Request for testers: libpcap 1.2.0

2012-05-15 Thread Lawrence Teo
Since the libpcap in base is really old (last sync with upstream was
done with libpcap 0.9.4 in 2006), new programs that need libpcap >= 1.0
cannot be easily ported to OpenBSD.

net/snort is especially affected because the latest Snort 2.9.x from
upstream requires libpcap >= 1.0, and upstream no longer supports or
provides rules for older versions such as Snort 2.8.6, which is
currently in ports.

I have written a diff that imports several critical functions from
libpcap 1.2.0 to libpcap in base.  It should be backwards-compatible
with the older libpcap, but would benefit from wider testing to confirm.

If you use pcap-based ports, could you please consider testing this
diff?  I have set up a simple set of pages at the following URLs that
has the list of pcap-based ports, some suggested tests, and my own test
results:

General info and the libpcap diff itself
http://lteo.net/libpcap/

List of pcap-based ports and my test results
http://lteo.net/libpcap/ports.html

If anyone would like to test their favorite pcap ports against this
diff, I would really appreciate it!  Please send both positive and
negative test feedback to me.

Thank you!

Lawrence


=

How to apply:

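# Apply the libpcap diff and rebuild the in-tree programs that link against it.
# Stop at the first failure: without this, a patch that does not apply
# cleanly would still be followed by "make install" of a half-patched tree.
set -e

cd /usr/src/lib/libpcap
patch < libpcap-1.2.0-20120511.diff
make obj
make includes
make
make install

# Rebuild the base programs listed in the mail, in the same order.
# Each one runs in a subshell so a failed "cd" cannot leak into the next step.
for dir in usr.sbin/tcpdump libexec/spamlogd sbin/pflogd usr.sbin/pppd; do
    (cd "/usr/src/$dir" && make obj && make && make install)
done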

Index: Makefile
===
RCS file: /cvs/src/lib/libpcap/Makefile,v
retrieving revision 1.20
diff -u -p -r1.20 Makefile
--- Makefile13 Aug 2009 19:54:58 -  1.20
+++ Makefile11 May 2012 04:35:01 -
@@ -25,11 +25,15 @@ MLINKS= pcap.3 pcap_open_live.3 pcap.3 p
pcap.3 pcap_sendpacket.3 pcap.3 pcap_next_ex.3 \
pcap.3 pcap_setdirection.3 pcap.3 pcap_dump_file.3 \
pcap.3 pcap_dump_ftell.3 pcap.3 pcap_fopen_offline.3 \
-   pcap.3 pcap_dump_flush.3
+   pcap.3 pcap_dump_flush.3 pcap.3 pcap_create.3 \
+   pcap.3 pcap_set_snaplen.3 pcap.3 pcap_set_promisc.3 \
+   pcap.3 pcap_can_set_rfmon.3 pcap.3 pcap_set_rfmon.3 \
+   pcap.3 pcap_set_timeout.3 pcap.3 pcap_set_buffer_size.3 \
+   pcap.3 pcap_activate.3 pcap.3 pcap_statustostr.3
 
 DEFS=  -DHAVE_SYS_IOCCOM_H -DHAVE_SYS_SOCKIO_H -DHAVE_ETHER_HOSTTON \
-DHAVE_STRERROR -DHAVE_SOCKADDR_SA_LEN -DLBL_ALIGN -DHAVE_IFADDRS_H \
-   -DINET6
+   -DINET6 -DHAVE_BSD_IEEE80211
 
 CFLAGS+=-I. -I${.CURDIR} -Dyylval=pcap_yylval ${DEFS}
 
Index: pcap-bpf.c
===
RCS file: /cvs/src/lib/libpcap/pcap-bpf.c,v
retrieving revision 1.20
diff -u -p -r1.20 pcap-bpf.c
--- pcap-bpf.c  26 Mar 2006 20:58:51 -  1.20
+++ pcap-bpf.c  11 May 2012 04:35:01 -
@@ -38,6 +38,8 @@
 #include 
 #include 
 
+#include 
+
 #include "pcap-int.h"
 
 #ifdef HAVE_OS_PROTO_H
@@ -46,6 +48,12 @@
 
 #include "gencode.h"
 
+static int find_802_11(struct bpf_dltlist *);
+static int monitor_mode(pcap_t *, int);
+
+static int pcap_activate_bpf(pcap_t *p);
+static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp);
+
 int
 pcap_stats(pcap_t *p, struct pcap_stat *ps)
 {
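Review bot: The new prototypes mix unnamed and named parameters: `find_802_11(struct bpf_dltlist *)` and `monitor_mode(pcap_t *, int)` drop the names that `pcap_activate_bpf(pcap_t *p)` and `pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp)` keep. Naming them documents what the second argument of monitor_mode means, which the hunk does not otherwise show, e.g. `static int monitor_mode(pcap_t *p, int set);` (name constructed). The definitions of these four functions are outside this hunk.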
@@ -54,7 +62,7 @@ pcap_stats(pcap_t *p, struct pcap_stat *
if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s",
pcap_strerror(errno));
-   return (-1);
+   return (PCAP_ERROR);
}
 
ps->ps_recv = s.bs_recv;
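Review bot: pcap_stats() now returns PCAP_ERROR where it returned -1, and pcap_read() returns PCAP_ERROR_BREAK where it returned -2 in the next hunk; programs built against the old library test for those literal values, so the backward-compatibility claim in the mail rests on the macros being defined to the same numbers in pcap.h, which this diff does not show. A comment at the first such return would make that dependency visible, e.g. `/* PCAP_ERROR is expected to be -1, the value pre-1.0 callers of pcap_stats() check for */`. The enclosing pcap_stats() begins before this hunk.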
@@ -76,11 +84,11 @@ pcap_read(pcap_t *p, int cnt, pcap_handl
if (p->break_loop) {
/*
 * Yes - clear the flag that indicates that it
-* has, and return -2 to indicate that we were
-* told to break out of the loop.
+* has, and return PCAP_ERROR_BREAK to indicate
+* that we were told to break out of the loop.
 */
p->break_loop = 0;
-   return (-2);
+   return (PCAP_ERROR_BREAK);
}
 
cc = p->cc;
@@ -95,6 +103,21 @@ pcap_read(pcap_t *p, int cnt, pcap_handl
 
case EWOULDBLOCK:
return (0);
+
+   case ENXIO:
+   /*
+* The device on which we're capturing
+* went away.
+*
+* XXX - we should really return
+* PCAP_ERROR_IFACE_NOT_UP, but
+* pcap_dispatch() etc. aren't
+* defined to retur that.
+*/
+   snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
+  

Re: Request for testers: libpcap 1.2.0

2012-05-22 Thread Lawrence Teo
On Tue, May 15, 2012 at 02:02:35PM -0400, Lawrence Teo wrote:
> Since the libpcap in base is really old (last sync with upstream was
> done with libpcap 0.9.4 in 2006), new programs that need libpcap >= 1.0
> cannot be easily ported to OpenBSD.
> 
> net/snort is especially affected because the latest Snort 2.9.x from
> upstream requires libpcap >= 1.0, and upstream no longer supports or
> provides rules for older versions like Snort 2.8.6 that is currently in
> ports.

If anyone is interested, I have updated my proof-of-concept Snort port
to 2.9.2.3 on my libpcap update page:

http://lteo.net/libpcap/
http://lteo.net/libpcap/snort.html