libpcap cannot capture packets after upgrading to a new Linux Ethernet driver
I have an old system running a custom 2.6.15 kernel that uses libpcap (version 1.1.1). Recently I've changed my network card to one with the Intel 82575EB chipset, which requires me to update the driver to igb.ko (was e1000.ko). After the update, libpcap stopped capturing packets. I modified a sample test code from the tcpdump website that captures 1 packet and prints the header information; libpcap returns a header.len of 1358 and a header.caplen of 42, whereas in the e1000 case, both packet.len and packet.caplen return 1358. I've tried disabling MSI/MSI-X and increasing the MTU but nothing works. Are there any other options I need to set to get the igb driver to work with libpcap?
Here's the sample test program (courtesy of tcpdump/libpcap team):
```c
#include <pcap.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    pcap_t *handle;                 /* Session handle */
    char dev[20];                   /* The device to sniff on */
    char errbuf[PCAP_ERRBUF_SIZE];  /* Error string */
    struct bpf_program fp;          /* The compiled filter (unused here) */
    bpf_u_int32 mask;               /* Our netmask */
    bpf_u_int32 net;                /* Our IP */
    struct pcap_pkthdr header;      /* The header that pcap gives us */
    const u_char *packet;           /* The actual packet */

    if (argc <= 1) return(1);
    /* Copy the device name without writing past the end of dev[] */
    strncpy(dev, argv[1], sizeof(dev) - 1);
    dev[sizeof(dev) - 1] = '\0';

    /* Find the properties for the device */
    if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) {
        fprintf(stderr, "Couldn't get netmask for device %s: %s\n", dev, errbuf);
        net = 0;
        mask = 0;
    }

    /* Open the session in promiscuous mode */
    handle = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
    if (handle == NULL) {
        fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
        return(2);
    }

    /* Grab a packet; pcap_next() returns NULL if none arrived before the timeout */
    packet = pcap_next(handle, &header);
    if (packet == NULL) {
        fprintf(stderr, "No packet captured on %s\n", dev);
        pcap_close(handle);
        return(3);
    }

    /* Print its length (both fields are unsigned) */
    printf("packet length [%u]; captured length [%u]\n", header.len, header.caplen);

    /* And close the session */
    pcap_close(handle);
    return(0);
}
```
Comments (1)
Try libpcap 1.4.0, which is currently the most recent release; there's a bug in 1.1.1 that, as I remember, could cause a packet to be supplied with a too-short caplen even though you've supplied a sufficiently-large snapshot length argument to pcap_open_live() (which you have - BUFSIZ is typically somewhere between 1K and 4K, both of which are bigger than 42, and I think it's 4K on Linux).
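The symptom in this thread is a caplen smaller than both len and the requested snapshot length. The following added example (not code from the original post or from the libpcap project) applies that check to a saved capture in the classic little-endian pcap file format; the function names, the in-memory sample and its 4096-byte snaplen are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SAMPLE_MAX 2048

/* Little-endian 32-bit accessors; byte-swapped and nanosecond-magic files are not handled. */
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* Count records with caplen < min(len, snaplen): truncation that the requested
 * snapshot length does not explain. Returns -1 if the image is malformed. */
int count_unexplained_truncation(const unsigned char *buf, size_t n) {
    int bad = 0;
    if (n < 24 || rd32(buf) != 0xa1b2c3d4u) return -1;  /* 24-byte global header */
    uint32_t snaplen = rd32(buf + 16);
    for (size_t off = 24; off < n; ) {
        if (n - off < 16) return -1;                    /* partial record header */
        uint32_t caplen = rd32(buf + off + 8);          /* incl_len */
        uint32_t len = rd32(buf + off + 12);            /* orig_len */
        if (caplen > n - off - 16) return -1;           /* record runs past the end */
        if (caplen < (len < snaplen ? len : snaplen)) bad++;
        off += 16 + (size_t)caplen;
    }
    return bad;
}

/* Constructed sample: snaplen 4096, two 1358-byte packets, the second cut to 42. */
size_t build_sample(unsigned char *out) {
    const uint32_t caplens[2] = { 1358, 42 };
    size_t off = 24;
    memset(out, 0, SAMPLE_MAX);
    wr32(out, 0xa1b2c3d4u); out[4] = 2; out[6] = 4;     /* magic, version 2.4 */
    wr32(out + 16, 4096); wr32(out + 20, 1);            /* snaplen, LINKTYPE_ETHERNET */
    for (int i = 0; i < 2; i++) {
        wr32(out + off + 8, caplens[i]); wr32(out + off + 12, 1358);
        off += 16 + caplens[i];
    }
    return off;
}

int main(void) {
    unsigned char img[SAMPLE_MAX];
    printf("unexplained truncated records: %d\n", count_unexplained_truncation(img, build_sample(img)));
    return 0;
}
```

A non-zero count on a capture taken with a large snapshot length means payload bytes were lost before they reached the file, so any content inspection run on that capture only sees the leading bytes of those packets.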