blob: dd959139d3f9327746a0165c94813addc2011060 [file] [log] [blame]
The Android Open Source Project478ab6c2009-03-03 19:30:05 -08001In order for libpcap to be able to capture packets on a Linux system,
2the "packet" protocol must be supported by your kernel. If it is not,
3you may get error messages such as
4
5 modprobe: can't locate module net-pf-17
6
7in "/var/adm/messages", or may get messages such as
8
9 socket: Address family not supported by protocol
10
11from applications using libpcap.
12
13You must configure the kernel with the CONFIG_PACKET option for this
14protocol; the following note is from the Linux "Configure.help" file for
15the 2.0[.x] kernel:
16
17 Packet socket
18 CONFIG_PACKET
19 The Packet protocol is used by applications which communicate
20 directly with network devices without an intermediate network
21 protocol implemented in the kernel, e.g. tcpdump. If you want them
22 to work, choose Y.
23
24 This driver is also available as a module called af_packet.o ( =
25 code which can be inserted in and removed from the running kernel
26 whenever you want). If you want to compile it as a module, say M
27 here and read Documentation/modules.txt; if you use modprobe or
28 kmod, you may also want to add "alias net-pf-17 af_packet" to
29 /etc/modules.conf.
30
31and the note for the 2.2[.x] kernel says:
32
33 Packet socket
34 CONFIG_PACKET
35 The Packet protocol is used by applications which communicate
36 directly with network devices without an intermediate network
37 protocol implemented in the kernel, e.g. tcpdump. If you want them
38 to work, choose Y. This driver is also available as a module called
39 af_packet.o ( = code which can be inserted in and removed from the
40 running kernel whenever you want). If you want to compile it as a
41 module, say M here and read Documentation/modules.txt. You will
42 need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules
43 file for the module version to function automatically. If unsure,
44 say Y.
45
46In addition, there is an option that, in 2.2 and later kernels, will
47allow packet capture filters specified to programs such as tcpdump to be
48executed in the kernel, so that packets that don't pass the filter won't
49be copied from the kernel to the program, rather than having all packets
50copied to the program and libpcap doing the filtering in user mode.
51
52Copying packets from the kernel to the program consumes a significant
53amount of CPU, so filtering in the kernel can reduce the overhead of
54capturing packets if a filter has been specified that discards a
55significant number of packets. (If no filter is specified, it makes no
56difference whether the filtering isn't performed in the kernel or isn't
57performed in user mode. :-))
58
59The option for this is the CONFIG_FILTER option; the "Configure.help"
60file says:
61
62 Socket filtering
63 CONFIG_FILTER
64 The Linux Socket Filter is derived from the Berkeley Packet Filter.
65 If you say Y here, user-space programs can attach a filter to any
66 socket and thereby tell the kernel that it should allow or disallow
67 certain types of data to get through the socket. Linux Socket
68 Filtering works on all socket types except TCP for now. See the text
69 file linux/Documentation/networking/filter.txt for more information.
70 If unsure, say N.
71
72
73Statistics:
74Statistics reported by pcap are platform specific. The statistics
75reported by pcap_stats on Linux are as follows:
76
772.2.x
78=====
79ps_recv Number of packets that were accepted by the pcap filter
80ps_drops Always 0, this statistic is not gatherd on this platform
81
822.4.x
83=====
84ps_rec Number of packets that were accepted by the pcap filter
85ps_drops Number of packets that had passed filtering but were not
86 passed on to pcap due to things like buffer shortage, etc.
87 This is useful because these are packets you are interested in
88 but won't be reported by, for example, tcpdump output.