The Android Open Source Project | 478ab6c | 2009-03-03 19:30:05 -0800

In order for libpcap to be able to capture packets on a Linux system,
the "packet" protocol must be supported by your kernel.  If it is not,
you may get error messages such as

        modprobe: can't locate module net-pf-17

in "/var/adm/messages", or may get messages such as

        socket: Address family not supported by protocol

from applications using libpcap.

You must configure the kernel with the CONFIG_PACKET option for this
protocol; the following note is from the Linux "Configure.help" file for
the 2.0[.x] kernel:

  Packet socket
  CONFIG_PACKET
    The Packet protocol is used by applications which communicate
    directly with network devices without an intermediate network
    protocol implemented in the kernel, e.g. tcpdump. If you want them
    to work, choose Y.

    This driver is also available as a module called af_packet.o ( =
    code which can be inserted in and removed from the running kernel
    whenever you want). If you want to compile it as a module, say M
    here and read Documentation/modules.txt; if you use modprobe or
    kmod, you may also want to add "alias net-pf-17 af_packet" to
    /etc/modules.conf.

and the note for the 2.2[.x] kernel says:

  Packet socket
  CONFIG_PACKET
    The Packet protocol is used by applications which communicate
    directly with network devices without an intermediate network
    protocol implemented in the kernel, e.g. tcpdump. If you want them
    to work, choose Y. This driver is also available as a module called
    af_packet.o ( = code which can be inserted in and removed from the
    running kernel whenever you want). If you want to compile it as a
    module, say M here and read Documentation/modules.txt. You will
    need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules
    file for the module version to function automatically. If unsure,
    say Y.

In addition, there is an option that, in 2.2 and later kernels, will
allow packet capture filters specified to programs such as tcpdump to be
executed in the kernel, so that packets that don't pass the filter won't
be copied from the kernel to the program, rather than having all packets
copied to the program and libpcap doing the filtering in user mode.

Copying packets from the kernel to the program consumes a significant
amount of CPU, so filtering in the kernel can reduce the overhead of
capturing packets if a filter has been specified that discards a
significant number of packets.  (If no filter is specified, it makes no
difference whether the filtering isn't performed in the kernel or isn't
performed in user mode. :-))

The option for this is the CONFIG_FILTER option; the "Configure.help"
file says:

  Socket filtering
  CONFIG_FILTER
    The Linux Socket Filter is derived from the Berkeley Packet Filter.
    If you say Y here, user-space programs can attach a filter to any
    socket and thereby tell the kernel that it should allow or disallow
    certain types of data to get through the socket. Linux Socket
    Filtering works on all socket types except TCP for now. See the text
    file linux/Documentation/networking/filter.txt for more information.
    If unsure, say N.

Statistics:
Statistics reported by pcap are platform specific.  The statistics
reported by pcap_stats on Linux are as follows:

2.2.x
=====
ps_recv   Number of packets that were accepted by the pcap filter
ps_drop   Always 0, this statistic is not gathered on this platform

2.4.x
=====
ps_recv   Number of packets that were accepted by the pcap filter
ps_drop   Number of packets that had passed filtering but were not
          passed on to pcap due to things like buffer shortage, etc.
          This is useful because these are packets you are interested in
          but won't be reported by, for example, tcpdump output.