-$Id: README.linux,v 1.1 1999/08/31 06:09:25 gram Exp $
+$Id: README.linux,v 1.7 2001/01/10 09:54:44 guy Exp $
-The standard libpcap compiled for Linux has a timeout problem.
-If you use Ethereal with this libpcap on a not-so-busy network, at
-times you will see that the Ethereal GUI freezes. It will freeze until
-one more packet is received.
+In order to capture packets (with Ethereal/Tethereal, tcpdump, or any
+other packet capture program) on a Linux system, the "packet" protocol
+must be supported by your kernel. If it is not, you may get error
+messages such as
-As of version 0.4 of libpcap this problem still exists. This is the
-version of libpcap that comes with the standard Linux distributions.
-If the freezing really annoys you, you can apply a patch to the libpcap
-source code.
+ modprobe: can't locate module net-pf-17
-Libpcap can be obtained from ftp://ftp.ee.lbl.gov
+in "/var/adm/messages". The following note is from the Linux
+"Configure.help" file:
-You can download the Linux patch at http://ethereal.zing.org/~gerald/
+ Packet socket
+ CONFIG_PACKET
+ The Packet protocol is used by applications which communicate
+ directly with network devices without an intermediate network
+ protocol implemented in the kernel, e.g. tcpdump. If you want them
+ to work, choose Y.
+ This driver is also available as a module called af_packet.o ( =
+ code which can be inserted in and removed from the running kernel
+ whenever you want). If you want to compile it as a module, say M
+ here and read Documentation/modules.txt; if you use modprobe or
+ kmod, you may also want to add "alias net-pf-17 af_packet" to
+ /etc/modules.conf.
+
+In addition, the standard libpcap compiled for Linux has a timeout
+problem; it doesn't support the timeout argument to "pcap_open_live()".
+
+The current version of Ethereal attempts to work around this, so its GUI
+shouldn't freeze when capturing on a not-so-busy network. If its GUI
+does freeze when that happens, please send a note about this, indicating
+which version of which distribution of Linux you're using, and which
+version of libpcap you're using, to ethereal-dev@ethereal.com.
+
+The current version of Ethereal should work with versions of libpcap
+that have been patched to fix the timeout problem, as well as working
+with unpatched versions.
+
+An additional problem, on Linux, with current versions of libpcap, is
+that capture filters do not work when snooping loopback devices; if
+you're capturing on a Linux loopback device, do not use a capture
+filter, as it will probably reject most if not all packets, including
+the packets it's intended to accept - instead, capture all packets and
+use a display filter to select the packets you want to see.
+
+In addition, current versions of libpcap on at least some Linux
+distributions will not turn promiscuous mode off on a network device
+until the program using promiscuous mode exits, so if you start a
+capture with Ethereal on some Linux distributions, the network interface
+will be put in promiscuous mode and will remain in promiscuous mode
+until Ethereal exits. There might be additional libpcap bugs that cause
+it not to be turned off even when Ethereal exits; if your network is
+busy, this could cause the Linux networking stack to do a lot more work
+discarding packets not intended for the machine, so you may want to
+check, after running Ethereal, whether any network interfaces are in
+promiscuous mode (the output of "ifconfig -a" will say something such as
+
+eth0 Link encap:Ethernet HWaddr 00:00:66:66:66:66
+ inet addr:66.66.66.66 Bcast:66.66.66.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
+ RX packets:6493 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:3380 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:100
+ Interrupt:18 Base address:0xfc80
+
+with "PROMISC" indicating that the interface is in promiscuous mode),
+and, if any interfaces are in promiscuous mode and no capture is being
+done on that interface, turn promiscuous mode off by hand with
+
+ ifconfig <ifname> -promisc
+
+where "<ifname>" is the name of the interface.
git.samba.org / obnox / wireshark / wip.git / blobdiff