . +.I optimize +controls whether optimization on the resulting code is performed. 
+.I netmask +specifies the IPv4 netmask of the network on which packets are being +captured; it is used only when checking for IPv4 broadcast addresses in +the filter program. If the netmask of the network on which packets are +being captured isn't known to the program, or if packets are being +captured on the Linux "any" pseudo-interface that can capture on more +than one network, a value of 0 can be supplied; tests for IPv4 broadcast +addreses won't be done correctly, but all other tests in the filter +program will be OK. +.SH RETURN VALUE +.B pcap_compile() +returns 0 on success and \-1 on failure. +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.SH SEE ALSO +pcap(3PCAP), pcap_setfilter(3PCAP), pcap_freecode(3PCAP), +pcap_geterr(3PCAP), pcap-filter(7) diff --git a/winpcap/wpcap/libpcap/pcap_datalink.3pcap b/winpcap/wpcap/libpcap/pcap_datalink.3pcap new file mode 100644 index 0000000..06dfdee --- /dev/null +++ b/winpcap/wpcap/libpcap/pcap_datalink.3pcap 
@@ -0,0 +1,41 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_datalink.3pcap.in,v 1.1.2.2 2008-10-21 07:44:57 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_DATALINK 3PCAP "5 April 2008" +.SH NAME +pcap_datalink \- get the link-layer header type +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_datalink(pcap_t *p); +.ft +.fi +.SH DESCRIPTION +.B pcap_datalink() +returns the link layer type for the live capture or ``savefile'' +specified by +.IR p . +.SH SEE ALSO +pcap(3PCAP), pcap-linktype(7) diff --git a/winpcap/wpcap/libpcap/pcap_dump_open.3pcap b/winpcap/wpcap/libpcap/pcap_dump_open.3pcap new file mode 100644 index 0000000..70aa932 --- /dev/null +++ b/winpcap/wpcap/libpcap/pcap_dump_open.3pcap 
@@ -0,0 +1,87 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_dump_open.3pcap.in,v 1.1.2.2 2008-10-23 05:59:43 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_DUMP_OPEN 3PCAP "5 April 2008" +.SH NAME +pcap_dump_open, pcap_dump_fopen \- open a file to which to write packets +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.nf +.LP +.ft B +pcap_dumper_t *pcap_dump_open(pcap_t *p, const char *fname); +pcap_dumper_t *pcap_dump_fopen(pcap_t *p, FILE *fp); +.ft +.fi +.SH DESCRIPTION +.B pcap_dump_open() +is called to open a ``savefile'' for writing. +.I fname +specifies the name of the file to open. The file will have +the same format as those used by +.BR tcpdump (1) +and +.BR tcpslice (1). +The name "-" in a synonym +for +.BR stdout . 
+.PP +.B pcap_dump_fopen() +is called to write data to an existing open stream +.IR fp . +Note that on Windows, that stream should be opened in binary mode. +.PP +.I p +is a capture or ``savefile'' handle returned by an earlier call to +.B pcap_create() +and activated by an earlier call to +.BR pcap_activate() , +or returned by an earlier call to +.BR pcap_open_offline() , +.BR pcap_open_live() , +or +.BR pcap_open_dead() . +The link-layer type and snapshot length from +.I p +are used as the link-layer type and snapshot length of the output file. +.SH RETURN VALUES +A pointer to a +.B pcap_dumper_t +structure to use in subsequent +.B pcap_dump() +and +.B pcap_dump_close() +calls is returned on success. +.B NULL +is returned on failure. +If +.B NULL +is returned, +.B pcap_geterr(\fIp\fB) +can be used to get the error text. +.SH SEE ALSO +pcap(3PCAP), pcap_create(3PCAP), pcap_activate(3PCAP), +pcap_open_offline(3PCAP), pcap_open_live(3PCAP), pcap_open_dead(3PCAP), +pcap_dump(3PCAP), pcap_dump_close(3PCAP), pcap_geterr(3PCAP), +pcap-savefile(5) diff --git a/winpcap/wpcap/libpcap/pcap_list_datalinks.3pcap b/winpcap/wpcap/libpcap/pcap_list_datalinks.3pcap new file mode 100644 index 0000000..4e73196 --- /dev/null +++ b/winpcap/wpcap/libpcap/pcap_list_datalinks.3pcap 
@@ -0,0 +1,58 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_list_datalinks.3pcap.in,v 1.1.2.2 2008-10-21 07:44:57 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_LIST_DATALINKS 3PCAP "5 April 2008" +.SH NAME +pcap_list_datalinks \- get a list of link-layer header types supported +by a capture device +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +int pcap_list_datalinks(pcap_t *p, int **dlt_buf); +.ft +.fi +.SH DESCRIPTION +.B pcap_list_datalinks() +is used to get a list of the supported data link types of the interface +associated with the pcap descriptor. +.B pcap_list_datalinks() +allocates an array to hold the list and sets +.IR *dlt_buf . +The caller is responsible for freeing the array with +.BR pcap_free_datalinks (3PCAP). 
+.SH RETURN VALUE +.B pcap_list_datalinks() +returns the number of data link types in the array on success and \-1 +on failure. +If \-1 is returned, +.B pcap_geterr() +or +.B pcap_perror() +may be called with +.I p +as an argument to fetch or display the error text. +.SH SEE ALSO +pcap(3PCAP), pcap_geterr(3PCAP), pcap_free_datalinks(3PCAP), +pcap-linktype(7) diff --git a/winpcap/wpcap/libpcap/pcap_open_dead.3pcap b/winpcap/wpcap/libpcap/pcap_open_dead.3pcap new file mode 100644 index 0000000..29b8f7a --- /dev/null +++ b/winpcap/wpcap/libpcap/pcap_open_dead.3pcap 
@@ -0,0 +1,52 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_open_dead.3pcap.in,v 1.1.2.2 2008-10-21 07:44:57 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_OPEN_DEAD 3PCAP "5 April 2008" +.SH NAME +pcap_open_dead \- open a fake pcap_t for compiling filters or opening a +capture for output +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.ft B +pcap_t *pcap_open_dead(int linktype, int snaplen); +.ft +.fi +.SH DESCRIPTION +.PP +.B pcap_open_dead() +is used for creating a +.B pcap_t +structure to use when calling the other functions in libpcap. It is +typically used when just using libpcap for compiling BPF code. +.PP +.I linktype +specifies the link-layer type for the +.BR pcap_t . +.PP +.I snaplen +specifies the snapshot length for the +.BR pcap_t . +.SH SEE ALSO +pcap(3PCAP), pcap-linktype(7) 
diff --git a/winpcap/wpcap/libpcap/pcap_open_offline.3pcap b/winpcap/wpcap/libpcap/pcap_open_offline.3pcap
new file mode 100644
index 0000000..c89b867
--- /dev/null
+++ b/winpcap/wpcap/libpcap/pcap_open_offline.3pcap
@@ -0,0 +1,78 @@ +.\" @(#) $Header: /tcpdump/master/libpcap/pcap_open_offline.3pcap.in,v 1.1.2.2 2008-10-23 05:59:43 guy Exp $ +.\" +.\" Copyright (c) 1994, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH PCAP_OPEN_OFFLINE 3PCAP "5 April 2008" +.SH NAME +pcap_open_offline, pcap_fopen_offline \- open a saved capture file for reading +.SH SYNOPSIS +.nf +.ft B +#include +.ft +.LP +.nf +.ft B +char errbuf[PCAP_ERRBUF_SIZE]; +.ft +.LP +.ft B +pcap_t *pcap_open_offline(const char *fname, char *errbuf); +pcap_t *pcap_fopen_offline(FILE *fp, char *errbuf); +.ft +.fi +.SH DESCRIPTION +.B pcap_open_offline() +is called to open a ``savefile'' for reading. +.PP +.I fname +specifies the name of the file to open. The file has +the same format as those used by +.BR tcpdump (1) +and +.BR tcpslice (1). +The name "-" in a synonym for +.BR stdin . 
+.PP +Alternatively, you may call +.B pcap_fopen_offline() +to read dumped data from an existing open stream +.IR fp . +Note that on Windows, that stream should be opened in binary mode. +.SH RETURN VALUE +.B pcap_open_offline() +and +.B pcap_fopen_offline() +return a +.I pcap_t * +on success and +.B NULL +on failure. +If +.B NULL +is returned, +.I errbuf +is filled in with an appropriate error message. +.I errbuf +is assumed to be able to hold at least +.B PCAP_ERRBUF_SIZE +chars. +.SH SEE ALSO +pcap(3PCAP), pcap-savefile(5) diff --git a/winpcap/wpcap/libpcap/remote-ext.h.orig b/winpcap/wpcap/libpcap/remote-ext.h.orig new file mode 100644 index 0000000..e748b04 --- /dev/null +++ b/winpcap/wpcap/libpcap/remote-ext.h.orig 
@@ -0,0 +1,448 @@ +/* + * Copyright (c) 2002 - 2003 + * NetGroup, Politecnico di Torino (Italy) + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the Politecnico di Torino nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + + +#ifndef __REMOTE_EXT_H__ +#define __REMOTE_EXT_H__ + + +#if !EXTRAHOP_MODS +#ifndef HAVE_REMOTE +#error Please do not include this file directly. 
Just define HAVE_REMOTE and then include pcap.h +#endif +#endif + +// Definition for Microsoft Visual Studio +#if _MSC_VER > 1000 +#pragma once +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +/*! + \file remote-ext.h + + The goal of this file it to include most of the new definitions that should be + placed into the pcap.h file. + + It includes all new definitions (structures and functions like pcap_open(). + Some of the functions are not really a remote feature, but, right now, + they are placed here. +*/ + + + +// All this stuff is public +/*! \addtogroup remote_struct + \{ +*/ + + + + +/*! + \brief Defines the maximum buffer size in which address, port, interface names are kept. + + In case the adapter name or such is larger than this value, it is truncated. + This is not used by the user; however it must be aware that an hostname / interface + name longer than this value will be truncated. +*/ +#define PCAP_BUF_SIZE 1024 + + +/*! \addtogroup remote_source_ID + \{ +*/ + + +/*! + \brief Internal representation of the type of source in use (file, + remote/local interface). + + This indicates a file, i.e. the user want to open a capture from a local file. +*/ +#define PCAP_SRC_FILE 2 +/*! + \brief Internal representation of the type of source in use (file, + remote/local interface). + + This indicates a local interface, i.e. the user want to open a capture from + a local interface. This does not involve the RPCAP protocol. +*/ +#define PCAP_SRC_IFLOCAL 3 +/*! + \brief Internal representation of the type of source in use (file, + remote/local interface). + + This indicates a remote interface, i.e. the user want to open a capture from + an interface on a remote host. This does involve the RPCAP protocol. +*/ +#define PCAP_SRC_IFREMOTE 4 + +/*! + \} +*/ + + + +/*! 
\addtogroup remote_source_string + + The formats allowed by the pcap_open() are the following: + - file://path_and_filename [opens a local file] + - rpcap://devicename [opens the selected device devices available on the local host, without using the RPCAP protocol] + - rpcap://host/devicename [opens the selected device available on a remote host] + - rpcap://host:port/devicename [opens the selected device available on a remote host, using a non-standard port for RPCAP] + - adaptername [to open a local adapter; kept for compability, but it is strongly discouraged] + - (NULL) [to open the first local adapter; kept for compability, but it is strongly discouraged] + + The formats allowed by the pcap_findalldevs_ex() are the following: + - file://folder/ [lists all the files in the given folder] + - rpcap:// [lists all local adapters] + - rpcap://host:port/ [lists the devices available on a remote host] + + Referring to the 'host' and 'port' paramters, they can be either numeric or literal. Since + IPv6 is fully supported, these are the allowed formats: + + - host (literal): e.g. host.foo.bar + - host (numeric IPv4): e.g. 10.11.12.13 + - host (numeric IPv4, IPv6 style): e.g. [10.11.12.13] + - host (numeric IPv6): e.g. [1:2:3::4] + - port: can be either numeric (e.g. '80') or literal (e.g. 'http') + + Here you find some allowed examples: + - rpcap://host.foo.bar/devicename [everything literal, no port number] + - rpcap://host.foo.bar:1234/devicename [everything literal, with port number] + - rpcap://10.11.12.13/devicename [IPv4 numeric, no port number] + - rpcap://10.11.12.13:1234/devicename [IPv4 numeric, with port number] + - rpcap://[10.11.12.13]:1234/devicename [IPv4 numeric with IPv6 format, with port number] + - rpcap://[1:2:3::4]/devicename [IPv6 numeric, no port number] + - rpcap://[1:2:3::4]:1234/devicename [IPv6 numeric, with port number] + - rpcap://[1:2:3::4]:http/devicename [IPv6 numeric, with literal port number] + + \{ +*/ + + +/*! 
+ \brief String that will be used to determine the type of source in use (file, + remote/local interface). + + This string will be prepended to the interface name in order to create a string + that contains all the information required to open the source. + + This string indicates that the user wants to open a capture from a local file. +*/ +#define PCAP_SRC_FILE_STRING "file://" +/*! + \brief String that will be used to determine the type of source in use (file, + remote/local interface). + + This string will be prepended to the interface name in order to create a string + that contains all the information required to open the source. + + This string indicates that the user wants to open a capture from a network interface. + This string does not necessarily involve the use of the RPCAP protocol. If the + interface required resides on the local host, the RPCAP protocol is not involved + and the local functions are used. +*/ +#define PCAP_SRC_IF_STRING "rpcap://" + +/*! + \} +*/ + + + + + +/*! + \addtogroup remote_open_flags + \{ +*/ + +/*! + \brief Defines if the adapter has to go in promiscuous mode. + + It is '1' if you have to open the adapter in promiscuous mode, '0' otherwise. + Note that even if this parameter is false, the interface could well be in promiscuous + mode for some other reason (for example because another capture process with + promiscuous mode enabled is currently using that interface). + On on Linux systems with 2.2 or later kernels (that have the "any" device), this + flag does not work on the "any" device; if an argument of "any" is supplied, + the 'promisc' flag is ignored. +*/ +#define PCAP_OPENFLAG_PROMISCUOUS 1 + +/*! + \brief Defines if the data trasfer (in case of a remote + capture) has to be done with UDP protocol. + + If it is '1' if you want a UDP data connection, '0' if you want + a TCP data connection; control connection is always TCP-based. 
+ A UDP connection is much lighter, but it does not guarantee that all + the captured packets arrive to the client workstation. Moreover, + it could be harmful in case of network congestion. + This flag is meaningless if the source is not a remote interface. + In that case, it is simply ignored. +*/ +#define PCAP_OPENFLAG_DATATX_UDP 2 + + +/*! + \brief Defines if the remote probe will capture its own generated traffic. + + In case the remote probe uses the same interface to capture traffic and to send + data back to the caller, the captured traffic includes the RPCAP traffic as well. + If this flag is turned on, the RPCAP traffic is excluded from the capture, so that + the trace returned back to the collector is does not include this traffic. +*/ +#define PCAP_OPENFLAG_NOCAPTURE_RPCAP 4 + +/*! + \brief Defines if the local adapter will capture its own generated traffic. + + This flag tells the underlying capture driver to drop the packets that were sent by itself. + This is usefult when building applications like bridges, that should ignore the traffic + they just sent. +*/ +#define PCAP_OPENFLAG_NOCAPTURE_LOCAL 8 + +/*! + \brief This flag configures the adapter for maximum responsiveness. + + In presence of a large value for nbytes, WinPcap waits for the arrival of several packets before + copying the data to the user. This guarantees a low number of system calls, i.e. lower processor usage, + i.e. better performance, which is good for applications like sniffers. If the user sets the + PCAP_OPENFLAG_MAX_RESPONSIVENESS flag, the capture driver will copy the packets as soon as the application + is ready to receive them. This is suggested for real time applications (like, for example, a bridge) + that need the best responsiveness.*/ +#define PCAP_OPENFLAG_MAX_RESPONSIVENESS 16 + +/*! + \} +*/ + + +/*! + \addtogroup remote_samp_methods + \{ +*/ + +/*! + \brief No sampling has to be done on the current capture. 
+ + In this case, no sampling algorithms are applied to the current capture. +*/ +#define PCAP_SAMP_NOSAMP 0 + +/*! + \brief It defines that only 1 out of N packets must be returned to the user. + + In this case, the 'value' field of the 'pcap_samp' structure indicates the + number of packets (minus 1) that must be discarded before one packet got accepted. + In other words, if 'value = 10', the first packet is returned to the caller, while + the following 9 are discarded. +*/ +#define PCAP_SAMP_1_EVERY_N 1 + +/*! + \brief It defines that we have to return 1 packet every N milliseconds. + + In this case, the 'value' field of the 'pcap_samp' structure indicates the 'waiting + time' in milliseconds before one packet got accepted. + In other words, if 'value = 10', the first packet is returned to the caller; the next + returned one will be the first packet that arrives when 10ms have elapsed. +*/ +#define PCAP_SAMP_FIRST_AFTER_N_MS 2 + +/*! + \} +*/ + + +/*! + \addtogroup remote_auth_methods + \{ +*/ + +/*! + \brief It defines the NULL authentication. + + This value has to be used within the 'type' member of the pcap_rmtauth structure. + The 'NULL' authentication has to be equal to 'zero', so that old applications + can just put every field of struct pcap_rmtauth to zero, and it does work. +*/ +#define RPCAP_RMTAUTH_NULL 0 +/*! + \brief It defines the username/password authentication. + + With this type of authentication, the RPCAP protocol will use the username/ + password provided to authenticate the user on the remote machine. If the + authentication is successful (and the user has the right to open network devices) + the RPCAP connection will continue; otherwise it will be dropped. + + This value has to be used within the 'type' member of the pcap_rmtauth structure. +*/ +#define RPCAP_RMTAUTH_PWD 1 + +/*! + \} +*/ + + + + +/*! + + \brief This structure keeps the information needed to autheticate + the user on a remote machine. 
+ + The remote machine can either grant or refuse the access according + to the information provided. + In case the NULL authentication is required, both 'username' and + 'password' can be NULL pointers. + + This structure is meaningless if the source is not a remote interface; + in that case, the functions which requires such a structure can accept + a NULL pointer as well. +*/ +struct pcap_rmtauth +{ + /*! + \brief Type of the authentication required. + + In order to provide maximum flexibility, we can support different types + of authentication based on the value of this 'type' variable. The currently + supported authentication methods are defined into the + \link remote_auth_methods Remote Authentication Methods Section\endlink. + + */ + int type; + /*! + \brief Zero-terminated string containing the username that has to be + used on the remote machine for authentication. + + This field is meaningless in case of the RPCAP_RMTAUTH_NULL authentication + and it can be NULL. + */ + char *username; + /*! + \brief Zero-terminated string containing the password that has to be + used on the remote machine for authentication. + + This field is meaningless in case of the RPCAP_RMTAUTH_NULL authentication + and it can be NULL. + */ + char *password; +}; + + +/*! + \brief This structure defines the information related to sampling. + + In case the sampling is requested, the capturing device should read + only a subset of the packets coming from the source. The returned packets depend + on the sampling parameters. + + \warning The sampling process is applied after the filtering process. + In other words, packets are filtered first, then the sampling process selects a + subset of the 'filtered' packets and it returns them to the caller. +*/ +struct pcap_samp +{ + /*! + Method used for sampling. Currently, the supported methods are listed in the + \link remote_samp_methods Sampling Methods Section\endlink. + */ + int method; + + /*! 
+ This value depends on the sampling method defined. For its meaning, please check + at the \link remote_samp_methods Sampling Methods Section\endlink. + */ + int value; +}; + + + + +//! Maximum lenght of an host name (needed for the RPCAP active mode) +#define RPCAP_HOSTLIST_SIZE 1024 + + +/*! + \} +*/ // end of public documentation + + +#if !EXTRAHOP_MODS +// Exported functions + + + +/** \name New WinPcap functions + + This section lists the new functions that are able to help considerably in writing + WinPcap programs because of their easiness of use. + */ +//\{ +pcap_t *pcap_open(const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf); +int pcap_createsrcstr(char *source, int type, const char *host, const char *port, const char *name, char *errbuf); +int pcap_parsesrcstr(const char *source, int *type, char *host, char *port, char *name, char *errbuf); +int pcap_findalldevs_ex(char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf); +struct pcap_samp *pcap_setsampling(pcap_t *p); + +//\} +// End of new winpcap functions + + + +/** \name Remote Capture functions + */ +//\{ +SOCKET pcap_remoteact_accept(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf); +int pcap_remoteact_list(char *hostlist, char sep, int size, char *errbuf); +int pcap_remoteact_close(const char *host, char *errbuf); +void pcap_remoteact_cleanup(); +//\} +// End of remote capture functions +#endif + +#ifdef __cplusplus +} +#endif + + +#endif + diff --git a/winpcap/wpcap/libpcap/remote-ext.h.rej b/winpcap/wpcap/libpcap/remote-ext.h.rej new file mode 100644 index 0000000..bce4d6e --- /dev/null +++ b/winpcap/wpcap/libpcap/remote-ext.h.rej 
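Review bot: remote-ext.h.orig looks like a backup left behind by patch(1) rather than source, and the remote-ext.h.rej added in the next file section records a hunk that failed to apply, so neither file should be part of this commit. The rejected hunk expects the include guard `___REMOTE_EXT_H___`, while this copy uses `__REMOTE_EXT_H__`, so the intended `#define HAVE_REMOTE 1` presumably never reached remote-ext.h. In that case the `#error Please do not include this file directly` branch is still reachable unless HAVE_REMOTE or EXTRAHOP_MODS is set somewhere else in the build. I would drop both files, ignore `*.orig` and `*.rej`, and either re-apply the define against the real guard or pass `-DHAVE_REMOTE` from the Makefile.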
@@ -0,0 +1,11 @@ +--- winpcap/wpcap/libpcap/remote-ext.h ++++ winpcap/wpcap/libpcap/remote-ext.h +@@ -1,3 +1,8 @@ ++#ifndef HAVE_REMOTE ++#define HAVE_REMOTE 1 ++#endif ++ ++ + #ifndef ___REMOTE_EXT_H___ + #define ___REMOTE_EXT_H___ + diff --git a/winpcap/wpcap/libpcap/rpcapd/Makefile b/winpcap/wpcap/libpcap/rpcapd/Makefile index a7a84dd..c62ece3 100644 --- a/winpcap/wpcap/libpcap/rpcapd/Makefile +++ b/winpcap/wpcap/libpcap/rpcapd/Makefile @@ -14,7 +14,7 @@ WINCFLAGS = -DHAVE_STRUCT_TIMESPEC INCLUDE = -I../ WININCLUDE = -I../Win32/Include -I../../../Common -I../../../../win32-pthreads -LINUXLIB = -lpcap -lcrypt -static +LINUXLIB = -lpcap -lcrypt OSXLIB = -lpcap WINLIB = -lwpcap -lpthreadGC2 -lpacket -lws2_32 diff --git a/winpcap/wpcap/libpcap/rpcapd/daemon.c b/winpcap/wpcap/libpcap/rpcapd/daemon.c index 88e9607..beaf515 100644 --- a/winpcap/wpcap/libpcap/rpcapd/daemon.c +++ b/winpcap/wpcap/libpcap/rpcapd/daemon.c @@ -30,6 +30,7 @@ * */ +#include #include // for libpcap/WinPcap calls #include // for the errno variable #include // for malloc(), free(), ... @@ -49,6 +50,16 @@ #include // for password management #include + +/* Portable memory barriers for multi-threaded use. */ +#ifndef rmb +#define rmb() __sync_synchronize() +#endif + +#ifndef wmb +#define wmb() __sync_synchronize() +#endif + int set_non_blocking(int fd) { 
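Review bot: Removing `-static` from LINUXLIB lets `-lpcap` resolve to a shared libpcap whenever the linker finds one (no `-L` is visible in this hunk), while the headers still come from `-I../`. rpcapd can then be compiled against the in-tree libpcap and run against whatever libpcap the host ships. For a network-facing daemon that links `-lcrypt` for password checks, that silently changes which code parses remote input. If the aim is only to avoid a fully static glibc on ARM64, keep libpcap static and link the rest dynamically, e.g. `LINUXLIB = -Wl,-Bstatic -lpcap -Wl,-Bdynamic -lcrypt`, with a comment above the line giving the reason.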
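Review bot: `rmb()` and `wmb()` are defined here and again, behind the same `#ifndef` guards, in the later daemon.c hunk at new line 1761, so the second copy never takes effect and the two can drift apart; keep a single definition. `__sync_synchronize()` is a full barrier, which is safe on ARM64 but heavier than the `lfence`/`sfence` pair it replaces on x86. The code that calls these macros is outside the hunk, so I cannot confirm which ordering it relies on. If it is the usual producer/consumer pairing, `#define rmb() __atomic_thread_fence(__ATOMIC_ACQUIRE)` and `#define wmb() __atomic_thread_fence(__ATOMIC_RELEASE)` would state the intent and stay portable.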
@@ -1750,11 +1761,46 @@ struct rpcap_stats *netstats; // statistics sent on the network return -1; } -#define RPCAP_NETBUF_MAX_SIZE 65536 +/*#define RPCAP_NETBUF_MAX_SIZE 65536 #define DAEMON_USE_COND_TIMEDWAIT 0 -#define rmb() asm volatile("lfence":::"memory") -#define wmb() asm volatile("sfence":::"memory") +//#define rmb() asm volatile("lfence":::"memory") +//#define wmb() asm volatile("sfence":::"memory") + +#if defined(__x86_64__) || defined(__i386__) + __asm__ __volatile__("sfence" ::: "memory"); +//#elif defined(__aarch64__) + On ARM64, use a data memory barrier instead of sfence + __asm__ __volatile__("dmb ish" ::: "memory"); +#else + __sync_synchronize(); +#endif +#if defined(__x86_64__) || defined(__i386__) + __asm__ __volatile__("lfence" ::: "memory"); +#elif defined(__aarch64__) +// On ARM64, use a load barrier instead of lfence + __asm__ __volatile__("dmb ishld" ::: "memory"); +#else + __sync_synchronize(); +#endif +*/ + +#define RPCAP_NETBUF_MAX_SIZE 65536 +#define DAEMON_USE_COND_TIMEDWAIT 0 + +/* Portable memory barriers for all architectures (ARM, x86, etc.) */ +#ifndef rmb +#define rmb() __sync_synchronize() +#endif + +#ifndef wmb +#define wmb() __sync_synchronize() +#endif + + + + + #define likely(x) __builtin_expect((x), 1) #define unlikely(x) __builtin_expect((x), 0) @@ -1829,7 +1875,8 @@ static struct daemon_ring_ctx daemon_ring_ctx; #ifdef linux #include #include -#include +#include +#include #define gettid() syscall(__NR_gettid) void diff --git a/winpcap/wpcap/libpcap/rpcapd/fileconf.c b/winpcap/wpcap/libpcap/rpcapd/fileconf.c index d676f45..3f0cb86 100644 --- a/winpcap/wpcap/libpcap/rpcapd/fileconf.c +++ b/winpcap/wpcap/libpcap/rpcapd/fileconf.c @@ -33,6 +33,7 @@ #include +#include #include #include #include // for PCAP_ERRBUF_SIZE diff --git a/winpcap/wpcap/libpcap/scanner.h b/winpcap/wpcap/libpcap/scanner.h new file mode 100644 index 0000000..934ca4c --- /dev/null +++ b/winpcap/wpcap/libpcap/scanner.h 
@@ -0,0 +1,6 @@ +/* This is generated by runlex.sh. Do not edit it. */ + +#ifndef YY_DECL +#define YY_DECL int yylex(void) +#endif +YY_DECL; diff --git a/winpcap/wpcap/libpcap/version.c b/winpcap/wpcap/libpcap/version.c new file mode 100644 index 0000000..a685dff --- /dev/null +++ b/winpcap/wpcap/libpcap/version.c @@ -0,0 +1 @@ +char pcap_version[] = "1.0.0"; diff --git a/winpcap/wpcap/libpcap/version.h b/winpcap/wpcap/libpcap/version.h new file mode 100644 index 0000000..31dceef --- /dev/null +++ b/winpcap/wpcap/libpcap/version.h @@ -0,0 +1 @@ +static const char pcap_version_string[] = "libpcap version 1.0.0"; From 9f964d42828aee56625b02ccdc3d99594de505de Mon Sep 17 00:00:00 2001 From: matt-0123 Date: Fri, 12 Dec 2025 23:19:50 +0000 Subject: [PATCH 2/2] Fix formatting and update ARM64 build instructions in README-ARM64.md --- README-ARM64.md | 152 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 122 insertions(+), 30 deletions(-) diff --git a/README-ARM64.md b/README-ARM64.md index 40ca92e..6acd84a 100644 --- a/README-ARM64.md +++ b/README-ARM64.md 
@@ -1,53 +1,145 @@ -# ARM64 / Graviton Build Instructions for rpcapd +# ARM64 / AWS Graviton Build Instructions for ExtraHop rpcapd -This fork includes the changes required to build the ExtraHop rpcapd agent on ARM64 platforms such as: +This repository is a fork of ExtraHop’s `rpcapd` agent with additional patches required to successfully build and run it on **ARM64-based Linux systems**, including: -- AWS Graviton (Amazon Linux 2 / 2023) -- Other modern ARM64 Linux distributions +- AWS Graviton (Amazon Linux 2 / Amazon Linux 2023) +- Ubuntu ARM64 +- Debian ARM64 +- Other AArch64 Linux distributions -## Changes in this fork (high level) +The original upstream project was based on very old WinPcap/libpcap code (circa ~2003), which does not compile on modern ARM systems without significant patching. This fork includes all fixes required to produce a functional, stable ARM64 `rpcapd` binary compatible with ExtraHop sensors. -- Enabled remote capture support in libpcap (HAVE_REMOTE). -- Patched old libpcap sources for modern Linux headers (e.g. SIOCGSTAMP requires ). -- Removed x86-only inline assembly (sfence / lfence) and replaced with portable memory barriers. -- Fixed missing includes for types like UINT16_MAX. -- Resolved multiple-definition of `sockmain` between rpcapd.c and pcap-new.c. -- Switched from static linking (-static) to dynamic linking to avoid missing -lc / -lcrypt issues. -- Ensured rpcapd links against libpcap and libcrypt on Amazon Linux. 
+## ✔ Summary of Changes in This Fork -## Build Steps (Amazon Linux / Graviton) +### libpcap fixes +- Added missing Linux header: `#include ` for `SIOCGSTAMP` +- Enabled remote capture support (`HAVE_REMOTE`) +- Updated Makefile to ensure bundled libpcap is used +- Added `` for `UINT16_MAX` +- Removed static linking (`-static`) to avoid glibc issues on ARM +- Fixed configuration script compatibility for AArch64 (`--build=aarch64-unknown-linux-gnu`) -```bash +### rpcapd code fixes +- Removed x86-specific inline ASM (`sfence`, `lfence`) +- Replaced memory barriers with portable `__sync_synchronize()` +- Resolved multiple-definition error for `sockmain` +- Ensured rpcapd links against ARM-compatible libpcap and libcrypt + +## ✔ Prerequisites + +### Amazon Linux 2 +``` sudo yum groupinstall -y "Development Tools" -sudo yum install -y libpcap libpcap-devel libxcrypt libxcrypt-devel flex bison +sudo yum install -y libpcap libpcap-devel libxcrypt libxcrypt-devel flex bison git +``` + +### Amazon Linux 2023 +``` +sudo dnf groupinstall -y "Development Tools" +sudo dnf install -y libpcap libpcap-devel libxcrypt libxcrypt-devel flex bison git +``` + +### Ubuntu (ARM64) +``` +sudo apt update +sudo apt install -y build-essential libpcap-dev libxcrypt-dev flex bison git autoconf automake libtool +``` +## ✔ Clone This Fork + +``` cd /opt -sudo git clone https://github.com/matt-0123/rpcapd.git -sudo chown -R "$USER":"$USER" rpcapd -cd rpcapd/winpcap/wpcap/libpcap +git clone https://github.com/0xM47H3W/rpcapd.git +cd rpcapd +``` + +## ✔ Build the Bundled libpcap -# Enable remote capture support +``` +cd winpcap/wpcap/libpcap ./configure --build=aarch64-unknown-linux-gnu --enable-remote make +``` -# Build rpcapd +## ✔ Build rpcapd + +``` cd rpcapd make clean || true -make -The resulting binary will be: +make CFLAGS="-g -O2 -Wno-error -DHAVE_REMOTE -I../" +``` + +Output binary: -bash -Copy code +``` winpcap/wpcap/libpcap/rpcapd/rpcapd -Install it with: +``` -bash -Copy code +## ✔ 
Install rpcapd + +``` sudo cp rpcapd /usr/local/sbin/rpcapd sudo chmod 755 /usr/local/sbin/rpcapd sudo chown root:root /usr/local/sbin/rpcapd -Run in active mode: +``` + +## ✔ Test rpcapd + +Foreground: +``` +sudo /usr/local/sbin/rpcapd -n -v +``` -bash -Copy code +Passive: +``` +sudo /usr/local/sbin/rpcapd -n -v -p 2002 +``` + +Active with local listener: +``` +nc -l 2003 +sudo /usr/local/sbin/rpcapd -n -v -a 127.0.0.1,2003 +``` + +## ✔ Run Against an ExtraHop Sensor + +Active: +``` sudo /usr/local/sbin/rpcapd -n -v -a ,2003 +``` + +Passive: +``` +sudo /usr/local/sbin/rpcapd -n -v -p 2002 +``` + +## ✔ systemd Service + +Create `/etc/systemd/system/rpcapd.service`: +``` +[Unit] +Description=ExtraHop rpcapd ARM64 Agent +After=network-online.target + +[Service] +ExecStart=/usr/local/sbin/rpcapd -a ,2003 -n +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target +``` + +Enable: +``` +sudo systemctl daemon-reload +sudo systemctl enable rpcapd +sudo systemctl start rpcapd +``` + +## ✔ Notes + +- This fork is **not** an official ExtraHop release. +- ARM64 patches included for compatibility. +- Precompiled binaries may be included in GitHub Releases. +