5.4. Packet Capture Library (libpcap)

The Packet Capture Library (libpcap) provides an alternative to the Berkeley Packet Filter for systems that do not support BPF directly. Note that on BSD systems, libpcap simply provides an interface to BPF. libpcap was developed as part of the tcpdump tool, used on many systems for network troubleshooting.

libpcap does not require any special setup. However, on some systems libpcap requires system privilege to read packets from the interfaces. (Where libpcap is layered on BPF, the BPF setup instructions for allowing non-privileged access to BPF devices apply.) Where privilege is required, the libpcap collector (ipacc-pcap) should be installed with the setuid bit set and the owner set to root. The group and other permissions should be set to prevent other users from running the program.
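The following is an added example, not part of the ipacc documentation or distribution, showing one way to install the collector setuid root as described above and to verify the resulting mode before relying on it. The install path, the group name ipacc and the mode 4750 (setuid, no access for others) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the ipacc documentation): install the libpcap
# collector setuid root for the privileged-capture case, restrict it to one
# group, and check the mode afterwards. Paths and group name are assumed.

# install_collector SRC DEST GROUP: copy the binary, give it to root:GROUP and
# set mode 4750 (setuid; owner rwx, group rx, nothing for others).
install_collector() {
    src=$1; dest=$2; group=$3
    cp "$src" "$dest" || return 1
    chown "root:$group" "$dest" || return 1
    chmod 4750 "$dest" || return 1
}

# collector_mode_ok FILE: succeed only if FILE is setuid and "other" has no
# read, write or execute permission. Parses the POSIX ls -l mode field, e.g.
# "-rwsr-x---": character 4 is s/S when setuid, characters 8-10 are "other".
collector_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        ???[sS]??????) ;;        # setuid bit present
        *) return 1 ;;
    esac
    case $mode in
        *---) ;;                 # no permissions for "other"
        *) return 1 ;;
    esac
    return 0
}

# Typical use (assumed paths):
#   install_collector ./ipacc-pcap /usr/local/sbin/ipacc-pcap ipacc
#   collector_mode_ok /usr/local/sbin/ipacc-pcap || echo "ipacc-pcap mode is wrong"
```

The check deliberately fails for a setuid binary that is world-executable: a setuid-root packet sniffer runnable by every local user is exactly the situation the text's advice on group and other permissions is meant to prevent.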

Under Linux, the default and maximum socket buffer size is usually 64 kilobytes. This may be insufficient under high packet loads, so the libpcap collector attempts to set a 1 megabyte buffer. For this to succeed, the system's maximum receive buffer size must first be raised to at least that value. This can be done using the sysctl command as follows:

Note that this should also be done at system startup time, e.g. by adding to /etc/sysctl.conf:

On systems where libpcap uses the Berkeley Packet Filter, e.g. BSD-based systems, the library uses either the default capture buffer size or 32768, whichever is larger. On FreeBSD, the BPF buffer sizes are controlled by the system variables debug.bpf_bufsize and debug.bpf_maxbufsize. To set the BPF buffer size to one megabyte on a FreeBSD system, use:

To set these at system startup time, add to /etc/sysctl.conf:

Note that these are system-wide parameters and will affect all software using the BPF interface. BPF does not allow the buffer size to be changed after a filter is activated on a BPF socket, so there is no way for an application to set an arbitrary BPF buffer size without changes to the pcap-bpf.c module of libpcap.
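As an added example (not from the ipacc documentation), the script below checks whether the capture-buffer limits discussed above are already large enough for the collector's 1 megabyte buffer, reading the key/value lines that sysctl(8) prints, and emits the /etc/sysctl.conf lines for any key that falls short. The FreeBSD keys debug.bpf_bufsize and debug.bpf_maxbufsize are the ones named on this page; the Linux key net.core.rmem_max is my assumption of the receive-buffer limit the text refers to, and the sample sysctl output is constructed.

```shell
#!/bin/sh
# Added example, not from the ipacc documentation. Compares buffer-size
# sysctls against the collector's 1 MB buffer and prints sysctl.conf lines
# for the ones that need raising. Input is sysctl(8) output on stdin, in
# either the FreeBSD form "key: value" or the Linux form "key = value".

WANT=1048576   # 1 megabyte, the buffer size the libpcap collector tries to set

# bufsize_value KEY < sysctl-output: print KEY's integer value, or nothing
# if the key is absent. Whitespace around key and value is stripped.
bufsize_value() {
    awk -v k="$1" -F'[:=]' '{
        n = $1; gsub(/[ \t]/, "", n)
        if (n == k) { v = $2; gsub(/[ \t]/, "", v); print v; exit }
    }'
}

# bufsize_check KEY < sysctl-output: succeed if KEY is present and >= WANT.
bufsize_check() {
    v=$(bufsize_value "$1")
    [ -n "$v" ] && [ "$v" -ge "$WANT" ]
}

# bufsize_advise KEY... < sysctl-output: for every KEY below WANT (or missing),
# print the "KEY=WANT" line to add to /etc/sysctl.conf; prints nothing when
# all keys are already sufficient.
bufsize_advise() {
    out=$(cat)
    for key in "$@"; do
        printf '%s\n' "$out" | bufsize_check "$key" || printf '%s=%s\n' "$key" "$WANT"
    done
}

# Constructed sample, as an untuned FreeBSD host might print for
# "sysctl debug.bpf_bufsize debug.bpf_maxbufsize".
SAMPLE_FREEBSD='debug.bpf_bufsize: 4096
debug.bpf_maxbufsize: 524288'

# Constructed sample of the Linux form (key is assumed, see lead-in).
SAMPLE_LINUX='net.core.rmem_max = 212992'

# Live use on the host itself would be, for example:
#   sysctl debug.bpf_bufsize debug.bpf_maxbufsize | bufsize_advise debug.bpf_bufsize debug.bpf_maxbufsize
#   sysctl net.core.rmem_max | bufsize_advise net.core.rmem_max
```

Because the BPF parameters are system-wide and cannot be changed per application after a filter is activated, running this check before starting the collector (rather than discovering the small buffer through packet drops later) is the practical order of operations.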

5.4.1. Configuring libpcap collection

The collect pcap interface flags ... statement enables libpcap collection on a data source. The interface is the name of the network interface to sniff, and is the same as that used by ifconfig when configuring and querying network interfaces. Only one interface may be specified; however, on some systems (e.g. Linux kernels > 2.2) the keyword any may be used to collect from all interfaces.

Note that when any is used on Linux systems, only outbound packets are recorded (i.e. those forwarded through the system or originating from it). This has implications if address translation is in use: packets in one direction will appear with translated addresses, while those in the other direction will appear with untranslated addresses.

The flag keywords promiscuous, inbound, outbound, broadcasts, multicasts and address work as for the BPF interface. These flags only work for specific interfaces (i.e. not any), and for the most part only on interfaces that appear as Ethernet devices.

libpcap interfaces may select traffic using a filter; this filter is specified using the pcap filter filter statement. filter is a filter expression, the format of which can be found under libpcap filter expressions. Note that only IP packets will be processed by the libpcap collector.

The flow-cache family of statements may be used to tune the flow cache. See the section on flow cache tuning above.
